def client():
client_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_sock.connect((HOST, PROTOCOL))
# generate a needed for diffie hellman
a = secrets.randbelow(MODPGROUP["1536"])
g_with_a = GroupOp.mod_exp(GENERATOR, a, MODPGROUP["1536"])
if not net_utils.send_msg("({},{})".format(g_with_a, EMAIL), client_sock):
raise ValueError("Failed to send message")
message_received = net_utils.receive_msg(client_sock)
msg_ints = literal_eval(message_received.decode('utf-8'))
salt = msg_ints[0]
b_value = msg_ints[1]
sha_pw_digest = sha256.SHA256()
sha_pw_digest.Update(
bytes("{}||{}".format(salt, PASSWORD), encoding='utf-8'))
x_exp = sha_pw_digest.Sum()
u_digest = sha256.SHA256()
u_digest.Update(bytes("{}||{}".format(g_with_a, b_value),
encoding='utf-8'))
u = u_digest.Sum()
v_value = GroupOp.mod_exp(GENERATOR, x_exp, MODPGROUP["1536"])
total = (b_value - (K * v_value)) % MODPGROUP["1536"]
total = GroupOp.mod_exp(total, a + (x_exp * u), MODPGROUP["1536"])
key_digest = sha256.SHA256()
key_digest.Update(bytes("{}".format(total), encoding='utf-8'))
actual_key = (key_digest.Sum()).to_bytes(256 // 8, byteorder='big')
verification_check = hmac_myimpl.SHA256_HMAC(actual_key, salt)
if not net_utils.send_msg(verification_check, client_sock):
raise ValueError("Could not send over pipe")
def verify_login(self, u_id, password):
"""
verifies user id and password for login
Args:
u_id - user email to be added
password - password to be added (unhashed)
Returns:
status code - to signal error or success back to server
"""
users = self.db.users
# hash user provided password using sha256
login_hash = sha256.SHA256(password).hexdigest()
user = users.find_one({"u_id": u_id})
# if no user with the u_id is found
if user is None:
return 431
else:
# compare user hashed password to hash stored in database
if (user.get('password') == login_hash):
return 102
else:
return 431
def offline_attack(client_key_share, salt, client_output, pw_dictionary):
for psw in pw_dictionary:
sha_pw_digest = sha256.SHA256()
sha_pw_digest.Update(bytes("{}||{}".format(salt,psw), encoding='utf-8'))
x_exp = sha_pw_digest.Sum()
g_to_the_x = GroupOp.mod_exp(CP36.GENERATOR, x_exp, CP36.MODPGROUP["1536"])
potential_s = (g_to_the_x * client_key_share) % CP36.MODPGROUP["1536"]
key_digest = sha256.SHA256()
key_digest.Update(bytes("{}".format(potential_s), encoding='utf-8'))
actual_key = (key_digest.Sum()).to_bytes(256 // 8,byteorder='big')
check_against = hmac_myimpl.SHA256_HMAC(actual_key, salt)
if client_output == check_against:
return psw
return None
def simple_srp(email, client_share, client_sock):
# try and receive msg from pipe
b = secrets.randbelow(CP36.MODPGROUP["1536"])
salt, v = server_user_list[email]
g_with_b = GroupOp.mod_exp(CP36.GENERATOR, b, CP36.MODPGROUP["1536"])
u = secrets.randbelow(2**128)
server_msg = "({},{},{})".format(salt, g_with_b, u)
if not net_utils.send_msg(server_msg, client_sock):
raise ValueError("Failed writing to pipe")
client_hmac_val = net_utils.receive_msg(client_sock)
total = GroupOp.mod_exp(v,u, CP36.MODPGROUP["1536"])
total = (total * client_share) % CP36.MODPGROUP["1536"]
total = GroupOp.mod_exp(total, b, CP36.MODPGROUP["1536"])
key_digest = sha256.SHA256()
key_digest.Update(bytes("{}".format(total), encoding='utf-8'))
actual_key = (key_digest.Sum()).to_bytes(256 // 8,byteorder='big')
check_against = hmac_myimpl.SHA256_HMAC(actual_key, salt)
# this comparison is very insecure
if client_hmac_val == check_against:
return True
else:
return False
return
def generate_v(salt, password):
sha256_string = sha256.SHA256()
salt_hash_concat = "{}||{}".format(salt, password)
sha256_string.Update(bytes(salt_hash_concat, encoding='utf-8'))
x = sha256_string.Sum()
# this is a random numerical value -- not a string although it should be one
v = GroupOp.mod_exp(GENERATOR, x, MODPGROUP["1536"])
