0xdec0de01 crypto ctf solutions
TRANSCRIPT
![Page 1: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/1.jpg)
Vladimir Garbuz
Security Engineer at HP LM Security Center of Excellence
Walkthrough 0xDEC0DE01 cryptoCTF
![Page 2: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/2.jpg)
Intro
What this talk is about
What this talk is NOT about
google “vladimir garbuz cryptography” for
dec0de01 talk and slides with more technical details
Ok… The cryptoCTF!
solve 5 challenges to win 10000$
well, 100.00$...
Still available at the link: http://goo.gl/tuKku7
![Page 3: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/3.jpg)
Intro
CTF consisted of 5 tasks:
1. Poor AES-CBC cryptolocker (bruteforce)
2. Simple stream cipher (pad reuse)
3. AES-ECB encryption (data leaking)
4. SHA256 MAC (length extension attack)
5. SHA256 proof of work (bruteforce)
![Page 4: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/4.jpg)
AES-CBC cryptolocker
2 files available:
very_bad_encryptor is VERY bad:
Very slow (~1MB/sec)
Can encrypt and decrypt
Uses SHA256 hash as AES encryption key
Hash of a 8 digit numeric user entered code…
Uses CBC encryption mode
![Page 5: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/5.jpg)
AES-CBC cryptolocker
![Page 6: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/6.jpg)
AES-CBC cryptolocker
But how to know when the password is right?..
![Page 7: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/7.jpg)
AES-CBC cryptolocker
![Page 8: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/8.jpg)
AES-ECB encryption
![Page 9: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/9.jpg)
AES-ECB encryption
![Page 10: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/10.jpg)
Simple stream cipher
Stream cipher basics
Sender computes Message ⊕ Keystream and sends the
Ciphertext
Receiver computes Ciphertext⊕ Keystream to get
Message
In our case, the key stream was generated via Python
random, initialized with constant “0xdec0de01”
![Page 11: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/11.jpg)
Simple stream cipher
Basic vulnerabilities: key reuse
What’s so terrible about key reuse?
So we have 2 plaintexts P1 and P2, and we encrypt
them separately under the same Key:
C1=P1⊕F(Key)
C2=P2⊕F(Key)
When attacker intercepts them, he can then compute:
C1⊕C2=P1⊕P2
“Oh, please! How bad could that possibly be?..”
![Page 12: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/12.jpg)
Simple stream cipher
Basic vulnerabilities: key reuse
![Page 13: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/13.jpg)
Simple stream cipher
Basic vulnerabilities: key reuse
Case 1: if one of the plaintexts, e.g. P1, is known,
restoring the other one is trivial
P1⊕P2⊕P1 = P1⊕P1⊕P2 = 0⊕P2 = P2
Case 2: if a portion of Plaintext is known, the
Keystream in corresponding position is revealed
C = P⊕E(Key) C⊕P = E(Key)
Now, having the Keystream at some position, we can
decrypt data at that position from other ciphertexts
![Page 14: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/14.jpg)
Simple stream cipher
![Page 15: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/15.jpg)
SHA256 MAC – length extension
The task was, quote:
d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3
This is a MAC (SHA256) of a secret key concatenated with the e-mail address
that you need to send your results to. The length of the key+e-mail is 53 bytes.
Your task is to add any message you want to this e-mail and compute a new
SHA256 hash of it - all in such a way that your hash is identical to the MAC that
I will compute from my key + your message.
As a solution for this task I expect 2 things: forged message AND it's SHA256 hash.
Yes, it's that simple, but can YOU actually do it?
![Page 16: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/16.jpg)
SHA256 MAC – length extension
Breaking “key + message MAC”
What’s vulnerable?
Hash functions with Merkle–Damgård construction, e.g.
MD4, MD5, RIPEMD-160, WHIRLPOOL, SHA-0, SHA-1
and even SHA-2
Doesn’t work on other constructions - SHA-3, poly1305,...
In this construction, the resulting hash is the internal
state of the function at the end of computation
Which can (and will ) be used as the starting state of
the hash function
![Page 17: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/17.jpg)
SHA256 MAC – length extension
Hash of k+m is actually a hash of k+m+p, where p
is some necessary, but easily predictable, padding
To illustrate this:
H0(k) = Hk - here, H0 is the initial state of hash function
Hk(m) = Hkm - Hk is its state after processing k
Hkm (p) = Hkmp
Hkmp = H(k+m+p)
![Page 18: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/18.jpg)
SHA256 MAC – length extension
Since p is predictable and end state Hkmp is known
We chose any arbitrary m´
Set the hash function’s initial state to Hkmp
And make it process the bytes of message m´
Hkmp(m´) = Hkmpm´
Curiously, this is EXACTLY what happens when you
hash m+p+m´ under a known key!
Now, our hash is forged but will check out as valid!
![Page 19: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/19.jpg)
SHA256 MAC – length extension
Example solution:
Using https://github.com/iagox86/hash_extender we can append string '0wn3d',
$ hash_extender -d '' -s d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3 -a '0wn3d' -f sha256 -l 53
Type: sha256
Secret length: 53
New signature: 787f169dcb032ada7dbdfc7906eeccc6701f7c0cdf4ee1e09da441e9351d6f53
New string: 80000000000000000001a830776e3364
![Page 20: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/20.jpg)
SHA256 proof of work
The task was to find a string such that it’s SHA256 in
hex encoding would start with dec0de01
How to?..
Just bruteforce it!
Example string is “3928979165”
It’s sha256 in hex encoding is:
dec0de01646730a1e0f2d6d34a0833be52df6e055
2fe16f04ab66610b70321f1
![Page 21: 0xdec0de01 crypto CTF solutions](https://reader030.vdocuments.us/reader030/viewer/2022020108/5884a82b1a28ab76798b51c5/html5/thumbnails/21.jpg)
Questions and Discussion