Anzeige
Check these out next
0xdec0de01 crypto CTF solutions
20. Mar 2016•0 gefällt mir•1,765 Aufrufe
2 gefällt mir
Sei der Erste, dem dies gefällt
Mehr anzeigen
Aufrufe
Aufrufe insgesamt
0
Auf Slideshare
0
Aus Einbettungen
0
Anzahl der Einbettungen
0
Downloaden Sie, um offline zu lesen
Melden
Software
Walk-through for the tasks of 0xdec0de01 cryptographic CTF.
Vlad GarbuzFolgen
Anzeige
Anzeige
Anzeige
Recomendados
Investment basics wayne lippmanWayne Lippman
健保實務達人10409nhi111
Dr. Andrew W. Lo - Adaptive Markets: Financial Evolution and the Speed of Tho...GeoInvesting LLC
NINE TRACKS IN THE MULTI-TRACK SYSTEMMuhammad Syukhri Shafee
台灣的環境特色mcvsgeo
State Of Security In Kenya - 2012 PresentationWorld Agroforestry (ICRAF)
0xdec0de01 crypto CTF solutions
- Vladimir Garbuz Security Engineer at HP LM Security Center of Excellence Walkthrough 0xDEC0DE01 cryptoCTF
- Intro What this talk is about What this talk is NOT about google “vladimir garbuz cryptography” for dec0de01 talk and slides with more technical details Ok… The cryptoCTF! solve 5 challenges to win 10000$ well, 100.00$... Still available at the link: http://goo.gl/tuKku7
- Intro CTF consisted of 5 tasks: 1. Poor AES-CBC cryptolocker (bruteforce) 2. Simple stream cipher (pad reuse) 3. AES-ECB encryption (data leaking) 4. SHA256 MAC (length extension attack) 5. SHA256 proof of work (bruteforce)
- AES-CBC cryptolocker 2 files available: very_bad_encryptor is VERY bad: Very slow (~1MB/sec) Can encrypt and decrypt Uses SHA256 hash as AES encryption key Hash of a 8 digit numeric user entered code… Uses CBC encryption mode
- AES-CBC cryptolocker
- AES-CBC cryptolocker But how to know when the password is right?..
- AES-CBC cryptolocker
- AES-ECB encryption
- AES-ECB encryption
- Simple stream cipher Stream cipher basics Sender computes Message ⊕ Keystream and sends the Ciphertext Receiver computes Ciphertext ⊕ Keystream to get Message In our case, the key stream was generated via Python random, initialized with constant “0xdec0de01”
- Simple stream cipher Basic vulnerabilities: key reuse What’s so terrible about key reuse? So we have 2 plaintexts P1 and P2, and we encrypt them separately under the same Key: C1=P1⊕F(Key) C2=P2⊕F(Key) When attacker intercepts them, he can then compute: C1⊕C2=P1⊕P2 “Oh, please! How bad could that possibly be?..”
- Simple stream cipher Basic vulnerabilities: key reuse
- Simple stream cipher Basic vulnerabilities: key reuse Case 1: if one of the plaintexts, e.g. P1, is known, restoring the other one is trivial P1⊕P2⊕P1 = P1⊕P1⊕P2 = 0⊕P2 = P2 Case 2: if a portion of Plaintext is known, the Keystream in corresponding position is revealed C = P⊕E(Key) C⊕P = E(Key) Now, having the Keystream at some position, we can decrypt data at that position from other ciphertexts
- Simple stream cipher
- SHA256 MAC – length extension The task was, quote: d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3 This is a MAC (SHA256) of a secret key concatenated with the e-mail address that you need to send your results to. The length of the key+e-mail is 53 bytes. Your task is to add any message you want to this e-mail and compute a new SHA256 hash of it - all in such a way that your hash is identical to the MAC that I will compute from my key + your message. As a solution for this task I expect 2 things: forged message AND it's SHA256 hash. Yes, it's that simple, but can YOU actually do it?
- SHA256 MAC – length extension Breaking “key + message MAC” What’s vulnerable? Hash functions with Merkle–Damgård construction, e.g. MD4, MD5, RIPEMD-160, WHIRLPOOL, SHA-0, SHA-1 and even SHA-2 Doesn’t work on other constructions - SHA-3, poly1305,... In this construction, the resulting hash is the internal state of the function at the end of computation Which can (and will ) be used as the starting state of the hash function
- SHA256 MAC – length extension Hash of k+m is actually a hash of k+m+p, where p is some necessary, but easily predictable, padding To illustrate this: H0(k) = Hk - here, H0 is the initial state of hash function Hk(m) = Hkm - Hk is its state after processing k Hkm (p) = Hkmp Hkmp = H(k+m+p)
- SHA256 MAC – length extension Since p is predictable and end state Hkmp is known We chose any arbitrary m´ Set the hash function’s initial state to Hkmp And make it process the bytes of message m´ Hkmp(m´) = Hkmpm´ Curiously, this is EXACTLY what happens when you hash m+p+m´ under a known key! Now, our hash is forged but will check out as valid!
- SHA256 MAC – length extension Example solution: Using https://github.com/iagox86/hash_extender we can append string '0wn3d', $ hash_extender -d '' -s d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d7 7bb5a3 -a '0wn3d' -f sha256 -l 53 Type: sha256 Secret length: 53 New signature: 787f169dcb032ada7dbdfc7906eeccc6701f7c0cdf4ee1e09da441e93 51d6f53 New string: 80000000000000000001a830776e3364
- SHA256 proof of work The task was to find a string such that it’s SHA256 in hex encoding would start with dec0de01 How to?.. Just bruteforce it! Example string is “3928979165” It’s sha256 in hex encoding is: dec0de01646730a1e0f2d6d34a0833be52df6e055 2fe16f04ab66610b70321f1
- Questions and Discussion
Anzeige