1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
<!DOCTYPE html>
<html>
<head>
<title>Forbidden Salamanders</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" type="text/css" href="/static/styles.css">
<link rel="stylesheet" type="text/css" href="/forbidden-salamanders/static/styles.css">
<link rel="shortcut icon" type="image/x-icon" href="/forbidden-salamanders/static/favicon.ico">
</head>
<body>
<div class="container">
<div>
<div class="home">
<a href="/forbidden-salamanders" class="home-title">Forbidden Salamanders</a>
<span> at </span><a class="site" href="/">cyfraeviolae.org</a>
<a class="source" href="/git/forbidden-salamanders">[src]</a>
</div>
<div class="crumbs">
<a href="/forbidden-salamanders/key-commitment">key commitment</a>
<span class="sep"> · </span>
<a href="/forbidden-salamanders/nonce-reuse">nonce reuse</a>
<span class="sep"> · </span>
<a href="/forbidden-salamanders/mac-truncation">mac truncation</a>
</div>
</div>
<p>
The FIPS-compliant sorcerer Roseacrucis uses the <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode">Advanced Encryption Standard in Galois/Counter Mode</a>
to correspond with his retinue. The Library’s cryptanalysts
have intercepted the communication channel, but we need your
help to exploit their broken protocols.
</p>
<p>
Choose one of the following missions.
</p>
<p>
<strong><a href="/forbidden-salamanders/key-commitment">Key commitment</a>.</strong> One of
our agents has infiltrated Roseacrucis’ inner circle, but all
secret keys are required to be surrendered to the
counterintelligence authority. Help her send AES-GCM ciphertexts back to
the Library that decrypt to confidential information under one key,
but innocuous banter under another.
</p>
<p>
<strong><a href="/forbidden-salamanders/nonce-reuse">Nonce
reuse</a>.</strong> Due to rising entropy prices, Roseacrucis has
started to reuse AES-GCM nonces. You must perform the Forbidden Attack in order to
recover the authentication key and forge arbitrary ciphertext.
</p>
<p>
<strong><a href="/forbidden-salamanders/mac-truncation">MAC
truncation</a>.</strong> The sorcerer aims to conserve
bandwidth by truncating AES-GCM MACs. Use the enemy as a decryption
oracle to once again, recover the authentication key and forge
arbitrary ciphertext.
</p>
<br>
<details>
<summary>
Though it is not required to complete your missions, we now
review the construction of AES-GCM.
</summary>
<p>
AES-GCM is a block cipher that accepts a key of 16 bytes,
a nonce of 12 bytes, plaintext, and additional authenticated data.
It returns ciphertext and a message authentication code (MAC).
The construction is <a href="https://csrc.nist.gov/publications/detail/sp/800-38d/final">specified by NIST</a>.
</p>
<p>
The ciphertext is computed as in <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)">counter mode</a>, whereas the MAC is computed using the algorithm GMAC.
</p>
<p>
Let
\[
m = \alpha^{128}+\alpha^7 + \alpha^2 + \alpha + 1
\]
\[
\mathbb{K} = \mathbb{F}_{2^{128}}/m.
\]
</p>
<p>
The finite field \(\mathbb{K}\) can be
interpreted as the set of polynomials with coefficients in \(\mathbb{F}_2\)
of degree less than \(128\). Multiplication
is performed modulo \(m\). This field is of characteristic 2;
e.g., \(2=0\), \(a=-a\), \((\alpha^5 + 1)+(\alpha^5 + 1) = 0\).
</p>
<p>
We interpret 16-byte blocks as elements in \(\mathbb{K}\)
in little-endian bit order:
\[
b_0b_1b_2\ldots{}b_{127} \mapsto
b_0 + b_1\alpha + b_2\alpha^2 + \ldots + b_{127}\alpha^{127},
\]
where \(b_0\) is the least significant bit of the first byte of
the block.
</p>
<p>
12-byte nonces are interpreted as 96-bit integers in big-endian
byte order. Let \(\operatorname{Byte} = [0, 2^8-1]\) and
\(x_i\) refer to the \(i\)th 16-byte chunk of the bytestring
\(x\).
</p>
<p>
\(\operatorname{encode_{big}}(x, n)\) encodes an integer \(x\) into \(n\) bytes in big-endian
byte order. \(\operatorname{pad_n}(x, p)\) pads the length of
the bytestring \(x\) to the nearest multiple of \(n\) with the
byte \(p\). \(\operatorname{AES}(k, x)\) refers to
the <a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">128-bit AES block cipher</a>.
</p>
<br>
<div class="algorithm">
<p>\(\operatorname{GMAC}(h\in \mathbb{K}, s\in \mathbb{K}, aad\in \operatorname{Byte}^{y}, c\in \operatorname{Byte}^{z})\)</p>
<ol class="algorithm-code">
<li>\( len = \operatorname{encode_{big}}(8y, 8) \mathbin\Vert \operatorname{encode_{big}}(8z, 8) \)</li>
<li>\( blocks = \operatorname{pad}_{16}(aad, 0) \mathbin\Vert \operatorname{pad}_{16}(c, 0) \mathbin\Vert len \mathbin\Vert s \)</li>
<li>\( N = \frac{\vert blocks \vert}{16} \)</li>
<li>\( \operatorname{return} \sum\limits_{i=1}^{N} blocks_{N-i} h^{i-1}\)</li>
</ol>
</div>
<br>
<br>
<div class="algorithm">
<p>\(\operatorname{AES-GCM}(k\in \operatorname{Byte}^{16}, n\in \operatorname{Byte}^{12}, aad\in \operatorname{Byte}^{y}, m\in \operatorname{Byte}^{z})\)</p>
<ol class="algorithm-code">
<li> \( r = \mathop{\Vert}\limits_{n'=2^{32}n+2}^{2^{32}n+2^{32}-1} \operatorname{AES}(k, n') \)</li>
<li> \( c = r \oplus m \) </li>
<li> \( h = \operatorname{AES}(k, 0) \) </li>
<li> \( s = \operatorname{AES}(k, 2^{32}n + 1) \) </li>
<li> \( \operatorname{return} c, \operatorname{GMAC}(h, s, aad, c) \)</li>
</ol>
</div>
</details>
<script id="MathJax-script" async src="/forbidden-salamanders/static/tex-chtml.js"></script>
</body>
</html>
|