"""Attack block using side-channel leak in padding oracle.""" c2 = ciphertext[16:32] plaintext = b"" dc_string = b"" h = 15 for i in range(1, 17): for j in range(256): c1 = b"A" * h + bytes([j]) if dc_string: for c in dc_string[::-1]: c1 += bytes([c ^ i]) if padding_validation(c1 + c2): dc = j ^ i dc_string += bytes([dc]) plaintext += bytes([dc ^ ciphertext[h]]) break h -= 1 return plaintext[::-1] IV = generate_bytes(16) KEY = generate_bytes(16) ciphertext = IV + padding_oracle() plaintext = b"" for i in range(0, len(ciphertext) - 16, 16): plaintext += attack_block(ciphertext[i:i + 32]) print(plaintext)
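def extract_secret(oracle, offset, keysize):
    """Recover the bytes an encryption oracle appends after caller-chosen input.

    The routine compares one ciphertext block of a short probe against the
    same block of the probe extended with the bytes recovered so far plus one
    candidate byte. A match means the candidate equals the next secret byte.
    This only works when equal plaintext blocks encrypt to equal ciphertext
    blocks (as in ECB mode), which is presumably how the oracle behaves; the
    oracle itself is not shown here. A randomized, authenticated mode with a
    fresh nonce per message removes the block-equality signal this relies on.

    Args:
        oracle: callable taking bytes and returning ciphertext bytes.
        offset: number of filler bytes sent ahead of every probe.
        keysize: block length in bytes, used as the step and slice width.

    Returns:
        The recovered bytes; empty when no candidate ever matched.
    """
    filler = b"A" * offset
    recovered = b""
    # The first 16 bytes of every response are discarded. Presumably that is
    # the block holding the random prefix plus the filler; confirm against the
    # oracle. NOTE(review): this 16 is hard-coded while keysize is a parameter.
    body_len = len(oracle(filler)[16:])
    for start in range(0, body_len, keysize):
        window = slice(start, start + keysize)
        # Shrink the padding one byte at a time so that each unknown byte in
        # turn lands in the last position of the compared block.
        for pad_len in range(keysize - 1, -1, -1):
            probe = filler + b"A" * pad_len
            target = oracle(probe)[16:][window]
            # NOTE(review): only byte values 0..126 are tried, so a secret
            # byte of 127 or above is never matched and is silently skipped.
            for guess in range(127):
                trial = oracle(probe + recovered + bytes([guess]))[16:][window]
                if trial == target:
                    recovered += bytes([guess])
                    # Distinct candidates give distinct blocks under a
                    # deterministic block cipher, so the first match is the
                    # only one; stop instead of querying the remaining values.
                    break
    return recovered


def extract_prefix_secret():
    """Try offsets 0 through 15 and return the first non-empty recovery.

    Returns:
        The recovered secret bytes, or None when every offset yields b"".
    """
    for offset in range(16):
        # Run the extraction once per offset and reuse the result; calling it
        # a second time for the return value doubles the oracle queries.
        secret = extract_secret(encryption_oracle, offset, 16)
        if secret != b"":
            return secret
    return None


# NOTE(review): generate_bytes is defined outside this excerpt; key material
# should come from a CSPRNG (os.urandom or secrets). Confirm that it does.
KEY = generate_bytes(16)
RANDOM_PREFIX = generate_bytes(16)
# print(extract_prefix_secret())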