def attacker2(m):
message1 = util.padding(m[:-BLOCKSIZE], BLOCKSIZE)
mac = m[-BLOCKSIZE:]
my_tx = ';{}:{};'.format(attacker_id, attack_amount).encode('utf-8')
my_tx = util.padding(my_tx, BLOCKSIZE)
m2 = client(attacker_id, [(1,1)], note = util.xor(my_tx, mac))
my_mac = m2[-BLOCKSIZE:]
forged_message = message1 + my_tx + m2[BLOCKSIZE:-BLOCKSIZE]
server(forged_message + my_mac)
def md_hash(message, state_len = STATE_LEN, H = None):
# initial state
h = b''.join([util.int_to_bytes((37*i + 42) % 256) for i in range(state_len)])
if not H:
H = h
M = util.padding(message, AES_BLOCK_SIZE)
for i in range(len(M)//AES_BLOCK_SIZE):
Mi = util.get_ith_block(M, i, AES_BLOCK_SIZE)
H = util.ecb_encrypt(Mi, util.padding(H, AES_BLOCK_SIZE))[0:state_len]
return binascii.hexlify(H)
def generate_many_collisions(rounds):
h = b''.join([util.int_to_bytes((37*i + 42) % 256) for i in range(STATE_LEN)])
colliding_messages = set()
colliding_messages.add(b'')
for i in range(rounds):
new_set = set()
m1, m2, h = find_block_collision(h)
m1 = util.padding(m1, AES_BLOCK_SIZE)
m2 = util.padding(m2, AES_BLOCK_SIZE)
for m in colliding_messages:
new_set.add(m + m1)
new_set.add(m + m2)
colliding_messages = new_set
return colliding_messages
def md_hash(message):
h = initial_state
M = length_padding(message)
for i in range(len(M) // BLOCK_SIZE):
Mi = util.get_ith_block(M, i, BLOCK_SIZE)
h = util.ecb_encrypt(Mi, util.padding(h, BLOCK_SIZE))[0:STATE_LEN]
return binascii.hexlify(h)
def ecb_cbc_oracle(data):
prefix = util.random_byte_string(random.randint(5, 10))
suffix = util.random_byte_string(random.randint(5, 10))
key = util.random_byte_string(16)
data = util.padding(prefix + data + suffix, 16)
mode = random.randint(0, 1)
if mode == 1:
return util.ecb_encrypt(data, key), mode
else:
iv = util.random_byte_string(16)
return util.cbc_encrypt(data, key, iv), mode
def cbc_bitflipping_attack():
ciphertext = cbc_encrypt_surround(b'')
BLOCK_SIZE = 16
num_blocks = len(ciphertext)//BLOCK_SIZE
first_block_ciphertext = util.get_ith_block(ciphertext, 0, BLOCK_SIZE)
second_block_plaintext = b'%20MCs;userdata='
desired_text = util.padding(b';admin=true;', BLOCK_SIZE)
fixed_first_block = b''
for i in range(BLOCK_SIZE):
fixed_first_block += bytes([second_block_plaintext[i]^first_block_ciphertext[i]^desired_text[i]])
fixed_ciphertext = fixed_first_block + ciphertext[BLOCK_SIZE:]
print(cbc_decrypt_surround(fixed_ciphertext))
def ctr_bitflipping_attack():
ciphertext = ctr_encrypt_surround(b'')
BLOCK_SIZE = 16
num_blocks = len(ciphertext) // BLOCK_SIZE
third_block_ciphertext = util.get_ith_block(ciphertext, 2, BLOCK_SIZE)
third_block_plaintext = b';comment2=%20lik'
desired_text = util.padding(b';admin=true;', BLOCK_SIZE)
fixed_third_block = b''
for i in range(BLOCK_SIZE):
fixed_third_block += bytes([
third_block_plaintext[i] ^ third_block_ciphertext[i]
^ desired_text[i]
])
fixed_ciphertext = ciphertext[
0:2 * BLOCK_SIZE] + fixed_third_block + ciphertext[3 * BLOCK_SIZE:]
print(ctr_decrypt_surround(fixed_ciphertext))
