def value(self):
random_generator = RandomByteGenerator()
key = random_generator.value(self.BLOCK_SIZE)
iv = random_generator.value(self.BLOCK_SIZE)
ciphertext = AES(key).encrypt(self.plaintext, mode=CBC(iv))
oracle = CBCPaddingOracle(key, iv)
return CBCPaddingOracleAttack(oracle).value(ciphertext, iv)
class RandomECB_CBCEncrypter(object):
def __init__(self, block_size):
self.block_size = block_size
self.random_generator = RandomByteGenerator()
def get_mode(self):
# To use after encryption in order to confirm that the oracle works.
return self.mode.name()
def _prepare_plaintext(self, plaintext):
header = self.random_generator.value(random.randint(5,10))
footer = self.random_generator.value(random.randint(5,10))
return '%s%s%s' % (header, plaintext, footer)
def _get_random_mode(self):
if random.random() >= 0.5:
mode = ECB(block_size=self.block_size)
else:
random_iv = self.random_generator.value(self.block_size)
mode = CBC(iv=random_iv, block_size=self.block_size)
return mode
def encrypt(self, plaintext):
plaintext = self._prepare_plaintext(plaintext)
key = self.random_generator.value(self.block_size)
self.mode = self._get_random_mode()
return AES(key).encrypt(plaintext, mode=self.mode)
def value(self):
random_generator = RandomByteGenerator()
key = random_generator.value(self.BLOCK_SIZE)
iv = random_generator.value(self.BLOCK_SIZE)
ciphertext = AES(key).encrypt(self.plaintext, mode=CBC(iv))
oracle = CBCPaddingOracle(key, iv)
return CBCPaddingOracleAttack(oracle).value(ciphertext, iv)
def validate(self):
secret_key = RandomByteGenerator().value(self.BLOCK_SIZE)
secret_iv = RandomByteGenerator().value(self.BLOCK_SIZE)
mode = CBC(secret_iv)
profile_generator = UserProfileGenerator(secret_key, mode)
attack = CBCBitFlippingAttack(profile_generator, self.BLOCK_SIZE)
encrypted_profile = attack.value()
profile = UserProfileParser(secret_key, mode).parse(encrypted_profile)
return ';admin=true' in profile
def _init_cipher_from(self, secret, iv=None):
secret_bytes = IntToBytes(secret).value()
key = SHA1().hash(secret_bytes)[:self.BLOCK_SIZE]
self.iv = RandomByteGenerator().value(self.BLOCK_SIZE) if iv is None\
else iv
self.cipher = AES(key)
self.cipher_mode = CBC(iv=self.iv)
def validate(self):
secret_key = RandomByteGenerator().value(self.BLOCK_SIZE)
mode = CBC(iv=secret_key)
profile_generator = UserProfileGenerator(secret_key, mode)
profile_parser = CustomUserProfileParser(secret_key, mode)
recovered_key = CBCKeyRecoveryAttack(profile_generator,
profile_parser).value()
return recovered_key == secret_key
def value(self):
secret_key = RandomByteGenerator().value(self.BLOCK_SIZE)
profile_generator = UserProfileGenerator(secret_key)
# The secret key is not known by the admin profile generator.
encrypted_profile = AdminUserProfileGenerator(profile_generator).\
value()
profile = UserProfileParser(secret_key).parse(encrypted_profile)
return profile['role']
def validate(self):
secret_key = RandomByteGenerator().value(self.BLOCK_SIZE)
secret_nonce = random.randint(0, 2**64 - 1)
mode = CTR(nonce=secret_nonce)
profile_generator = UserProfileGenerator(secret_key, mode)
attack = CTRBitFlippingAttack(profile_generator, self.BLOCK_SIZE)
encrypted_profile = attack.value()
profile = UserProfileParser(secret_key, mode).parse(encrypted_profile)
return ';admin=true' in profile
def validate(self):
key = RandomByteGenerator().value(20)
sha1mac = HashBasedMAC(key, SHA1)
string_mac = sha1mac.value(self.STRING)
message, mac = SHA1BasedMACMessageForger(sha1mac).\
forge(self.STRING, string_mac, self.TARGET_STRING)
return message.startswith(self.STRING) and\
message.endswith(self.TARGET_STRING) and\
sha1mac.validate(message, mac)
def validate(self):
key = RandomByteGenerator().value(20)
md4mac = HashBasedMAC(key, MD4)
string_mac = md4mac.value(self.STRING)
message, mac = MD4BasedMACMessageForger(md4mac).\
forge(self.STRING, string_mac, self.TARGET_STRING)
return message.startswith(self.STRING) and\
message.endswith(self.TARGET_STRING) and\
md4mac.validate(message, mac)
class Set7Challenge54(MatasanoChallenge):
LENGTH = 50
BLOCK_SIZE = MDHashFunction.block_size()
PREFIX = RandomByteGenerator().value(LENGTH * BLOCK_SIZE)
PREDICTION_LENGTH = 150 * BLOCK_SIZE
def validate(self):
hash_function = BasicHashFunctionFactory.build(16)
attack = NostradamusAttack(hash_function, self.PREDICTION_LENGTH, k=5)
prediction = attack.prediction()
message = attack.for_prefix(self.PREFIX)
return message.startswith(self.PREFIX) and\
hash_function().hash(message) == prediction
def validate(self):
key = RandomByteGenerator().value(self.BLOCK_SIZE)
mac_generator = CBC_MACGenerator(key)
mac_validator = CBC_MAC(key)
message, mac = mac_generator.get_message_and_mac_for(
self.VICTIM_ID, {2: [100]})
