def f1(plaintext): block_len = 16 global key global IV aes_ecb = AES.new(key, AES.MODE_ECB) sanitised = plaintext.replace(";", "';'").replace("=", "'='") # A new block starts right after userdata= data = "comment1=cooking%20MCs;userdata=" + sanitised + ";comment2=%20like%20a%20pound%20of%20bacon" return cbc_encrypt(aes_ecb, bytearray(data, "ascii"), IV)
def f1(): block_len = 16 global key data = INPUT[randint(0, len(INPUT) - 1)] #padding is added by the encryption function key = random_aes_key(16) iv = random_aes_key(16) aes_ecb = AES.new(key, AES.MODE_ECB) return (cbc_encrypt(aes_ecb, bytearray(data, "ascii"), iv), iv)
def encryption_oracle(plaintext): block_len = 16 key = random_aes_key(block_len) aes_ecb = AES.new(key, AES.MODE_ECB) data = bytearray(random_str(5, 10)) data.extend(bytearray(plaintext, "ascii")) data.extend(random_str(5, 10)) if randint(0, 1) == 0: #ECB data = bytes(pkcs7_add( data, block_len)) #turning into bytes so aes_ecb won't bitch test = (aes_ecb.encrypt(data), "ECB") else: #CBC iv = random_aes_key(block_len) test = (cbc_encrypt(aes_ecb, data, iv), "CBC") #Detection if detect_ecb(test[0]): print("ECB detected!") else: print("Guessed \"%s\" as CBC" % (test[1], ))
def f1(plaintext): global key aes_ecb = AES.new(key, AES.MODE_ECB) return cbc_encrypt(aes_ecb, plaintext, IV)
def main(): p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff g = 2 ################################################################################ ###### MITM attack - Scenario 01: g = 1 ################################################################################ #User A generates A a = randint(0, p) A = pow(g, a, p) #User A sends (p,g,A) to M m_data = (p, g, A) #Use M send (p,g,A) to M g_m = 1 b_data = (p, g_m, A) #User B generates B b = randint(0, b_data[0]) B = pow(b_data[1], b, b_data[0]) #the result will be 1 #User B sends B to M m_data2 = B a_data = m_data2 #let's send this 1 forward #User A calculates s, iv, key and encrypt a message #print a_data s_a = pow(a_data, a, p) #s_a = 1 #print s_a iv_a = random_aes_key(16) msg_a = bytearray("Super Secret Stuff123", "ascii") #print hex(s_a) key_a = sha1(int_to_bytes(s_a))[:16] aes_ecb_a = AES.new(key_a, AES.MODE_ECB) enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a) #test = cbc_decrypt(aes_ecb_a, enc_a, iv_a) #print test #User A sends encrypted message and iv to M m_data3 = enc_a + iv_a #M can recalculate the key and decrypt the message: key_m = sha1(b"\x01")[:16] #print key_m aes_ecb_m = AES.new(key_m, AES.MODE_ECB) msg_m = cbc_decrypt(aes_ecb_m, m_data3[:-16], m_data3[-16:], validation=True) #M knows the message (DONE) print("Retrieved by M (scenario 1):", msg_m) ################################################################################ ###### MITM attack - Scenario 02: g = p ################################################################################ #User A generates A a = randint(0, p) A = pow(g, a, p) #User A sends (p,g,A) to M m_data = (p, g, A) #Use M send (p,g,A) to M g_m = p b_data = (p, g_m, A) #User B generates B b = randint(0, b_data[0]) B = pow(b_data[1], b, b_data[0]) #the result will be 0 #User B sends B to M m_data2 = B a_data = m_data2 #let's send this 0 forward #User A calculates s, iv, key and encrypt a message #print a_data s_a = pow(a_data, a, p) #s_a = 0 #print s_a iv_a = random_aes_key(16) msg_a = bytearray("Super Secret Stuff123", "ascii") #print hex(s_a) key_a = sha1(int_to_bytes(s_a))[:16] aes_ecb_a = AES.new(key_a, AES.MODE_ECB) enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a) #test = cbc_decrypt(aes_ecb_a, enc_a, iv_a) #print test #User A sends encrypted message and iv to M m_data3 = enc_a + iv_a #M can recalculate the key and decrypt the message: key_m = sha1(b'\x00')[:16] #print key_m aes_ecb_m = AES.new(key_m, AES.MODE_ECB) msg_m = cbc_decrypt(aes_ecb_m, m_data3[:-16], m_data3[-16:], validation=True) #M knows the message (DONE) print("Retrieved by M (scenario 2):", msg_m) ################################################################################ ###### MITM attack - Scenario 03: g = p-1 ################################################################################ #User A generates A a = randint(0, p) A = pow(g, a, p) #User A sends (p,g,A) to M m_data = (p, g, A) #Use M send (p,g,A) to M