cryptopals

s2.md (11895B)

---

 ### Set 2
 
 #### 2.9
 
 PKCS #7 padding (see section 10.3 of [RFC-2315][pkcs]) just means that
 to pad a message of length 'l' to 'k' bytes, one appends `k - (l mod k)`
 bytes -- each of value `k - (l mod k)` -- to the message. So here we get
 four bytes' worth of padding, each of value 04:
 
     $ pkcs7 20 "YELLOW SUBMARINE" | xxd
     00000000: 5945 4c4c 4f57 2053 5542 4d41 5249 4e45  YELLOW SUBMARINE
     00000010: 0404 0404                                ....
 
 Of note, the case for `l mod k = 0` is interesting, since even though
 we don't necessarily *need* padding in such a case, we get k bytes
 of padding, each with value k, anyway. If one asks for padding, he's
 getting padding.
 
 (N.b., the reason is that a deciphering algorithm can thus always treat
 a string as padded and look only at the last byte to determine the
 number of padding bytes to strip. In the case of `l mod k = 0`, the
 extra padded block just gets chopped entirely.)
 
 [pkcs]: https://datatracker.ietf.org/doc/html/rfc2315#section-10.3
 
 #### 2.10
 
 Here we're implementing CBC mode for AES. The essential difference
 compared to ECB is that CBC (i.e., cipher block chaining) operates
 sequentially; ciphertext is produced by folding over the initialization
 vector + plaintext in 16-byte blocks, each time XOR-ing the current
 block with the previous one before encrypting the result with AES-128 in
 ECB mode.
 
 Again, I think it's worth using the openssl tool to gain familiarity
 with it:
 
     $ key=$(echo -n "YELLOW SUBMARINE" | xxd -p)
     $ openssl enc -aes-128-cbc \
         -a -d -K "$key" -nosalt -iv 0 \
         -in data/s2/q10_input.txt | head -2
     I'm back and I'm ringin' the bell
     A rockin' on the mike while the fly girls yell
 
 The `aes` binary will also get the job done:
 
     $ key=$(echo -n "YELLOW SUBMARINE" | xxd -p)
     $ ciphertext=$(cat data/s2/q10_input.txt | \
         base64 -d | xxd -p | tr -d '\n')
     $ iv=$(printf '0%.0s' {1..32})
     $ aes decrypt cbc --iv "$iv" "$key" "$ciphertext" | xxd -r -p | head -2
     I'm back and I'm ringin' the bell
     A rockin' on the mike while the fly girls yell
 
 #### 2.11
 
 Here we want to build what I've dubbed a `chaosEncrypter` and then something
 to detect what it might be using on any given iteration.  Easy enough:
 
     -- in Cryptopals.Block.Attacks
 
     chaosEncrypter
       :: PrimMonad m
       => BS.ByteString
       -> MWC.Gen (PrimState m)
       -> m BS.ByteString
     chaosEncrypter plaintext gen = do
       key  <- bytes 16 gen
       pre  <- MWC.uniformR (5, 10) gen >>= flip bytes gen
       pos  <- MWC.uniformR (5, 10) gen >>= flip bytes gen
 
       let tex = pre <> plaintext <> pos
           pad = roundUpToMul 16 (BS.length tex)
           bs = CU.pkcs7 pad tex
 
       ecb  <- MWC.uniform gen
 
       if   ecb
       then pure $ AES.encryptEcbAES128 key bs
       else do
         iv <- bytes 16 gen
         pure $ AES.encryptCbcAES128 iv key bs
 
 Note the use of PKCS#7 padding in order to make sure the input length is
 always valid. The detection oracle can be produced by simply fmapping
 `Cryptopals.Block.Tools.detectMode` over this.
 
 Checking it in action, with some tracing to determine it's working
 properly:
 
     > fmap detectMode $ chaosEncrypter "yellow submarineyellow
       submarineyellow submarineyellow submarine" gen
     was really CBC
     CBC
 
     > fmap detectMode $ chaosEncrypter "yellow submarineyellow
       submarineyellow submarineyellow submarine" gen
     was really ECB
     ECB
 
 #### 2.12
 
 Here we're breaking AES in ECB mode via byte-at-a-time decryption. The
 idea is that, given an AES encryption oracle, we can incrementally
 add or subtract bytes from our input to 1) identify that the oracle
 is using ECB mode, 2) figure out the block size of the cipher, and 3)
 incrementally decrypt the ciphertext it produces.
 
