From d4e149445bda4a73dc3bb987e6ba296c7d6fe84e Mon Sep 17 00:00:00 2001 From: cyfraeviolae Date: Wed, 24 Aug 2022 00:38:04 -0400 Subject: work --- index.html | 148 ------------------------------------------------------------- 1 file changed, 148 deletions(-) delete mode 100644 index.html (limited to 'index.html') diff --git a/index.html b/index.html deleted file mode 100644 index 1fd52b1..0000000 --- a/index.html +++ /dev/null @@ -1,148 +0,0 @@ - - - - Forbidden Salamanders - - - - - - - -
-
- - -
-

- The FIPS-compliant sorcerer Roseacrucis uses the Advanced Encryption Standard in Galois/Counter Mode - to correspond with his retinue. The Library’s cryptanalysts - have intercepted the communication channel, but we need your - help to exploit their broken protocols. -

-

- Choose one of the following missions. -

-

- Nonce - reuse. Due to rising entropy prices, Roseacrucis has - started to reuse nonces. You must perform the Forbidden Attack in order to - recover the authentication key and forge arbitrary ciphertext. -

-

- Nonce truncation. The sorcerer - aims to conserve bandwidth by truncating nonces from twelve bytes - to four. Use the enemy as a decryption oracle to once again, - recover the authentication key and forge arbitrary ciphertext. -

-

- Key commitment. One of - our agents has infiltrated Roseacrucis’ inner circle, but all - secret keys are required to be surrendered to the - counterintelligence authority. Help her send ciphertexts to the - Library that decrypt to confidential information under one key, but - innocuous banter under another. -

-
-
- - Though it is not required to complete your missions, we now - review the construction of AES-GCM. - -

- AES-GCM is a block cipher that accepts a key of 16 bytes, - a nonce of 12 bytes, plaintext, and additional authenticated data. - It returns ciphertext and a message authentication code (MAC). -

-

- The ciphertext is computed as in counter mode, whereas the MAC is computed using the algorithm GMAC. -

-

- Let - \[ - m = \alpha^{128}+\alpha^7 + \alpha^2 + \alpha + 1 - \] - \[ - \mathbb{K} = \mathbb{F}(2^{128})/m. - \] -

-

- The finite field \(\mathbb{K}\) can be - interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\) - of degree less than \(128\). Multiplication - is performed modulo \(m\). This field is of characteristic 2; - e.g., \((\alpha^5 + 1)+(\alpha^5 + 1) = 0\). -

-

- We interpret 16-byte blocks as elements in \(\mathbb{K}\) - in little-endian bit order: - \[ - b_0b_1b_2\ldots{}b_{127} \mapsto - b_0 + b_1\alpha + b_2\alpha^2 + \ldots + b_{127}\alpha^{127}, - \] - where \(b_0\) is the least significant bit of the first byte of - the block. -

-

- 12-byte nonces are interpreted as 96-bit integers in big-endian - byte order. Let \(\operatorname{Byte} = [0, 2^8-1]\) and - \(x_i\) refer to the \(i\)th 16-byte chunk of the bytestring - \(x\). -

-

- \(\operatorname{encode_{big}}(x, n)\) encodes an integer \(x\) into \(n\) bytes in big-endian - byte order. \(\operatorname{pad_n}(x, p)\) pads the length of - the bytestring \(x\) to the nearest multiple of \(n\) with the - byte \(p\). \(\operatorname{AES}(k, x)\) refers to - the 128-bit AES block cipher. -

-
-
-

\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)

-
    -
  1. \( len = \operatorname{encode_{big}}(8y, 8) \mathbin\Vert \operatorname{encode_{big}}(8z, 8) \)
  2. -
  3. \( blocks = \operatorname{pad}_{16}(aad, 0) \mathbin\Vert \operatorname{pad}_{16}(c, 0) \mathbin\Vert len \mathbin\Vert s \)
  4. -
  5. \( N = \frac{\vert blocks \vert}{16} \)
  6. -
  7. \( \operatorname{return} \sum\limits_{i=1}^{N} blocks_{N-i} h^{i-1}\)
  8. -
-
-
-
-
-

\(\operatorname{AES-GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)

-
    -
  1. \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES}(k, n') \)
  2. -
  3. \( c = r \oplus m \)
  4. -
  5. \( h = \operatorname{AES}(k, 0) \)
  6. -
  7. \( s = \operatorname{AES}(k, 2^{32}n + 1) \)
  8. -
  9. \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)
  10. -
-
-
- - - - - - - - -- cgit v1.2.3
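Review bot: the subject line "work" gives no reason for deleting all 148 lines of index.html, and the visible diff does not show where the three mission descriptions and the AES-GCM review end up; the commit message should state whether the page is being moved or dropped. If the text is carried over elsewhere, two of the deleted lines are worth correcting on the way. "AES-GCM is a block cipher that accepts a key of 16 bytes" should describe GCM as an authenticated encryption mode built on the AES block cipher. The definition \(\mathbb{K} = \mathbb{F}(2^{128})/m\) reads more precisely as the quotient \(\mathbb{F}_2[\alpha]/(m)\). In the GMAC listing, \(s\) is declared as an element of \(\mathbb{K}\) but concatenated into \(blocks\) as a bytestring, so the conversion between the two should be made explicit there.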