init

1 files changed, 148 insertions, 0 deletions

diff --git a/index.html b/index.html
new file mode 100644
index 0000000..7b4572b
--- /dev/null
+++ b/index.html
@@ -0,0 +1,148 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Forbidden Salamanders</title>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" type="text/css" href="/static/styles.css">
+    <link rel="stylesheet" type="text/css" href="/forbidden-salamanders/static/styles.css">
+    <link rel="shortcut icon" type="image/x-icon" href="/forbidden-salamanders/static/favicon.ico">
+  </head>
+  <body>
+	<div class="container">
+        <div>
+            <div class="home">
+                <a href="/forbidden-salamanders" class="home-title">Forbidden Salamanders</a>
+                <span> at </span><a href="/">cyfraeviolae.org</a>
+            </div>
+            <div class="crumbs">
+                <a href="/git/forbidden-salamanders">source code</a>
+                <span class="sep"> · </span>
+                <a href="/forbidden-salamanders/nonce-reuse">nonce reuse</a>
+                <span class="sep"> · </span>
+                <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a>
+                <span class="sep"> · </span>
+                <a href="/forbidden-salamanders/key-commitment">key commitment</a>
+            </div>
+        </div>
+		<p>
+            The FIPS-compliant sorcerer Roseacrucis uses the <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode">Advanced Encryption Standard in Galois/Counter Mode</a>
+            to correspond with his retinue. The Library&rsquo;s cryptanalysts
+            have intercepted the communication channel, but we need your
+            help to exploit their broken protocols.
+		</p>
+		<p>
+			Choose one of the following missions.
+		</p>
+        <p>
+            <strong><a href="#">Nonce reuse</a>.</strong> Due to rising entropy
+            prices, Roseacrucis has started to reuse nonces. You must perform the
+            Forbidden Attack in order to recover the authentication key and
+            forge arbitrary ciphertext.
+        </p>
+        <p>
+            <strong><a href="#">Nonce truncation</a>.</strong> The sorcerer
+            aims to conserve bandwidth by truncating nonces from twelve bytes
+            to four. Use the enemy as a decryption oracle to once again,
+            recover the authentication key and forge arbitrary ciphertext.
+        </p>
+        <p>
+            <strong><a href="#">Key commitment</a>.</strong> One of
+			our agents has infiltrated Roseacrucis&rsquo; inner circle, but all
+			secret keys are required to be surrendered to the
+			counterintelligence authority. Help her send ciphertexts to the
+			Library that decrypt to confidential information under one key, but
+			innocuous banter under another.
+        </p>
+        <br>
+		<details>
+			<summary>
+                Though it is not required to complete your missions, we now
+                review the construction of AES-GCM.
+			</summary>
+            <p>
+                AES-GCM is a block cipher that accepts a key of 16 bytes,
+                a nonce of 12 bytes, plaintext, and additional authenticated data.
+                It returns ciphertext and a message authentication code (MAC).
+            </p>
+            <p>
+                The ciphertext is computed as in <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)">counter mode</a>, whereas the MAC is computed using the algorithm GMAC.
+            </p>
+			<p>
+				Let
+				\[
+					m = \alpha^{128}+\alpha^7 + \alpha^2 + \alpha + 1
+				\]
+				\[
+					\mathbb{K} = \mathbb{F}(2^{128})/m.
+				\]
+			</p>
+			<p>
+				The finite field \(\mathbb{K}\) can be
+				interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\)
+				of degree less than \(128\). Multiplication
+				is performed modulo \(m\). This field is of characteristic 2;
+				e.g., \((\alpha^5 + \alpha+1)+(\alpha^5 + \alpha+1) = 0\).
+			</p>
+			<p>
+				We interpret 16-byte blocks as elements in \(\mathbb{K}\)
+				in little-endian bit order:
+                \[
+				b_0b_1b_2\ldots{}b_{127} \mapsto
+                b_0 + b_1\alpha + b_2\alpha^2 + \ldots + b_{127}\alpha^{127},
+                \]
+				where \(b_0\) is the least significant bit of the first byte of
+				the block.
+			</p>
+			<p>
+				12-byte nonces are interpreted as 96-bit integers in big-endian byte order.
+			</p>
+            <p>
+                Let \(\operatorname{Byte} = [0, 2^8-1]\).
+            </p>
+			<br>
+			<div class="algorithm">
+                <p>\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)</p>
+				<ol class="algorithm-code">
+                    <li>\( aad' = \operatorname{chunk}_{16}(aad, \operatorname{pad}=\mathtt{0x00}) \)</li>
+                    <li>\( c' = \operatorname{chunk}_{16}(c, \operatorname{pad}=\mathtt{0x00}) \)</li>
+					<li>\( len = \operatorname{encode_{big}}(128\vert aad' \vert, 8) \mathbin\Vert \operatorname{encode_{big}}(128\vert c'\vert, 8) \)</li>
+					<li>\( blocks = aad' \mathbin\Vert c' \mathbin\Vert (len) \mathbin\Vert (s) \)</li>
+					<li>\( \operatorname{return} \sum\limits_{i=1}^{\vert blocks\vert} blocks_{\vert blocks \vert-i} h^{i-1}\)</li>
+				</ol>
+			</div>
+			<br>
+			<br>
+			<div class="algorithm">
+                <p>\(\operatorname{GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p>
+				<ol class="algorithm-code">
+					<li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES-ECB}(k, n') \)</li>
+					<li> \( c = r \oplus m \) </li>
+					<li> \( h = \operatorname{AES-ECB}(k, 0) \) </li>
+					<li> \( s = \operatorname{AES-ECB}(k, 2^{32}n + 1) \) </li>
+					<li> \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)</li>
+				</ol>
+			</div>
+            <p>
+                The authentication key \( h \) is independent of the
+                nonce \( n \). The constant term \( s \) acts as a blind to
+                hide the confidential block data in the MAC. Finally, note
+                that the polynomial computation reverses the order of the blocks.
+            </p>
+		</details>
+    <!-- <script id="MathJax-script" async src="/forbidden-salamanders/static/mathjax.js"></script> -->
+	<!-- <script type="text/x-mathjax-config"> -->
+	  <!-- MathJax.Hub.Config({ TeX: { extensions: ["AMSmath.js", "AMSsymbols.js"] }}); -->
+	<!-- </script> -->
+<script>
+MathJax = {
+  tex: {
+		extensions: ["AMSmath.js", "AMSsymbols.js"]
+  }
+};
+</script>
+<script id="MathJax-script" async
+  src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js">
+</script>
+  </body>
+</html>