return v
def client(email, password, new_user=False):
client_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_sock.connect((HOST,PROTOCOL))
if new_user:
msg = "CREATE_PASSWORD:({},{})".format(email, password)
if not net_utils.send_msg(msg, client_sock):
raise ValueError("Failed to send message")
# wait to receive a SUCCESSFUL from the server
server_reply = (net_utils.receive_msg(client_sock)).decode('utf-8')
if server_reply != "SUCCESS":
raise ValueError("Could not create account")
else:
print("Successfully created account")
else:
# generate a needed for diffie hellman
a = secrets.randbelow(CP36.MODPGROUP["1536"])
g_with_a = GroupOp.mod_exp(CP36.GENERATOR, a, CP36.MODPGROUP["1536"])
if not net_utils.send_msg("AUTH_ATTEMPT:({},{})".format(g_with_a, email),client_sock):
raise ValueError("Failed to send message")
message_received = net_utils.receive_msg(client_sock)
msg_ints = literal_eval(message_received.decode('utf-8'))
salt = msg_ints[0]
b_value = msg_ints[1]
u = msg_ints[2]
sha_pw_digest = sha256.SHA256()
sha_pw_digest.Update(bytes("{}||{}".format(salt, password), encoding='utf-8'))
x_exp = sha_pw_digest.Sum()
total = GroupOp.mod_exp(b_value, a + (x_exp * u), CP36.MODPGROUP["1536"])
key_digest = sha256.SHA256()
key_digest.Update(bytes("{}".format(total), encoding='utf-8'))
actual_key = (key_digest.Sum()).to_bytes(256 // 8,byteorder='big')
verification_check = hmac_myimpl.SHA256_HMAC(actual_key, salt)
if not net_utils.send_msg(verification_check, client_sock):
raise ValueError("Could not send over pipe")
msg = (net_utils.receive_msg(client_sock)).decode('utf-8')
print("Server says {}".format(msg))
print("Finishing client thread")
return
def server_srp(client_sock, email_held, salt, v_held):
# try and receive msg from pipe
b = secrets.randbelow(MODPGROUP["1536"])
client_msg = (net_utils.receive_msg(client_sock)).decode('utf-8')
args = client_msg.split(",")
email = args[1][:-1]
client_key_share = int(args[0][1:])
if email == email_held:
g_with_b = GroupOp.mod_exp(GENERATOR, b, MODPGROUP["1536"])
maskedv = (K * v_held + g_with_b) % MODPGROUP["1536"]
server_msg = "({},{})".format(salt, maskedv)
else:
print("Server received wrong email identifier")
server_msg = "ERROR"
if not net_utils.send_msg(server_msg, client_sock):
raise ValueError("Failed writing to pipe")
client_hmac_val = net_utils.receive_msg(client_sock)
#compute local
u_hash = sha256.SHA256()
u_hash.Update(
bytes("{}||{}".format(client_key_share, maskedv), encoding='utf-8'))
u = u_hash.Sum()
total = GroupOp.mod_exp(v_held, u, MODPGROUP["1536"])
total = (total * client_key_share) % MODPGROUP["1536"]
total = GroupOp.mod_exp(total, b, MODPGROUP["1536"])
key_digest = sha256.SHA256()
key_digest.Update(bytes("{}".format(total), encoding='utf-8'))
actual_key = (key_digest.Sum()).to_bytes(256 // 8, byteorder='big')
check_against = hmac_myimpl.SHA256_HMAC(actual_key, salt)
# this comparison is very insecure
if client_hmac_val == check_against:
print("{} client succesfully authenticated".format(email_held))
return True
else:
return False
def __init__(self, curve=_default_curve, n=_default_n, P=None):
self._curve = curve
self._n = n # order of base point
self._L_n = self._n.bit_length()
if P is None:
self._P = self._calculate_base_point() # base point
else:
self._P = P
self._d = self._calculate_private_key() # private key
self._Q = self._calculate_public_key() # public key
self._e, self._F_e = self._calculate_pre_signature(
) # e and pre-signature
self._L_h = 256
self._H = sha256.SHA256()
self._iH = 'SHA-256'
self._L_D = math.ceil((2 * self._L_n) / 16) * 16
def sha256_with_secret_round_keys(m: bytes, secret_round_keys: dict) -> bytes:
"""Computes SHA256 with some secret round keys.
