From 8595c70d789183c71dac1469eb8bd484284589c5 Mon Sep 17 00:00:00 2001 From: cyfraeviolae Date: Tue, 23 Aug 2022 02:40:04 -0400 Subject: init --- index.html | 148 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 index.html (limited to 'index.html') diff --git a/index.html b/index.html new file mode 100644 index 0000000..7b4572b --- /dev/null +++ b/index.html @@ -0,0 +1,148 @@ + + + + Forbidden Salamanders + + + + + + + +
+
+ + +
+

+ The FIPS-compliant sorcerer Roseacrucis uses the Advanced Encryption Standard in Galois/Counter Mode + to correspond with his retinue. The Library’s cryptanalysts + have intercepted the communication channel, but we need your + help to exploit their broken protocols. +

+

+ Choose one of the following missions. +

+

+ Nonce reuse. Due to rising entropy + prices, Roseacrucis has started to reuse nonces. You must perform the + Forbidden Attack in order to recover the authentication key and + forge arbitrary ciphertext. +

+

+ Nonce truncation. The sorcerer + aims to conserve bandwidth by truncating nonces from twelve bytes + to four. Use the enemy as a decryption oracle to once again, + recover the authentication key and forge arbitrary ciphertext. +

+

+ Key commitment. One of + our agents has infiltrated Roseacrucis’ inner circle, but all + secret keys are required to be surrendered to the + counterintelligence authority. Help her send ciphertexts to the + Library that decrypt to confidential information under one key, but + innocuous banter under another. +

+
+
+ + Though it is not required to complete your missions, we now + review the construction of AES-GCM. + +

+ AES-GCM is a block cipher that accepts a key of 16 bytes, + a nonce of 12 bytes, plaintext, and additional authenticated data. + It returns ciphertext and a message authentication code (MAC). +

+

+ The ciphertext is computed as in counter mode, whereas the MAC is computed using the algorithm GMAC. +

+

+ Let + \[ + m = \alpha^{128}+\alpha^7 + \alpha^2 + \alpha + 1 + \] + \[ + \mathbb{K} = \mathbb{F}(2^{128})/m. + \] +

+

+ The finite field \(\mathbb{K}\) can be + interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\) + of degree less than \(128\). Multiplication + is performed modulo \(m\). This field is of characteristic 2; + e.g., \((\alpha^5 + \alpha+1)+(\alpha^5 + \alpha+1) = 0\). +

+

+ We interpret 16-byte blocks as elements in \(\mathbb{K}\) + in little-endian bit order: + \[ + b_0b_1b_2\ldots{}b_{127} \mapsto + b_0 + b_1\alpha + b_2\alpha^2 + \ldots + b_{127}\alpha^{127}, + \] + where \(b_0\) is the least significant bit of the first byte of + the block. +

+

+ 12-byte nonces are interpreted as 96-bit integers in big-endian byte order. +

+

+ Let \(\operatorname{Byte} = [0, 2^8-1]\). +

+
+
+

\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)

+
    +
  1. \( aad' = \operatorname{chunk}_{16}(aad, \operatorname{pad}=\mathtt{0x00}) \)
  2. +
  3. \( c' = \operatorname{chunk}_{16}(c, \operatorname{pad}=\mathtt{0x00}) \)
  4. +
  5. \( len = \operatorname{encode_{big}}(128\vert aad' \vert, 8) \mathbin\Vert \operatorname{encode_{big}}(128\vert c'\vert, 8) \)
  6. +
  7. \( blocks = aad' \mathbin\Vert c' \mathbin\Vert (len) \mathbin\Vert (s) \)
  8. +
  9. \( \operatorname{return} \sum\limits_{i=1}^{\vert blocks\vert} blocks_{\vert blocks \vert-i} h^{i-1}\)
  10. +
+
+
+
+
+

\(\operatorname{GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)

+
    +
  1. \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES-ECB}(k, n') \)
  2. +
  3. \( c = r \oplus m \)
  4. +
  5. \( h = \operatorname{AES-ECB}(k, 0) \)
  6. +
  7. \( s = \operatorname{AES-ECB}(k, 2^{32}n + 1) \)
  8. +
  9. \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)
  10. +
+
+

+ The authentication key \( h \) is independent of the + nonce \( n \). The constant term \( s \) acts as a blind to + hide the confidential block data in the MAC. Finally, note + that the polynomial computation reverses the order of the blocks. +

+
+ + + + + + + + -- cgit v1.2.3