def oracle_cbc(P): request = format_request(P) compressed_request = zlib.compress(request.encode('ascii')) key = util.randbytes(16) iv = util.randbytes(16) cipher = AES.new(key, AES.MODE_CBC, iv) encrypted_request = cipher.encrypt(util.padPKCS7(compressed_request, 16)) return len(encrypted_request)
def encryption_oracle(s): key = util.randbytes(16) cipher = AES.new(key, AES.MODE_ECB) if random.randint(0, 1) == 0: print('Encrypting with ECB') else: print('Encrypting with CBC') IV = util.randbytes(16) cipher = challenge10.CBC(cipher, IV) s = util.randbytes(random.randint(5, 10)) + s + util.randbytes(random.randint(5, 10)) s = util.padPKCS7(s, 16) return cipher.encrypt(s)
def encryption_oracle(s): global key global prefix if key is None: key = util.randbytes(16) if prefix is None: # TODO(akalin): Extend to arbitrary sizes. randcount = random.randint(16, 32) prefix = util.randbytes(randcount) cipher = AES.new(key, AES.MODE_ECB) s = util.padPKCS7(prefix + s + base64.b64decode(challenge12.encodedSuffix), 16) return cipher.encrypt(s)
def encryption_oracle(s): global key if key is None: key = util.randbytes(16) cipher = AES.new(key, AES.MODE_ECB) s = util.padPKCS7(s + base64.b64decode(encodedSuffix), 16) return cipher.encrypt(s)
def oracle_ctr(P): request = format_request(P) compressed_request = zlib.compress(request.encode('ascii')) key = util.randbytes(16) ctr = Counter.new(128) cipher = AES.new(key, AES.MODE_CTR, counter=ctr) encrypted_request = cipher.encrypt(compressed_request) return len(encrypted_request)
def decipher_last_block_previous_byte(iv, s, padding_oracle, knownI, knownP): k = len(knownI) + 1 prefix = util.randbytes(16 - k) for i in range(256): c1 = s[-32:-16] if len(s) > 16 else iv c1p = prefix + bytes([i]) + bytes([ch ^ k for ch in knownI]) sp = s[:-32] + c1p + s[-16:] if padding_oracle(iv, sp): iPrev = i ^ k pPrev = c1[-k] ^ iPrev return (bytes([iPrev] + list(knownI)), bytes([pPrev] + list(knownP))) raise Exception('unexpected')
def frontend_send_message(sender, recipient, amount): global key global last_sent_message if not re.match(b'^[A-Za-z]+$', sender): raise Exception(b'Invalid sender ' + sender) if not re.match(b'^[A-Za-z]+$', recipient): raise Exception(b'Invalid recipient ' + recipient) amount = int(amount) message = b'from=' + sender + b'&to=' + recipient + b'&amount=' + str(amount).encode('ascii') iv = util.randbytes(16) last_sent_message = message + iv + CBC_MAC(key, iv, message) print('C:', last_sent_message) backend_process_message(last_sent_message)
def ciphertext_oracle(): s = base64.b64decode(random.choice(strings)) iv = util.randbytes(16) cipher = challenge10.CBC(AES.new(key, AES.MODE_ECB), iv) return (iv, cipher.encrypt(util.padPKCS7(s, 16)))
import util strings = [ b'MDAwMDAwTm93IHRoYXQgdGhlIHBhcnR5IGlzIGp1bXBpbmc=', b'MDAwMDAxV2l0aCB0aGUgYmFzcyBraWNrZWQgaW4gYW5kIHRoZSBWZWdhJ3MgYXJlIHB1bXBpbic=', b'MDAwMDAyUXVpY2sgdG8gdGhlIHBvaW50LCB0byB0aGUgcG9pbnQsIG5vIGZha2luZw==', b'MDAwMDAzQ29va2luZyBNQydzIGxpa2UgYSBwb3VuZCBvZiBiYWNvbg==', b'MDAwMDA0QnVybmluZyAnZW0sIGlmIHlvdSBhaW4ndCBxdWljayBhbmQgbmltYmxl', b'MDAwMDA1SSBnbyBjcmF6eSB3aGVuIEkgaGVhciBhIGN5bWJhbA==', b'MDAwMDA2QW5kIGEgaGlnaCBoYXQgd2l0aCBhIHNvdXBlZCB1cCB0ZW1wbw==', b'MDAwMDA3SSdtIG9uIGEgcm9sbCwgaXQncyB0aW1lIHRvIGdvIHNvbG8=', b'MDAwMDA4b2xsaW4nIGluIG15IGZpdmUgcG9pbnQgb2g=', b'MDAwMDA5aXRoIG15IHJhZy10b3AgZG93biBzbyBteSBoYWlyIGNhbiBibG93' ] key = util.randbytes(16) def ciphertext_oracle(): s = base64.b64decode(random.choice(strings)) iv = util.randbytes(16) cipher = challenge10.CBC(AES.new(key, AES.MODE_ECB), iv) return (iv, cipher.encrypt(util.padPKCS7(s, 16))) def padding_oracle(iv, s): cipher = challenge10.CBC(AES.new(key, AES.MODE_ECB), iv) paddedT = cipher.decrypt(s) try: t = challenge15.unpadPKCS7(paddedT) except ValueError: return False return True
from Crypto.Util.strxor import strxor_c from Crypto.Util.strxor import strxor import binascii import challenge28 import http.server import socketserver import time import urllib.parse import util PORT = 9000 DELAY = 0.05 blocksize = 64 key = util.randbytes(100) def sha1(x): return challenge28.SHA1(x).digest() def hmacSHA1(key, message): if len(key) > blocksize: key = sha1(key) if len(key) < blocksize: key += b'\x00' * (blocksize - len(key)) opad = strxor_c(key, 0x5c) ipad = strxor_c(key, 0x36) return sha1(opad + sha1(ipad + message))