Args:
m: the message to hash
secret_round_keys: a dictionary where secret_round_keys[i] is the value of
the round key k[i] used in SHA-256
Returns:
the digest
"""
sha = sha256.SHA256()
round_keys = sha.k[:]
for i, v in secret_round_keys.items():
round_keys[i] = v
return sha.sha256(m, round_keys)
def get_states(msg: bytes, digest: bytes, round_keys=None):
sha = sha256.SHA256()
states = [ExtendedState() for i in range(65)]
m_padded = sha.padding(msg)
if len(m_padded) != 64:
raise ValueError('not implemented')
w = sha.compute_w(m_padded)
last = struct.unpack('>8L', digest)
d = [(x - y) & 0xffffffff for x, y in zip(last, sha.h)]
s = states[-1]
s.a, s.b, s.c, s.d, s.e, s.f, s.g, s.h = d
s = states[0]
s.a, s.b, s.c, s.d, s.e, s.f, s.g, s.h = sha.h
for i, wi in enumerate(w):
states[i].w = wi
for i, k in enumerate(round_keys):
states[i].k = k
return states
def attacker():
print("Attacker trying to authenticate")
email = input("Please enter the user you would like to authenticate as...")
# generate a needed for diffie hellman
share = input(
"Input client share (i.e. g**a) as numerical value or [number]G\n")
changed_val = False
if "G" in share:
g_with_a = CP36.MODPGROUP["1536"] * int(share[:share.index("G")])
changed_val = True
else:
g_with_a = int(share)
second_client_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
second_client_sock.connect((HOST, PROTOCOL))
if not net_utils.send_msg("AUTH_ATTEMPT", second_client_sock):
raise ValueError("Failed to send message")
saw_okay = (net_utils.receive_msg(second_client_sock)).decode('utf-8')
if saw_okay != "CONTINUE":
raise ValueError("Server Error")
if not net_utils.send_msg("({},{})".format(g_with_a, email),
second_client_sock):
raise ValueError("Failed to send message")
message_received = net_utils.receive_msg(second_client_sock)
msg_ints = literal_eval(message_received.decode('utf-8'))
salt = msg_ints[0]
total = int(input("Please give integer input (i.e. S): "))
key_digest = sha256.SHA256()
key_digest.Update(bytes("{}".format(total), encoding='utf-8'))
actual_key = (key_digest.Sum()).to_bytes(256 // 8, byteorder='big')
verification_check = hmac_myimpl.SHA256_HMAC(actual_key, salt)
if not net_utils.send_msg(verification_check, second_client_sock):
raise ValueError("Could not send over pipe")
response = (net_utils.receive_msg(second_client_sock)).decode('utf-8')
print("Finishing client thread, received from server {}".format(response))
def create_account(self, u_id, password):
"""
adds new account to database, password is stored as a sha256 hash
Args:
u_id - user email to be added
password - password to be added (unhashed)
Returns:
status code - to signal error or success back to server
"""
# get users documnet
users = self.db.users
# hash user provided password using sha256
password = sha256.SHA256(password).hexdigest()
# if user email is already in database
if (not users.find_one({"u_id": u_id}) is None):
return 421
new_user = {"u_id": u_id, "password": password}
# insert new user to database
new_user_insert = users.insert_one(new_user)
return 101
s0 = self.rotate_right(a, 2) ^ self.rotate_right(
a, 13) ^ self.rotate_right(a, 22)
maj = (a & b) ^ (a & c) ^ (b & c)
tmp2 = (tmp1 + s0 + maj) & 0xffffffff
tmp3 = (d + tmp1) & 0xffffffff
print("Compression step:", list(map(hex, (tmp2, a, b, c, tmp3, e, f, g))))
return (tmp2, a, b, c, tmp3, e, f, g)
if __name__ == '__main__':
while True:
secret_round_keys = generate_random_round_keys(NUM_KEYS)
#print("Secret_round_keys:", secret_round_keys)
#digest = sha256_with_secret_round_keys(MSG, secret_round_keys)
#print('MSG Digest: {}'.format(binascii.hexlify(digest).decode()))
sha = sha256.SHA256()
#digest2 = sha.sha256(MSG)
#print('MSG Digest with real SHA-256: {}'.format(binascii.hexlify(digest2).decode()))
