TIL About CBC
by n0_1
Posted on Aug 29, 2017 at 05:00 AM
Workshop / Tutorial on Cipher Block Chaining @ UNSW, featuring a blackbox approach for breaking blocks.
Cipher Block Chaining
White Box vs Black Box Cryptanalysis
Similarly to white and black box testing techniques, white box and black box cryptanalysis refers to Cryptanalysis where the availability of certain aspects of the protocol are revealed. If we have access to the source code of the encryption server, the keys, the IV and the client, the entire protocol and encryption technique is revealed to the attacker. This is white box cryptanalysis.
On the other hand, and in this tutorial we will not have access to the Key, IV or (theoretically) the server source code. What we do have is the ability to encode anything we like using the encryption service, and we will have access to the resulting ciphertext afterwards.
Black Box Accessories
- Access to Encryption Service (
Plaintext -> E(k,iv) -> Ciphertext) - Access to Ciphertext
- Control of Plaintext
Cryptanalysis Overview and Lingo
The term Crib was used at Bletchley Park to denote any known plaintext, or suspected plaintext at some point in an enciphered message. Cryptanalysts leverage Cribs to discern additional information about the ciphertext.
Crib Examples
- Plaintext Length
- Plaintext Redundancy
- Plaintext Repetition
Cipher Block Chaining (CBC)
Let's cover the basics of blockchain first. Blockchaining is a growing list of records, each of which are linked together and secured with cryptography. Each record (block) typically contains a hash pointer to a previous block. The decryption of subsequent blocks is dependent on the data integrity of the blocks that came before. A single bit modification of any preceeding block causes all subsequent blocks to be decrypted incorrectly.
Blockchain technology hinges on record keeping, and data integrity.
Bitcoin Block Chain
Cipher Block Chain
Cipher block chaining is a primitive encoding mode of the modern day 'Blockchain' definition. The plaintext is partitioned into equal sized blocks. Each plaintext block is encrypted using a cipher to create a corresponding ciphertext block for that plaintext. Each generated ciphertext block is then XOR'd with the next plaintext block BEFORE the cipher is applied to create the next ciphertext block. Rinse repeat.
Some CBC Attack Vectors
- Replay Attack
- Padding Oracle
Block Encryption
Same Key, Same IV.
Example 1
| Block Num | Plaintext Block | Ciphertext Block |
|---|---|---|
| 1 | AAAAAAAAAAAAAAAA | 4a900a8ecf2d6fb472428bc9ee9662b7 |
| 2 | CCCCCCCCCCCCCCCC | 0e59fa3e137576a1a36a69f609e39317 |
Example 2
| Block Num | Plaintext Block | Ciphertext Block |
|---|---|---|
| 1 | AAAAAAAAAAAAAAAB | 63c02cff46df0a27831129395bb6066d |
| 2 | CCCCCCCCCCCCCCCC | b850c611ba186c86f5a07d84b943a478 |
Black Box Attack on CBC
We have some ciphertext. We control the first 15 bytes of plaintext. We need these 15 bytes in order to nudge future values to brute force. We have the encryption mechanism, so we can encrypt whatever plaintext we would like.
Step 1 - Byte 1
| Block Num | Plaintext Block | Ciphertext Block |
|---|---|---|
| 1 | AAAAAAAAAAAAAAAA | 4a900a8ecf2d6fb472428bc9ee9662b7 |
| 2 | etctf{reuse_sin} | 0b428bd0877ee4436ab448646cf51225 |
Step 2 - Byte 2
| Block Num | Plaintext Block | Ciphertext Block |
|---|---|---|
| 1 | AAAAAAAAAAAAAAAe | aa9683917bed5713b88ae5662452c56f |
| 2 | tctf{reuse_sin}? | d0bb390563dd69bfd94cdcc73d1fb6bb |
Step 3 - Byte 3
| Block Num | Plaintext Block | Ciphertext Block |
|---|---|---|
| 1 | AAAAAAAAAAAAAAet | fb50aafbdb19ab643abf0ad052655398 |
| 2 | ctf{reuse_sin}?? | 2f0c88ffe8e33c8a5e0e5d21201ff24f |
Step 4 - Byte 4
| Block Num | Plaintext Block | Ciphertext Block |
|---|---|---|
| 1 | AAAAAAAAAAAAAetc | 049c5f621ccb69ca3273d95813eff828 |
| 2 | tf{reuse_sin}??? | 8d3744eaf0e4e546dfe3cdb959996528 |
AES-CBC Encryption Service
#!/usr/bin/python
from Crypto.Cipher import AES
import math
BLOCK_SIZE = 16
EncodeAES = lambda c, s: c.encrypt(pad(s, BLOCK_SIZE)).encode('hex')
DecodeAES = lambda c, e: c.decrypt(e.decode('hex'))
key = 'etctf{pwn_2_w1n}'
cookie = 'etctf{0_m41_g0d}'
iv = 'etctf{reuse_sin}'
flag1 = 'etctf{flagone}'
flag2 = 'etctf{f1agtwo}'
flag3 = 'etctf{fl4g_thr3}'
flag4 = 'etctf{F14G_F0UR}'
flag5 = 'try_for_padding_oracle'
def pad(text, block_size):
no_of_blocks = math.ceil(len(text)/float(block_size))
pad_value = int(no_of_blocks block_size - len(text))
if pad_value == 0:
return text + chr(block_size) block_size
else:
return text + chr(pad_value) * pad_value
def AES128_CBC_ENEX(msg):
cipher = AES.new(key, AES.MODE_CBC, iv)
exMsg = msg
exMsg += iv
exMsg += flag1
exMsg += flag2
exMsg += flag3
exMsg += flag4
exMsg += flag5
return EncodeAES(cipher, exMsg)
def AES128_CBC_DEEX(msg):
cipher = AES.new(key, AES.MODE_CBC, iv)
return DecodeAES(cipher, msg)
Check this tool out...
Back to Home