def break_dh_gps1():
# Mallory intercepts the group negotiation and sets g=1
alice = Node(prime, prime - 1)
mallory = Node(prime, prime - 1)
bob = Node(prime, prime - 1)
# Mallory doesn't tamper with the public keys
alice_symkey = alice.negotiate_key(peer_pubkey=bob.pubkey)
bob_symkey = alice.negotiate_key(peer_pubkey=alice.pubkey)
# Alice encrypts a message with her symmetric key
message = b"alice: *******\nalice: thats what I see"
iv = os.urandom(16)
ciphertext = aes_cbc_encrypt(message, alice_symkey, iv)
# Mallory intercepts the message. He knows the secret is either 1 or p-1,
# so he calculates both keys and finds out which one can decrypt the
# message.
mallory_symkey = mallory.negotiate_key(secret=1)
try:
plaintext = aes_cbc_decrypt(ciphertext, mallory_symkey, iv)
except InvalidPadding:
mallory_symkey = mallory.negotiate_key(secret=prime - 1)
plaintext = aes_cbc_decrypt(ciphertext, mallory_symkey, iv)
return str(plaintext, 'utf8')
def main():
# Alice wants to encrypt a top-secret cookie recipe to Bob. They decide to
# negotiate a symmetric encryption key using the Diffie-Hellman Key Exchange.
alice = Node(prime, generator)
# Alice sends her public key to Bob. Bob calculates the symmetric key from
# Alice's public key. But wait, Mallory is on the network and replaced her
# public key with her prime number! D:
mallory = Node(prime, generator)
bob = Node(alice.prime, mallory.generator)
bob_symkey = bob.negotiate_key(peer_pubkey=mallory.prime)
# Bob sends his public key to Alice, and Mallory does the same thing.
alice_symkey = alice.negotiate_key(peer_pubkey=mallory.prime)
# Alice encrypts the message
recipe = b'6 eggs\n2 cups flower\n1 cup brown sugar\n1 tbsp vanilla ice'
iv = os.urandom(16)
ciphertext = aes_cbc_encrypt(recipe, alice_symkey, iv)
# Mallory knows the secret value because p ** n % p = 0, and from it can
# calculate the key.
mallory_symkey = mallory.negotiate_key(secret=0)
# Mallory intercepts and then decrypts the ciphertext
plaintext = aes_cbc_decrypt(ciphertext, mallory_symkey, iv)
print("Succesfully MITM'd the DH key exchange! Plaintext:")
print(str(plaintext, 'utf8'))
def encrypt_data(data):
if ';' in data or '=' in data:
raise Exception("Invalid userdata")
data = b"comment1=cooking%20MCs;userdata=" + bytes(data, 'utf8')
data += b";comment2=%20like%20a%20pound%20of%20bacon"
return aes_cbc_encrypt(data, p27_key, p27_iv, pkcs7_pad)
def init():
global key, IV, ciphertext
key = Random.new().read(AES.block_size)
IV = Random.new().read(AES.block_size)
plaintext = None
with open('p17-input.txt') as fh:
pts = fh.readlines()
n = randint(0, len(pts) - 1)
plaintext = b64decode(pts[n].encode('utf8'))
ciphertext = aes_cbc_encrypt(plaintext, key, IV, pkcs7_pad)
def main():
# test cbc encryption and decryption
key = b'YELLOW SUBMARINE'
iv = b"\x00" * 16
pt = b'A' * 156
ct = aes_cbc_encrypt(pt, key, iv)
print(b64encode(ct).decode('utf8'))
pt = aes_cbc_decrypt(ct, key, iv)
print(pt.decode('utf8'))
# decrypt the actual answer
plaintext = aes_cbc_decrypt(b64decode(ciphertext), key, iv)
print(plaintext.decode("utf8"))
def encryption_oracle(pt):
entropy = Random.new()
key = entropy.read(AES.block_size)
crypt = randint(0, 1)
prefix = entropy.read(randint(5, 10))
suffix = entropy.read(randint(5, 10))
pt = prefix + pt + suffix
if crypt == 0:
print("Crypting in ECB mode")
return aes_ecb_encrypt(pt, key)
elif crypt == 1:
print("Crypting in CBC mode")
iv = entropy.read(AES.block_size)
return aes_cbc_encrypt(pt, key, iv)
def break_dh_gp():
# Mallory intercepts the group negotiation and sets g=1
alice = Node(prime, prime)
mallory = Node(prime, prime)
bob = Node(prime, prime)
# Mallory doesn't tamper with the public keys
alice_symkey = alice.negotiate_key(peer_pubkey=bob.pubkey)
bob_symkey = alice.negotiate_key(peer_pubkey=alice.pubkey)
# Bob encrypts a message with his symmetric key
message = b"bob: hunter2.\nbob: doesnt look like stars to me"
iv = os.urandom(16)
ciphertext = aes_cbc_encrypt(message, bob_symkey, iv)
# Mallory intercepts the message. He knows the secret is 0, so he
# calculates the key and decrypts the message.
mallory_symkey = mallory.negotiate_key(secret=0)
plaintext = aes_cbc_decrypt(ciphertext, mallory_symkey, iv)
return str(plaintext, 'utf8')
def break_dh_g1():
# Mallory intercepts the group negotiation and sets g=1
alice = Node(prime, 1)
mallory = Node(prime, 1)
bob = Node(prime, 1)
# Mallory doesn't tamper with the public keys
alice_symkey = alice.negotiate_key(peer_pubkey=bob.pubkey)
bob_symkey = alice.negotiate_key(peer_pubkey=alice.pubkey)
# Alice encrypts a message with her symmetric key
message = b"alice: hey, if you type in your pw, it will show as stars.\nalice: ********* see!"
iv = os.urandom(16)
ciphertext = aes_cbc_encrypt(message, alice_symkey, iv)
# Mallory intercepts the message. He knows the secret is 1, so he
# calculates the key and decrypts the message.
mallory_symkey = mallory.negotiate_key(secret=1)
plaintext = aes_cbc_decrypt(ciphertext, mallory_symkey, iv)
return str(plaintext, 'utf8')
def admin_get():
key = None
ct = encrypt_data("A"*16)
ct = ct[:16] + b"\x00"*16 + ct[:16] + b"\x00"*16
for i in range(1, 256):
try:
decrypt_data(ct)
except InvalidPadding as e:
# Since padding is used, we must find a ciphertext with correct
# padding by fiddling with the last byte of the 2nd to last block.
ct = ct[:16] + b"\x00"*16 + ct[:16]
ct += b"\x00"*15+bytes([i]) + b"\x00"*16
continue
except InvalidAscii as e:
e = str(e)
index = e.find(':') + 2
pt = b16decode(bytes(e[index:], 'utf8'))
key = fixed_xor(pt[:16], pt[32:48])
data = b'crypto=hard;pimping=easy;admin=true'
return aes_cbc_encrypt(data, key, key, pkcs7_pad)
raise Exception("Your code is bad and you should feel bad")