def SRP_step5(state):
xH = sha256(intToBytes(state["salt"]) + state["P"]).hexdigest()
x = int(xH, 16)
S = mypow((state["B"] - state["k"] * mypow(state["g"], x, state["p"])),
(state["a"] + state["u"] * x), state["p"])
state["C_K"] = sha256(intToBytes(S)).digest()
return state
def message5_5_gp1(state):
# (p-1) is essentially (-1)
# B's secret is (-1)^b which is either (+1) or (-1) (and also B)
# A's secret is (-1)^b^a, which is either (+1) or (-1),
# but not necessarily the same as B's secret
# thus, we may need to modify cipher
# use CBC padding to check validity of key
# check validity of cbc padding to determine which
# B's secret
cipherkey_plus1, mackey_plus1 = secretToKeys(intToBytes(1))
cipherkey_minus1, mackey_minus1 = secretToKeys(intToBytes(state["p"] - 1))
plain_plus1 = aes_cbc_dec(state["a_cipher"], cipherkey_plus1,
state["a_iv"])
plain_minus1 = aes_cbc_dec(state["a_cipher"], cipherkey_minus1,
state["a_iv"])
plain = None
try:
plain = checkAndRemovePKCS7Padding(plain_plus1)
state["m_key_a"] = cipherkey_plus1
except ValueError:
plain = checkAndRemovePKCS7Padding(plain_minus1)
state["m_key_a"] = cipherkey_minus1
state["m_plain_a"] = plain
# encrypt to B's key
state["m_key_b"], b_mackey = secretToKeys(intToBytes(state["B"]))
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(plain, 16),
state["m_key_b"], state["a_iv"])
return state
def message5_5_gp1(state):
# (p-1) is essentially (-1)
# B's secret is (-1)^b which is either (+1) or (-1) (and also B)
# A's secret is (-1)^b^a, which is either (+1) or (-1),
# but not necessarily the same as B's secret
# thus, we may need to modify cipher
# use CBC padding to check validity of key
# check validity of cbc padding to determine which
# B's secret
cipherkey_plus1, mackey_plus1 = secretToKeys(intToBytes(1));
cipherkey_minus1, mackey_minus1 = secretToKeys(intToBytes(state["p"]-1));
plain_plus1 = aes_cbc_dec(state["a_cipher"], cipherkey_plus1, state["a_iv"])
plain_minus1 = aes_cbc_dec(state["a_cipher"], cipherkey_minus1, state["a_iv"])
plain = None;
try:
plain = checkAndRemovePKCS7Padding(plain_plus1)
state["m_key_a"] = cipherkey_plus1
except ValueError:
plain = checkAndRemovePKCS7Padding(plain_minus1)
state["m_key_a"] = cipherkey_minus1
state["m_plain_a"] = plain;
# encrypt to B's key
state["m_key_b"], b_mackey = secretToKeys(intToBytes(state["B"]))
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(plain, 16), state["m_key_b"], state["a_iv"]);
return state;
def message4_5(state):
# message 3.5 in the opposite order
cipherkey, mackey = secretToKeys(intToBytes(state["B"]))
plain = removePKCS7Padding(aes_cbc_dec(state["b_cipher"], cipherkey, state["b_iv"]));
cipherkey, mackey = secretToKeys(intToBytes(state["A"]))
cipher = aes_cbc_enc(addPKCS7Padding(plain, 16), cipherkey, state["b_iv"]);
state["b_cipher"] = cipher;
return state;
def message4_5(state):
# message 3.5 in the opposite order
cipherkey, mackey = secretToKeys(intToBytes(state["B"]))
plain = removePKCS7Padding(
aes_cbc_dec(state["b_cipher"], cipherkey, state["b_iv"]))
cipherkey, mackey = secretToKeys(intToBytes(state["A"]))
cipher = aes_cbc_enc(addPKCS7Padding(plain, 16), cipherkey, state["b_iv"])
state["b_cipher"] = cipher
return state
def message3_5(state):
# A's secret is p^a = (g^1) ^ a = A
cipherkey, mackey = secretToKeys(intToBytes(state["A"]))
plain = removePKCS7Padding(aes_cbc_dec(state["a_cipher"], cipherkey, state["a_iv"]));
# B's secret is p^b = (g^1)^b = B
cipherkey, mackey = secretToKeys(intToBytes(state["B"]))
cipher = aes_cbc_enc(addPKCS7Padding(plain, 16), cipherkey, state["a_iv"]);
state["a_cipher"] = cipher;
return state;
def message3_5(state):
# A's secret is p^a = (g^1) ^ a = A
cipherkey, mackey = secretToKeys(intToBytes(state["A"]))
plain = removePKCS7Padding(
aes_cbc_dec(state["a_cipher"], cipherkey, state["a_iv"]))
# B's secret is p^b = (g^1)^b = B
cipherkey, mackey = secretToKeys(intToBytes(state["B"]))
cipher = aes_cbc_enc(addPKCS7Padding(plain, 16), cipherkey, state["a_iv"])
state["a_cipher"] = cipher
return state
def message4_5(state):
# message 3.5 in the opposite order
cipherkey, mackey = secretToKeys(intToBytes(state["B"]))
plain = removePKCS7Padding(aes_cbc_dec(state["b_cipher"], cipherkey, state["b_iv"]));
cipherkey, mackey = secretToKeys(intToBytes(state["A"]))
cipher = aes_cbc_enc(addPKCS7Padding(plain, 16), cipherkey, state["b_iv"]);
