import binascii, secrets, io
from flask import Flask, render_template, request, redirect, url_for, send_file
from flask_wtf import FlaskForm
from flask_wtf.file import FileField, FileAllowed
from werkzeug.datastructures import CombinedMultiDict
from wtforms import StringField, RadioField
from wtforms.validators import DataRequired, Length, ValidationError, InputRequired
from Crypto.Cipher import AES
from aesgcmanalysis import xor, gmac, gcm_encrypt, nonce_reuse_recover_secrets, gf128_to_bytes, mac_truncation_recover_secrets, att_merge_jpg_bmp
# Single Flask application object; every route below registers on it.
# NOTE(review): no SECRET_KEY is configured in the code shown, which is
# consistent with the forms below being built with CSRF disabled.
app = Flask(__name__)


@app.route('/')
def index():
    """Serve the landing page."""
    page = render_template('index.html')
    return page
def hex_check(form, field):
    """WTForms validator: accept only even-length, lowercase hex strings.

    Upper-case digits (``A``-``F``) are rejected as well, because the
    allowed alphabet below is lowercase only.

    Raises:
        ValidationError: if the value has odd length or contains a
            character outside ``0-9a-f``.
    """
    value = field.data
    if len(value) % 2:
        raise ValidationError('not valid hex; must have even length')
    if any(ch not in '1234567890abcdef' for ch in value):
        raise ValidationError('not valid hex; contains non-hex character')
def not_equal_to(other):
    """Build a validator that rejects a value equal to the field named *other*.

    If the form has no field called *other*, the returned validator
    accepts any value.
    """
    def helper(form, field):
        if other in form and form[other].data == field.data:
            raise ValidationError(f'must not be equal to {other}')

    return helper
class NonceReuseForm(FlaskForm):
    """Inputs for the nonce-reuse demo.

    ``key`` and ``nonce`` are hex strings of exactly 32 and 24 characters.
    The three messages are free text of 1 to 64 characters, and ``m2``
    must differ from ``m1``.
    """

    key = StringField(
        'key',
        validators=[DataRequired(), Length(min=32, max=32), hex_check],
    )
    nonce = StringField(
        'nonce',
        validators=[DataRequired(), Length(min=24, max=24), hex_check],
    )
    m1 = StringField(
        'first message',
        validators=[DataRequired(), Length(min=1, max=64)],
    )
    m2 = StringField(
        'second message',
        validators=[DataRequired(), Length(min=1, max=64), not_equal_to('m1')],
    )
    mf = StringField(
        'forged message',
        validators=[DataRequired(), Length(min=1, max=64)],
    )
@app.route('/nonce-reuse', methods=['GET', 'POST'])
def nonce_reuse():
    """Render the nonce-reuse page and, on a valid POST, its computed result.

    Submitted values are echoed back to the template even when validation
    fails, so the template must keep escaping them (no ``|safe``).
    """
    # CSRF protection is switched off for this form; nothing in this view
    # stores state, it only computes and renders.
    form = NonceReuseForm(meta={'csrf': False})
    shown = {
        'key': None,
        'nonce': None,
        'm1': '',
        'm2': '',
        'mf': '',
        'c_forged': '',
        'macs': None,
    }

    if form.is_submitted():
        shown.update(
            key=form.key.data,
            nonce=form.nonce.data,
            m1=form.m1.data,
            m2=form.m2.data,
            mf=form.mf.data,
        )
        if form.validate():
            # Validation has established that key and nonce are even-length hex.
            raw_key = binascii.unhexlify(shown['key'])
            raw_nonce = binascii.unhexlify(shown['nonce'])
            shown['c_forged'], shown['macs'] = solve_nonce_reuse(
                raw_key,
                raw_nonce,
                shown['m1'].encode('utf-8'),
                shown['m2'].encode('utf-8'),
                shown['mf'].encode('utf-8'),
            )

    return render_template('nonce-reuse.html', form=form, **shown)
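def solve_nonce_reuse(k, nonce, m1, m2, mf):
    """Demonstrate why a GCM (key, nonce) pair must never encrypt two messages.

    Both messages are encrypted under the same key and nonce with empty
    associated data, candidate ``(h, s)`` pairs are recovered from the two
    ciphertext/tag pairs, and a tag for the forged ciphertext is computed
    under each candidate.

    Args:
        k: AES key as bytes.
        nonce: GCM nonce as bytes.
        m1: first plaintext, as bytes.
        m2: second plaintext, as bytes.
        mf: plaintext the forged ciphertext should decrypt to, as bytes.

    Returns:
        ``(c_forged, macs)`` where ``macs`` holds one
        ``(gf128_to_bytes(h), s, mac)`` tuple per candidate.
    """
    aad1 = aad2 = b""
    c1, mac1 = gcm_encrypt(k, nonce, aad1, m1)
    c2, mac2 = gcm_encrypt(k, nonce, aad2, m2)

    # The messages arrive as bytes, so the defaults must be bytes too. As str
    # literals they never compared equal and the cached branch was unreachable.
    default_m1 = b'The universe (which others call the Library)'
    default_m2 = b'From any of the hexagons one can see, interminably'
    is_default_input = (
        k == b'tlonorbistertius'
        and nonce == b'JORGELBORGES'
        and m1 == default_m1
        and m2 == default_m2
    )
    if is_default_input:
        # Cached candidates for the default inputs; skips the recovery step.
        possible_secrets = [(144676297626548424623350164317265032260,
                             137128696435097309357166918744288944691),
                            (176085395972970454284981815262084281580,
                             250035608282660492164551282952970544944)]
    else:
        possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, mac2)

    # With the keystream fixed by the reused nonce, XORing m1 out of c1 and
    # mf in yields a ciphertext for mf.
    # NOTE(review): how xor() treats operands of different length is not
    # visible here; confirm the case where mf is longer than m1.
    c_forged = xor(c1, xor(m1, mf))
    aad_forged = b""

    macs = []
    for h, s in possible_secrets:
        mac = gmac(h, s, aad_forged, c_forged)
        macs.append((gf128_to_bytes(h), s, mac))
    return c_forged, macs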
class MACTruncationForm(FlaskForm):
    """Inputs for the MAC-truncation demo.

    ``key`` and ``nonce`` are hex strings of exactly 32 and 24 characters.
    ``mf`` is the free-text message to forge, 1 to 64 characters.
    """

    key = StringField(
        'key',
        validators=[DataRequired(), Length(min=32, max=32), hex_check],
    )
    nonce = StringField(
        'nonce',
        validators=[DataRequired(), Length(min=24, max=24), hex_check],
    )
    mf = StringField(
        'forged message',
        validators=[DataRequired(), Length(min=1, max=64)],
    )
@app.route('/mac-truncation', methods=['GET', 'POST'])
def mac_truncation():
    """Render the MAC-truncation page and, on a valid POST, its computed result.

    Submitted values are echoed back to the template even when validation
    fails, so the template must keep escaping them (no ``|safe``).
    """
    # CSRF protection is switched off for this form; nothing in this view
    # stores state, it only computes and renders.
    form = MACTruncationForm(meta={'csrf': False})
    shown = {
        'key': None,
        'nonce': None,
        'mf': '',
        'h': None,
        'c_forged': None,
        'mac': None,
    }

    if form.is_submitted():
        shown.update(key=form.key.data, nonce=form.nonce.data, mf=form.mf.data)
        if form.validate():
            # Validation has established that key and nonce are even-length hex.
            raw_key = binascii.unhexlify(shown['key'])
            raw_nonce = binascii.unhexlify(shown['nonce'])
            shown['h'], shown['c_forged'], shown['mac'] = solve_mac_truncation(
                raw_key, raw_nonce, shown['mf'].encode('utf-8')
            )

    return render_template('mac-truncation.html', form=form, **shown)
def solve_mac_truncation(k, nonce, mf):
    """Demonstrate the weakness of a GCM tag truncated to a single byte.

    A random 512-byte message is encrypted with ``mac_bytes=1``, ``(h, s)``
    is recovered (or taken from a cached value for the default key and
    nonce), and a one-byte tag is computed for the forged ciphertext.

    Args:
        k: AES key as bytes.
        nonce: GCM nonce as bytes.
        mf: plaintext the forged ciphertext should decrypt to, as bytes.

    Returns:
        ``(gf128_to_bytes(h), c_forged, mac)`` with ``mac`` cut to one byte.
    """
    empty_aad = b""
    m = secrets.token_bytes(512)
    c, mac = gcm_encrypt(k, nonce, empty_aad, m, mac_bytes=1)

    uses_default_inputs = k == b'tlonorbistertius' and nonce == b'JORGELBORGES'
    if uses_default_inputs:
        # Cached result for the default key and nonce; skips the recovery step.
        h, s = 176085395972970454284981815262084281580, 48
    else:
        def oracle(base, aad, mac, nonce):
            # Verification oracle handed to the recovery routine; it returns
            # nothing, so acceptance or rejection is signalled only by whether
            # decrypt_and_verify raises.
            # NOTE(review): PyCryptodome documents mac_len for GCM as 4..16
            # bytes; confirm the installed version accepts mac_len=1,
            # otherwise this oracle raises on every call.
            cipher = AES.new(k, mode=AES.MODE_GCM, nonce=nonce, mac_len=1)
            cipher.update(aad)
            cipher.decrypt_and_verify(base, mac)

        h, s = mac_truncation_recover_secrets(c, mac, nonce, 1, empty_aad, oracle)

    # NOTE(review): m is 512 bytes and mf is much shorter; how xor() treats
    # operands of different length is not visible here.
    c_forged = xor(c, xor(m, mf))
    aad_forged = b""
    full_tag = gmac(h, s, aad_forged, c_forged)
    return gf128_to_bytes(h), c_forged, full_tag[:1]
class RequiredIf(InputRequired):
    """Require a field only when another field holds a specific value.

    Adapted from https://stackoverflow.com/a/8464478. The InputRequired
    check runs only if the field named ``other_field_name`` has data equal
    to ``other_field_val``; otherwise this validator does nothing.
    """

    def __init__(self, other_field_name, other_field_val, *args, **kwargs):
        self.other_field_name = other_field_name
        self.other_field_val = other_field_val
        super().__init__(*args, **kwargs)

    def __call__(self, form, field):
        watched = form._fields.get(self.other_field_name)
        if watched is None:
            # A missing field is a mistake in the form definition, not bad user input.
            raise Exception('no field named "%s" in form' % self.other_field_name)
        if watched.data != self.other_field_val:
            return
        super().__call__(form, field)
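def FileSizeLimit(max_bytes, magic_start=None, magic_end=None):
    """Build a validator that caps an upload's size and checks its magic bytes.

    Adapted from https://stackoverflow.com/a/67172432.

    Args:
        max_bytes: largest accepted size in bytes; a file of exactly this
            size passes.
        magic_start: optional bytes the file must start with.
        magic_end: optional bytes the file must end with.

    Returns:
        A ``(form, field)`` validator. It raises ValidationError on an
        oversized file or wrong magic bytes, and rewinds the stream when
        the file is accepted. A field without data is accepted unchanged.
    """
    def file_length_check(form, field):
        if not field.data:
            return
        # Read at most one byte past the limit. That is enough to detect an
        # oversized file without loading an arbitrarily large upload here.
        # The request body has already been received by this point, so also
        # cap it application-wide with Flask's MAX_CONTENT_LENGTH setting.
        s = field.data.read(max_bytes + 1)
        if len(s) > max_bytes:
            raise ValidationError(f"File size must be less than {max_bytes}B")
        # Past this point `s` is the whole file, so the suffix check is sound.
        # These are shallow checks of the first and last bytes only; the
        # content in between is not validated.
        if magic_start and not s.startswith(magic_start):
            raise ValidationError("Not a valid file; wrong initial magic bytes")
        if magic_end and not s.endswith(magic_end):
            raise ValidationError("Not a valid file; wrong final magic bytes")
        # Rewind so the view can read the accepted file from the start.
        field.data.seek(0)

    return file_length_check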
class KeyCommitmentForm(FlaskForm):
    """Inputs for the key-commitment demo.

    ``mode`` selects either the bundled sample or two user uploads. Both
    files become required only when ``mode`` is ``custom``.
    """

    mode = RadioField(
        'mode',
        choices=[('sample', 'sample'), ('custom', 'custom')],
        validators=[DataRequired()],
    )
    # FileAllowed looks at the filename extension only. The size cap and the
    # leading/trailing magic bytes are the only checks made on the content.
    jpeg = FileField(
        'jpeg_file',
        validators=[
            FileAllowed(['jpg', 'jpeg']),
            RequiredIf('mode', 'custom'),
            FileSizeLimit(150000, b'\xff\xd8', b'\xff\xd9'),
        ],
    )
    bmp = FileField(
        'bmp_file',
        validators=[
            FileAllowed(['bmp']),
            RequiredIf('mode', 'custom'),
            FileSizeLimit(50000, b'\x42\x4d'),
        ],
    )
@app.route('/key-commitment', methods=['GET', 'POST'])
def key_commitment():
    """Render the key-commitment page, or return an encrypted polyglot download.

    On a valid POST the response is a file download: the pre-built sample
    in ``sample`` mode, otherwise the ciphertext plus tag produced from the
    two uploaded images. Every other request renders the page.
    """
    # CSRF protection is switched off for this form; the view writes nothing
    # to disk and builds the download in memory.
    form = KeyCommitmentForm(
        CombinedMultiDict((request.files, request.form)),
        meta={'csrf': False},
    )

    if form.is_submitted() and form.validate():
        if form.mode.data == 'sample':
            # The sample is served as a ready-made file rather than rebuilt
            # from the two sample images on every request.
            return send_file(
                'static/sample-polyglot.enc',
                mimetype='application/octet-stream',
                as_attachment=True,
                download_name="polyglot.enc",
            )

        # Custom mode: both uploads have passed the form's size and
        # magic-byte validators by this point.
        jpeg_bytes = form.jpeg.data.read()
        bmp_bytes = form.bmp.data.read()
        c, mac = att_merge_jpg_bmp(jpeg_bytes, bmp_bytes, aad=b"")
        return send_file(
            io.BytesIO(c + mac),
            mimetype='application/octet-stream',
            as_attachment=True,
            download_name="polyglot.enc",
        )

    return render_template('key-commitment.html', form=form, k1=None, k2=None, nonce=None, c=None)