summaryrefslogtreecommitdiff
path: root/templates
diff options
context:
space:
mode:
authorcyfraeviolae <cyfraeviolae>2022-08-31 00:03:26 -0400
committercyfraeviolae <cyfraeviolae>2022-08-31 00:03:26 -0400
commitd53fd5c63c58ea00b8249b3ce2dc95315ea624e1 (patch)
treee31497514d3b6dda2f00cf7d6cb761b16d23ae51 /templates
parent7863559c620faf9780b65db4f022304d4a6ac2c6 (diff)
updates
Diffstat (limited to 'templates')
-rw-r--r--templates/key-commitment.html27
-rw-r--r--templates/mac-truncation.html2
-rw-r--r--templates/nonce-reuse.html8
3 files changed, 22 insertions, 15 deletions
diff --git a/templates/key-commitment.html b/templates/key-commitment.html
index da11bf7..f3a309e 100644
--- a/templates/key-commitment.html
+++ b/templates/key-commitment.html
@@ -150,6 +150,10 @@ go build -o /tmp/decrypt-aes-gcm /tmp/decrypt-aes-gcm.go
This attack was shown by Yevgeniy Dodis, Paul Grubbs, Thomas Ristenpart, and Joanne Woodage
in <a href="https://eprint.iacr.org/2019/016">Fast Message Franking: From Invisible Salamanders to Encryptment</a>.
</p>
+ <p>
+ After reviewing the collisions below for JPEG/BMP files and PDF/PDF files, the reader is encouraged to try
+ to construct an attack for a different pair of file formats.
+ </p>
<h4>Colliding MACs</h4>
<p>
First, we will describe a general strategy to create a ciphertext that yields the same MAC
@@ -209,8 +213,9 @@ go build -o /tmp/decrypt-aes-gcm /tmp/decrypt-aes-gcm.go
<pre>
%PDF-1.7
%µ¶</pre>
- The header is followed by a sequence of objects. A simple object containing a stream is shown below, with the data
- for the object inserted at <code>[DATA]</code>.
+ The header is followed by a sequence of objects. A simple object
+ with id <code>1 0</code> containing a stream is shown below, with
+ the data for the stream inserted at <code>[DATA]</code>.
<pre>
1 0 obj
&lt;&lt;&gt;&gt;
@@ -218,15 +223,15 @@ go build -o /tmp/decrypt-aes-gcm /tmp/decrypt-aes-gcm.go
[DATA]
endstream
endobj</pre>
- At the end of the file, an <code>xref</code> table determines how the objects are layed out in space,
- and finally, the file ends with the line <code>%%EOF</code>, after which no more bytes are read by the PDF parser.
+ At the end of the file, an <code>xref</code> table summarizes the byte offsets of each object in the file.
+ The file ends with the line <code>%%EOF</code>.
</p>
<p>
- Our strategy will be to place a new stream object at the beginning of the first PDF file. This object
- will include the entirety of the second PDF file. Because the
- <code>xref</code> table does not reference this new object, the
- first PDF will not attempt to render the additional data.
- </p>
+ Our strategy will be to place a new, unused stream object at the beginning of the first PDF file. This object
+ will include the entirety of the second PDF file. When decrypted under \(k_1\), the second PDF file
+ will not be rendered as it is included only in an unused object. When decrypted under \(k_2\), the initial
+ bytes of the first PDF and stream object opening will be commented out, so the second PDF file is rendered.
+ </p>
<p>
Fix an arbitrary nonce \(n\) and key \(k_1\). We need our ciphertext header \(c_H\) to decrypt to the following
plaintext \(m_H\) under \(k_1\). We choose the object ID <code>0 0
@@ -399,10 +404,10 @@ go build -o /tmp/decrypt-aes-gcm /tmp/decrypt-aes-gcm.go
</details>
<details>
<summary>
- Show me the code.
+ Example with code.
</summary>
<pre>
-from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import att_merge_jpg_bmp
+from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import att_merge_jpg_bmp, att_merge_pdf_pdf
with open('first.jpg', 'rb') as h:
jpg = h.read()
diff --git a/templates/mac-truncation.html b/templates/mac-truncation.html
index 24d4889..742a0c8 100644
--- a/templates/mac-truncation.html
+++ b/templates/mac-truncation.html
@@ -352,7 +352,7 @@
</details>
<details id="show-code">
<summary>
- Show me the code.
+ Example with code.
</summary>
<pre>
from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import xor, gmac, gcm_encrypt, mac_truncation_recover_secrets
diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html
index eff36b4..5412050 100644
--- a/templates/nonce-reuse.html
+++ b/templates/nonce-reuse.html
@@ -165,8 +165,9 @@
<p>
We plug \(h\) back into the first equation to recover \(s\), and we
can forge the MAC for arbitary ciphertext under the same nonce.
- Note that there may be multiple possible monomial roots; in this
- case, one can check each possibility against the enemy.
+ Note that there may be multiple possible roots; in this
+ case, one can check each possibility against the enemy, or perform
+ the attack twice on two pairs of intercepted messages.
</p>
<p>
One can use SageMath to compute factors of a polynomial:
@@ -189,6 +190,7 @@ for factor, _ in p.factor():
<ul>
<li>The gcd of two polynomials is unique only up to multiplication by a non-zero constant because &ldquo;greater&rdquo; is defined for polynomials in terms of degree. When used in algorithms, gcd refers to the <em>monic</em> gcd, which is unique.</li>
<li>The <a href="https://math.stackexchange.com/a/943626/1084004">inverse Frobenius automorphism</a> (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}}\).</li>
+ <li>The authentication key <strong>must</strong> appear in one of the linear factors (those of the form \(y+h\)). This allows one to skip parts of the distinct-degree factorization and equal-degree factorization, making the algorithm much faster. Exercise: prove this claim.</li>
</ul>
<p>
Readers who wish to implement this attack themselves can try
@@ -198,7 +200,7 @@ for factor, _ in p.factor():
</details>
<details>
<summary>
- Show me the code.
+ Example with code.
</summary>
<pre>
from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import xor, gmac, gcm_encrypt, gcm_decrypt, nonce_reuse_recover_secrets