def encryption_oracle():
key = random_integer(0, 2**16 - 1)
prefix = crypto_random_bytes(random_integer(0, 200))
message = prefix + b"A" * 14
ciphertext = cipher_encrypt(message, key)
return key, ciphertext
def generate_keys(self, subgroup=False):
if not subgroup:
self.secret_key = random_integer(0, self.p - 1)
self.public_key = modexp(self.g, self.secret_key, self.p)
else:
self.secret_key = random_integer(0, self.q)
self.public_key = modexp(self.g, self.secret_key, self.p)
def mitm_pose_as_server(self):
self.mitm_salt = random_integer(0, 2**32)
self.mitm_b = random_integer(0, self.N - 1)
self.mitm_server_pub_key = pow(self.g, self.mitm_b, self.N)
self.mitm_u = random_integer(1, 2**128 - 1)
return (self.mitm_salt, self.mitm_server_pub_key, self.mitm_u)
def encryption_oracle_ecb_cbc(bt):
key = crypto_random_bytes(16)
iv = crypto_random_bytes(16)
mode = choice(['ecb', 'cbc'])
begin_pad = crypto_random_bytes(random_integer(5, 10))
end_pad = crypto_random_bytes(random_integer(5, 10))
to_encrypt = pad_to_mod_16(begin_pad + bt + end_pad)
if mode == 'ecb':
ciphertext = encrypt_aes_128_ecb(to_encrypt, key)
else:
ciphertext = encrypt_aes_cbc(to_encrypt, key, iv)
# do not cheat, use mode for validation only
return ciphertext, mode
def sign(self, message):
h = int(hashlib.sha1(message).hexdigest(), 16)
k = random_integer(2, self.q-1)
r = pow(self.g, k, self.p) % self.q
s = (modinv(k, self.q) * (h + self.x * r)) % self.q
#if r == 0 or s == 0:
# return self.sign(message)
return (r,s)
def sign(self, message):
h = int(hashlib.sha1(message).hexdigest(), 16)
k = random_integer(2, self.q - 1)
r = pow(self.g, k, self.p) % self.q
s = (modinv(k, self.q) * (h + self.x * r)) % self.q
if r == 0 or s == 0:
print 'trying to sign again'
return self.sign(message)
else:
return (r, s)
def __init__(self):
self.N = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
self.g = 2
self.k = 3
self.I = '*****@*****.**'
self.P = 'secure_password'
self.salt = random_integer(0, 2**32)
s = str(self.salt) + self.P
xH = hashlib.sha256(s.encode('ascii')).hexdigest()
x = int(xH, 16)
self.v = pow(self.g, x, self.N)
def exploit_oracle(ciphertext):
n = ORACLE_KEY.N
e = ORACLE_KEY.e
s = random_integer(2, n-1)
crafted_c = (pow(s, e, n) * ciphertext) % n
crafted_p = unpadded_message_oracle(crafted_c)
crafted_p = rsa_string_to_integer(crafted_p)
plaintext = (crafted_p * modinv(s, n)) % n
return rsa_integer_to_string(plaintext)
def trick_bob_to_communicate(bob, r):
h = 1
while h == 1:
r_int = random_integer(1, p)
h = pow(r_int, (p - 1) / r, p)
bob.compute_shared_secret(h)
m = "crazy flamboyant for the rap enjoyment" + "\x10" * 10
_, iv = bob.send_encrypted_message(m)
t = bob.send_mac(m)
return h, m, t
def main():
test_cipher()
key, ciphertext = encryption_oracle()
key_found = break_mt19937_stream_cipher(ciphertext)
assert key == key_found, 'breaking stream cipher not working properly'
token = generate_password_reset_token()
assert analyze_password_reset_token(token) == True
random_token = random_integer(0, 2**32 - 1)
assert analyze_password_reset_token(random_token) == False
print("challenge 3.24 completed.")