def confirmECB(encryption_oracle, blocksize): s = util.randbytes(blocksize) * 2 t = encryption_oracle(s) if t[0:blocksize] != t[blocksize:2 * blocksize]: raise Exception('Not using ECB')
def encryption_oracle(plaintext): prefix = util.randbytes(random.randint(4, 20)) cipher = MT19937Cipher(key) return cipher.encrypt(prefix + plaintext)
def confirmECB(encryption_oracle, blocksize): s = util.randbytes(blocksize) * 2 t = encryption_oracle(s) if t[0:blocksize] != t[blocksize : 2 * blocksize]: raise Exception("Not using ECB")
print('C: writing p...') util.writenum(p) print('C: writing g...') util.writenum(g) print('C: writing A...') util.writenum(A) print('C: reading B...') B = util.readnum() s = pow(B, a, p) key = util.derivekey(s) iv = util.randbytes(16) encryptedMessage = util.encrypt(key, iv, message) print('C: writing encrypted message...') util.writebytes(encryptedMessage) print('C: writing iv...') util.writebytes(iv) print('C: reading encrypted message...') encryptedMessage2 = util.readbytes() message2 = util.decrypt(key, iv, encryptedMessage2) if message2 != message: raise Exception(message2 + ' != ' + message) finally: sock.close()
from Crypto.Random import random import challenge28 import struct import util def padSHA1(s): l = len(s) * 8 s += b'\x80' s += b'\x00' * ((56 - (len(s) % 64)) % 64) s += struct.pack('>Q', l) return s keylen = random.randint(0, 100) key = util.randbytes(keylen) def validate(message, digest): return challenge28.authSHA1(key, message) == digest message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon' messageDigest = challenge28.authSHA1(key, message) def forgeHash(keylen, message, digest, suffix): paddedForgedMessageWithKey = padSHA1(key + message) + suffix forgedMessage = paddedForgedMessageWithKey[keylen:] h = struct.unpack('>5I', digest) forgedDigest = challenge28.SHA1(suffix, h[0], h[1], h[2], h[3], h[4], len(paddedForgedMessageWithKey) * 8).digest() return (forgedMessage, forgedDigest) def forgeValidatingHash(maxkeylen, message, digest, suffix): for i in range(maxkeylen): (forgedMessage, forgedDigest) = forgeHash(i, message, digest, suffix)
i += 1 if not statesToIndices: raise Exception('unexpected') s, h = findCollisionInSet(hashFn, iv, blockLength, statesToIndices) return s, statesToIndices[h] def findSecondPreimage(m, hashFn, iv, blockLength, hashLength): blockCount = (len(m) + blockLength - 1) // blockLength k = blockCount.bit_length() prefixState, blocks = makeExpandablePrefix(hashFn, iv, blockLength, k) intermediateStateIter = getIntermediateStates(m, hashFn, iv, blockLength) bridge, collisionBlockCount = findIntermediateStateCollision(hashFn, prefixState, blockLength, hashLength, intermediateStateIter, k) m2 = makeExpandedPrefix(blockLength, blocks, k, collisionBlockCount) + bridge m2 += m[len(m2):] return m2 if __name__ == '__main__': m = util.randbytes(100) h = challenge52.badHash(m, b'') m2 = findSecondPreimage(m, challenge52.badHash, b'', challenge52.badHashBlockLength, challenge52.badHashHashLength) h2 = challenge52.badHash(m2, b'') print(m, m2, h, h2) if len(m2) != len(m): raise Exception('{0} != {1}'.format(len(m2), len(m))) if h2 != h: raise Exception(h2 + b' != ' + h)
def authMD4(key, message): md4obj = md4.md4() md4obj.update(key + message) return md4obj.digest() def padMD4(s): l = len(s) * 8 s += b'\x80' s += b'\x00' * ((56 - (len(s) % 64)) % 64) s += struct.pack("<2I", l & 0xffffffff, (l >> 32) & 0xffffffff) return s keylen = random.randint(0, 100) key = util.randbytes(keylen) def validate(message, digest): return authMD4(key, message) == digest message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon' messageDigest = authMD4(key, message) def forgeHash(keylen, message, digest, suffix): paddedForgedMessageWithKey = padMD4(key + message) + suffix forgedMessage = paddedForgedMessageWithKey[keylen:] h = struct.unpack('<4I', digest) md4obj = md4.md4(h[0], h[1], h[2], h[3])