From 7872bbcaf421bbb2fd3ab5fb1283e9cb8282a02f Mon Sep 17 00:00:00 2001 From: cyfraeviolae Date: Wed, 24 Aug 2022 16:21:17 -0400 Subject: work --- templates/index.html | 13 +++++++++---- templates/nonce-reuse.html | 23 +++++++++++++++-------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/templates/index.html b/templates/index.html index fdcddd8..baf6a6d 100644 --- a/templates/index.html +++ b/templates/index.html @@ -18,11 +18,13 @@
source code · - aes-gcm nonce reuse + nonce reuse +

@@ -37,9 +39,10 @@

Nonce reuse. Due to rising entropy prices, Roseacrucis has - started to reuse nonces. You must perform the Forbidden Attack in order to + started to reuse AES-GCM nonces. You must perform the Forbidden Attack in order to recover the authentication key and forge arbitrary ciphertext.

+
@@ -64,6 +68,7 @@ AES-GCM is a block cipher that accepts a key of 16 bytes, a nonce of 12 bytes, plaintext, and additional authenticated data. It returns ciphertext and a message authentication code (MAC). + The construction is specified by NIST.

The ciphertext is computed as in counter mode, whereas the MAC is computed using the algorithm GMAC. diff --git a/templates/nonce-reuse.html b/templates/nonce-reuse.html index 2637d50..e60cc95 100644 --- a/templates/nonce-reuse.html +++ b/templates/nonce-reuse.html @@ -18,16 +18,18 @@

Nonce reuse. Due to rising entropy - prices, Roseacrucis has started to reuse nonces. You must perform the + prices, Roseacrucis has started to reuse AES-GCM nonces. You must perform the Forbidden Attack in order to recover the authentication key and forge arbitrary ciphertext.

@@ -160,10 +162,15 @@ polynomial.

- We plug \(h\) back into the first equation to recover \(s\), - and finally, we can forge the MAC for arbitary ciphertext under the - same nonce. Note that there may be multiple possible monomial roots; - in this case, one can check each possibility online. + We plug \(h\) back into the first equation to recover \(s\), and we + can forge the MAC for arbitary ciphertext under the same nonce. + Note that there may be multiple possible monomial roots; in this + case, one can check each possibility against the enemy. +

+

+ Readers who wish to implement this attack themselves can try + Cryptopals; specifically + Set 8 Problem 62.
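Review bot: the added sentence "The construction is specified by NIST." in the index.html hunk at @@ -64,6 is a bare attribution with no reference; link the actual specification (NIST SP 800-38D, which defines GCM and GMAC) so readers can verify the construction rather than take the claim on faith. While this paragraph is being edited, the unchanged context line "AES-GCM is a block cipher that accepts a key of 16 bytes, a nonce of 12 bytes, plaintext, and additional authenticated data" is imprecise: AES is the block cipher and GCM is an authenticated-encryption mode built on top of it. Rewording to "AES-GCM is an authenticated encryption mode built on the AES block cipher; it accepts ..." would also agree with the following sentence, which already describes the ciphertext as counter mode and the MAC as GMAC.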
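Review bot: the rewritten sentence in the nonce-reuse.html hunk at @@ -160,10 carries the typo "arbitary ciphertext" over from the removed line ("- and finally, we can forge the MAC for arbitary ciphertext under the" becomes "+ can forge the MAC for arbitary ciphertext under the same nonce."); since the line is being touched anyway, correct it to "arbitrary ciphertext", matching the index.html hunk at @@ -37,9, which already spells it correctly in "forge arbitrary ciphertext".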

-- cgit v1.2.3