author | cyfraeviolae <cyfraeviolae> | 2022-08-30 02:00:05 -0400 |
---|---|---|
committer | cyfraeviolae <cyfraeviolae> | 2022-08-30 02:00:05 -0400 |
commit | c14d12e6bc997a1aa4d6ed8bde90c8dc9659f3a5 (patch) | |
tree | 04bb03a71fcbd123fe635dd12fb37c069026b176 | |
parent | f41d5f84468603f1468565369d75897737baa33c (diff) |
pdf pdf
-rw-r--r-- | aesgcmanalysis.py | 63 | ||||
-rw-r--r-- | static/ashbery.pdf | bin | 0 -> 47552 bytes | |||
-rw-r--r-- | static/bishop.pdf | bin | 0 -> 46289 bytes |
3 files changed, 45 insertions, 18 deletions
diff --git a/aesgcmanalysis.py b/aesgcmanalysis.py index b73960e..12442c1 100644 --- a/aesgcmanalysis.py +++ b/aesgcmanalysis.py @@ -1,5 +1,5 @@ from binascii import unhexlify -import random, struct, hmac, itertools, math +import random, struct, hmac, itertools, math, secrets from Crypto.Cipher import AES import cryptography from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes @@ -746,15 +746,14 @@ def mac_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle, compu # Key Commitment Attack -def gmac_blind(k, nonce): - return bytes_to_gf128(ecb_encrypt(k, nonce + b'\x00\x00\x00\x01')) def encode_lengths(ad_length, ct_length): return struct.pack('>QQ', ad_length*8, ct_length*8) + def collide(k1, k2, nonce, c): - h1 = gmac_key(k1) - h2 = gmac_key(k2) - p1 = gmac_blind(k1, nonce) - p2 = gmac_blind(k2, nonce) + h1 = authentication_key(k1) + h2 = authentication_key(k2) + p1 = blind(k1, nonce) + p2 = blind(k2, nonce) assert len(c) % 16 == 0 mlen = len(c)//16+1 lens = bytes_to_gf128(encode_lengths(0, len(c) + 16)) 
@@ -783,22 +782,13 @@ def collide_penultimate(k1, k2, nonce, c):
     h1Running = gf128_exp(h1, 4)
     h2Running = gf128_exp(h2, 4)
     for i in reversed(range(0, mlen-2)):
-        # print(mlen+1-(i))
-        # i = mlen-2-1-i
         hi = gf128_add(h1Running, h2Running)
         h1Running = gf128_mul(h1Running, h1)
         h2Running = gf128_mul(h2Running, h2)
         n+=1
-        # hi = gf128_add(gf128_exp(h1, mlen+1-i), gf128_exp(h2, mlen+1-i))
-        #print('block', i, pt[i*16:(i+1)*16], 'exp', mlen+1-i)
         acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
-    # for i in range(0, mlen-2):
-    # print(i,mlen+1-i)
-    # hi = gf128_add(gf128_exp(h1, mlen+1-i), gf128_exp(h2, mlen+1-i))
-    # acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
     hi = gf128_add(gf128_exp(h1, 2), gf128_exp(h2, 2))
     i = mlen-1
-    #print('block', i, pt[i*16:(i+1)*16], 'exp', 2)
     acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
     inv = gf128_inv(gf128_add(gf128_exp(h1, 3), gf128_exp(h2, 3)))
     c_append = gf128_mul(acc, inv)
@@ -811,7 +801,7 @@ def gctr_oneblock(k, pt, nonce):
     stream = ecb_encrypt(k, enckeyval)
     return xor(pt, stream)
 
-def key_search(nonce, init_bytes1, init_bytes2):
+def key_search_jpg_bmp(nonce, init_bytes1, init_bytes2):
     seen1 = dict()
     seen2 = dict()
     while True:
@@ -827,7 +817,7 @@ def key_search(nonce, init_bytes1, init_bytes2):
     return seen1[ct2], k2
 
 def att_merge_jpg_bmp(jpg, bmp, aad):
-    # Precomputed with key_search; works for any files
+    # Precomputed with key_search_jpg_bmp; works for any files
     k1 = unhexlify('8007941455b5af579bb12fff92ef31a3')
     k2 = unhexlify('14ef746e8b1792e52b1d22ef124fae97')
     nonce = b'JORGELBORGES'
@@ -865,6 +855,43 @@ def att_merge_jpg_bmp(jpg, bmp, aad): return cfin, macfin +def key_search_pdf_pdf(): + a = ''' + %PDF-1.7 + %µ¶ + + 0 0 obj + <<>> + stream + '''.strip().encode('utf-8') + nonce = b'JORGELBORGES' + k1 = secrets.token_bytes(16) + m1 = a + b'\x0a' + c1 = gctr(k1, nonce, m1) + while True: + k2 = secrets.token_bytes(16) + m2 = gctr(k2, nonce, c1) + if m2[0] == b'%'[0] and b'\x0a' not in m2[:-1] and m2[-1] == b'\x0a'[0]: + return k1, k2, nonce, c1 + +def att_merge_pdf_pdf(pdf1, pdf2, aad): + # precomputed with key_search_pdf_pdf + k1 = binascii.unhexlify('c94a4dbd95faf02bdc0c39e0c0984299') + k2 = binascii.unhexlify('e4d26cdfbc732473103a5a887a755e19') + nonce = binascii.unhexlify('4a4f5247454c424f52474553') + r = binascii.unhexlify('ade70922bef96292d1b7d39d53140ed2229a6819eebe86f5a536ad7da256679ae12b88a8bbfad501') + + N = len(pdf1) + len(pdf2) + 1000 + pdf1stream = gctr(k1, nonce, b'\x00'*N) + pdf2stream = gctr(k2, nonce, b'\x00'*N) + + r += xor(pdf2, pdf2stream[len(r):]) + r += xor(b"\x0aendstream\x0aendobj\x0a", pdf1stream[len(r):]) + r += xor(pdf1, pdf1stream[len(r):]) + r += b'\x00' * (16 - (len(r) % 16)) + + return collide(k1, k2, nonce, r) + # Demos def forbidden_attack_demo(): diff --git a/static/ashbery.pdf b/static/ashbery.pdf Binary files differnew file mode 100644 index 0000000..b03dbcd --- /dev/null +++ b/static/ashbery.pdf diff --git a/static/bishop.pdf b/static/bishop.pdf Binary files differnew file mode 100644 index 0000000..16779ec --- /dev/null +++ b/static/bishop.pdf |
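Review bot: The four constant lines in `att_merge_pdf_pdf` call `binascii.unhexlify(...)`, but the import hunk at the top of this diff only shows `from binascii import unhexlify` and the sibling `att_merge_jpg_bmp` uses bare `unhexlify(...)`, so unless `import binascii` exists somewhere outside this diff these lines raise NameError on first call; writing them as `k1 = unhexlify('c94a4dbd95faf02bdc0c39e0c0984299')` (and likewise for `k2`, `nonce`, `r`) is both safe and consistent. The `aad` parameter of `att_merge_pdf_pdf` is accepted but never used: `collide(k1, k2, nonce, r)` takes no AAD and, per the -746 hunk, computes its length block with `encode_lengths(0, ...)`, so the comment should state that the returned tag is only valid for empty AAD, or the parameter should be dropped. The padding line `r += b'\x00' * (16 - (len(r) % 16))` appends a whole extra zero block when `len(r)` is already a multiple of 16; `r += b'\x00' * (-len(r) % 16)` pads only when needed. Both new functions lack a docstring — for `key_search_pdf_pdf` something like `"""Find (k1, k2, nonce, c1): c1 encrypts the PDF header m1 under k1 and decrypts under k2 to a single line that starts with b'%' and ends with a newline."""` captures what the loop condition checks.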