def chall_two_phase_1(p, g):
# Alice and Bob generate private keys
a, b = random.randint(0, p), random.randint(0, p)
# Alice and Bob sends public messages
A, B = modexp(g,a,p), modexp(g,b,p)
print(f"These are public info! \np: \t\t\t{hex(p)} \ng: {g}\nAlice public key: \t{hex(A)}\nBob public key: \t{hex(B)}")
# Now, generate shared secret S by computing
# S == A^b == B^a
S = modexp(A,b,p)
bytes_S = hex(S)[2:].encode()
assert S == modexp(B,a,p), "Shared secret miscomputed"
# 1a) Preparing to send Bob the message
iv_a = get_random_int(128)
sha_S = sha1(bytes_S,len(bytes_S)*8)
print(f"shared secret is: {S}")
shared_S = sha_S[2:][:32]
alice_msg = "This is the password. Pass it on!".encode().hex()
alice_encrypt = cbc_encrypt(alice_msg, shared_S, iv_a) + iv_a
print(f"Here is my (alice's) encrypted text: \t\t{alice_encrypt}")
print("\n~~~~~SENDING MESSAGE~~~~~~ PLS NO INTERCEPT ~~~~~")
print("~~~~~BUT EVEN IF YOU DO THIS IS UNHAXABLE~~~~~~~~\n")
# 1b) Bob receives the message
# Confirming that Bob received the message from Alice correctly
iv_b = alice_encrypt[-32:]
alice_ciphertext = alice_encrypt[:-32]
bob_decrypt = cbc_decrypt(alice_ciphertext, shared_S, iv_b)
padding = int(bob_decrypt[-1], 16)*2
bob_decrypt = bob_decrypt[:-padding]
assert bob_decrypt == alice_msg
iv_b = get_random_int(128)
bob_encrypt = cbc_encrypt(bob_decrypt, shared_S, iv_b) + iv_b
print(f"Thanks! Here is my (bob's) encrypted text: \t{bob_encrypt}")
# 2) Bob sending message back to Alice
iv_b = bob_encrypt[-32:]
bob_ciphertext = bob_encrypt[:-32]
alice_decrypt = cbc_decrypt(bob_ciphertext, shared_S, iv_b)
padding = int(alice_decrypt[-1], 16)*2
alice_decrypt = alice_decrypt[:-padding]
assert alice_decrypt == alice_msg
return alice_encrypt, bob_encrypt
def honest_server():
salt = get_random_int(32)
xH = hashlib.sha256(salt.encode() + creds['pass'].encode())
x = int(xH.hexdigest(), 16)
DB.v = modexp(g, x, N)
# DB server state
DB.salt = salt
DB.b = random.randint(0, N)
DB.serverKey = modexp(g, DB.b, N)
DB.u = int(get_random_int(128), 16)
return "OK", 200
def phase_one():
a = random.randint(0, N)
A = modexp(g, a, N)
salt, server_pubKey, challenge = send_pubKey(A)
xH = hashlib.sha256(salt.encode() + creds['pass'].encode())
x = int(xH.hexdigest(), 16)
shared_S = modexp(server_pubKey, a + x*challenge, N)
K = hashlib.sha256(hex(shared_S).encode()).hexdigest()
hmac = hashlib.pbkdf2_hmac('sha256', K.encode(), salt.encode(), 100000).hex()
retCode = validate(hmac)
print(f"-\thmac: {hmac} ret code {retCode}")
def check_password():
DB.b = random.randint(0, N)
DB.salt = hex(random.randint(0, 2**32))[2:]
xH = hashlib.sha256(DB.salt.encode() + password.encode()).hexdigest()
x = int(xH, 16)
DB.v = modexp(g, x, N)
if request.method == "POST":
payload = request.get_json()
email, A = payload['email'], payload['pubKey']
serverKey = hex(k * DB.v + modexp(g, DB.b, N))[2:]
respData = json.dumps({"salt": DB.salt, "serverKey": serverKey})
DB.uH = hashlib.sha256((hex(A)[2:] + serverKey).encode()).hexdigest()
DB.u = int(DB.uH, 16)
DB.S = modexp(A * modexp(DB.v, DB.u, N), DB.b, N)
DB.K = hashlib.sha256(hex(DB.S)[2:].encode()).hexdigest()
return respData, 200
def chall_six():
if request.method == "POST":
payload = request.get_json()
client_pubKey = payload['pubKey']
serverKey = DB.serverKey
respData = json.dumps({
"salt": DB.salt,
"serverKey": serverKey,
"challenge": DB.u
})
# ((A * (v ** u)) ** b) % N
temp_base = client_pubKey * modexp(DB.v, DB.u, N)
DB.S = hex(modexp(temp_base, DB.b, N))
DB.K = hashlib.sha256(DB.S.encode()).hexdigest()
if MitmAttacker.enabled:
MitmAttacker.A = client_pubKey
return respData, 200
def crack():
# We know the protocol being run, so we can recompute every step
# and compare against the MITM information
# Further, since we're a malicious server, we can just forge a lot of stuff
# e.g. b, B, u, salt
# key compute steps are:
# - x = SHA256(salt + pass) // WE KNOW SALT; WILL GUESS PASS
# - ((A * (v ** u)) ** b) % N // WE KNOW b and u
# ((A * (v ** u)) ** b) % N
with open("/usr/share/dict/xato-net-10-million-passwords-100000.txt",
"r") as passFile:
print("==================")
print("RUNNING OFFLINE ATTACK")
print("==================")
for password in passFile:
xH = hashlib.sha256(MitmAttacker.salt.encode() +
password.strip().encode())
x = int(xH.hexdigest(), 16)
v = modexp(g, x, N)
temp_base = MitmAttacker.A * modexp(v, MitmAttacker.u, N)
S = hex(modexp(temp_base, MitmAttacker.b, N))
K = hashlib.sha256(S.encode()).hexdigest()
computed_hmac = hashlib.pbkdf2_hmac('sha256', K.encode(),
MitmAttacker.salt.encode(),
100000).hex()
captured_hmac = MitmAttacker.hmac
print(
f"comparing password {password.strip()}: {computed_hmac} against {captured_hmac}"
)
if computed_hmac == captured_hmac:
print(f"HACKED PASSWORD: {password}")
return
print("did not find password in dictionary; try again!")
