# Error Propagation on Corrupted Cipher Text

1. Encrypt a <font color="yellow">64 bytes</font> long text file with <font color="yellow">AES-128</font>;

2. Flip a single bit, let’s say in the <font color="yellow">28th</font> byte, corrupted, which means you need to modify one bit in the cipher text;

3. Decrypt the modified cipher text using the correct key and IV;

4. How much info can you recover by decrypting the corrupted file, if the encryption mode is ECB, CBC, CFB, OFB, and CTR?

In [1]:
# visualization tools
import textwrap

color2num = dict(
    gray=30,
    red=31,
    green=32,
    yellow=33,
    blue=34,
    magenta=35,
    cyan=36,
    white=37,
    crimson=38,
)

def colorize(string, color, bold=True, highlight=False):
    """
    Colorize a string.

    This function was originally written by John Schulman.
    """
    attr = []
    num = color2num[color]
    if highlight:
        num += 10
    attr.append(str(num))
    if bold:
        attr.append("1")
    return "\x1b[%sm%s\x1b[0m" % (";".join(attr), string)

def visual_hex_diff(bstr_1, bstr_2, hex_names=("HEX 1", "HEX 2")):
    SEP = "   |   "
    print("  ", f"{hex_names[0]}".ljust(16 + 7), hex_names[1], sep=SEP)
    # block level
    hex_1, hex_2 = textwrap.wrap(bstr_1.hex(), 16), textwrap.wrap(bstr_2.hex(), 16)
    for i, (block_1, block_2) in enumerate(zip(hex_1, hex_2)):
        # byte level
        block_1, block_2 = textwrap.wrap(block_1, 2), textwrap.wrap(block_2, 2)
        block_2 = [colorize(v2, "red" if v1 != v2 else "green") for v1, v2 in zip(block_1, block_2)]
        print(str(i).rjust(2), " ".join(block_1).ljust(16 + 7), " ".join(block_2).ljust( 16 + 7), sep=SEP)

# Create random string

In [2]:
import random

random.seed(0)

PLAINTEXT_BYTES = 64
BLOCK_SIZE = 128 // 8 # AES block size

plaintext = bytes(random.randrange(256) for _ in range(PLAINTEXT_BYTES))

# save plaintext
with open("h1_plaintext_origin", "wb") as f:
    f.write(plaintext)

print(plaintext.hex(" "))

c5 d7 14 84 f8 cf 9b f4 b7 6f 47 90 47 30 80 4b 9e 32 25 a9 f1 33 b5 de a1 68 f4 e2 85 1f 07 2f cc 00 fc aa 7c a6 20 61 71 7a 48 e5 2e 29 a3 fa 37 9a 95 3f aa 68 93 e3 2e c5 a2 7b 94 5e 60 5f


## Available ciphers in openssl enc

In [3]:
!openssl enc --list | grep -aes-128

-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1             
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb              
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb              


In [4]:
BLOCK_SIZE = 128

# generate random key and iv
KEY = bytes(random.randrange(256) for _ in range(BLOCK_SIZE // 8))
IV = bytes(random.randrange(256) for _ in range(BLOCK_SIZE // 8))
print(KEY.hex(), IV.hex())

1085f3232d424c1329c88d786ed68ce6 fcb62aa63bf9ab617c088a3b70be57aa


In [5]:
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.padding import PKCS7

def encrypt_corrupt_then_decrypt(plaintext, mode=modes.ECB(), corrupt_fn=lambda x: x):
    # create cipher
    cipher = Cipher(algorithms.AES(KEY), mode)
    encryptor, decryptor = cipher.encryptor(), cipher.decryptor()
    padder, unpadder = PKCS7(128).padder(), PKCS7(128).unpadder()

    # encrypt
    plaintext = padder.update(plaintext) + padder.finalize() if len(plaintext) % 16 else plaintext
    ciphertext = encryptor.update(plaintext) + encryptor.finalize()

    # corrupt
    ciphertext = corrupt_fn(ciphertext)

    # decrypt
    deciphertext = decryptor.update(ciphertext) + decryptor.finalize()
    deciphertext = unpadder.update(deciphertext) + unpadder.finalize() if len(plaintext) % 16 else deciphertext
    return ciphertext, deciphertext

