def encryption_oracle(): key = random_integer(0, 2**16 - 1) prefix = crypto_random_bytes(random_integer(0, 200)) message = prefix + b"A" * 14 ciphertext = cipher_encrypt(message, key) return key, ciphertext
def generate_keys(self, subgroup=False): if not subgroup: self.secret_key = random_integer(0, self.p - 1) self.public_key = modexp(self.g, self.secret_key, self.p) else: self.secret_key = random_integer(0, self.q) self.public_key = modexp(self.g, self.secret_key, self.p)
def mitm_pose_as_server(self): self.mitm_salt = random_integer(0, 2**32) self.mitm_b = random_integer(0, self.N - 1) self.mitm_server_pub_key = pow(self.g, self.mitm_b, self.N) self.mitm_u = random_integer(1, 2**128 - 1) return (self.mitm_salt, self.mitm_server_pub_key, self.mitm_u)
def encryption_oracle_ecb_cbc(bt): key = crypto_random_bytes(16) iv = crypto_random_bytes(16) mode = choice(['ecb', 'cbc']) begin_pad = crypto_random_bytes(random_integer(5, 10)) end_pad = crypto_random_bytes(random_integer(5, 10)) to_encrypt = pad_to_mod_16(begin_pad + bt + end_pad) if mode == 'ecb': ciphertext = encrypt_aes_128_ecb(to_encrypt, key) else: ciphertext = encrypt_aes_cbc(to_encrypt, key, iv) # do not cheat, use mode for validation only return ciphertext, mode
def sign(self, message): h = int(hashlib.sha1(message).hexdigest(), 16) k = random_integer(2, self.q-1) r = pow(self.g, k, self.p) % self.q s = (modinv(k, self.q) * (h + self.x * r)) % self.q #if r == 0 or s == 0: # return self.sign(message) return (r,s)
def sign(self, message): h = int(hashlib.sha1(message).hexdigest(), 16) k = random_integer(2, self.q - 1) r = pow(self.g, k, self.p) % self.q s = (modinv(k, self.q) * (h + self.x * r)) % self.q if r == 0 or s == 0: print 'trying to sign again' return self.sign(message) else: return (r, s)
def __init__(self): self.N = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919 self.g = 2 self.k = 3 self.I = '*****@*****.**' self.P = 'secure_password' self.salt = random_integer(0, 2**32) s = str(self.salt) + self.P xH = hashlib.sha256(s.encode('ascii')).hexdigest() x = int(xH, 16) self.v = pow(self.g, x, self.N)
def exploit_oracle(ciphertext): n = ORACLE_KEY.N e = ORACLE_KEY.e s = random_integer(2, n-1) crafted_c = (pow(s, e, n) * ciphertext) % n crafted_p = unpadded_message_oracle(crafted_c) crafted_p = rsa_string_to_integer(crafted_p) plaintext = (crafted_p * modinv(s, n)) % n return rsa_integer_to_string(plaintext)
def trick_bob_to_communicate(bob, r): h = 1 while h == 1: r_int = random_integer(1, p) h = pow(r_int, (p - 1) / r, p) bob.compute_shared_secret(h) m = "crazy flamboyant for the rap enjoyment" + "\x10" * 10 _, iv = bob.send_encrypted_message(m) t = bob.send_mac(m) return h, m, t
def main(): test_cipher() key, ciphertext = encryption_oracle() key_found = break_mt19937_stream_cipher(ciphertext) assert key == key_found, 'breaking stream cipher not working properly' token = generate_password_reset_token() assert analyze_password_reset_token(token) == True random_token = random_integer(0, 2**32 - 1) assert analyze_password_reset_token(random_token) == False print("challenge 3.24 completed.")