 The block size in AES-128 is 16 bytes, and this becomes apparent when
 encrypting at least 17 repeated bytes (as the initial 16-byte ciphertext
 block will be unchanged).  Here `alienEncrypter` is the oracle:
 
     > B16.encodeBase16 $ alienEncrypter (BS.replicate 32 65)
     57eef2e16c3867b9889350eb5732c183
     57eef2e16c3867b9889350eb5732c183
     99203986e6420a8cfed14ef4052331cd
     912d36f3419517ff9092e2f53d814a7b
     41d4bfa372eca117569d2ccbbf34e848
     [..]
 
 The mode detector correctly guesses this to be running in ECB mode when
 using 32 bytes of repeated input or more, since that gives us enough
 bytes to get repeated blocks in the ciphertext:
 
     > detectMode $ alienEncrypter (BS.replicate 32 65)
     ECB
 
 The `Cryptopals.Block.Attacks.incrByteEcbAttack` function attacks the provided
 oracle by incrementally decrypting bytes:
 
     > TIO.putStrLn $ TE.decodeUtf8 $ incrByteEcbAttack alienEncrypter
     Rollin' in my 5.0
     With my rag-top down so my hair can blow
     The girlies on standby waving just to say hi
     Did you stop? No, I just drove by
 
 #### 2.13
 
 (N.b., I thought this was super fun.)
 
 The idea here is to craft a ciphertext block that can be swapped into
 the opportune position. We want to align everything so that the final
 block will start right after the `role=` string, and then craft it as
 the enciphered `admin` plus padding.
 
 A 13-byte long email address will be sufficient to push everything to
 the desired block boundaries.  I used the following:
 
     > B16.encodeBase16 $ cpeEncrypt "me@retorts.io"
 
 which produces the following hex-encoded ciphertext (aligned in blocks):
 
     c4352ebf0bbf88ab50941d47fe7b9e90
     38fa40090568d9af9fa626a8a55409fd
     921defeffad5601a06500289684b16ca   <- 'user' block
 
 Now, inserting some malicious plaintext:
 
     > let admin = "admin" <> BS.replicate 11 11
     > B16.encodeBase16 $ cpeEncrypt ("me@retorts" <> admin <> ".io")
 
 and that produces the following hex-encoded ciphertext:
 
     c4352ebf0bbf88ab50941d47fe7b9e90
     d5adeeedb90f079930a3d9c4492746e5   <- evil block
     38fa40090568d9af9fa626a8a55409fd
     921defeffad5601a06500289684b16ca   <- 'user' block
 
 Now all we want to do is replace the final block in the initial
 ciphertext, corresponding to `user` and padding, with our malicious
 enciphered block:
 
     c4352ebf0bbf88ab50941d47fe7b9e90
     38fa40090568d9af9fa626a8a55409fd
     d5adeeedb90f079930a3d9c4492746e5   <- evil block
 
 Now we decrypt it (called `evil` below), mua ha ha:
 
     > let Right ciph = B16.decodeBase16 $ TE.encodeUtf8 evil
     > cpeDecrypt ciph
     "email=me@retorts.io&uid=10&role=admin\v\v\v\v\v\v\v\v\v\v\v"
 
 It's even nicer when one strips the padding as per challenge 15:
 
     > CU.unpkcs7 $ cpeDecrypt ciph
     Just "email=me@retorts.io&uid=10&role=admin"
 
 #### 2.14
 
 The idea is to inject a block whose ciphertext is known, followed by the
 malicious alignment block(s) necessary to perform the attack. One can
 figure out ciphertext corresponding to any block of repeated bytes by
 just feeding in more than a block's worth of them -- necessarily some
 (plaintext) block will then include only that repeated byte.
 
 E.g.: one can determine that "AAAAAAAAAAAAAAAA" encrypts to
 "57eef2e16c3867b9889350eb5732c183", so we can look for that ciphertext
 in the result in order to locate an "origin," only analyzing ciphertexts
 in which it appears (since, if it doesn't happen to align perfectly in
 a block, we won't see it in the ciphertext). By chopping that and any
 preceeding bytes from the ciphertext, the attack reduces to the simpler
 version we've already performed.
 
 The `Cryptopals.Block.Attacks.hardIncrByteEcbAttack` function will
 perform the attack; it's just a version of `incrByteEcbAttack`
 from challenge 12 adapted to handle a monadic oracle.
 `Cryptopals.Block.Attacks.attackProxy` wraps the `weirdEncrypter` oracle
 and does the work of inserting/locating our malicious block and pruning
 the ciphertext for us, so we can attack `weirdEncrypter` via:
 
     > plain <- hardIncrByteEcbAttack (attackProxy weirdEncrypter) gen
     > TIO.putStrLn $ TE.decodeUtf8 plain
     Rollin' in my 5.0
     With my rag-top down so my hair can blow
     The girlies on standby waving just to say hi
     Did you stop? No, I just drove by
 
