Diffstat (limited to 'templates/index.html')
| -rw-r--r-- | templates/index.html | 148 | 
1 files changed, 148 insertions, 0 deletions
| diff --git a/templates/index.html b/templates/index.html new file mode 100644 index 0000000..fdcddd8 --- /dev/null +++ b/templates/index.html 
@@ -0,0 +1,148 @@ +<!DOCTYPE html> +<html> +  <head> +    <title>Forbidden Salamanders</title> +    <meta charset="utf-8"> +    <meta name="viewport" content="width=device-width, initial-scale=1.0"> +    <link rel="stylesheet" type="text/css" href="/static/styles.css"> +    <link rel="stylesheet" type="text/css" href="/forbidden-salamanders/static/styles.css"> +    <link rel="shortcut icon" type="image/x-icon" href="/forbidden-salamanders/static/favicon.ico"> +  </head> +  <body> +	<div class="container"> +        <div> +            <div class="home"> +                <a href="/forbidden-salamanders" class="home-title">Forbidden Salamanders</a> +                <span> at </span><a href="/">cyfraeviolae.org</a> +            </div> +            <div class="crumbs"> +                <a href="/git/forbidden-salamanders">source code</a> +                <span class="sep"> · </span> +                <a href="/forbidden-salamanders/nonce-reuse">aes-gcm nonce reuse</a> +                <span class="sep"> · </span> +                <a href="/forbidden-salamanders/nonce-truncation">aes-gcm nonce truncation</a> +                <span class="sep"> · </span> +                <a href="/forbidden-salamanders/key-commitment">aes-gcm key commitment</a> +            </div> +        </div> +		<p> +            The FIPS-compliant sorcerer Roseacrucis uses the <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode">Advanced Encryption Standard in Galois/Counter Mode</a> +            to correspond with his retinue. The Library’s cryptanalysts +            have intercepted the communication channel, but we need your +            help to exploit their broken protocols. +		</p> +		<p> +			Choose one of the following missions. +		</p> +        <p> +            <strong><a href="/forbidden-salamanders/nonce-reuse">Nonce +            reuse</a>.</strong> Due to rising entropy prices, Roseacrucis has +            started to reuse nonces. 
You must perform the Forbidden Attack in order to +            recover the authentication key and forge arbitrary ciphertext. +        </p> +        <p> +            <strong><a href="#">Nonce truncation</a>.</strong> The sorcerer +            aims to conserve bandwidth by truncating nonces from twelve bytes +            to four. Use the enemy as a decryption oracle to once again, +            recover the authentication key and forge arbitrary ciphertext. +        </p> +        <p> +            <strong><a href="#">Key commitment</a>.</strong> One of +			our agents has infiltrated Roseacrucis’ inner circle, but all +			secret keys are required to be surrendered to the +			counterintelligence authority. Help her send ciphertexts to the +			Library that decrypt to confidential information under one key, but +			innocuous banter under another. +        </p> +        <br> +		<details> +			<summary> +                Though it is not required to complete your missions, we now +                review the construction of AES-GCM. +			</summary> +            <p> +                AES-GCM is a block cipher that accepts a key of 16 bytes, +                a nonce of 12 bytes, plaintext, and additional authenticated data. +                It returns ciphertext and a message authentication code (MAC). +            </p> +            <p> +                The ciphertext is computed as in <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)">counter mode</a>, whereas the MAC is computed using the algorithm GMAC. +            </p> +			<p> +				Let +				\[ +					m = \alpha^{128}+\alpha^7 + \alpha^2 + \alpha + 1 +				\] +				\[ +					\mathbb{K} = \mathbb{F}(2^{128})/m. +				\] +			</p> +			<p> +				The finite field \(\mathbb{K}\) can be +				interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\) +				of degree less than \(128\). Multiplication +				is performed modulo \(m\). 
This field is of characteristic 2; +				e.g., \((\alpha^5 + 1)+(\alpha^5 + 1) = 0\). +			</p> +			<p> +				We interpret 16-byte blocks as elements in \(\mathbb{K}\) +				in little-endian bit order: +                \[ +				b_0b_1b_2\ldots{}b_{127} \mapsto +                b_0 + b_1\alpha + b_2\alpha^2 + \ldots + b_{127}\alpha^{127}, +                \] +				where \(b_0\) is the least significant bit of the first byte of +				the block. +			</p> +			<p> +                12-byte nonces are interpreted as 96-bit integers in big-endian +                byte order. Let \(\operatorname{Byte} = [0, 2^8-1]\) and +                \(x_i\) refer to the \(i\)th 16-byte chunk of the bytestring +                \(x\). +            </p> +            <p> +                \(\operatorname{encode_{big}}(x, n)\) encodes an integer \(x\) into \(n\) bytes in big-endian +                byte order. \(\operatorname{pad_n}(x, p)\) pads the length of +                the bytestring \(x\) to the nearest multiple of \(n\) with the +                byte \(p\). \(\operatorname{AES}(k, x)\) refers to +                the <a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">128-bit AES block cipher</a>. 
+            </p> +			<br> +			<div class="algorithm"> +                <p>\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)</p> +				<ol class="algorithm-code"> +					<li>\( len = \operatorname{encode_{big}}(8y, 8) \mathbin\Vert \operatorname{encode_{big}}(8z, 8) \)</li> +					<li>\( blocks = \operatorname{pad}_{16}(aad, 0) \mathbin\Vert \operatorname{pad}_{16}(c, 0) \mathbin\Vert len \mathbin\Vert s \)</li> +                    <li>\( N = \frac{\vert blocks \vert}{16} \)</li> +                    <li>\( \operatorname{return} \sum\limits_{i=1}^{N} blocks_{N-i} h^{i-1}\)</li> +				</ol> +			</div> +			<br> +			<br> +			<div class="algorithm"> +                <p>\(\operatorname{AES-GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p> +				<ol class="algorithm-code"> +					<li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES}(k, n') \)</li> +					<li> \( c = r \oplus m \) </li> +					<li> \( h = \operatorname{AES}(k, 0) \) </li> +					<li> \( s = \operatorname{AES}(k, 2^{32}n + 1) \) </li> +					<li> \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)</li> +				</ol> +			</div> +		</details> +    <!-- <script id="MathJax-script" async src="/forbidden-salamanders/static/mathjax.js"></script> --> +	<!-- <script type="text/x-mathjax-config"> --> +	  <!-- MathJax.Hub.Config({ TeX: { extensions: ["AMSmath.js", "AMSsymbols.js"] }}); --> +	<!-- </script> --> +<script> +MathJax = { +  tex: { +		extensions: ["AMSmath.js", "AMSsymbols.js"] +  } +}; +</script> +<script id="MathJax-script" async +  src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"> +</script> +  </body> +</html> | 
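Review bot: the final `<script id="MathJax-script">` tag at the bottom of the template loads `https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js` with a floating major version and no `integrity` or `crossorigin` attribute, so the page runs whatever the CDN serves for that tag. Pin an exact version and add SRI, or restore the self-hosted `/forbidden-salamanders/static/mathjax.js` that is commented out just above it. In the `<details>` text, "AES-GCM is a block cipher" should describe it as an authenticated encryption mode built on the AES block cipher, and \(m\) is used both for the reduction polynomial and for the plaintext argument of \(\operatorname{AES-GCM}\), so one of them should be renamed. The "Nonce truncation" and "Key commitment" mission links use `href="#"`, while the crumbs already point at `/forbidden-salamanders/nonce-truncation` and `/forbidden-salamanders/key-commitment`. The head also links both `/static/styles.css` and `/forbidden-salamanders/static/styles.css`; drop whichever is not served.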