def main():
a = random.randint(0, N)
A = modexp(g, a, N)
payload = { 'email': '*****@*****.**',
'pubKey': A}
r = requests.post("http://*****:*****@ssw0rd'.encode()).hexdigest()
x = int(xH, 16)
S = modexp((int(B, 16) - k*modexp(g,x,N)), a + u*x, N)
K = hashlib.sha256(hex(S)[2:].encode()).hexdigest()
hmac_sha2 = hashlib.pbkdf2_hmac('sha256', K.encode(), salt.encode(), 100000).hex()
r = requests.post("http://localhost:9000/validate", json={'hmac' : hmac_sha2})
print(r.text)
assert r.ok
print("Server accepted credentials")
def rsa_decrypt_int(key, ciphertext, n):
return modexp(ciphertext, key, n)
def rsa_encrypt_int(key, plaintext, n):
return modexp(plaintext, key, n)
def main():
p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff
g = 2
# Alice and Bob generate private keys
a, b = random.randint(0, p), random.randint(0, p)
# Alice and Bob sends public messages
A, B = modexp(g,a,p), modexp(g,b,p)
print(f"These are public info! \np: \t\t\t{hex(p)} \ng: {g}\nAlice public key: \t{hex(A)}\nBob public key: \t{hex(B)}")
# Now, generate shared secret S by computing
# S == A^b == B^a
S = modexp(A,b,p)
bytes_S = hex(S)[2:].encode()
assert S == modexp(B,a,p), "Shared secret miscomputed"
# 1a) Preparing to send Bob the message
iv_a = get_random_int(128)
sha_S = sha1(bytes_S,len(bytes_S)*8)
print(f"shared secret is: {S}")
shared_S = sha_S[2:][:32]
alice_msg = "This is the password. Pass it on!".encode().hex()
alice_encrypt = cbc_encrypt(alice_msg, shared_S, iv_a) + iv_a
print(f"Here is my (alice's) encrypted text: \t\t{alice_encrypt}")
print("\n~~~~~SENDING MESSAGE~~~~~~ PLS NO INTERCEPT ~~~~~")
print("~~~~~BUT EVEN IF YOU DO THIS IS UNHAXABLE~~~~~~~~\n")
# 1b) Bob receives the message
# Confirming that Bob received the message from Alice correctly
iv_b = alice_encrypt[-32:]
alice_ciphertext = alice_encrypt[:-32]
bob_decrypt = cbc_decrypt(alice_ciphertext, shared_S, iv_b)
padding = int(bob_decrypt[-1], 16)*2
bob_decrypt = bob_decrypt[:-padding]
assert bob_decrypt == alice_msg
iv_b = get_random_int(128)
bob_encrypt = cbc_encrypt(bob_decrypt, shared_S, iv_b) + iv_b
print(f"Thanks! Here is my (bob's) encrypted text: \t{bob_encrypt}")
# 2) Bob sending message back to Alice
iv_b = bob_encrypt[-32:]
bob_ciphertext = bob_encrypt[:-32]
alice_decrypt = cbc_decrypt(bob_ciphertext, shared_S, iv_b)
padding = int(alice_decrypt[-1], 16)*2
alice_decrypt = alice_decrypt[:-padding]
assert alice_decrypt == alice_msg
"""
PHASE 2
"""
print("~~~~~~~~~~~~~~~~~~~~~~~~~~")
print(" PHASE 2 ")
print("~~~~~~~~~~~~~~~~~~~~~~~~~~")
# if A == B == p, keys are just 0 since p^k mod p == 0
A, B = modexp(g,a,p), modexp(g,b,p)
M_A, M_B = p, p
S = modexp(M_A,b,p)
bytes_S = hex(S)[2:].encode()
print(f"shared secret is: {S}")
assert S == modexp(M_B,a,p)
sha_S = sha1(bytes_S,len(bytes_S)*8)
print(f"shared secret is: {S}")
shared_S = sha_S[2:][:32]
"""