In [6]:
def visual_bits_diff(a, b):
    bit_str = lambda x: list(bin(int(x,16))[2:].rjust(8, "0"))
    a, b = bit_str(a), bit_str(b)
    b = [colorize(v2, "red" if v1 != v2 else "green") for v1, v2 in zip(a, b)]
    print("Before Flipping: \t{}\nAfter Flipping: \t{}".format(" ".join(a), " ".join(b)))

def flip_one_bit(x, index=0, bit_position=0):
    int_list = list(x)
    original_int = int_list[index]
    int_list[index] ^= (1 << bit_position)
    visual_bits_diff(bytes([original_int]).hex(), bytes([int_list[index]]).hex())
    return bytes(int_list)

In [7]:
flip_one_bit(b"01", 0, 3)

Before Flipping: 	0 0 1 1 0 0 0 0
After Flipping: 	[32;1m0[0m [32;1m0[0m [32;1m1[0m [32;1m1[0m [31;1m1[0m [32;1m0[0m [32;1m0[0m [32;1m0[0m


b'81'

In [8]:
flip_one_bit(b"0", 0, 7)

Before Flipping: 	0 0 1 1 0 0 0 0
After Flipping: 	[31;1m1[0m [32;1m0[0m [32;1m1[0m [32;1m1[0m [32;1m0[0m [32;1m0[0m [32;1m0[0m [32;1m0[0m


b'\xb0'

## ECB

In [9]:
from functools import partial

ciphertext, deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.ECB())
corrupted_ciphertext, corrupted_deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.ECB(), partial(flip_one_bit, index=27, bit_position=0))
visual_hex_diff(ciphertext, corrupted_ciphertext, ["ciphertext", "corrupted ciphertext"])
visual_hex_diff(deciphertext, corrupted_deciphertext, ["deciphertext", "corrupted deciphertext"])

Before Flipping: 	0 1 0 1 1 1 0 0
After Flipping: 	[32;1m0[0m [32;1m1[0m [32;1m0[0m [32;1m1[0m [32;1m1[0m [32;1m1[0m [32;1m0[0m [31;1m1[0m
     |   ciphertext                |   corrupted ciphertext
 0   |   b0 7a 37 e2 9c 41 78 5f   |   [32;1mb0[0m [32;1m7a[0m [32;1m37[0m [32;1me2[0m [32;1m9c[0m [32;1m41[0m [32;1m78[0m [32;1m5f[0m
 1   |   81 94 05 f3 b4 60 d7 9f   |   [32;1m81[0m [32;1m94[0m [32;1m05[0m [32;1mf3[0m [32;1mb4[0m [32;1m60[0m [32;1md7[0m [32;1m9f[0m
 2   |   7a de 5d 3d 61 1d c7 7f   |   [32;1m7a[0m [32;1mde[0m [32;1m5d[0m [32;1m3d[0m [32;1m61[0m [32;1m1d[0m [32;1mc7[0m [32;1m7f[0m
 3   |   45 63 d6 5c b1 83 98 83   |   [32;1m45[0m [32;1m63[0m [32;1md6[0m [31;1m5d[0m [32;1mb1[0m [32;1m83[0m [32;1m98[0m [32;1m83[0m
 4   |   0e 42 8c 06 9e da 56 e6   |   [32;1m0e[0m [32;1m42[0m [32;1m8c[0m [32;1m06[0m [32;1m9e[0m [32;1mda[0m [32;1m56[0m [32;1me6[0m
 5   |   32 67 4d b9 c2 ac 54 

## CBC

In [10]:
ciphertext, deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.CBC(IV))
corrupted_ciphertext, corrupted_deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.CBC(IV), partial(flip_one_bit, index=27, bit_position=1))
visual_hex_diff(ciphertext, corrupted_ciphertext, ["ciphertext", "corrupted ciphertext"])
visual_hex_diff(deciphertext, corrupted_deciphertext, ["deciphertext", "corrupted deciphertext"])

