summaryrefslogtreecommitdiff
path: root/index.html
diff options
context:
space:
mode:
authorcyfraeviolae <cyfraeviolae>2022-08-23 02:40:04 -0400
committercyfraeviolae <cyfraeviolae>2022-08-23 02:40:04 -0400
commit8595c70d789183c71dac1469eb8bd484284589c5 (patch)
tree5043f386657d0855fc12f16818d76ae8ef6b753b /index.html
init
Diffstat (limited to 'index.html')
-rw-r--r--index.html148
1 files changed, 148 insertions, 0 deletions
diff --git a/index.html b/index.html
new file mode 100644
index 0000000..7b4572b
--- /dev/null
+++ b/index.html
@@ -0,0 +1,148 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Forbidden Salamanders</title>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <link rel="stylesheet" type="text/css" href="/static/styles.css">
+ <link rel="stylesheet" type="text/css" href="/forbidden-salamanders/static/styles.css">
+ <link rel="shortcut icon" type="image/x-icon" href="/forbidden-salamanders/static/favicon.ico">
+ </head>
+ <body>
+ <div class="container">
+ <div>
+ <div class="home">
+ <a href="/forbidden-salamanders" class="home-title">Forbidden Salamanders</a>
+ <span> at </span><a href="/">cyfraeviolae.org</a>
+ </div>
+ <div class="crumbs">
+ <a href="/git/forbidden-salamanders">source code</a>
+ <span class="sep"> · </span>
+ <a href="/forbidden-salamanders/nonce-reuse">nonce reuse</a>
+ <span class="sep"> · </span>
+ <a href="/forbidden-salamanders/nonce-truncation">nonce truncation</a>
+ <span class="sep"> · </span>
+ <a href="/forbidden-salamanders/key-commitment">key commitment</a>
+ </div>
+ </div>
+ <p>
+ The FIPS-compliant sorcerer Roseacrucis uses the <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode">Advanced Encryption Standard in Galois/Counter Mode</a>
+ to correspond with his retinue. The Library&rsquo;s cryptanalysts
+ have intercepted the communication channel, but we need your
+ help to exploit their broken protocols.
+ </p>
+ <p>
+ Choose one of the following missions.
+ </p>
+ <p>
+ <strong><a href="#">Nonce reuse</a>.</strong> Due to rising entropy
+ prices, Roseacrucis has started to reuse nonces. You must perform the
+ Forbidden Attack in order to recover the authentication key and
+ forge arbitrary ciphertext.
+ </p>
+ <p>
+ <strong><a href="#">Nonce truncation</a>.</strong> The sorcerer
+ aims to conserve bandwidth by truncating nonces from twelve bytes
+ to four. Use the enemy as a decryption oracle to once again,
+ recover the authentication key and forge arbitrary ciphertext.
+ </p>
+ <p>
+ <strong><a href="#">Key commitment</a>.</strong> One of
+ our agents has infiltrated Roseacrucis&rsquo; inner circle, but all
+ secret keys are required to be surrendered to the
+ counterintelligence authority. Help her send ciphertexts to the
+ Library that decrypt to confidential information under one key, but
+ innocuous banter under another.
+ </p>
+ <br>
+ <details>
+ <summary>
+ Though it is not required to complete your missions, we now
+ review the construction of AES-GCM.
+ </summary>
+ <p>
+ AES-GCM is a block cipher that accepts a key of 16 bytes,
+ a nonce of 12 bytes, plaintext, and additional authenticated data.
+ It returns ciphertext and a message authentication code (MAC).
+ </p>
+ <p>
+ The ciphertext is computed as in <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)">counter mode</a>, whereas the MAC is computed using the algorithm GMAC.
+ </p>
+ <p>
+ Let
+ \[
+ m = \alpha^{128}+\alpha^7 + \alpha^2 + \alpha + 1
+ \]
+ \[
+ \mathbb{K} = \mathbb{F}(2^{128})/m.
+ \]
+ </p>
+ <p>
+ The finite field \(\mathbb{K}\) can be
+ interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\)
+ of degree less than \(128\). Multiplication
+ is performed modulo \(m\). This field is of characteristic 2;
+ e.g., \((\alpha^5 + \alpha+1)+(\alpha^5 + \alpha+1) = 0\).
+ </p>
+ <p>
+ We interpret 16-byte blocks as elements in \(\mathbb{K}\)
+ in little-endian bit order:
+ \[
+ b_0b_1b_2\ldots{}b_{127} \mapsto
+ b_0 + b_1\alpha + b_2\alpha^2 + \ldots + b_{127}\alpha^{127},
+ \]
+ where \(b_0\) is the least significant bit of the first byte of
+ the block.
+ </p>
+ <p>
+ 12-byte nonces are interpreted as 96-bit integers in big-endian byte order.
+ </p>
+ <p>
+ Let \(\operatorname{Byte} = [0, 2^8-1]\).
+ </p>
+ <br>
+ <div class="algorithm">
+ <p>\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)</p>
+ <ol class="algorithm-code">
+ <li>\( aad' = \operatorname{chunk}_{16}(aad, \operatorname{pad}=\mathtt{0x00}) \)</li>
+ <li>\( c' = \operatorname{chunk}_{16}(c, \operatorname{pad}=\mathtt{0x00}) \)</li>
+ <li>\( len = \operatorname{encode_{big}}(128\vert aad' \vert, 8) \mathbin\Vert \operatorname{encode_{big}}(128\vert c'\vert, 8) \)</li>
+ <li>\( blocks = aad' \mathbin\Vert c' \mathbin\Vert (len) \mathbin\Vert (s) \)</li>
+ <li>\( \operatorname{return} \sum\limits_{i=1}^{\vert blocks\vert} blocks_{\vert blocks \vert-i} h^{i-1}\)</li>
+ </ol>
+ </div>
+ <br>
+ <br>
+ <div class="algorithm">
+ <p>\(\operatorname{GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p>
+ <ol class="algorithm-code">
+ <li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES-ECB}(k, n') \)</li>
+ <li> \( c = r \oplus m \) </li>
+ <li> \( h = \operatorname{AES-ECB}(k, 0) \) </li>
+ <li> \( s = \operatorname{AES-ECB}(k, 2^{32}n + 1) \) </li>
+ <li> \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)</li>
+ </ol>
+ </div>
+ <p>
+ The authentication key \( h \) is independent of the
+ nonce \( n \). The constant term \( s \) acts as a blind to
+ hide the confidential block data in the MAC. Finally, note
+ that the polynomial computation reverses the order of the blocks.
+ </p>
+ </details>
+ <!-- <script id="MathJax-script" async src="/forbidden-salamanders/static/mathjax.js"></script> -->
+ <!-- <script type="text/x-mathjax-config"> -->
+ <!-- MathJax.Hub.Config({ TeX: { extensions: ["AMSmath.js", "AMSsymbols.js"] }}); -->
+ <!-- </script> -->
+<script>
+MathJax = {
+ tex: {
+ extensions: ["AMSmath.js", "AMSsymbols.js"]
+ }
+};
+</script>
+<script id="MathJax-script" async
+ src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js">
+</script>
+ </body>
+</html>