 #### 2.15
 
 To validate PKCS#7 padding, just look at the last byte of the input,
 take that many bytes from the end, and check that they're all the same.
 `Cryptopals.Util.unpkcs7` will do it (and strip the padding), returning
 Nothing on inputs with invalid padding:
 
     > CU.unpkcs7 ("ICE ICE BABY\x04\x04\x04\x04" :: BS.ByteString)
     Just "ICE ICE BABY"
     > CU.unpkcs7 ("ICE ICE BABY\x05\x05\x05\x05" :: BS.ByteString)
     Nothing
     > CU.unpkcs7 ("ICE ICE BABY\x01\x02\x03\x04" :: BS.ByteString)
     Nothing
 
 #### 2.16
 
 This one is pretty cool and tricky. AES encryption in CBC (cipher block
 chaining) mode proceeds as follows:
 
     for plaintext                     p = (p_1, .., p_l)
         block encryption w/key k      enc_k
         initialization vector         IV
         xor operator                  +
 
     let c_0 = IV
         c_1 = enc_k(c_0 + p_1)
         c_2 = enc_k(c_1 + p_2)
         ..
         c_l = enc_k(c_{l-1} + p_l)
 
     in  ciphertext                    c = (c_0, c_1, c_2, .., c_l)
 
 and decryption goes like this:
 
     for ciphertext                    c = (c_0, c_1, c_2, .., c_l)
         block decryption w/key k      dec_k
         xor operator                  +
 
     let p_1 = dec_k(c_1) + c_0
         p_2 = dec_k(c_2) + c_1
         ..
         p_l = dec_k(c_1) + c_{l-1}
 
     in  plaintext                     p = (p_1, p_2, .., p_l)
 
 Let plaintext block 3 be "AAAAA!admin!true". Since:
 
     p_2 = dec_k(c_2) + c_1
 
 if ciphertext block 2 is ".....X.....X...." for unspecified bytes ".",
 then we can recover the plaintext "AAAAA;admin=true" by substituting in
 the following ciphertext block instead:
 
     .....X+a.....X+b....
 
 for '+' the XOR operator, 'a' the byte such that '!' + 'a' = ';', and 'b'
 the byte such that '!' + 'b' = '='. The second plaintext block, which is found
 by passing `c_2` through AES decryption, will be effectively destroyed, but
 the third plaintext block will be modified as desired.
 
 (Note by padding the malicious input block with 'A' bytes we line everything
 up so as to take advantage of the following semicolon.)
 
 Using an IV of all zero bytes, `Cryptopals.Block.Attacks.bfcEncrypter` will
 return the following, given the malicious input:
 
     00000000000000000000000000000000 ................
     63530f935e8a082aefc3010403ddd0c8 comment1=cooking
     5d7abe5ba83c8f15d5768e372b8d9d3e %20MCs;userdata=
     d84ed53685df3c0fe1f047a8d8067e2b AAAAA!admin!true
     ca8ca55382df2e963b10dec76fd282ce ;comment=%20like
     cf39e6549b264c0eb44340b5f0e3ebdc %20a%20pound%20o
     214abfcb615d8c63406ee84093538051 fbacon__________
 
 We can see that 0x3c and 0x37 in ciphertext block 2 (i.e. the third,
 counting the IV) need to be changed. The bytes are at index 37 and 43 in
 the raw ciphertext, respectively; some calculation shows what we need to
 XOR them by:
 
     > showHex (ord '!' `B.xor` ord ';') mempty
     "1a"
 
 and
 
     > showHex (ord '!' `B.xor` ord '=') mempty
     "1c"
 
 so we replace 0x3c in `c_2` with `0x3c + 0x1a` and 0x37
 with `0x37 + 0x1c` and pass the resulting munged ciphertext
 through the ";admin=true;" substring checker found in
 `Cryptopals.Block.Attacks.bfcChecker`:
 
     > let cip = bfcEncrypter "AAAAA!admin!true"
     > :{
     ghci| let munge = loop 0 mempty where
     ghci|       loop j acc !bs = case BS.uncons bs of
     ghci|         Nothing -> acc
     ghci|         Just (b, etc)
     ghci|           | j == 37 -> let nex = BS.snoc acc (0x3c `B.xor` 0x1a)
     ghci|                        in  loop (succ j) nex etc
     ghci|           | j == 43 -> let nex = BS.snoc acc (0x37 `B.xor` 0x1c)
     ghci|                        in  loop (succ j) nex etc
     ghci|           | otherwise -> loop (succ j) (BS.snoc acc b) etc
     ghci| :}
     > let munged = munge cip
     > bfcChecker cip
     False
     > bfcChecker munged
     True
 
 indicating that the evil substring is present, as desired.