import binascii

from flask import Flask, abort, redirect, render_template, request, url_for

from aesgcmanalysis import xor, gmac, gcm_encrypt, nonce_reuse_recover_secrets, gf128_to_bytes
# The WSGI application object; the route handlers below register on it.
app = Flask(__name__)
@app.route('/')
def index():
    """Serve the landing page (``index.html``)."""
    landing_page = 'index.html'
    return render_template(landing_page)
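@app.route('/nonce-reuse', methods=['GET', 'POST'])
def nonce_reuse():
    """Render the nonce-reuse demo page; on POST, run the demonstration.

    Form fields (all required on POST; a missing field is already answered
    with HTTP 400 by Flask's ``request.form[...]``):
        key, nonce: hex-encoded AES key and GCM nonce.
        m1, m2:     two ASCII plaintexts encrypted under the same key/nonce.
        mf:         the ASCII plaintext for which a forged ciphertext and
                    candidate tags are computed by :func:`solve`.

    Malformed values (non-hex ``key``/``nonce``, non-ASCII message text) are
    answered with HTTP 400 instead of propagating ``ValueError`` /
    ``UnicodeEncodeError`` out of the handler, so bad form input never
    produces a 500 or a traceback page.

    Returns:
        The rendered ``nonce-reuse.html`` template; on GET the result
        variables (``key``, ``nonce``, ``c_forged``, ``macs``) are ``None``.
    """
    key = nonce = c_forged = macs = None
    m1 = m2 = mf = ''
    if request.method == 'POST':
        # unhexlify raises binascii.Error (a ValueError) on odd length or
        # non-hex digits, and ValueError on non-ASCII input.
        try:
            key = binascii.unhexlify(request.form['key'])
            nonce = binascii.unhexlify(request.form['nonce'])
        except ValueError as err:
            abort(400, description=f"key and nonce must be hex-encoded: {err}")
        m1 = request.form['m1']
        m2 = request.form['m2']
        mf = request.form['mf']
        try:
            m1_bytes = bytes(m1, 'ascii')
            m2_bytes = bytes(m2, 'ascii')
            mf_bytes = bytes(mf, 'ascii')
        except UnicodeEncodeError:
            abort(400, description="m1, m2 and mf must be ASCII text")
        c_forged, macs = solve(key, nonce, m1_bytes, m2_bytes, mf_bytes)
    return render_template('nonce-reuse.html', key=key, nonce=nonce, m1=m1, m2=m2, mf=mf, c_forged=c_forged, macs=macs)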
def solve(k, nonce, m1, m2, mf):
    """Demonstrate why a GCM nonce must never repeat under one key.

    ``m1`` and ``m2`` are both encrypted with the same ``k`` and ``nonce``
    (empty AAD in both cases). From the two ciphertext/tag pairs,
    ``nonce_reuse_recover_secrets`` derives candidate ``(h, s)`` values
    (GHASH subkey and tag mask). A ciphertext for ``mf`` is then derived from
    ``c1`` by XOR, and ``gmac`` computes one candidate tag per recovered pair.

    Returns:
        ``(c_forged, macs)`` where ``macs`` is a list of
        ``(gf128_to_bytes(h), s, tag)`` triples, one per candidate.

    NOTE(review): the XOR step presupposes ``mf`` fits inside ``c1``'s
    keystream; whether ``xor`` enforces matching lengths is not visible
    here — confirm in aesgcmanalysis.
    """
    empty_aad = b""
    c1, tag1 = gcm_encrypt(k, nonce, empty_aad, m1)
    c2, tag2 = gcm_encrypt(k, nonce, empty_aad, m2)
    candidates = nonce_reuse_recover_secrets(nonce, empty_aad, empty_aad, c1, c2, tag1, tag2)
    # c1 and the forged ciphertext share a keystream, so swapping the
    # plaintext is a plain XOR of the two messages onto c1.
    c_forged = xor(c1, xor(m1, mf))

    def tag_for(h, s):
        # Tag first, then the byte form of h, matching the original order.
        tag = gmac(h, s, empty_aad, c_forged)
        return gf128_to_bytes(h), s, tag

    macs = [tag_for(h, s) for h, s in candidates]
    return c_forged, macs