def f1(plaintext):
block_len = 16
global key
global IV
aes_ecb = AES.new(key, AES.MODE_ECB)
sanitised = plaintext.replace(";", "';'").replace("=", "'='")
# A new block starts right after userdata=
data = "comment1=cooking%20MCs;userdata=" + sanitised + ";comment2=%20like%20a%20pound%20of%20bacon"
return cbc_encrypt(aes_ecb, bytearray(data, "ascii"), IV)
def f1():
block_len = 16
global key
data = INPUT[randint(0,
len(INPUT) -
1)] #padding is added by the encryption function
key = random_aes_key(16)
iv = random_aes_key(16)
aes_ecb = AES.new(key, AES.MODE_ECB)
return (cbc_encrypt(aes_ecb, bytearray(data, "ascii"), iv), iv)
def encryption_oracle(plaintext):
block_len = 16
key = random_aes_key(block_len)
aes_ecb = AES.new(key, AES.MODE_ECB)
data = bytearray(random_str(5, 10))
data.extend(bytearray(plaintext, "ascii"))
data.extend(random_str(5, 10))
if randint(0, 1) == 0: #ECB
data = bytes(pkcs7_add(
data, block_len)) #turning into bytes so aes_ecb won't bitch
test = (aes_ecb.encrypt(data), "ECB")
else: #CBC
iv = random_aes_key(block_len)
test = (cbc_encrypt(aes_ecb, data, iv), "CBC")
#Detection
if detect_ecb(test[0]):
print("ECB detected!")
else:
print("Guessed \"%s\" as CBC" % (test[1], ))
def f1(plaintext):
global key
aes_ecb = AES.new(key, AES.MODE_ECB)
return cbc_encrypt(aes_ecb, plaintext, IV)
def main():
p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff
g = 2
################################################################################
###### MITM attack - Scenario 01: g = 1
################################################################################
#User A generates A
a = randint(0, p)
A = pow(g, a, p)
#User A sends (p,g,A) to M
m_data = (p, g, A)
#Use M send (p,g,A) to M
g_m = 1
b_data = (p, g_m, A)
#User B generates B
b = randint(0, b_data[0])
B = pow(b_data[1], b, b_data[0]) #the result will be 1
#User B sends B to M
m_data2 = B
a_data = m_data2 #let's send this 1 forward
#User A calculates s, iv, key and encrypt a message
#print a_data
s_a = pow(a_data, a, p) #s_a = 1
#print s_a
iv_a = random_aes_key(16)
msg_a = bytearray("Super Secret Stuff123", "ascii")
#print hex(s_a)
key_a = sha1(int_to_bytes(s_a))[:16]
aes_ecb_a = AES.new(key_a, AES.MODE_ECB)
enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a)
#test = cbc_decrypt(aes_ecb_a, enc_a, iv_a)
#print test
#User A sends encrypted message and iv to M
m_data3 = enc_a + iv_a
#M can recalculate the key and decrypt the message:
key_m = sha1(b"\x01")[:16]
#print key_m
aes_ecb_m = AES.new(key_m, AES.MODE_ECB)
msg_m = cbc_decrypt(aes_ecb_m,
m_data3[:-16],
m_data3[-16:],
validation=True) #M knows the message (DONE)
print("Retrieved by M (scenario 1):", msg_m)
################################################################################
###### MITM attack - Scenario 02: g = p
################################################################################
#User A generates A
a = randint(0, p)
A = pow(g, a, p)
#User A sends (p,g,A) to M
m_data = (p, g, A)
#Use M send (p,g,A) to M
g_m = p
b_data = (p, g_m, A)
#User B generates B
b = randint(0, b_data[0])
B = pow(b_data[1], b, b_data[0]) #the result will be 0
#User B sends B to M
m_data2 = B
a_data = m_data2 #let's send this 0 forward
#User A calculates s, iv, key and encrypt a message
#print a_data
s_a = pow(a_data, a, p) #s_a = 0
#print s_a
iv_a = random_aes_key(16)
msg_a = bytearray("Super Secret Stuff123", "ascii")
#print hex(s_a)
key_a = sha1(int_to_bytes(s_a))[:16]
aes_ecb_a = AES.new(key_a, AES.MODE_ECB)
enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a)
#test = cbc_decrypt(aes_ecb_a, enc_a, iv_a)
#print test
#User A sends encrypted message and iv to M
m_data3 = enc_a + iv_a
#M can recalculate the key and decrypt the message:
key_m = sha1(b'\x00')[:16]
#print key_m
aes_ecb_m = AES.new(key_m, AES.MODE_ECB)
msg_m = cbc_decrypt(aes_ecb_m,
m_data3[:-16],
m_data3[-16:],
validation=True) #M knows the message (DONE)
print("Retrieved by M (scenario 2):", msg_m)
################################################################################
###### MITM attack - Scenario 03: g = p-1
################################################################################
#User A generates A
a = randint(0, p)
A = pow(g, a, p)
#User A sends (p,g,A) to M
m_data = (p, g, A)
#Use M send (p,g,A) to M
