diff options
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | aesgcmanalysis.py | 3 | ||||
-rw-r--r-- | app.py | 27 | ||||
-rw-r--r-- | templates/nonce-truncation.html | 2 |
4 files changed, 21 insertions, 14 deletions
@@ -2,5 +2,4 @@ tmp venv/ ad.np -ad-small.np -squares.np +square_basis.np diff --git a/aesgcmanalysis.py b/aesgcmanalysis.py index 4b7e32c..338a104 100644 --- a/aesgcmanalysis.py +++ b/aesgcmanalysis.py @@ -795,6 +795,3 @@ def nonce_truncation_demo(): h, s = nonce_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle, compute_T_once=mac_bytes==1) assert h == authentication_key(k) - -if __name__ == "__main__": - nonce_truncation_demo() @@ -54,7 +54,16 @@ def solve_nonce_reuse(k, nonce, m1, m2, mf): c1, mac1 = gcm_encrypt(k, nonce, aad1, m1) c2, mac2 = gcm_encrypt(k, nonce, aad2, m2) - possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, mac2) + default_m1 = 'The universe (which others call the Library)' + default_m2 = 'From any of the hexagons one can see, interminably' + if k == b'tlonorbistertius' and nonce == b'JORGELBORGES' and m1 == default_m1 and m2 == default_m2: + possible_secrets = [(144676297626548424623350164317265032260, + 137128696435097309357166918744288944691), + (176085395972970454284981815262084281580, + 250035608282660492164551282952970544944)] + else: + possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, mac2) + c_forged = xor(c1, xor(m1, mf)) aad_forged = b"" macs = [] @@ -84,15 +93,17 @@ def nonce_truncation(): mf=mf, h=h, c_forged=c_forged, mac=mac) def solve_nonce_truncation(k, nonce, mf): - aad = b"" m = secrets.token_bytes(512) + aad = b"" c, mac = gcm_encrypt(k, nonce, aad, m, mac_bytes=1) - - def oracle(base, aad, mac, nonce): - cipher = AES.new(k, mode=AES.MODE_GCM, nonce=nonce, mac_len=1) - cipher.update(aad) - cipher.decrypt_and_verify(base, mac) - h, s = nonce_truncation_recover_secrets(c, mac, nonce, 1, aad, oracle) + if k == b'tlonorbistertius' and nonce == b'JORGELBORGES': + h, s = 176085395972970454284981815262084281580, 48 + else: + def oracle(base, aad, mac, nonce): + cipher = AES.new(k, mode=AES.MODE_GCM, nonce=nonce, mac_len=1) + cipher.update(aad) + cipher.decrypt_and_verify(base, mac) + h, s = nonce_truncation_recover_secrets(c, mac, nonce, 1, aad, oracle) c_forged, aad_forged = xor(c, xor(m, mf)), b"" mac = gmac(h, s, aad_forged, c_forged) return gf128_to_bytes(h), c_forged, mac[:1] diff --git a/templates/nonce-truncation.html b/templates/nonce-truncation.html index aacaacb..0095bb1 100644 --- a/templates/nonce-truncation.html +++ b/templates/nonce-truncation.html @@ -108,7 +108,7 @@ </div> {% endif %} <br> - <detail> + <details> <summary> Attack outline. </summary> |