0xdec0de01 crypto CTF solutions

Vladimir Garbuz

Security Engineer at HP LM Security Center of Excellence

Walkthrough 0xDEC0DE01 cryptoCTF

Intro

What this talk is about

What this talk is NOT about

google “vladimir garbuz cryptography” for

dec0de01 talk and slides with more technical details

Ok… The cryptoCTF!

solve 5 challenges to win 10000$

well, 100.00$...

Still available at the link: http://goo.gl/tuKku7

http://goo.gl/tuKku7

Intro

CTF consisted of 5 tasks:

1. Poor AES-CBC cryptolocker (bruteforce)

2. Simple stream cipher (pad reuse)

3. AES-ECB encryption (data leaking)

4. SHA256 MAC (length extension attack)

5. SHA256 proof of work (bruteforce)

AES-CBC cryptolocker

2 files available:

very_bad_encryptor is VERY bad:

Very slow (~1MB/sec)

Can encrypt and decrypt

Uses SHA256 hash as AES encryption key

Hash of a 8 digit numeric user entered code…

Uses CBC encryption mode



But how to know when the password is right?..


AES-ECB encryption

AES-ECB encryption

Simple stream cipher

Stream cipher basics

Sender computes Message ⊕ Keystream and sends the

Ciphertext

Receiver computes Ciphertext⊕ Keystream to get

Message

In our case, the key stream was generated via Python

random, initialized with constant “0xdec0de01”


Basic vulnerabilities: key reuse

What’s so terrible about key reuse?

So we have 2 plaintexts P1 and P2, and we encrypt

them separately under the same Key:

C1=P1⊕F(Key)

C2=P2⊕F(Key)

When attacker intercepts them, he can then compute:

C1⊕C2=P1⊕P2

“Oh, please! How bad could that possibly be?..”





Case 1: if one of the plaintexts, e.g. P1, is known,

restoring the other one is trivial

P1⊕P2⊕P1 = P1⊕P1⊕P2 = 0⊕P2 = P2

Case 2: if a portion of Plaintext is known, the

Keystream in corresponding position is revealed

C = P⊕E(Key) C⊕P = E(Key)

Now, having the Keystream at some position, we can

decrypt data at that position from other ciphertexts


SHA256 MAC – length extension

The task was, quote:

d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3

This is a MAC (SHA256) of a secret key concatenated with the e-mail address

that you need to send your results to. The length of the key+e-mail is 53 bytes.

Your task is to add any message you want to this e-mail and compute a new

SHA256 hash of it - all in such a way that your hash is identical to the MAC that

I will compute from my key + your message.

As a solution for this task I expect 2 things: forged message AND it's SHA256 hash.

Yes, it's that simple, but can YOU actually do it?


Breaking “key + message MAC”

What’s vulnerable?

Hash functions with Merkle–Damgård construction, e.g.

MD4, MD5, RIPEMD-160, WHIRLPOOL, SHA-0, SHA-1

and even SHA-2

Doesn’t work on other constructions - SHA-3, poly1305,...

In this construction, the resulting hash is the internal

state of the function at the end of computation

Which can (and will ) be used as the starting state of

the hash function


Hash of k+m is actually a hash of k+m+p, where p

is some necessary, but easily predictable, padding

To illustrate this:

H0(k) = Hk - here, H0 is the initial state of hash function

Hk(m) = Hkm - Hk is its state after processing k

Hkm (p) = Hkmp

Hkmp = H(k+m+p)


Since p is predictable and end state Hkmp is known

We chose any arbitrary m´

Set the hash function’s initial state to Hkmp

And make it process the bytes of message m´

Hkmp(m´) = Hkmpm´

Curiously, this is EXACTLY what happens when you

hash m+p+m´ under a known key!

Now, our hash is forged but will check out as valid!


Example solution:

Using https://github.com/iagox86/hash_extender we can append string '0wn3d',

$ hash_extender -d '' -s d60d6d39c50b85f8a080ab510c2f3402c34ffc8cf09f9f3bfc7fc218d77bb5a3 -a '0wn3d' -f sha256 -l 53

Type: sha256

Secret length: 53

New signature: 787f169dcb032ada7dbdfc7906eeccc6701f7c0cdf4ee1e09da441e9351d6f53

New string: 80000000000000000001a830776e3364

https://github.com/iagox86/hash_extender

SHA256 proof of work

The task was to find a string such that it’s SHA256 in

hex encoding would start with dec0de01

How to?..

Just bruteforce it!

Example string is “3928979165”

It’s sha256 in hex encoding is:

dec0de01646730a1e0f2d6d34a0833be52df6e055

2fe16f04ab66610b70321f1

Questions and Discussion

Software

0xdec0de01 crypto CTF solutions