g_m = p - 1 b_data = (p, g_m, A) #User B generates B b = randint(0, b_data[0]) B = pow(b_data[1], b, b_data[0]) #(p-1)^x % p == (-1)^x % p # if x is even: 1, if x is odd, p-1 #User B sends B to M m_data2 = B a_data = m_data2 #sending the information forward #User A calculates s, iv, key and encrypt a message #print a_data s_a = pow(a_data, a, p) #s_a is either p-1 or 1 #print s_a iv_a = random_aes_key(16) msg_a = bytearray("Super Secret Stuff123", "ascii") #print hex(s_a) key_a = sha1(int_to_bytes(s_a))[:16] aes_ecb_a = AES.new(key_a, AES.MODE_ECB) enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a) #User A sends encrypted message and iv to M m_data3 = enc_a + iv_a #M can calculate both possible keys and decrypt the message: key_m1 = sha1(b'\x01')[:16] key_m2 = sha1(int_to_bytes(g_m))[:16] for key_m in (key_m1, key_m2): aes_ecb_m = AES.new(key_m, AES.MODE_ECB) try: msg_m = cbc_decrypt(aes_ecb_m, m_data3[:-16], m_data3[-16:], validation=True) #M knows the message (DONE) except: #this is me being lazy. Note that it might break if the wrong key decrypts some garbage with the right padding pass print("Retrieved by M (scenario 3):", msg_m)
def main(): p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff g = 2 #User A generates A a = randint(0,p) A = pow(g, a, p) #User A sends (p,g,A) to B b_data = (p,g,A) #User B generates B b = randint(0,b_data[0]) B = pow(b_data[1], b, b_data[0]) #User B sends B to A a_data = B #User A calculates s, iv, key and encrypt a message s_a = pow(a_data, a, p) iv_a = random_aes_key(16) msg_a = bytearray("Super Secret Stuff123","ascii") key_a = sha1(int_to_bytes(s_a))[:16] aes_ecb_a = AES.new(key_a, AES.MODE_ECB) enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a) #test = cbc_decrypt(aes_ecb_a, enc_a, iv_a) #print test #User A sends encrypted message and iv to B b_data2 = enc_a+iv_a #User B calculates s, key, retrieves iv and decrypts the message: s_b = pow(b_data[2],b,p) #print s_a == s_b key_b = sha1(int_to_bytes(s_b))[:16] aes_ecb_b = AES.new(key_b, AES.MODE_ECB) msg_b = cbc_decrypt(aes_ecb_b,b_data2[:-16],b_data2[-16:],validation=True) #User B generates an IV, encrypts the message retrieved and send it with the IV to A iv_b = random_aes_key(16) enc_b = cbc_encrypt(aes_ecb_b, msg_b, iv_b) a_data2 = enc_b+iv_b #A gets the iv, decrypts the data and verify the message: msg_temp = cbc_decrypt(aes_ecb_a,a_data2[:-16],a_data2[-16:],validation=True) print (msg_a == msg_temp) ################################################################################ ###### MITM attack ################################################################################ #User A generates A a = randint(0,p) A = pow(g, a, p) #User A sends (p,g,A) to M m_data = (p,g,A) #Use M send (p,g,p) to M b_data = (m_data[0],g,m_data[0]) #User B generates B b = randint(0,b_data[0]) B = pow(b_data[1], b, b_data[0]) #User B sends B to M m_data2 = B #User M sends p to A a_data = p #User A calculates s, iv, key and encrypt a message s_a = pow(a_data, a, p) # (p ** a) % p == (0 ** a) % p == 0 iv_a = random_aes_key(16) msg_a = bytearray("Super Secret Stuff123","ascii") print (hex(s_a)) key_a = sha1(int_to_bytes(s_a))[:16] aes_ecb_a = AES.new(key_a, AES.MODE_ECB) enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a) #test = cbc_decrypt(aes_ecb_a, enc_a, iv_a) #print test #User A sends encrypted message and iv to M m_data3 = enc_a+iv_a #User M relays message to B b_data2 = m_data3 #User B calculates s, key, retrieves iv and decrypts the message: s_b = pow(b_data[2],b,p) #print s_a == s_b key_b = sha1(int_to_bytes(s_b))[:16] aes_ecb_b = AES.new(key_b, AES.MODE_ECB) msg_b = cbc_decrypt(aes_ecb_b,b_data2[:-16],b_data2[-16:],validation=True) #User B generates an IV, encrypts the message retrieved and send it with the IV to M iv_b = random_aes_key(16) enc_b = cbc_encrypt(aes_ecb_b, msg_b, iv_b) m_data4 = enc_b+iv_b #User M relays message to A a_data2 = m_data4 #A gets the iv, decrypts the data and verify the message: msg_temp = cbc_decrypt(aes_ecb_a,a_data2[:-16],a_data2[-16:],validation=True) print (msg_a == msg_temp) #M can decrypt the message as well: key_m = sha1(b'\x00')[:16] aes_ecb_m = AES.new(key_m, AES.MODE_ECB) msg_m = cbc_decrypt(aes_ecb_m,m_data4[:-16],m_data4[-16:],validation=True) print (msg_a == msg_m)