def ecb_encrypt_surround(chosen):
key = b'\x01\x1f\x89\x94\x85{\x8e\xa4\xfa\x8e\xc9\xc3{\x1dz\x06'
prefix = b'\xc0NF\x87\xd69\xb7\x11n\\\xd5H\x0c\xee\xe6\xd2\xe9k\xdc\xb9^\x7fk\xff\xectG2gRx\xb2Y5\xd7\xf2}\xecM\xee&\xc7'
secret = 'Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkgaGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBqdXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUgYnkK'
secret = util.base64.b64decode(secret)
return util.ecb_encrypt(util.padding(prefix + chosen + secret, 16), key)
def ecb_encrypt_prepend(prefix):
key = b'\x01\x1f\x89\x94\x85{\x8e\xa4\xfa\x8e\xc9\xc3{\x1dz\x06'
data = 'Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkgaGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBqdXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUgYnkK'
data = base64.b64decode(data)
return util.ecb_encrypt(util.padding(prefix + data, 16), key)
def encrypt_profile_for(email):
plaintext = encode_profile(profile_for(email)).encode('utf-8')
return util.ecb_encrypt(util.padding(plaintext, 16), PROFILE_KEY)
assert '&' not in email and '=' not in email
return {
'email': email,
'uid': 10,
'role': 'user',
}
def encrypt_profile_for(email):
plaintext = encode_profile(profile_for(email)).encode('utf-8')
return util.ecb_encrypt(util.padding(plaintext, 16), PROFILE_KEY)
def decrypt_profile(crypt):
plaintext = util.ecb_decrypt(crypt, PROFILE_KEY)
return decode_profile(util.unpadding(plaintext).decode('utf-8'))
if __name__ == '__main__':
BLOCK_SIZE = 16
admin = util.padding(b'admin', BLOCK_SIZE)
admin_block = util.get_ith_block(
encrypt_profile_for('A' * (BLOCK_SIZE - len('email=')) +
admin.decode('utf-8')), 1, BLOCK_SIZE)
first_block = util.get_ith_block(encrypt_profile_for('*****@*****.**'), 0,
BLOCK_SIZE)
second_block = util.get_ith_block(encrypt_profile_for('*****@*****.**'), 1,
BLOCK_SIZE)
admin_ciphertext = first_block + second_block + admin_block
print(decrypt_profile(admin_ciphertext))
from utilities import util
import binascii
import os
# Challenge 50
original = b"alert('MZA who was that?');\n"
new = b"alert('Ayo, the Wu is back!')\n//"
the_hash = b'296b8d7cb78a243dda4d0a61d33bbdd1'
key = b'YELLOW SUBMARINE'
if __name__ == '__main__':
assert binascii.hexlify(util.cbc_mac(original, key)) == the_hash
my_mac = util.cbc_mac(new, key)
forged_message = util.padding(new, 16) + util.xor(my_mac, original[:16]) + original[16:]
assert binascii.hexlify(util.cbc_mac(forged_message, key)) == the_hash
html = b'<script>\n' + forged_message + b'</script>'
with open('/tmp/test.html', 'wb') as f:
f.write(html)
os.system('open /tmp/test.html')
print('Success!')
def md_hash_instrumented(M, H=initial_state):
for i in range(len(M) // BLOCK_SIZE):
Mi = util.get_ith_block(M, i, BLOCK_SIZE)
H = util.ecb_encrypt(Mi, util.padding(H, BLOCK_SIZE))[0:STATE_LEN]
return binascii.hexlify(H)
import base64 import binascii from utilities import util # Challenge 9 if __name__ == '__main__': string = b'YELLOW SUBMARINE' print(util.padding(string, 16))
