From c14d12e6bc997a1aa4d6ed8bde90c8dc9659f3a5 Mon Sep 17 00:00:00 2001 From: cyfraeviolae Date: Tue, 30 Aug 2022 02:00:05 -0400 Subject: pdf pdf --- aesgcmanalysis.py | 63 ++++++++++++++++++++++++++++++++++++++--------------- static/ashbery.pdf | Bin 0 -> 47552 bytes static/bishop.pdf | Bin 0 -> 46289 bytes 3 files changed, 45 insertions(+), 18 deletions(-) create mode 100644 static/ashbery.pdf create mode 100644 static/bishop.pdf diff --git a/aesgcmanalysis.py b/aesgcmanalysis.py index b73960e..12442c1 100644 --- a/aesgcmanalysis.py +++ b/aesgcmanalysis.py @@ -1,5 +1,5 @@ from binascii import unhexlify -import random, struct, hmac, itertools, math +import random, struct, hmac, itertools, math, secrets from Crypto.Cipher import AES import cryptography from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes @@ -746,15 +746,14 @@ def mac_truncation_recover_secrets(ct, mac, nonce, mac_bytes, aad, oracle, compu # Key Commitment Attack -def gmac_blind(k, nonce): - return bytes_to_gf128(ecb_encrypt(k, nonce + b'\x00\x00\x00\x01')) def encode_lengths(ad_length, ct_length): return struct.pack('>QQ', ad_length*8, ct_length*8) + def collide(k1, k2, nonce, c): - h1 = gmac_key(k1) - h2 = gmac_key(k2) - p1 = gmac_blind(k1, nonce) - p2 = gmac_blind(k2, nonce) + h1 = authentication_key(k1) + h2 = authentication_key(k2) + p1 = blind(k1, nonce) + p2 = blind(k2, nonce) assert len(c) % 16 == 0 mlen = len(c)//16+1 lens = bytes_to_gf128(encode_lengths(0, len(c) + 16)) 
@@ -783,22 +782,13 @@ def collide_penultimate(k1, k2, nonce, c):
     h1Running = gf128_exp(h1, 4)
     h2Running = gf128_exp(h2, 4)
     for i in reversed(range(0, mlen-2)):
-        # print(mlen+1-(i))
-        # i = mlen-2-1-i
         hi = gf128_add(h1Running, h2Running)
         h1Running = gf128_mul(h1Running, h1)
         h2Running = gf128_mul(h2Running, h2)
         n+=1
-        # hi = gf128_add(gf128_exp(h1, mlen+1-i), gf128_exp(h2, mlen+1-i))
-        #print('block', i, pt[i*16:(i+1)*16], 'exp', mlen+1-i)
         acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
-    # for i in range(0, mlen-2):
-    #     print(i,mlen+1-i)
-    #     hi = gf128_add(gf128_exp(h1, mlen+1-i), gf128_exp(h2, mlen+1-i))
-    #     acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
     hi = gf128_add(gf128_exp(h1, 2), gf128_exp(h2, 2))
     i = mlen-1
-    #print('block', i, pt[i*16:(i+1)*16], 'exp', 2)
     acc = gf128_add(acc, gf128_mul(bytes_to_gf128(c[i*16:(i+1)*16]), hi))
     inv = gf128_inv(gf128_add(gf128_exp(h1, 3), gf128_exp(h2, 3)))
     c_append = gf128_mul(acc, inv)
@@ -811,7 +801,7 @@ def gctr_oneblock(k, pt, nonce):
     stream = ecb_encrypt(k, enckeyval)
     return xor(pt, stream)
 
-def key_search(nonce, init_bytes1, init_bytes2):
+def key_search_jpg_bmp(nonce, init_bytes1, init_bytes2):
     seen1 = dict()
     seen2 = dict()
     while True:
@@ -827,7 +817,7 @@ def key_search(nonce, init_bytes1, init_bytes2):
         return seen1[ct2], k2
 
 def att_merge_jpg_bmp(jpg, bmp, aad):
-    # Precomputed with key_search; works for any files
+    # Precomputed with key_search_jpg_bmp; works for any files
     k1 = unhexlify('8007941455b5af579bb12fff92ef31a3')
     k2 = unhexlify('14ef746e8b1792e52b1d22ef124fae97')
     nonce = b'JORGELBORGES'
@@ -865,6 +855,43 @@ def att_merge_jpg_bmp(jpg, bmp, aad): return cfin, macfin +def key_search_pdf_pdf(): + a = ''' + %PDF-1.7 + %µ¶ + + 0 0 obj + <<>> + stream + '''.strip().encode('utf-8') + nonce = b'JORGELBORGES' + k1 = secrets.token_bytes(16) + m1 = a + b'\x0a' + c1 = gctr(k1, nonce, m1) + while True: + k2 = secrets.token_bytes(16) + m2 = gctr(k2, nonce, c1) + if m2[0] == b'%'[0] and b'\x0a' not in m2[:-1] and m2[-1] == b'\x0a'[0]: + return k1, k2, nonce, c1 + +def att_merge_pdf_pdf(pdf1, pdf2, aad): + # precomputed with key_search_pdf_pdf + k1 = binascii.unhexlify('c94a4dbd95faf02bdc0c39e0c0984299') + k2 = binascii.unhexlify('e4d26cdfbc732473103a5a887a755e19') + nonce = binascii.unhexlify('4a4f5247454c424f52474553') + r = binascii.unhexlify('ade70922bef96292d1b7d39d53140ed2229a6819eebe86f5a536ad7da256679ae12b88a8bbfad501') + + N = len(pdf1) + len(pdf2) + 1000 + pdf1stream = gctr(k1, nonce, b'\x00'*N) + pdf2stream = gctr(k2, nonce, b'\x00'*N) + + r += xor(pdf2, pdf2stream[len(r):]) + r += xor(b"\x0aendstream\x0aendobj\x0a", pdf1stream[len(r):]) + r += xor(pdf1, pdf1stream[len(r):]) + r += b'\x00' * (16 - (len(r) % 16)) + + return collide(k1, k2, nonce, r) + # Demos def forbidden_attack_demo(): diff --git a/static/ashbery.pdf b/static/ashbery.pdf new file mode 100644 index 0000000..b03dbcd Binary files /dev/null and b/static/ashbery.pdf differ diff --git a/static/bishop.pdf b/static/bishop.pdf new file mode 100644 index 0000000..16779ec Binary files /dev/null and b/static/bishop.pdf differ -- cgit v1.2.3
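Review bot: `att_merge_pdf_pdf` calls `binascii.unhexlify` on its four constant lines, but the only binascii import visible is `from binascii import unhexlify` on the file's first line and the module-import line in the first hunk does not include `binascii`, so unless `import binascii` exists somewhere outside these hunks the function fails with `NameError` before doing anything; `att_merge_jpg_bmp` just above uses the bare `unhexlify(...)`, and these four lines should match it. The `aad` parameter is never read: `r` goes straight to `collide`, whose context in the second hunk computes the length block with `encode_lengths(0, ...)`, i.e. an empty AAD, so a caller passing non-empty AAD gets a tag that will not verify against it — either drop the parameter or mark it with `# aad is ignored: collide() authenticates with empty AAD`. The 40-byte precomputed `r` has to be the `c1` that `key_search_pdf_pdf` returns, i.e. `len(a) + 1` bytes, and for any indentation I can reconstruct from this view the `.strip()`-ed template does not come to 40, so the constant and the search routine that claims to have produced it look out of sync — an `assert len(r) == 40` beside the constant, or deriving both from one shared template, would make the mismatch visible. Finally, `r += b'\x00' * (16 - (len(r) % 16))` appends a whole extra block when `r` is already 16-byte aligned; `r += b'\x00' * (-len(r) % 16)` pads only when needed.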