author | cyfraeviolae <cyfraeviolae> | 2022-08-24 16:21:17 -0400 |
---|---|---|
committer | cyfraeviolae <cyfraeviolae> | 2022-08-24 16:21:17 -0400 |
commit | 7872bbcaf421bbb2fd3ab5fb1283e9cb8282a02f (patch) | |
tree | 0505be1597733b12825096c5437c2aa9a55d070a | |
parent | f649ba59fe194ef169881579138023ec1493a254 (diff) |
work
-rw-r--r-- | templates/index.html | 13
-rw-r--r-- | templates/nonce-reuse.html | 23
2 files changed, 24 insertions, 12 deletions
diff --git a/templates/index.html b/templates/index.html index fdcddd8..baf6a6d 100644 --- a/templates/index.html +++ b/templates/index.html @@ -18,11 +18,13 @@ <div class="crumbs"> <a href="/git/forbidden-salamanders">source code</a> <span class="sep"> · </span> - <a href="/forbidden-salamanders/nonce-reuse">aes-gcm nonce reuse</a> + <a href="/forbidden-salamanders/nonce-reuse">nonce reuse</a> + <!-- <span class="sep"> · </span> - <a href="/forbidden-salamanders/nonce-truncation">aes-gcm nonce truncation</a> + <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a> <span class="sep"> · </span> - <a href="/forbidden-salamanders/key-commitment">aes-gcm key commitment</a> + <a href="/forbidden-salamanders/key-commitment">key commitment</a> + --> </div> </div> <p> @@ -37,9 +39,10 @@ <p> <strong><a href="/forbidden-salamanders/nonce-reuse">Nonce reuse</a>.</strong> Due to rising entropy prices, Roseacrucis has - started to reuse nonces. You must perform the Forbidden Attack in order to + started to reuse AES-GCM nonces. You must perform the Forbidden Attack in order to recover the authentication key and forge arbitrary ciphertext. </p> + <!-- <p> <strong><a href="#">Nonce truncation</a>.</strong> The sorcerer aims to conserve bandwidth by truncating nonces from twelve bytes @@ -54,6 +57,7 @@ Library that decrypt to confidential information under one key, but innocuous banter under another. </p> + --> <br> <details> <summary> @@ -64,6 +68,7 @@ AES-GCM is a block cipher that accepts a key of 16 bytes, a nonce of 12 bytes, plaintext, and additional authenticated data. It returns ciphertext and a message authentication code (MAC). + The construction is <a href="https://csrc.nist.gov/publications/detail/sp/800-38d/final">specified by NIST</a>. </p> <p> The ciphertext is computed as in <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)">counter mode</a>, whereas the MAC is computed using the algorithm GMAC. 
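Review bot: in the first hunk (the `crumbs` block) the two navigation links are hidden with an HTML comment instead of being removed, so `/forbidden-salamanders/nonce-truncation` and `/forbidden-salamanders/key-commitment` still ship in the page source to every visitor; if those routes are not ready, delete the lines or gate them with the template engine's conditional so the markup is never emitted. Retitling the links inside the comment (`nonce truncation`, `key commitment`) has no visible effect until the comment is lifted, so that rename belongs in the commit that re-enables them.

Review bot: in the last hunk the added sentence cites SP 800-38D, but the unchanged context it follows says "AES-GCM is a block cipher that accepts a key of 16 bytes, a nonce of 12 bytes", which the cited spec does not support: GCM is a mode of operation over the AES block cipher, takes AES keys of 16, 24 or 32 bytes, and accepts IVs of any length from 1 to 2^64-1 bits, with 96 bits only the recommended default. Since the site's own nonce-truncation page depends on nonces shorter than 12 bytes being accepted, suggest rewording the context to something like "AES-GCM is an authenticated-encryption mode of the AES block cipher; with AES-128 it takes a 16-byte key and, by default, a 12-byte nonce" before pointing at the spec.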
diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html index 2637d50..e60cc95 100644 --- a/templates/nonce-reuse.html +++ b/templates/nonce-reuse.html @@ -18,16 +18,18 @@ <div class="crumbs"> <a href="/git/forbidden-salamanders">source code</a> <span class="sep"> · </span> - <a href="/forbidden-salamanders/nonce-reuse"><strong>aes-gcm nonce reuse</strong></a> + <a href="/forbidden-salamanders/nonce-reuse"><strong>nonce reuse</strong></a> + <!-- <span class="sep"> · </span> - <a href="/forbidden-salamanders/nonce-truncation">aes-gcm nonce truncation</a> + <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a> <span class="sep"> · </span> - <a href="/forbidden-salamanders/key-commitment">aes-gcm key commitment</a> + <a href="/forbidden-salamanders/key-commitment">key commitment</a> + --> </div> </div> <p> <strong>Nonce reuse.</strong> Due to rising entropy - prices, Roseacrucis has started to reuse nonces. You must perform the + prices, Roseacrucis has started to reuse AES-GCM nonces. You must perform the Forbidden Attack in order to recover the authentication key and forge arbitrary ciphertext. </p> @@ -160,10 +162,15 @@ polynomial</a>. </p> <p> - We plug \(h\) back into the first equation to recover \(s\), - and finally, we can forge the MAC for arbitary ciphertext under the - same nonce. Note that there may be multiple possible monomial roots; - in this case, one can check each possibility online. + We plug \(h\) back into the first equation to recover \(s\), and we + can forge the MAC for arbitary ciphertext under the same nonce. + Note that there may be multiple possible monomial roots; in this + case, one can check each possibility against the enemy. + </p> + <p> + Readers who wish to implement this attack themselves can try + <a href="https://cryptopals.com/">Cryptopals</a>; specifically + Set 8 Problem 62. </p> </details> <details> |
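Review bot: the `crumbs` hunk repeats the comment-out pattern from templates/index.html: the hidden hrefs remain readable in the served HTML and the link text renamed inside the comment has no effect; remove the lines or gate them in the template rather than commenting them out.

Review bot: in the last hunk the typo "arbitary" is carried over into the rewritten line ("forge the MAC for arbitary ciphertext"); since the line is being touched anyway, change it to "arbitrary". The Cryptopals pointer also looks off by one: in the Set 8 numbering, problem 62 is the ECDSA biased-nonce key-recovery attack, while the repeated-nonce GCM attack this page describes is problem 63 ("Key-Recovery Attacks on GCM with Repeated Nonces"); please verify against cryptopals.com before merging. Finally, replacing "one can check each possibility online" with "against the enemy" loses the concrete meaning: the candidate roots for \(h\) are disambiguated by submitting a forgery computed under each candidate and seeing which one the recipient accepts, so consider keeping that detail, e.g. "by submitting a forgery under each candidate and seeing which is accepted".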