Updated 2025-01-30. From: SLTechnology News&Howtos, Network Security. Shulou (Shulou.com), 05/31 report.
This article explains the Padding Oracle Attack in detail through a worked example. The editor thinks it is very practical, so I share it with you as a reference. I hope you get something out of reading it.
Applicable conditions
The cipher is AES in CBC mode
The ciphertext is known
The initial IV used for encryption is known
Attack principle
If the plaintext spans more than one block, it is recovered block by block; only the IV changes from block to block, and the process is otherwise exactly the same.
Within each block, the plaintext is recovered byte by byte, from back to front.
Let's take a look at the classic CBC diagrams first.
[Figure: CBC mode, encryption]
[Figure: CBC mode, decryption]
Attack implementation
There is a server that decrypts the ciphertext it is given and reports whether the result is correct, that is, whether the padding is valid. From that answer we can work out the intermediate state I, the value after block decryption and before the XOR with the IV. Since I = C ⊕ P, and C is known (C is the block XORed in during decryption: the IV for the first block, the previous ciphertext block otherwise), we can get the original plaintext P through XOR. The main problem, then, is obtaining the intermediate state I.
We start by constructing iv = b'\x00' * 16 and sending it to the server together with the target block, and the server performs its padding check. Take the last byte: the server judges the padding correct when that byte comes out as 0x01 after decryption, i.e. iv byte ⊕ I byte = 0x01, so we can brute-force this byte of the iv. When the server answers that the padding is correct, there is a good chance that we have the right value, which gives the corresponding byte of I. So we enumerate from the last byte; once that byte is correct we move on to the byte before it (the target padding value grows by one each time, 0x02, 0x03, ..., with the bytes already recovered set to match), and continue until all bytes have been recovered and I is fully known. Finally, I ⊕ IV gives the plaintext P of the block.
Then replace the IV with the ciphertext of the previous block and repeat the above operation for the next block.
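The recovery described above, run offline against a local oracle, as an added example that is not part of the original article: a toy Feistel cipher built from SHA-256 stands in for AES (the attack never looks inside the cipher), and every name and key here is constructed for the demo. `mac_first_oracle` shows the fix: it verifies an HMAC over the IV and ciphertext block before any padding check happens.

```python
import hashlib, hmac, os

BS = 16
KEY, MAC_KEY = os.urandom(16), os.urandom(16)      # constructed demo keys

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(b, rounds):                            # toy 128-bit block cipher, stand-in for AES
    l, r = b[:8], b[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(KEY + bytes([i]) + r).digest()[:8])
    return r + l                                   # final swap: reversed round order decrypts

def cbc_encrypt(iv, msg):                          # PKCS#7 pad, then CBC-encrypt
    n = BS - len(msg) % BS
    msg, prev, out = msg + bytes([n]) * n, iv, b""
    for i in range(0, len(msg), BS):
        prev = feistel(xor(msg[i:i + BS], prev), range(4))
        out += prev
    return out

def leaky_oracle(iv, block):                       # vulnerable: answers "is the padding valid?"
    p = xor(feistel(block, (3, 2, 1, 0)), iv)
    return 1 <= p[-1] <= BS and p.endswith(p[-1:] * p[-1])

def mac(iv, block):
    return hmac.new(MAC_KEY, iv + block, hashlib.sha256).digest()

def mac_first_oracle(iv, block, tag):              # hardened: authenticate before decrypting
    return hmac.compare_digest(tag, mac(iv, block)) and leaky_oracle(iv, block)

def recover_block(oracle, prev, block):
    mid = bytearray(BS)                            # intermediate state I = D_k(block)
    for pad in range(1, BS + 1):
        pos, iv = BS - pad, bytearray(BS)
        for k in range(pos + 1, BS):
            iv[k] = mid[k] ^ pad                   # make the already-known tail decrypt to `pad`
        for guess in range(256):
            iv[pos] = guess
            probe = bytearray(iv)                  # second query, used only when pad == 1:
            probe[pos - 1] ^= 0xFF                 # rules out an accidental \x02\x02-style hit
            if oracle(bytes(iv), block) and (pad > 1 or oracle(bytes(probe), block)):
                mid[pos] = guess ^ pad
                break
        else:
            return None                            # no valid-padding answer: nothing leaked
    return xor(mid, prev)                          # P = I xor IV (or previous ciphertext block)
```

With `leaky_oracle`, `recover_block` returns the padded plaintext of the block; with the MAC-first oracle every modified IV fails authentication, so it returns `None`.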
Example 1. 0xGame Padding Oracle
This is a standard example problem. The analysis is as above, so here we only demonstrate the concrete steps.
Out of laziness, I ran this several times, manually changing the code each time, because the brute force takes a ridiculously long time. A debugging nightmare.

    from string import digits, ascii_letters
    from pwn import *
    from hashlib import sha256
    from Crypto.Util.number import *
    import os

    table = digits + ascii_letters
    r = remote("49.235.239.97", "10003")

    # Placeholder: the server's valid-padding reply is not recoverable from this page.
    OK_REPLY = b"<valid-padding reply>"

    def proof_of_work():
        rev = r.recvuntil("sha256(XXXX+")
        suffix = r.recv(16).decode()
        # Assumes the usual 'sha256(XXXX+<suffix>) == <digest>' prompt.
        r.recvuntil("== ")
        res = r.recv(64).decode()

        def f(x):
            hashresult = sha256((x + suffix).encode()).hexdigest()
            return hashresult == res

        # The call is cut off after "mbruteforce" on this page; the arguments and the
        # send are assumed (4-character prefix from the XXXX prompt, alphabet `table`).
        prefix = util.iters.mbruteforce(f, table, 4, 'fixed')
        r.sendline(prefix)

    def read_data():
        r.recvuntil("iv:")
        iv = r.recvuntil('\n')[:-1].decode()
        iv = bytearray.fromhex(iv)
        r.recvuntil("crypttext:")
        qwq = r.recvuntil('\n')[:-1].decode()
        cbc = bytearray.fromhex(qwq)
        return iv, cbc, qwq

    proof_of_work()
    print('Successfully pass the data')
    iv, cbc, qwq = read_data()
    mid = []  # intermediate state I, stored last byte first
    print('Successfully read the data')
    # print('iv = ', iv)
    # print('cbc = ', cbc)
    # print(cbc.hex()[64:])

    r.recvuntil('>')

    # This run targets the ciphertext block at hex offsets 64:96; its "iv" is the
    # previous ciphertext block (bytes 16:32). Change both slices for other blocks.
    iv = bytearray.fromhex(qwq)[16:32]
    print(iv)
    new_iv = bytearray(b'\x00' * 16)
    count = 1  # padding value currently being forced
    for i in range(16):
        for j in range(256):
            new_iv[15 - i] = j
            r.sendline('1')
            r.recvuntil('(in hex):')
            r.sendline(str(new_iv.hex()))
            r.recvuntil('(in hex):')
            r.sendline(str(cbc.hex())[64:96])
            back = r.recvline(keepends=False)
            r.recvuntil('>')
            if OK_REPLY in back:
                print(back, j)
                ans = j ^ count  # byte of I at position 15 - i
                break
        count += 1
        mid.append(ans)
        # Set the recovered tail so that it decrypts to the next padding value.
        for m in range(15 - i, 16):
            new_iv[m] = count ^ mid[15 - m]

    # P = I xor IV
    find = ''
    for i in range(16):
        find += hex(iv[i] ^ mid[15 - i])[2:].rjust(2, '0')
    flag = bytearray.fromhex(find)
    print(flag)
    r.interactive()

That concludes the example analysis of the Padding Oracle Attack. I hope the above content is helpful to you and that you learn something from it.