diff options
| -rw-r--r-- | templates/key-commitment.html | 27 | ||||
| -rw-r--r-- | templates/mac-truncation.html | 2 | ||||
| -rw-r--r-- | templates/nonce-reuse.html | 8 |
3 files changed, 22 insertions, 15 deletions
diff --git a/templates/key-commitment.html b/templates/key-commitment.html index da11bf7..f3a309e 100644 --- a/templates/key-commitment.html +++ b/templates/key-commitment.html @@ -150,6 +150,10 @@ go build -o /tmp/decrypt-aes-gcm /tmp/decrypt-aes-gcm.go This attack was shown by Yevgeniy Dodis, Paul Grubbs, Thomas Ristenpart, and Joanne Woodage in <a href="https://eprint.iacr.org/2019/016">Fast Message Franking: From Invisible Salamanders to Encryptment</a>. </p> + <p> + After reviewing the collisions below for JPEG/BMP files and PDF/PDF files, the reader is encouraged to try + to construct an attack for a different pair of file formats. + </p> <h4>Colliding MACs</h4> <p> First, we will describe a general strategy to create a ciphertext that yields the same MAC @@ -209,8 +213,9 @@ go build -o /tmp/decrypt-aes-gcm /tmp/decrypt-aes-gcm.go <pre> %PDF-1.7 %µ¶</pre> - The header is followed by a sequence of objects. A simple object containing a stream is shown below, with the data - for the object inserted at <code>[DATA]</code>. + The header is followed by a sequence of objects. A simple object + with id <code>1 0</code> containing a stream is shown below, with + the data for the stream inserted at <code>[DATA]</code>. <pre> 1 0 obj <<>> @@ -218,15 +223,15 @@ go build -o /tmp/decrypt-aes-gcm /tmp/decrypt-aes-gcm.go [DATA] endstream endobj</pre> - At the end of the file, an <code>xref</code> table determines how the objects are layed out in space, - and finally, the file ends with the line <code>%%EOF</code>, after which no more bytes are read by the PDF parser. + At the end of the file, an <code>xref</code> table summarizes the byte offsets of each object in the file. + The file ends with the line <code>%%EOF</code>. </p> <p> - Our strategy will be to place a new stream object at the beginning of the first PDF file. This object - will include the entirety of the second PDF file. Because the - <code>xref</code> table does not reference this new object, the - first PDF will not attempt to render the additional data. - </p> + Our strategy will be to place a new, unused stream object at the beginning of the first PDF file. This object + will include the entirety of the second PDF file. When decrypted under \(k_1\), the second PDF file + will not be rendered as it is included only in an unused object. When decrypted under \(k_2\), the initial + bytes of the first PDF and stream object opening will be commented out, so the second PDF file is rendered. + </p> <p> Fix an arbitrary nonce \(n\) and key \(k_1\). We need our ciphertext header \(c_H\) to decrypt to the following plaintext \(m_H\) under \(k_1\). We choose the object ID <code>0 0 @@ -399,10 +404,10 @@ go build -o /tmp/decrypt-aes-gcm /tmp/decrypt-aes-gcm.go </details> <details> <summary> - Show me the code. + Example with code. </summary> <pre> -from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import att_merge_jpg_bmp +from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import att_merge_jpg_bmp, att_merge_pdf_pdf with open('first.jpg', 'rb') as h: jpg = h.read() diff --git a/templates/mac-truncation.html b/templates/mac-truncation.html index 24d4889..742a0c8 100644 --- a/templates/mac-truncation.html +++ b/templates/mac-truncation.html @@ -352,7 +352,7 @@ </details> <details id="show-code"> <summary> - Show me the code. + Example with code. </summary> <pre> from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import xor, gmac, gcm_encrypt, mac_truncation_recover_secrets diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html index eff36b4..5412050 100644 --- a/templates/nonce-reuse.html +++ b/templates/nonce-reuse.html @@ -165,8 +165,9 @@ <p> We plug \(h\) back into the first equation to recover \(s\), and we can forge the MAC for arbitary ciphertext under the same nonce. - Note that there may be multiple possible monomial roots; in this - case, one can check each possibility against the enemy. + Note that there may be multiple possible roots; in this + case, one can check each possibility against the enemy, or perform + the attack twice on two pairs of intercepted messages. </p> <p> One can use SageMath to compute factors of a polynomial: @@ -189,6 +190,7 @@ for factor, _ in p.factor(): <ul> <li>The gcd of two polynomials is unique only up to multiplication by a non-zero constant because “greater” is defined for polynomials in terms of degree. When used in algorithms, gcd refers to the <em>monic</em> gcd, which is unique.</li> <li>The <a href="https://math.stackexchange.com/a/943626/1084004">inverse Frobenius automorphism</a> (i.e., square root) in \(\mathbb{F}_{2^{128}}\) is given by \(\sqrt{x} = x^{2^{127}}\).</li> + <li>The authentication key <strong>must</strong> appear in one of the linear factors (those of the form \(y+h\)). This allows one to skip parts of the distinct-degree factorization and equal-degree factorization, making the algorithm much faster. Exercise: prove this claim.</li> </ul> <p> Readers who wish to implement this attack themselves can try @@ -198,7 +200,7 @@ for factor, _ in p.factor(): </details> <details> <summary> - Show me the code. + Example with code. </summary> <pre> from <a href="/git/forbidden-salamanders">aesgcmanalysis</a> import xor, gmac, gcm_encrypt, gcm_decrypt, nonce_reuse_recover_secrets |