state["b_cipher"] = cipher;
print("B->M Send AES-CBC(SHA1(s)[0:16], iv=random(16), A's msg) + iv");
print("M->A Relay that to A");
#print(state);
print('-'*64);
return state;
def message3_5(state):
# A's secret is p^a = (g^1) ^ a = A
cipherkey, mackey = secretToKeys(intToBytes(state["A"]))
plain = removePKCS7Padding(aes_cbc_dec(state["a_cipher"], cipherkey, state["a_iv"]));
# B's secret is p^b = (g^1)^b = B
cipherkey, mackey = secretToKeys(intToBytes(state["B"]))
cipher = aes_cbc_enc(addPKCS7Padding(plain, 16), cipherkey, state["a_iv"]);
state["a_cipher"] = cipher;
print("A->M Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv");
#print(state);
print('-'*64);
return state;
def try_simplified_SRP_password(state, guess):
# hmac(K, salt) =
# hmac(sha256(S), salt) =
# hmac(sha256((A * v ** u)**b % n), salt) =
# hmac(sha256((A * ((g**x)** u))**b % n), salt) =
# hmac(sha256((A * ((g**SHA256(salt|password))** u))**b % n), salt) =
# and now we're down to thinks we know (minus password)
x = sha256(intToBytes(state["salt"]) + guess).hexdigest();
v = mypow(state["g"], int(x, 16), state["p"]);
v_u = mypow(v, state["u"], state["p"]);
S = mypow(state["A"] * v_u, state["b"], state["p"]);
mychal = myhmac(sha256, sha256(intToBytes(S)).digest(), intToBytes(state["salt"]));
return mychal == state["challenge"];
def message3_5(state):
# A's secret is p^a = (g^1) ^ a = A
cipherkey, mackey = secretToKeys(intToBytes(state["A"]))
plain = removePKCS7Padding(
aes_cbc_dec(state["a_cipher"], cipherkey, state["a_iv"]))
# B's secret is p^b = (g^1)^b = B
cipherkey, mackey = secretToKeys(intToBytes(state["B"]))
cipher = aes_cbc_enc(addPKCS7Padding(plain, 16), cipherkey, state["a_iv"])
state["a_cipher"] = cipher
print(
"A->M Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv")
#print(state);
print('-' * 64)
return state
def message4_5(state):
# message 3.5 in the opposite order
cipherkey, mackey = secretToKeys(intToBytes(state["B"]))
plain = removePKCS7Padding(
aes_cbc_dec(state["b_cipher"], cipherkey, state["b_iv"]))
cipherkey, mackey = secretToKeys(intToBytes(state["A"]))
cipher = aes_cbc_enc(addPKCS7Padding(plain, 16), cipherkey, state["b_iv"])
state["b_cipher"] = cipher
print(
"B->M Send AES-CBC(SHA1(s)[0:16], iv=random(16), A's msg) + iv"
)
print("M->A Relay that to A")
#print(state);
print('-' * 64)
return state
def message5(state):
message = b"Thomas, he's the cheeky one. James is vain but lots of fun!";
secret = mypow(state["B"], state["a"], group5_p);
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(secret));
state["a_iv"] = generateAESKey();
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"], state["a_iv"]);
return state;
def message5(state):
message = b"Thomas, he's the cheeky one. James is vain but lots of fun!"
secret = mypow(state["B"], state["a"], group5_p)
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(secret))
state["a_iv"] = generateAESKey()
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(message, 16),
state["a_cipherkey"], state["a_iv"])
return state
def message5(state):
message = b"Thomas, he's the cheeky one. James is vain but lots of fun!";
secret = mypow(state["B"], state["a"], group5_p);
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(secret));
state["a_iv"] = generateAESKey();
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"], state["a_iv"]);
print('A->B Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv');
return state;
def SRP_step1(state):
salt = randrange(2, state["p"] - 2)
xH = sha256(intToBytes(salt) + state["P"]).hexdigest()
x = int(xH, 16)
v = mypow(state["g"], x, state["p"])
state["v"] = v
state["salt"] = salt
return state
def SRP_step1(state):
salt = randrange(2, state["p"]-2);
xH = sha256(intToBytes(salt) + state["P"]).hexdigest();
x = int(xH, 16);
v = mypow(state["g"], x, state["p"]);
state["v"] = v;
state["salt"] = salt;
return state;
def message3(state):
a_shared = mypow(state["B"], state["a"], state["p"]);
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(a_shared));
a_iv = generateAESKey();
message = b"mary had a little lamb"
a_cipher = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"], a_iv);
state["a_cipher"] = a_cipher;
state["a_iv"] = a_iv;
return state;
def message5(state):
message = b"Thomas, he's the cheeky one. James is vain but lots of fun!"