def main(): alice = HonestCryptographer(p, g, q=q) bob = HonestCryptographer(p, g, q=q) alice.generate_keys(subgroup=True) bob.generate_keys(subgroup=True) #### subchallenge 1 #### y = 7760073848032689505395005705677365876654629189298052775754597607446617558600394076764814236081991643094239886772481052254010323780165093955236429914607119 x = brute_force_dlp(y) print "Brute forced DLP: %s" % x a, b = 0, 2**20 x = wild_kangaroo(a, b, y, g) print "Pollard kangaroo method DLP (subchallenge 1): %s" % x #### subchallenge 2 #### y = 9388897478013399550694114614498790691034187453089355259602614074132918843899833277397448144245883225611726912025846772975325932794909655215329941809013733 a, b = 0, 2**40 x = wild_kangaroo(a, b, y, g) print "Pollard kangaroo method DLP (subchallenge 2): %s" % x assert pow(g, 359579674340, p) == y #### subchallenge 3 - extra info #### r = random_integer(2, q - 1) n = bob.secret_key % r y_, g_ = transform(bob.public_key, r, n) m = wild_kangaroo(0, (q - 1) / r, y_, g_) x = n + r * m if x == bob.secret_key: print("challenge 7.58 completed.") else: print("challenge 7.58 failed.")
def send_salt_pub_key(self): self.b = random_integer(0, self.N - 1) self.B = pow(self.g, self.b, self.N) self.u = random_integer(1, 2**128 - 1) return (self.salt, self.B, self.u)
def forge_signature(y): z = random_integer(1, 2**16) r = pow(y, z, P) % Q s = (r * modinv(z, Q)) % Q return (r, s)
def send_salt_pub_key(self): self.b = random_integer(0, self.N - 1) self.B = (self.k * self.v + pow(self.g, self.b, self.N)) % self.N return (self.salt, self.B)
def generate_keys(self): self.x = random_integer(1, self.q - 1) self.y = pow(self.g, self.x, self.p)
def send_email_pub_key(self): self.a = random_integer(0, self.N - 1) self.A = pow(self.g, self.a, self.N) return (self.I, self.A)
from pkcs7_padding import pad_to_mod_16 from ecb_cbc_detection_oracle import detection_oracle import byte_at_a_time_ecb_decryption_simple as byte_at_a_time_simple from utils import chunks_of_bytearray from itertools import groupby oracle_key = crypto_random_bytes(16) secret_b64_string = ''' Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkg aGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBq dXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUg YnkK ''' secret = base64_to_bytearray(secret_b64_string) padding = crypto_random_bytes(random_integer(1, 30)) def encryption_oracle_ecb(plaintext): to_encrypt = pad_to_mod_16(padding + plaintext + secret) return encrypt_aes_128_ecb(to_encrypt, oracle_key) def _check_magic_blocks_number(magic, ct, block_size): blocks = chunks_of_bytearray(ct, block_size) repeating_blocks_grouped = [list(j) for i, j in groupby(blocks)] repeating_blocks_sizes = [len(i) for i in repeating_blocks_grouped] # padding is multiple of block_size if magic in repeating_blocks_sizes: # find the position of the first magic block
def send_email_pub_key(self): m = random_integer(0, 10) return (self.I, self.N * m)
import sys sys.path.insert(0, '../set_1_basics') sys.path.insert(0, '../set_2_block_crypto') sys.path.insert(0, '../set_3_block_stream_crypto') from utils import crypto_random_bytes, random_integer, chunks_of, string_to_bytearray import sha1_keyed_mac as sha1_km import struct key = crypto_random_bytes(random_integer(8, 64)) def sign(message): return sha1_km.sha1_keyed_mac(key, message) def verify_signature(sig, message): return sig == sha1_km.sha1_keyed_mac(key, message) def verify_signature_admin(sig, message): return verify_signature(sig, message) and b"admin=true" in message def get_sha_registers_from_signature(signature_hex): ch = list(chunks_of(signature_hex, 8)) h0 = int("".join(ch[0]), 16) h1 = int("".join(ch[1]), 16) h2 = int("".join(ch[2]), 16) h3 = int("".join(ch[3]), 16) h4 = int("".join(ch[4]), 16)