# The MAC generator is only meant to be used to generate MACs for
# "attacker-controlled" accounts.
crafted_message, forged_mac = CBC_MACMessageForger(mac_generator).\
forge_from(message, mac)
from_victim = 'from=%d' % self.VICTIM_ID
to_attacker = '%d:1000000' % CBC_MACMessageForger.ACCOUNT_ID
return from_victim in crafted_message and\
to_attacker in crafted_message and\
mac_validator.validate(crafted_message, forged_mac)
class Set4Challenge32(MatasanoChallenge):
STRING = 'foo bar baz'
KEY = RandomByteGenerator().value(50)
TIMING_LEAK = 0.003
def __init__(self):
MatasanoChallenge.__init__(self)
self.hmac = HMAC(self.KEY, SHA1).value(self.STRING)
def expected_value(self):
return self.hmac
def value(self):
with TimeLeakingWebServer(self.STRING, self.hmac, self.TIMING_LEAK)\
as server:
return HMACCrackerForReducedTimeLeak(server).crack()
class Set7Challenge51Base(MatasanoChallenge):
# This length corresponds to the length of the cookie used in the challenge.
# For greater lengths, the algorithm used here does not seem to work
# properly. However, it might be fixed by using symbols of greater size
# (e.g., combinations of three characters instead of two) and just keeping
# the first character of each candidate symbol on each iteration. The
# downside of this is that the running time increases exponentially.
COOKIE_SIZE = 32
COOKIE = RandomByteGenerator().value(COOKIE_SIZE)
def __init__(self):
MatasanoChallenge.__init__(self)
self.cookie = Base64Encoder().encode(self.COOKIE)
def expected_value(self):
return self.cookie
def value(self):
return self._get_attack().value()
def _get_attack(self):
raise NotImplementedError
def _init_state(self):
self.b = random.randint(1, self.MAX_INT)
self.salt = RandomByteGenerator().value()
hashed_password = self.sha256.hash(self.salt + self.password)
integer = self._to_int(hashed_password)
self.v = self.modexp.value(self.G, integer)
def __init__(self, hash_function):
self.hash_function = hash_function
self.resumable_hash = ResumableMDHash(hash_function).value()
self.block_size = self.resumable_hash.block_size()
self.byte_generator = RandomByteGenerator()
def _encrypt(self, plaintexts):
key = RandomByteGenerator().value(self.BLOCK_SIZE)
aes = AES(key)
return map(lambda text: aes.encrypt(text, mode=CTR(nonce=0)).bytes(),
plaintexts)
def _encrypt(self, message):
key = RandomByteGenerator().value(BlockCipherMode.DEFAULT_BLOCK_SIZE)
cipher = AES(key)
mode = self._get_encryption_mode()
return cipher.encrypt(message, mode=mode)
def __init__(self):
key = RandomByteGenerator().value(self.BLOCK_SIZE)
self.cipher = AES(key)
self.trailing_string = self._decode_trailing_string()
def __init__(self):
self.key = random.randint(0, 65535)
self.cipher = MersenneTwisterCipher(self.key)
prefix_size = random.randint(1, 50)
self.prefix = RandomByteGenerator().value(prefix_size)
def _get_encryption_mode(self):
iv = RandomByteGenerator().value(CBC.DEFAULT_BLOCK_SIZE)
return CBC(iv)
def value(self):
key = RandomByteGenerator().value(self.BLOCK_SIZE)
cipher = RandomAccessAES(key)
ciphertext = cipher.encrypt(self.plaintext, nonce=0)
return RandomAccessAESDecrypter(cipher).decrypt(ciphertext)
def validate(self):
key = RandomByteGenerator().value()
sha1mac = HashBasedMAC(key, SHA1)
valid_mac_ok = self._check_valid_mac(sha1mac)
invalid_mac_ok = self._check_invalid_mac(sha1mac)
return valid_mac_ok and invalid_mac_ok
def __init__(self):
ECBEncryptionOracle.__init__(self)
self.random_prefix = RandomByteGenerator().value()
def _build_padding(self, size):
byte_generator = RandomByteGenerator()
padding = byte_generator.value(size)
return padding.replace('\x00', byte_generator.value(1))
def encrypt(self, message):
key = RandomByteGenerator().value(self.RC4_KEY_SIZE)
return RC4(key).encrypt(message + self.suffix)
def __init__(self, block_size):
self.block_size = block_size
self.random_generator = RandomByteGenerator()
