Upload
vladimir-garbuz
View
220
Download
1
Embed Size (px)
Citation preview
Vladimir Garbuz
Security Engineer at HP LM Security Center of Excellence
Walkthrough 0xDEC0DE01 cryptoCTF
Intro
What this talk is about
What this talk is NOT about
google “vladimir garbuz cryptography” for
dec0de01 talk and slides with more technical details
Ok… The cryptoCTF!
solve 5 challenges to win 10000$
well, 100.00$...
Still available at the link: http://goo.gl/tuKku7
Intro
CTF consisted of 5 tasks:
1. Poor AES-CBC cryptolocker (bruteforce)
2. Simple stream cipher (pad reuse)
3. AES-ECB encryption (data leaking)
4. SHA256 MAC (length extension attack)
5. SHA256 proof of work (bruteforce)
AES-CBC cryptolocker
2 files available:
very_bad_encryptor is VERY bad:
Very slow (~1MB/sec)
Can encrypt and decrypt
Uses SHA256 hash as AES encryption key
Hash of a 8 digit numeric user entered code…
Uses CBC encryption mode
AES-CBC cryptolocker
AES-CBC cryptolocker
But how to know when the password is right?..
AES-CBC cryptolocker
AES-ECB encryption
AES-ECB encryption
Simple stream cipher
Stream cipher basics
Sender computes Message ⊕ Keystream and sends the
Ciphertext
Receiver computes Ciphertext⊕ Keystream to get
Message
In our case, the key stream was generated via Python
random, initialized with constant “0xdec0de01”
Simple stream cipher
Basic vulnerabilities: key reuse
What’s so terrible about key reuse?
So we have 2 plaintexts P1 and P2, and we encrypt
them separately under the same Key:
C1=P1⊕F(Key)
C2=P2⊕F(Key)
When attacker intercepts them, he can then compute:
C1⊕C2=P1⊕P2
“Oh, please! How bad could that possibly be?..”
Simple stream cipher
Basic vulnerabilities: key reuse
Simple stream cipher
Basic vulnerabilities: key reuse
Case 1: if one of the plaintexts, e.g. P1, is known,
restoring the other one is trivial
P1⊕P2⊕P1 = P1⊕P1⊕P2 = 0⊕P2 = P2
Case 2: if a portion of Plaintext is known, the
Keystream in corresponding position is revealed
C = P⊕E(Key) C⊕P = E(Key)
Now, having the Keystream at some position, we can
decrypt data at that position from other ciphertexts
Simple stream cipher
SHA256 MAC – length extension
The task was, quote:
d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3
This is a MAC (SHA256) of a secret key concatenated with the e-mail address
that you need to send your results to. The length of the key+e-mail is 53 bytes.
Your task is to add any message you want to this e-mail and compute a new
SHA256 hash of it - all in such a way that your hash is identical to the MAC that
I will compute from my key + your message.
As a solution for this task I expect 2 things: forged message AND it's SHA256 hash.
Yes, it's that simple, but can YOU actually do it?
SHA256 MAC – length extension
Breaking “key + message MAC”
What’s vulnerable?
Hash functions with Merkle–Damgård construction, e.g.
MD4, MD5, RIPEMD-160, WHIRLPOOL, SHA-0, SHA-1
and even SHA-2
Doesn’t work on other constructions - SHA-3, poly1305,...
In this construction, the resulting hash is the internal
state of the function at the end of computation
Which can (and will ) be used as the starting state of
the hash function
SHA256 MAC – length extension
Hash of k+m is actually a hash of k+m+p, where p
is some necessary, but easily predictable, padding
To illustrate this:
H0(k) = Hk - here, H0 is the initial state of hash function
Hk(m) = Hkm - Hk is its state after processing k
Hkm (p) = Hkmp
Hkmp = H(k+m+p)
SHA256 MAC – length extension
Since p is predictable and end state Hkmp is known
We chose any arbitrary m´
Set the hash function’s initial state to Hkmp
And make it process the bytes of message m´
Hkmp(m´) = Hkmpm´
Curiously, this is EXACTLY what happens when you
hash m+p+m´ under a known key!
Now, our hash is forged but will check out as valid!
SHA256 MAC – length extension
Example solution:
Using https://github.com/iagox86/hash_extender we can append string '0wn3d',
$ hash_extender -d '' -s d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3 -a '0wn3d' -f sha256 -l 53
Type: sha256
Secret length: 53
New signature: 787f169dcb032ada7dbdfc7906eeccc6701f7c0cdf4ee1e09da441e9351d6f53
New string: 80000000000000000001a830776e3364
SHA256 proof of work
The task was to find a string such that it’s SHA256 in
hex encoding would start with dec0de01
How to?..
Just bruteforce it!
Example string is “3928979165”
It’s sha256 in hex encoding is:
dec0de01646730a1e0f2d6d34a0833be52df6e055
2fe16f04ab66610b70321f1
Questions and Discussion