cryptopals

Matasano's cryptopals challenges (cryptopals.com).

commit 04bbe6d6e05d5a423417083c1581cb4b803e09d4
parent 96facaa3b06e241027cb237adfccfebf8515492c
Author: Jared Tobin <jared@jtobin.io>
Date:   Wed, 16 Aug 2023 16:43:13 -0230

Add 5.37.

Diffstat:
M docs/s5.md           | 30 +++++++++++++++++++++++++++---
M lib/Cryptopals/SRP.hs | 31 +++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/docs/s5.md b/docs/s5.md @@ -258,9 +258,10 @@ SRP (Secure Remote Password) is an authentication protocol for which a client authenticates with a server via a zero-knowledge proof. Cryptopals.SRP implements it much in the same way that Cryptopals.DH implements Diffie-Hellman; here one can perform the protocol via the -'server' and 'client' functions analogously: +'server' and 'client' functions analogously. -Interleaved logs for 'server "3000" srp' and 'client "3000" srp auth': +Some interleaved logs for 'server "3000" srp' and 'client "3000" srp +auth': (cryptopals) server: listening.. (cryptopals) client: session established @@ -271,5 +272,28 @@ Interleaved logs for 'server "3000" srp' and 'client "3000" srp auth': (cryptopals) client: sending MAC 6p7eE/pTSijdReePtswOKDZZUFYhLkJfeKps0GD4Yc4= (cryptopals) server: received MAC 6p7eE/pTSijdReePtswOKDZZUFYhLkJfeKps0GD4Yc4= (cryptopals) server: OK - (cryptopals) client: ending session + +#### 5.37 + +If the client forwards A = 0 (or anything congruent modulo N to 0) as +its public key, then the server will compute S = 0 as its shared secret. +Whoops! The client can then just pass along the appropriate MAC to +authenticate. + +Example, using the 'srpZero' protocol and 'authZero' initial client +action: + + -- GHCi instance one + > server "3000" srp + -- GHCi instance two + > client "3000" srpZero authZero + (cryptopals) server: listening.. + (cryptopals) client: session established + (cryptopals) client: sending authentication request with a zero key + (cryptopals) server: received authentication request for l33th4x0r@hotmail.com + (cryptopals) server: acking authentication request for l33th4x0r@hotmail.com + (cryptopals) client: received authentication request ack + (cryptopals) client: sending MAC 5xO9hEUJOTX5EIU+DmYV0QOs1L1oVp3fphREooN/8L4= + (cryptopals) server: received MAC 5xO9hEUJOTX5EIU+DmYV0QOs1L1oVp3fphREooN/8L4= + (cryptopals) server: OK diff --git a/lib/Cryptopals/SRP.hs b/lib/Cryptopals/SRP.hs 
@@ -107,6 +107,14 @@ auth = do slog "sending authentication request" pure (Auth ei pub) +authZero :: SRP IO Command +authZero = do + Env {..} <- lift ask + sesh <- get + put sesh { sourpub = 0 } + slog "sending authentication request with a zero key" + pure (Auth ei 0) + -- basic log blog :: T.Text -> T.Text -> IO () blog host msg = do @@ -241,6 +249,29 @@ srp cmd = do slog "ending session" liftIO SE.exitSuccess -- XX close the socket +srpZero :: MonadIO m => PN.Protocol (SRP m) Command Command +srpZero cmd = do + Env {..} <- lift ask + case cmd of + AckAuth salt herpub -> do + slog "received authentication request ack" + sesh@Sesh {..} <- get + put sesh { + ssalt = Just salt + , sherpub = Just herpub + } + let k = CS.bytestringDigest + . CS.sha256 + . DB.encode + $ (0 :: Natural) + let mac = BL.toStrict + . CS.bytestringDigest + $ CS.hmacSha256 k (BL.fromStrict salt) + slog $ "sending MAC " <> B64.encodeBase64 mac + pure (SendMAC mac) + + _ -> srp cmd + hashpubs :: Natural -> Natural -> Natural hashpubs a b = fromIntegral
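Review bot: in the first docs/s5.md hunk the reworded intro line wraps the quoted command so that `'client "3000" srp` and `auth':` land on different lines; keep the quoted command intact on one line so a reader can copy it as-is, and wrap before the quote instead.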
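Review bot: the new 5.37 section in docs/s5.md explains why a zero (or 0 mod N) client key forces S = 0 but never says what a server is supposed to do about it; one sentence noting that the standard SRP countermeasure is for the server to abort the handshake when A mod N == 0 (a check this demo server deliberately lacks) would make the writeup complete. The same hunk also deletes the `(cryptopals) client: ending session` line from the end of the first log, even though `srp` still logs "ending session" (visible in the SRP.hs context lines); if that removal was unintentional, restore it so the two logs stay consistent.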
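Review bot: `authZero` in lib/Cryptopals/SRP.hs carries no comment saying it is the 5.37 zero-key client action, while the neighbouring definition has one (`-- basic log`); add a one-liner so the intent of `put sesh { sourpub = 0 }` and `pure (Auth ei 0)` is clear to the next reader. Minor: `sesh <- get` followed by `put sesh { sourpub = 0 }` is just `modify (\s -> s { sourpub = 0 })`, and `Env {..} <- lift ask` binds every Env field when only `ei` appears to be used, which will warn under -Wall.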
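Review bot: `srpZero` writes out the session-key derivation (`CS.bytestringDigest . CS.sha256 . DB.encode $ (0 :: Natural)`) and the HMAC-over-salt MAC inline; if `srp` derives K and the MAC the same way from the real shared secret, factor both into one helper taking S so the zero-key path cannot silently diverge from the normal one. Also `sesh@Sesh {..} <- get` binds all Sesh fields but only `sesh` is used (salt and herpub come from the `AckAuth` pattern), so `sesh <- get` suffices; and `sherpub` is stored but never read in this branch, which is correct since S is 0 regardless of B, but deserves a comment.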