secret = mypow(state["B"], state["a"], group5_p)
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(secret))
state["a_iv"] = generateAESKey()
state["a_cipher"] = aes_cbc_enc(addPKCS7Padding(message, 16),
state["a_cipherkey"], state["a_iv"])
print(
'A->B Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv')
return state
def message6(state):
secret = mypow(state["A"], state["b"], state["p"]);
state["b_cipherkey"], state["b_mackey"] = secretToKeys(intToBytes(secret));
b_iv = generateAESKey();
received_message = removePKCS7Padding(aes_cbc_dec(state["a_cipher"], state["b_cipherkey"], state["a_iv"]));
b_cipher = aes_cbc_enc(addPKCS7Padding(received_message, 16), state["b_cipherkey"], b_iv);
state["b_cipher"] = b_cipher;
state["b_iv"] = b_iv;
state["b_received_plain"] = received_message;
return state;
def message3(state):
a_shared = mypow(state["B"], state["a"], state["p"])
state["a_cipherkey"], state["a_mackey"] = secretToKeys(
intToBytes(a_shared))
a_iv = generateAESKey()
message = b"mary had a little lamb"
a_cipher = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"],
a_iv)
state["a_cipher"] = a_cipher
state["a_iv"] = a_iv
return state
def message6(state):
secret = mypow(state["A"], state["b"], state["p"]);
state["b_cipherkey"], state["b_mackey"] = secretToKeys(intToBytes(secret));
b_iv = generateAESKey();
received_message = removePKCS7Padding(aes_cbc_dec(state["a_cipher"], state["b_cipherkey"], state["a_iv"]));
b_cipher = aes_cbc_enc(addPKCS7Padding(received_message, 16), state["b_cipherkey"], b_iv);
state["b_cipher"] = b_cipher;
state["b_iv"] = b_iv;
state["b_received_plain"] = received_message;
print("B->A Send AES-CBC(SHA1(s)[0:16], iv=random(16), A's msg) + iv");
return state;
def message3(state):
a_shared = mypow(state["B"], state["a"], state["p"]);
state["a_cipherkey"], state["a_mackey"] = secretToKeys(intToBytes(a_shared));
a_iv = generateAESKey();
message = b"mary had a little lamb"
a_cipher = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"], a_iv);
state["a_cipher"] = a_cipher;
state["a_iv"] = a_iv;
print("3.A->B Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv");
#print(state);
print('-'*64);
return state;
def message6(state):
secret = mypow(state["A"], state["b"], state["p"])
state["b_cipherkey"], state["b_mackey"] = secretToKeys(intToBytes(secret))
b_iv = generateAESKey()
received_message = removePKCS7Padding(
aes_cbc_dec(state["a_cipher"], state["b_cipherkey"], state["a_iv"]))
b_cipher = aes_cbc_enc(addPKCS7Padding(received_message, 16),
state["b_cipherkey"], b_iv)
state["b_cipher"] = b_cipher
state["b_iv"] = b_iv
state["b_received_plain"] = received_message
return state
def check_protocol_g1(state):
