-rw-r--r--aesgcmanalysis.py63
-rw-r--r--static/ashbery.pdfbin0 -> 47552 bytes
-rw-r--r--static/bishop.pdfbin0 -> 46289 bytes
3 files changed, 45 insertions, 18 deletions
diff --git a/aesgcmanalysis.py b/aesgcmanalysis.py
index b73960e..12442c1 100644
--- a/aesgcmanalysis.py
+++ b/aesgcmanalysis.py
@@ -1,5 +1,5 @@
from binascii import unhexlify
-import random, struct, hmac, itertools, math
+import random, struct, hmac, itertools, math, secrets
from Crypto.Cipher import AES
import cryptography
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
@@ -746,15 +746,14 @@ def mac_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle, compu
# Key Commitment Attack
-def gmac_blind(k, nonce):
- return bytes_to_gf128(ecb_encrypt(k, nonce + b'\x00\x00\x00\x01'))
def encode_lengths(ad_length, ct_length):
return struct.pack('>QQ', ad_length*8, ct_length*8)
+
def collide(k1, k2, nonce, c):
- h1 = gmac_key(k1)
- h2 = gmac_key(k2)
- p1 = gmac_blind(k1, nonce)
- p2 = gmac_blind(k2, nonce)
+ h1 = authentication_key(k1)
+ h2 = authentication_key(k2)
+ p1 = blind(k1, nonce)
+ p2 = blind(k2, nonce)
assert len(c) % 16 == 0
mlen = len(c)//16+1
lens = bytes_to_gf128(encode_lengths(0, len(c) + 16))
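Review bot: The removed `gmac_blind` made the 96-bit-nonce construction visible at the call site (`ecb_encrypt(k, nonce + b'\x00\x00\x00\x01')`, i.e. J0 = nonce || 0x00000001, which is only the GCM counter block for 12-byte nonces); the new `blind(k1, nonce)` / `blind(k2, nonce)` calls hide that precondition, and `blind` itself is not in this diff so I cannot tell whether it checks it. Consider stating it where `collide` uses it, e.g. `# blind()/authentication_key() assume a 12-byte nonce (J0 = nonce || 0x00000001)`, or a `ValueError` for other lengths if `blind` does not already raise. The body of `collide` continues past the end of this hunk.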
@@ -783,22 +782,13 @@ def collide_penultimate(k1, k2, nonce, c):
h1Running = gf128_exp(h1, 4)
h2Running = gf128_exp(h2, 4)
for i in reversed(range(0, mlen-2)):
- # print(mlen+1-(i))
- # i = mlen-2-1-i
hi = gf128_add(h1Running, h2Running)
h1Running = gf128_mul(h1Running, h1)
h2Running = gf128_mul(h2Running, h2)
n+=1
- # hi = gf128_add(gf128_exp(h1, mlen+1-i), gf128_exp(h2, mlen+1-i))
- #print('block', i, pt[i*16:(i+1)*16], 'exp', mlen+1-i)
acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
- # for i in range(0, mlen-2):
- # print(i,mlen+1-i)
- # hi = gf128_add(gf128_exp(h1, mlen+1-i), gf128_exp(h2, mlen+1-i))
- # acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
hi = gf128_add(gf128_exp(h1, 2), gf128_exp(h2, 2))
i = mlen-1
- #print('block', i, pt[i*16:(i+1)*16], 'exp', 2)
acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
inv = gf128_inv(gf128_add(gf128_exp(h1, 3), gf128_exp(h2, 3)))
c_append = gf128_mul(acc, inv)
@@ -811,7 +801,7 @@ def gctr_oneblock(k, pt, nonce):
stream = ecb_encrypt(k, enckeyval)
return xor(pt, stream)
-def key_search(nonce, init_bytes1, init_bytes2):
+def key_search_jpg_bmp(nonce, init_bytes1, init_bytes2):
seen1 = dict()
seen2 = dict()
while True:
@@ -827,7 +817,7 @@ def key_search(nonce, init_bytes1, init_bytes2):
return seen1[ct2], k2
def att_merge_jpg_bmp(jpg, bmp, aad):
- # Precomputed with key_search; works for any files
+ # Precomputed with key_search_jpg_bmp; works for any files
k1 = unhexlify('8007941455b5af579bb12fff92ef31a3')
k2 = unhexlify('14ef746e8b1792e52b1d22ef124fae97')
nonce = b'JORGELBORGES'
@@ -865,6 +855,43 @@ def att_merge_jpg_bmp(jpg, bmp, aad):
return cfin, macfin
+def key_search_pdf_pdf():
+ a = '''
+ %PDF-1.7
+ %µ¶
+
+ 0 0 obj
+ <<>>
+ stream
+ '''.strip().encode('utf-8')
+ nonce = b'JORGELBORGES'
+ k1 = secrets.token_bytes(16)
+ m1 = a + b'\x0a'
+ c1 = gctr(k1, nonce, m1)
+ while True:
+ k2 = secrets.token_bytes(16)
+ m2 = gctr(k2, nonce, c1)
+ if m2[0] == b'%'[0] and b'\x0a' not in m2[:-1] and m2[-1] == b'\x0a'[0]:
+ return k1, k2, nonce, c1
+
+def att_merge_pdf_pdf(pdf1, pdf2, aad):
+ # precomputed with key_search_pdf_pdf
+ k1 = binascii.unhexlify('c94a4dbd95faf02bdc0c39e0c0984299')
+ k2 = binascii.unhexlify('e4d26cdfbc732473103a5a887a755e19')
+ nonce = binascii.unhexlify('4a4f5247454c424f52474553')
+ r = binascii.unhexlify('ade70922bef96292d1b7d39d53140ed2229a6819eebe86f5a536ad7da256679ae12b88a8bbfad501')
+
+ N = len(pdf1) + len(pdf2) + 1000
+ pdf1stream = gctr(k1, nonce, b'\x00'*N)
+ pdf2stream = gctr(k2, nonce, b'\x00'*N)
+
+ r += xor(pdf2, pdf2stream[len(r):])
+ r += xor(b"\x0aendstream\x0aendobj\x0a", pdf1stream[len(r):])
+ r += xor(pdf1, pdf1stream[len(r):])
+ r += b'\x00' * (16 - (len(r) % 16))
+
+ return collide(k1, k2, nonce, r)
+
# Demos
def forbidden_attack_demo():
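Review bot: `att_merge_pdf_pdf` calls `binascii.unhexlify(...)` on four lines, but the file's import hunk above only has `from binascii import unhexlify` (plus the newly added `secrets`), so unless `import binascii` exists elsewhere in the file this raises `NameError` on first call; the rest of the file, including the sibling `att_merge_jpg_bmp`, uses the bare `unhexlify(...)`, so the simplest fix is `k1 = unhexlify('c94a4dbd95faf02bdc0c39e0c0984299')` and likewise for `k2`, `nonce` and `r`. Separately, `r += b'\x00' * (16 - (len(r) % 16))` appends a full extra 16-byte block when `r` is already aligned; `r += b'\x00' * (-len(r) % 16)` pads only when needed, which still satisfies the `len(c) % 16 == 0` assertion in `collide`. Both new functions also lack any docstring: `att_merge_pdf_pdf` should say that `k1`, `k2`, `nonce` and the `r` prefix are a precomputed output of `key_search_pdf_pdf` and that the `N` stream length is an upper bound on the assembled body, since those constants are otherwise unexplained.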
diff --git a/static/ashbery.pdf b/static/ashbery.pdf
new file mode 100644
index 0000000..b03dbcd
--- /dev/null
+++ b/static/ashbery.pdf
Binary files differ
diff --git a/static/bishop.pdf b/static/bishop.pdf
new file mode 100644
index 0000000..16779ec
--- /dev/null
+++ b/static/bishop.pdf
Binary files differ