Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владимир Гарбуз
Vladimir Garbuz
Security Engineer at HP LM Security Center of Excellence
Walkthrough 0xDEC0DE01 cryptoCTF
Intro
What this talk is about
What this talk is NOT about
google “vladimir garbuz cryptography” for dec0de01 talk and slides with more technical details
Ok… The cryptoCTF!
Solve 5 challenges to win 10000$
well, 100.00$...
Still available at the link: http://goo.gl/tuKku7
Intro
CTF consisted of 5 tasks:
1. Poor AES-CBC cryptolocker (bruteforce)
2. Simple stream cipher (pad reuse)
3. AES-ECB encryption (data leaking)
4. SHA256 MAC (length extension attack)
5. SHA256 proof of work (bruteforce)
AES-CBC cryptolocker
2 files available:
very_bad_encryptor is VERY bad:
  Very slow (~1MB/sec)
  Can encrypt and decrypt
  Uses SHA256 hash as AES encryption key
    Hash of an 8 digit numeric user entered code…
  Uses CBC encryption mode
But how to know when the password is right?..
AES-ECB encryption
Simple stream cipher
Stream cipher basics
Sender computes Message ⊕ Keystream and sends the Ciphertext
Receiver computes Ciphertext ⊕ Keystream to get Message
In our case, the key stream was generated via Python random, initialized with constant “0xdec0de01”
Simple stream cipher
Basic vulnerabilities: key reuse
What’s so terrible about key reuse?
So we have 2 plaintexts P1 and P2, and we encrypt them separately under the same Key:
C1 = P1 ⊕ F(Key)
C2 = P2 ⊕ F(Key)
When attacker intercepts them, he can then compute:
C1 ⊕ C2 = P1 ⊕ P2
“Oh, please! How bad could that possibly be?..”
Case 1: if one of the plaintexts, e.g. P1, is known, restoring the other one is trivial
P1 ⊕ P2 ⊕ P1 = P1 ⊕ P1 ⊕ P2 = 0 ⊕ P2 = P2
Case 2: if a portion of Plaintext is known, the Keystream in corresponding position is revealed
C = P ⊕ E(Key)
C ⊕ P = E(Key)
Now, having the Keystream at some position, we can decrypt data at that position from other ciphertexts
SHA256 MAC – length extension
The task was, quote:
d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3
This is a MAC (SHA256) of a secret key concatenated with the e-mail address that you need to send your results to. The length of the key+e-mail is 53 bytes.
Your task is to add any message you want to this e-mail and compute a new SHA256 hash of it - all in such a way that your hash is identical to the MAC that I will compute from my key + your message.
As a solution for this task I expect 2 things: forged message AND its SHA256 hash.
Yes, it's that simple, but can YOU actually do it?
Breaking “key + message MAC”
What’s vulnerable?
Hash functions with Merkle–Damgård construction, e.g. MD4, MD5, RIPEMD-160, WHIRLPOOL, SHA-0, SHA-1 and even SHA-2
Doesn’t work on other constructions - SHA-3, poly1305,...
In this construction, the resulting hash is the internal state of the function at the end of computation
Which can (and will) be used as the starting state of the hash function
SHA256 MAC – length extension
Hash of k+m is actually a hash of k+m+p, where p is some necessary, but easily predictable, padding
To illustrate this:
H0(k) = Hk - here, H0 is the initial state of hash function
Hk(m) = Hkm - Hk is its state after processing k
Hkm(p) = Hkmp
Hkmp = H(k+m+p)
SHA256 MAC – length extension
Since p is predictable and end state Hkmp is known
We choose any arbitrary m´
Set the hash function’s initial state to Hkmp
And make it process the bytes of message m´
Hkmp(m´) = Hkmpm´
Curiously, this is EXACTLY what happens when you hash m+p+m´ under a known key!
Now, our hash is forged but will check out as valid!
SHA256 MAC – length extension
Example solution:
Using https://github.com/iagox86/hash_extender we can append string '0wn3d',
$ hash_extender -d '' -s d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3 -a '0wn3d' -f sha256 -l 53
Type: sha256
Secret length: 53
New signature: 787f169dcb032ada7dbdfc7906eeccc6701f7c0cdf4ee1e09da441e9351d6f53
New string: 80000000000000000001a830776e3364
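Added example, not part of the talk and not hash_extender's code: the state-resumption step described above, written out in Python so the MAC can be loaded as the SHA-256 starting state. The key and e-mail are constructed values (53 bytes together), the names compress, md_padding, extend and demo are this example's own, and demo also runs the same attempt against HMAC-SHA256, a standard keyed construction the slides do not cover, where it fails.

```python
import hashlib, hmac, struct

def _icbrt(n):                      # exact integer cube root (Newton's method)
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

# SHA-256 round constants: fractional bits of the cube roots of the first 64 primes
K = [_icbrt(p << 96) & 0xffffffff for p in range(2, 312) if all(p % d for d in range(2, p))]

def _r(x, n):                       # 32-bit rotate right
    return ((x >> n) | (x << (32 - n))) & 0xffffffff

def compress(state, block):         # one SHA-256 compression step on a 64-byte block
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _r(w[i-15], 7) ^ _r(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = _r(w[i-2], 17) ^ _r(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & 0xffffffff)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = h + (_r(e, 6) ^ _r(e, 11) ^ _r(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]
        t2 = (_r(a, 2) ^ _r(a, 13) ^ _r(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))
        a, b, c, d, e, f, g, h = (t1 + t2) & 0xffffffff, a, b, c, (d + t1) & 0xffffffff, e, f, g
    return [(x + y) & 0xffffffff for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def md_padding(n):                  # the padding p appended to an n-byte input
    return b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack(">Q", n * 8)

def extend(mac_hex, known_len, suffix):
    """Return (p + m', new hash) given only H(k+m) and len(k+m)."""
    state = list(struct.unpack(">8I", bytes.fromhex(mac_hex)))   # resume from Hkmp
    glue = md_padding(known_len)
    tail = suffix + md_padding(known_len + len(glue) + len(suffix))
    for i in range(0, len(tail), 64):
        state = compress(state, tail[i:i + 64])
    return glue + suffix, struct.pack(">8I", *state).hex()

def demo():
    key, msg = b"K" * 33, b"results@example.test"   # constructed values, 53 bytes together
    ext, forged = extend(hashlib.sha256(key + msg).hexdigest(), 53, b"0wn3d")
    naive_ok = hashlib.sha256(key + msg + ext).hexdigest() == forged      # verifier accepts
    ext2, forged2 = extend(hmac.new(key, msg, "sha256").hexdigest(), 53, b"0wn3d")
    hmac_ok = hmac.compare_digest(hmac.new(key, msg + ext2, "sha256").hexdigest(), forged2)
    return naive_ok, hmac_ok, ext.hex()
```

demo() returns whether the plain SHA256(key + message) verifier accepts the extended message, whether an HMAC verifier accepts the same trick, and the hex of the bytes appended after the original message.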
SHA256 proof of work
The task was to find a string such that its SHA256 in hex encoding would start with dec0de01
How to?.. Just bruteforce it!
Example string is “3928979165”
Its sha256 in hex encoding is: dec0de01646730a1e0f2d6d34a0833be52df6e0552fe16f04ab66610b70321f1
Questions and Discussion