# B's public key is 1^b = 1.
# A's secret is (1)^a = 1.
# B's secret is (1)^b = 1
# In this case, Mallory doesn't need to modify ciphers,
# becasue A and B have the same shared secret.
# But Mallory gets to know their messages (and potentially
# inject her own)
m_secret = 1;
m_cipherkey, m_mackey = secretToKeys(intToBytes(m_secret));
m_plain_a = removePKCS7Padding(aes_cbc_dec(state["a_cipher"], m_cipherkey, state["a_iv"]));
m_plain_b = removePKCS7Padding(aes_cbc_dec(state["b_cipher"], m_cipherkey, state["b_iv"]));
assert(m_plain_a == state["a_received_plain"]);
assert(m_plain_b == state["b_received_plain"]);
def message3(state):
a_shared = mypow(state["B"], state["a"], state["p"])
state["a_cipherkey"], state["a_mackey"] = secretToKeys(
intToBytes(a_shared))
a_iv = generateAESKey()
message = b"mary had a little lamb"
a_cipher = aes_cbc_enc(addPKCS7Padding(message, 16), state["a_cipherkey"],
a_iv)
state["a_cipher"] = a_cipher
state["a_iv"] = a_iv
print("3.A->B Send AES-CBC(SHA1(s)[0:16], iv=random(16), msg) + iv")
#print(state);
print('-' * 64)
return state
def message6(state):
secret = mypow(state["A"], state["b"], state["p"])
state["b_cipherkey"], state["b_mackey"] = secretToKeys(intToBytes(secret))
b_iv = generateAESKey()
received_message = removePKCS7Padding(
aes_cbc_dec(state["a_cipher"], state["b_cipherkey"], state["a_iv"]))
b_cipher = aes_cbc_enc(addPKCS7Padding(received_message, 16),
state["b_cipherkey"], b_iv)
state["b_cipher"] = b_cipher
state["b_iv"] = b_iv
state["b_received_plain"] = received_message
print(
"B->A Send AES-CBC(SHA1(s)[0:16], iv=random(16), A's msg) + iv"
)
return state
def check_protocol_g1(state):
# B's public key is 1^b = 1.
# A's secret is (1)^a = 1.
# B's secret is (1)^b = 1
# In this case, Mallory doesn't need to modify ciphers,
# becasue A and B have the same shared secret.
# But Mallory gets to know their messages (and potentially
# inject her own)
m_secret = 1
m_cipherkey, m_mackey = secretToKeys(intToBytes(m_secret))
m_plain_a = removePKCS7Padding(
aes_cbc_dec(state["a_cipher"], m_cipherkey, state["a_iv"]))
m_plain_b = removePKCS7Padding(
aes_cbc_dec(state["b_cipher"], m_cipherkey, state["b_iv"]))
assert (m_plain_a == state["a_received_plain"])
assert (m_plain_b == state["b_received_plain"])
def client0_SRP():
state = { "p" : SRP_p,
"g" : SRP_g,
"k" : SRP_k,
"I" : b"*****@*****.**",
"P" : b'GANDALF THE GREY'}
state = SRP_step1(state);
state = SRP_step2(state);
state["A"] = 0;
state = SRP_step3(state);
state = SRP_step4(state);
#state = SRP_step5(state);
'''Step 5 is the one in the client would use the password.
This client doesn't know the password, but instead does:'''
state["C_K"] = sha256(intToBytes(0)).digest();
state = SRP_step6(state);
state = SRP_step7(state);
assert(SRP_validate(state));
def SRP_step5(state):
xH = sha256(intToBytes(state["salt"]) + state["P"]).hexdigest();
x = int(xH, 16);
S = mypow((state["B"] - state["k"] * mypow(state["g"], x, state["p"])), (state["a"] + state["u"] * x), state["p"]);
state["C_K"] = sha256(intToBytes(S)).digest();
return state;
def simplified_SRP_step6(state):
state["challenge"] = myhmac(sha256, state["C_K"], intToBytes(state["salt"]));
return state;
def SRP_validate(state):
expected = myhmac(sha256, state["S_K"], intToBytes(state["salt"]));
return expected == state["challenge"];
def simplified_SRP_step5(state):
S = mypow(state["A"] * mypow(state["v"], state["u"], state["p"]), state["b"], state["p"]);
state["S_K"] = sha256(intToBytes(S)).digest();
return state;
def SRP_step4(state):
uH = sha256(intToBytes(state["A"]) + intToBytes(state["B"])).hexdigest();
state["u"] = int(uH, 16);
return state;
def SRP_step7(state):
state["challenge"] = myhmac(sha256, state["C_K"],
intToBytes(state["salt"]))
return state
def SRP_validate(state):
expected = myhmac(sha256, state["S_K"], intToBytes(state["salt"]))
return expected == state["challenge"]
def SRP_step6(state):
S = mypow(state["A"] * mypow(state["v"], state["u"], state["p"]), state["b"], state["p"]);
state["S_K"] = sha256(intToBytes(S)).digest();
return state;
def SRP_step4(state):
uH = sha256(intToBytes(state["A"]) + intToBytes(state["B"])).hexdigest()
state["u"] = int(uH, 16)
return state
def SRP_step7(state):
state["challenge"] = myhmac(sha256, state["C_K"], intToBytes(state["salt"]));
return state;
def SRP_step6(state):
S = mypow(state["A"] * mypow(state["v"], state["u"], state["p"]),
state["b"], state["p"])
state["S_K"] = sha256(intToBytes(S)).digest()
return state
def simplified_SRP_step4(state):
x = sha256(intToBytes(state["salt"]) + state["P"]).hexdigest();
S = mypow(state["B"], state["a"] + state["u"] * int(x, 16), state["p"]);
state["C_K"] = sha256(intToBytes(S)).digest();
return state;