def main():
alice = HonestCryptographer(p, g, q=q)
bob = HonestCryptographer(p, g, q=q)
alice.generate_keys(subgroup=True)
bob.generate_keys(subgroup=True)
#### subchallenge 1 ####
y = 7760073848032689505395005705677365876654629189298052775754597607446617558600394076764814236081991643094239886772481052254010323780165093955236429914607119
x = brute_force_dlp(y)
print "Brute forced DLP: %s" % x
a, b = 0, 2**20
x = wild_kangaroo(a, b, y, g)
print "Pollard kangaroo method DLP (subchallenge 1): %s" % x
#### subchallenge 2 ####
y = 9388897478013399550694114614498790691034187453089355259602614074132918843899833277397448144245883225611726912025846772975325932794909655215329941809013733
a, b = 0, 2**40
x = wild_kangaroo(a, b, y, g)
print "Pollard kangaroo method DLP (subchallenge 2): %s" % x
assert pow(g, 359579674340, p) == y
#### subchallenge 3 - extra info ####
r = random_integer(2, q - 1)
n = bob.secret_key % r
y_, g_ = transform(bob.public_key, r, n)
m = wild_kangaroo(0, (q - 1) / r, y_, g_)
x = n + r * m
if x == bob.secret_key:
print("challenge 7.58 completed.")
else:
print("challenge 7.58 failed.")
def send_salt_pub_key(self):
self.b = random_integer(0, self.N - 1)
self.B = pow(self.g, self.b, self.N)
self.u = random_integer(1, 2**128 - 1)
return (self.salt, self.B, self.u)
def forge_signature(y):
z = random_integer(1, 2**16)
r = pow(y, z, P) % Q
s = (r * modinv(z, Q)) % Q
return (r, s)
def send_salt_pub_key(self):
self.b = random_integer(0, self.N - 1)
self.B = (self.k * self.v + pow(self.g, self.b, self.N)) % self.N
return (self.salt, self.B)
def generate_keys(self):
self.x = random_integer(1, self.q - 1)
self.y = pow(self.g, self.x, self.p)
def send_email_pub_key(self):
self.a = random_integer(0, self.N - 1)
self.A = pow(self.g, self.a, self.N)
return (self.I, self.A)
from pkcs7_padding import pad_to_mod_16
from ecb_cbc_detection_oracle import detection_oracle
import byte_at_a_time_ecb_decryption_simple as byte_at_a_time_simple
from utils import chunks_of_bytearray
from itertools import groupby
oracle_key = crypto_random_bytes(16)
secret_b64_string = '''
Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkg
aGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBq
dXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUg
YnkK
'''
secret = base64_to_bytearray(secret_b64_string)
padding = crypto_random_bytes(random_integer(1, 30))
def encryption_oracle_ecb(plaintext):
to_encrypt = pad_to_mod_16(padding + plaintext + secret)
return encrypt_aes_128_ecb(to_encrypt, oracle_key)
def _check_magic_blocks_number(magic, ct, block_size):
blocks = chunks_of_bytearray(ct, block_size)
repeating_blocks_grouped = [list(j) for i, j in groupby(blocks)]
repeating_blocks_sizes = [len(i) for i in repeating_blocks_grouped]
# padding is multiple of block_size
if magic in repeating_blocks_sizes:
# find the position of the first magic block
def send_email_pub_key(self):
m = random_integer(0, 10)
return (self.I, self.N * m)
import sys
sys.path.insert(0, '../set_1_basics')
sys.path.insert(0, '../set_2_block_crypto')
sys.path.insert(0, '../set_3_block_stream_crypto')
from utils import crypto_random_bytes, random_integer, chunks_of, string_to_bytearray
import sha1_keyed_mac as sha1_km
import struct
key = crypto_random_bytes(random_integer(8, 64))
def sign(message):
return sha1_km.sha1_keyed_mac(key, message)
def verify_signature(sig, message):
return sig == sha1_km.sha1_keyed_mac(key, message)
def verify_signature_admin(sig, message):
return verify_signature(sig, message) and b"admin=true" in message
def get_sha_registers_from_signature(signature_hex):
ch = list(chunks_of(signature_hex, 8))
h0 = int("".join(ch[0]), 16)
h1 = int("".join(ch[1]), 16)
h2 = int("".join(ch[2]), 16)
h3 = int("".join(ch[3]), 16)
h4 = int("".join(ch[4]), 16)