g_m = p - 1
b_data = (p, g_m, A)
#User B generates B
b = randint(0, b_data[0])
B = pow(b_data[1], b, b_data[0]) #(p-1)^x % p == (-1)^x % p
# if x is even: 1, if x is odd, p-1
#User B sends B to M
m_data2 = B
a_data = m_data2 #sending the information forward
#User A calculates s, iv, key and encrypt a message
#print a_data
s_a = pow(a_data, a, p) #s_a is either p-1 or 1
#print s_a
iv_a = random_aes_key(16)
msg_a = bytearray("Super Secret Stuff123", "ascii")
#print hex(s_a)
key_a = sha1(int_to_bytes(s_a))[:16]
aes_ecb_a = AES.new(key_a, AES.MODE_ECB)
enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a)
#User A sends encrypted message and iv to M
m_data3 = enc_a + iv_a
#M can calculate both possible keys and decrypt the message:
key_m1 = sha1(b'\x01')[:16]
key_m2 = sha1(int_to_bytes(g_m))[:16]
for key_m in (key_m1, key_m2):
aes_ecb_m = AES.new(key_m, AES.MODE_ECB)
try:
msg_m = cbc_decrypt(aes_ecb_m,
m_data3[:-16],
m_data3[-16:],
validation=True) #M knows the message (DONE)
except: #this is me being lazy. Note that it might break if the wrong key decrypts some garbage with the right padding
pass
print("Retrieved by M (scenario 3):", msg_m)
def main():
p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff
g = 2
#User A generates A
a = randint(0,p)
A = pow(g, a, p)
#User A sends (p,g,A) to B
b_data = (p,g,A)
#User B generates B
b = randint(0,b_data[0])
B = pow(b_data[1], b, b_data[0])
#User B sends B to A
a_data = B
#User A calculates s, iv, key and encrypt a message
s_a = pow(a_data, a, p)
iv_a = random_aes_key(16)
msg_a = bytearray("Super Secret Stuff123","ascii")
key_a = sha1(int_to_bytes(s_a))[:16]
aes_ecb_a = AES.new(key_a, AES.MODE_ECB)
enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a)
#test = cbc_decrypt(aes_ecb_a, enc_a, iv_a)
#print test
#User A sends encrypted message and iv to B
b_data2 = enc_a+iv_a
#User B calculates s, key, retrieves iv and decrypts the message:
s_b = pow(b_data[2],b,p)
#print s_a == s_b
key_b = sha1(int_to_bytes(s_b))[:16]
aes_ecb_b = AES.new(key_b, AES.MODE_ECB)
msg_b = cbc_decrypt(aes_ecb_b,b_data2[:-16],b_data2[-16:],validation=True)
#User B generates an IV, encrypts the message retrieved and send it with the IV to A
iv_b = random_aes_key(16)
enc_b = cbc_encrypt(aes_ecb_b, msg_b, iv_b)
a_data2 = enc_b+iv_b
#A gets the iv, decrypts the data and verify the message:
msg_temp = cbc_decrypt(aes_ecb_a,a_data2[:-16],a_data2[-16:],validation=True)
print (msg_a == msg_temp)
################################################################################
###### MITM attack
################################################################################
#User A generates A
a = randint(0,p)
A = pow(g, a, p)
#User A sends (p,g,A) to M
m_data = (p,g,A)
#Use M send (p,g,p) to M
b_data = (m_data[0],g,m_data[0])
#User B generates B
b = randint(0,b_data[0])
B = pow(b_data[1], b, b_data[0])
#User B sends B to M
m_data2 = B
#User M sends p to A
a_data = p
#User A calculates s, iv, key and encrypt a message
s_a = pow(a_data, a, p) # (p ** a) % p == (0 ** a) % p == 0
iv_a = random_aes_key(16)
msg_a = bytearray("Super Secret Stuff123","ascii")
print (hex(s_a))
key_a = sha1(int_to_bytes(s_a))[:16]
aes_ecb_a = AES.new(key_a, AES.MODE_ECB)
enc_a = cbc_encrypt(aes_ecb_a, msg_a, iv_a)
#test = cbc_decrypt(aes_ecb_a, enc_a, iv_a)
#print test
#User A sends encrypted message and iv to M
m_data3 = enc_a+iv_a
#User M relays message to B
b_data2 = m_data3
#User B calculates s, key, retrieves iv and decrypts the message:
s_b = pow(b_data[2],b,p)
#print s_a == s_b
key_b = sha1(int_to_bytes(s_b))[:16]
aes_ecb_b = AES.new(key_b, AES.MODE_ECB)
msg_b = cbc_decrypt(aes_ecb_b,b_data2[:-16],b_data2[-16:],validation=True)
#User B generates an IV, encrypts the message retrieved and send it with the IV to M
iv_b = random_aes_key(16)
enc_b = cbc_encrypt(aes_ecb_b, msg_b, iv_b)
m_data4 = enc_b+iv_b
#User M relays message to A
a_data2 = m_data4
#A gets the iv, decrypts the data and verify the message:
msg_temp = cbc_decrypt(aes_ecb_a,a_data2[:-16],a_data2[-16:],validation=True)
print (msg_a == msg_temp)
#M can decrypt the message as well:
key_m = sha1(b'\x00')[:16]
aes_ecb_m = AES.new(key_m, AES.MODE_ECB)
msg_m = cbc_decrypt(aes_ecb_m,m_data4[:-16],m_data4[-16:],validation=True)
print (msg_a == msg_m)