r = remote('sharky.2020.ctfcompetition.com', 1337)
r.recvuntil("MSG Digest: ")
final_state = [
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f,
0x9b05688c, 0x1f83d9ab, 0x5be0cd19
]
hh = r.recvline().strip()
#hh = binascii.hexlify(digest).decode() #"39715f0da097fc779d86e4ec5221d19cec1d908d219e725b929ff540158da0c0"
unpacked_digest = []
for i in range(0, len(hh), 8):
unpacked_digest.append(int(hh[i:i + 8], 16))
#print(unpacked_digest)
last_state = [(x - y) % 2**32
import sha256
import struct
from telnetlib import Telnet
remote = Telnet('sharky.2020.ctfcompetition.com', 1337)
remote.read_until(b'MSG Digest: ')
target = bytes.fromhex(remote.read_until(b'\n').strip().decode())
# Processing input blocks
input = b'Encoded with random keys'
sha2 = sha256.SHA256()
state = struct.unpack('>8L', target)
block = sha2.padding(input)
assert len(block) == 64
w = sha2.compute_w(block)
# Undo last 56 rounds with known round constants
state = [(x - y) & 0xffffffff for x, y in zip(state, sha2.h)]
for k in range(63, 7, -1):
state = sha2.decompression_step(state, sha2.k[k], w[k])
# Recover secret round constants
rk = [0] * 8
for k in range(7, -1, -1):
# Make the error propagate to first round
state2 = state[:]
for i in range(k, -1, -1):
state2 = sha2.decompression_step(state2, 0, w[i])
def _benchmark_sha256_hash(message_bytes: int):
_helper_benchmark_hash(sha256.SHA256(), message_bytes)
def _benchmark_sha256_pow(message_bytes: int, zero_bytes: int):
algorithm = sha256.SHA256()
return _helper_benchmark_pow(algorithm, message_bytes, zero_bytes)
def _test_pow_correctness():
print(_benchmark_sha256_pow(3, 2))
print(sha256.SHA256().hash(b'\x01\xb1\x7f'))
print(_benchmark_kupyna_pow(3, 2, 256))
print(kupyna.Kupyna(256).hash(b'\x01\xb1\x7f'))
def test_instance(self):
sha = sha256.SHA256('Hello world!')
self.assertIsNotNone(sha)
def solve_state(self):
"""Tries to solve for not yet known variables in a given state."""
sha = sha256.SHA256()
if self.ch is None and None not in (self.e, self.f, self.g):
self.ch = (self.e & self.f) ^ (~self.e & self.g)
if self.maj is None and None not in (self.a, self.b, self.c):
self.maj = (self.a & self.b) ^ (self.a & self.c) ^ (self.b
& self.c)
if self.sigma0 is None and self.a is not None:
self.sigma0 = (sha.rotate_right(self.a, 2)
^ sha.rotate_right(self.a, 13)
^ sha.rotate_right(self.a, 22))
if self.sigma1 is None and self.e is not None:
self.sigma1 = (sha.rotate_right(self.e, 6)
^ sha.rotate_right(self.e, 11)
^ sha.rotate_right(self.e, 25))
cnt = 0
for x in (self.tmp1, self.h, self.sigma1, self.ch, self.k, self.w):
if x is None:
cnt += 1
if cnt == 1:
if self.tmp1 is None:
self.tmp1 = (self.h + self.sigma1 + self.ch + self.k +
self.w) & 0xffffffff
else:
diff = self.tmp1
for x in (self.h, self.sigma1, self.ch, self.k, self.w):
if x is not None:
diff -= x
diff &= 0xffffffff
if self.h is None:
self.h = diff
if self.sigma1 is None:
self.sigma1 = diff
if self.ch is None:
self.ch = diff
if self.k is None:
self.k = diff
if self.w is None:
self.w = diff
cnt = 0
for x in (self.tmp2, self.tmp1, self.sigma0, self.maj):
if x is None:
cnt += 1
if cnt == 1:
if self.tmp2 is None:
self.tmp2 = (self.tmp1 + self.sigma0 + self.maj) & 0xffffffff
else:
diff = self.tmp2
for x in (self.tmp1, self.sigma0, self.maj):
if x is not None:
diff -= x
diff &= 0xffffffff
if self.tmp1 is None:
self.tmp1 = diff
if self.sigma0 is None:
self.sigma0 = diff
if self.maj is None:
self.maj = diff
cnt = 0
for x in (self.tmp3, self.tmp1, self.d):
if x is None:
cnt += 1
if cnt == 1:
if self.tmp3 is None:
self.tmp3 = (self.d + self.tmp1) & 0xffffffff
elif self.tmp1 is None:
self.tmp1 = (self.tmp3 - self.d) & 0xffffffff
else:
self.d = (self.tmp3 - self.tmp1) & 0xffffffff
