-rw-r--r--.gitignore3
-rw-r--r--aesgcmanalysis.py3
-rw-r--r--app.py27
-rw-r--r--templates/nonce-truncation.html2
4 files changed, 21 insertions, 14 deletions
diff --git a/.gitignore b/.gitignore
index 22546a2..14835b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,4 @@
tmp
venv/
ad.np
-ad-small.np
-squares.np
+square_basis.np
diff --git a/aesgcmanalysis.py b/aesgcmanalysis.py
index 4b7e32c..338a104 100644
--- a/aesgcmanalysis.py
+++ b/aesgcmanalysis.py
@@ -795,6 +795,3 @@ def nonce_truncation_demo():
h, s = nonce_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle, compute_T_once=mac_bytes==1)
assert h == authentication_key(k)
-
-if __name__ == "__main__":
- nonce_truncation_demo()
diff --git a/app.py b/app.py
index efc45bf..9aade4e 100644
--- a/app.py
+++ b/app.py
@@ -54,7 +54,16 @@ def solve_nonce_reuse(k, nonce, m1, m2, mf):
c1, mac1 = gcm_encrypt(k, nonce, aad1, m1)
c2, mac2 = gcm_encrypt(k, nonce, aad2, m2)
- possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, mac2)
+ default_m1 = 'The universe (which others call the Library)'
+ default_m2 = 'From any of the hexagons one can see, interminably'
+ if k == b'tlonorbistertius' and nonce == b'JORGELBORGES' and m1 == default_m1 and m2 == default_m2:
+ possible_secrets = [(144676297626548424623350164317265032260,
+ 137128696435097309357166918744288944691),
+ (176085395972970454284981815262084281580,
+ 250035608282660492164551282952970544944)]
+ else:
+ possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, mac2)
+
c_forged = xor(c1, xor(m1, mf))
aad_forged = b""
macs = []
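Review bot: The added fast-path condition compares `k` and `nonce` against bytes literals but `m1` and `m2` against str literals (`default_m1`, `default_m2`); `c_forged = xor(c1, xor(m1, mf))` two lines later suggests `m1` is bytes, and a bytes-vs-str `==` is always False in Python 3, so the precomputed branch would never be taken (disregard if the caller passes the messages as str). If so, `default_m1 = b'The universe (which others call the Library)'` and `default_m2 = b'From any of the hexagons one can see, interminably'` make the check match. The hard-coded tuple also assumes `aad1`/`aad2` still hold the values used when those numbers were computed, which nothing in the hunk checks; a comment such as `# precomputed nonce_reuse_recover_secrets(...) output for the default demo inputs — recompute if aad1/aad2 change` would make that dependency visible. solve_nonce_reuse begins before this hunk.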
@@ -84,15 +93,17 @@ def nonce_truncation():
mf=mf, h=h, c_forged=c_forged, mac=mac)
def solve_nonce_truncation(k, nonce, mf):
- aad = b""
m = secrets.token_bytes(512)
+ aad = b""
c, mac = gcm_encrypt(k, nonce, aad, m, mac_bytes=1)
-
- def oracle(base, aad, mac, nonce):
- cipher = AES.new(k, mode=AES.MODE_GCM, nonce=nonce, mac_len=1)
- cipher.update(aad)
- cipher.decrypt_and_verify(base, mac)
- h, s = nonce_truncation_recover_secrets(c, mac, nonce, 1, aad, oracle)
+ if k == b'tlonorbistertius' and nonce == b'JORGELBORGES':
+ h, s = 176085395972970454284981815262084281580, 48
+ else:
+ def oracle(base, aad, mac, nonce):
+ cipher = AES.new(k, mode=AES.MODE_GCM, nonce=nonce, mac_len=1)
+ cipher.update(aad)
+ cipher.decrypt_and_verify(base, mac)
+ h, s = nonce_truncation_recover_secrets(c, mac, nonce, 1, aad, oracle)
c_forged, aad_forged = xor(c, xor(m, mf)), b""
mac = gmac(h, s, aad_forged, c_forged)
return gf128_to_bytes(h), c_forged, mac[:1]
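Review bot: The demo key `b'tlonorbistertius'` and nonce `b'JORGELBORGES'` are now spelled out in both this hunk and the `solve_nonce_reuse` hunk above, and the precomputed `h, s = 176085395972970454284981815262084281580, 48` carries no explanation of what the two numbers are or why they stay valid although `m` is freshly random on every call. Hoisting the pair into module-level constants, e.g. `DEMO_KEY = b'tlonorbistertius'` and `DEMO_NONCE = b'JORGELBORGES'`, would keep the two shortcuts from drifting apart. A comment along the lines of `# precomputed (h, s) for the demo key/nonce: h is the authentication key of k and s depends only on (k, nonce), so the random m does not affect them — recompute if mac_bytes changes` would document the shortcut, assuming that derivation is what the 1-byte `s` relies on. The swap of the `aad = b""` line past `m = secrets.token_bytes(512)` is cosmetic only.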
diff --git a/templates/nonce-truncation.html b/templates/nonce-truncation.html
index aacaacb..0095bb1 100644
--- a/templates/nonce-truncation.html
+++ b/templates/nonce-truncation.html
@@ -108,7 +108,7 @@
</div>
{% endif %}
<br>
- <detail>
+ <details>
<summary>
Attack outline.
</summary>