import binascii

from flask import Flask, render_template, request, redirect, url_for

from aesgcmanalysis import xor, gmac, gcm_encrypt, nonce_reuse_recover_secrets, gf128_to_bytes

# The WSGI application object; every route below is registered against it.
app = Flask(import_name=__name__)

@app.route('/')
def index():
    """Serve the landing page; a static template that consumes no request data."""
    page = render_template('index.html')
    return page

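@app.route('/nonce-reuse', methods=['GET', 'POST'])
def nonce_reuse():
    """Render the nonce-reuse demo form; on POST run the forgery and show the result.

    Form fields (all untrusted, taken straight from the request):
        key, nonce: hex-encoded bytes of the simulated victim's AES key and
                    GCM nonce.
        m1, m2:     the two ASCII plaintexts encrypted under that key/nonce.
        mf:         the ASCII plaintext the attacker wants to forge for m1.

    Malformed input -- odd-length or non-hex ``key``/``nonce``, or a
    non-ASCII plaintext -- is answered with HTTP 400 and the form re-rendered
    (an ``error`` string is passed to the template), instead of the unhandled
    ``binascii.Error``/``UnicodeEncodeError`` that would surface as a 500
    (with a traceback in debug mode).  A missing field is already turned into
    a 400 by Flask's ``request.form[...]``, so it is not handled here.
    Key/nonce *length* is deliberately not validated in the view; whatever
    ``gcm_encrypt`` requires is enforced (or not) there.

    Returns:
        The rendered ``nonce-reuse.html`` page, or ``(page, 400)`` on bad input.
    """
    key = nonce = c_forged = macs = None
    m1 = m2 = mf = ''
    if request.method == 'POST':
        m1 = request.form['m1']
        m2 = request.form['m2']
        mf = request.form['mf']
        try:
            # binascii.Error and UnicodeEncodeError are both ValueError
            # subclasses.  Keep the try narrow: a ValueError raised inside
            # solve() is a bug in the analysis code and must not be masked
            # as a client error.
            key = binascii.unhexlify(request.form['key'])
            nonce = binascii.unhexlify(request.form['nonce'])
            m1_b, m2_b, mf_b = (bytes(m, 'ascii') for m in (m1, m2, mf))
        except ValueError as exc:
            return render_template('nonce-reuse.html', key=key, nonce=nonce, m1=m1, m2=m2, mf=mf,
                                   c_forged=None, macs=None, error=str(exc)), 400
        c_forged, macs = solve(key, nonce, m1_b, m2_b, mf_b)
    return render_template('nonce-reuse.html', key=key, nonce=nonce, m1=m1, m2=m2, mf=mf, c_forged=c_forged, macs=macs)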

def solve(k, nonce, m1, m2, mf):
    """Simulate an AES-GCM nonce-reuse forgery and return the forged ciphertext plus candidate tags.

    ``k`` and ``nonce`` play the victim: they are used only to produce the
    two legitimate (ciphertext, tag) pairs for ``m1`` and ``m2`` under the
    SAME nonce.  The recovery step, ``nonce_reuse_recover_secrets``, is given
    only what a network attacker sees -- nonce, AADs, ciphertexts and tags --
    never the key; that is what makes this a forgery demo rather than a
    re-encryption.

    Args:
        k: AES key (bytes) of the simulated victim.
        nonce: GCM nonce (bytes), reused for both encryptions.
        m1, m2: the two plaintexts (bytes) encrypted under the same key/nonce.
        mf: the plaintext (bytes) the attacker substitutes for ``m1``.

    Returns:
        ``(c_forged, macs)``.  ``c_forged`` is ``c1 XOR m1 XOR mf`` -- with
        the keystream shared, swapping plaintexts is a plain XOR on the
        ciphertext.  ``macs`` is a list of ``(H_bytes, S, tag)`` tuples, one
        per candidate ``(H, S)`` pair the recovery returns; it may yield more
        than one candidate, so the caller has to try each tag.

    NOTE(review): the XOR-based forgery assumes ``mf`` has the same length as
    ``m1``; how ``xor`` treats unequal lengths is not visible here -- confirm
    before relying on this with shorter/longer forged plaintexts.
    """
    aad = b""  # neither legitimate message nor the forgery carries AAD

    # Victim side: two encryptions under one (key, nonce) pair.
    c1, tag1 = gcm_encrypt(k, nonce, aad, m1)
    c2, tag2 = gcm_encrypt(k, nonce, aad, m2)

    # Attacker side: recover candidate (H, S) from the public transcripts only.
    candidates = nonce_reuse_recover_secrets(nonce, aad, aad, c1, c2, tag1, tag2)

    c_forged = xor(c1, xor(m1, mf))

    def _forge_tag(h, s):
        # Tag the forged ciphertext with this candidate's H and S.
        tag = gmac(h, s, aad, c_forged)
        return gf128_to_bytes(h), s, tag

    return c_forged, [_forge_tag(h, s) for h, s in candidates]