Before Flipping: 	0 0 0 1 1 0 0 1
After Flipping: 	[32;1m0[0m [32;1m0[0m [32;1m0[0m [32;1m1[0m [32;1m1[0m [32;1m0[0m [31;1m1[0m [32;1m1[0m
     |   ciphertext                |   corrupted ciphertext
 0   |   2c f6 2e 7e 50 95 57 6b   |   [32;1m2c[0m [32;1mf6[0m [32;1m2e[0m [32;1m7e[0m [32;1m50[0m [32;1m95[0m [32;1m57[0m [32;1m6b[0m
 1   |   44 60 f1 3c 25 fb 75 c2   |   [32;1m44[0m [32;1m60[0m [32;1mf1[0m [32;1m3c[0m [32;1m25[0m [32;1mfb[0m [32;1m75[0m [32;1mc2[0m
 2   |   7d 1e 2b cb bd 6f f8 d2   |   [32;1m7d[0m [32;1m1e[0m [32;1m2b[0m [32;1mcb[0m [32;1mbd[0m [32;1m6f[0m [32;1mf8[0m [32;1md2[0m
 3   |   97 79 65 19 0c f2 5c 80   |   [32;1m97[0m [32;1m79[0m [32;1m65[0m [31;1m1b[0m [32;1m0c[0m [32;1mf2[0m [32;1m5c[0m [32;1m80[0m
 4   |   c5 ed db 5a 21 d9 d2 da   |   [32;1mc5[0m [32;1med[0m [32;1mdb[0m [32;1m5a[0m [32;1m21[0m [32;1md9[0m [32;1md2[0m [32;1mda[0m
 5   |   12 2c 57 e0 96 26 41 

In [13]:
visual_bits_diff("e5","e7")

Before Flipping: 	1 1 1 0 0 1 0 1
After Flipping: 	[32;1m1[0m [32;1m1[0m [32;1m1[0m [32;1m0[0m [32;1m0[0m [32;1m1[0m [31;1m1[0m [32;1m1[0m


Observation: 
1) Complete corruption of the corresponding block of plaintext 
2) Inverts the corresponding bit in the following block of plaintext
3) The rest of the blocks remains intact

## OFB

In [12]:
ciphertext, deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.OFB(IV))
corrupted_ciphertext, corrupted_deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.OFB(IV), partial(flip_one_bit, index=27, bit_position=2))
visual_hex_diff(ciphertext, corrupted_ciphertext, ["ciphertext", "corrupted ciphertext"])
visual_hex_diff(deciphertext, corrupted_deciphertext, ["deciphertext", "corrupted deciphertext"])

Before Flipping: 	0 0 0 1 1 0 0 1
After Flipping: 	[32;1m0[0m [32;1m0[0m [32;1m0[0m [32;1m1[0m [32;1m1[0m [31;1m1[0m [32;1m0[0m [32;1m1[0m
     |   ciphertext                |   corrupted ciphertext
 0   |   c4 06 4c 9d 13 e4 22 66   |   [32;1mc4[0m [32;1m06[0m [32;1m4c[0m [32;1m9d[0m [32;1m13[0m [32;1me4[0m [32;1m22[0m [32;1m66[0m
 1   |   28 b0 83 9d c2 0b f5 b7   |   [32;1m28[0m [32;1mb0[0m [32;1m83[0m [32;1m9d[0m [32;1mc2[0m [32;1m0b[0m [32;1mf5[0m [32;1mb7[0m
 2   |   39 87 84 10 dd fa f6 ea   |   [32;1m39[0m [32;1m87[0m [32;1m84[0m [32;1m10[0m [32;1mdd[0m [32;1mfa[0m [32;1mf6[0m [32;1mea[0m
 3   |   42 3c 8f 19 a6 be 37 3a   |   [32;1m42[0m [32;1m3c[0m [32;1m8f[0m [31;1m1d[0m [32;1ma6[0m [32;1mbe[0m [32;1m37[0m [32;1m3a[0m
 4   |   dc aa 6c 32 bf 23 e4 72   |   [32;1mdc[0m [32;1maa[0m [32;1m6c[0m [32;1m32[0m [32;1mbf[0m [32;1m23[0m [32;1me4[0m [32;1m72[0m
 5   |   3a e0 9a e8 19 49 c5 

In [14]:
visual_bits_diff("e2","e6")

Before Flipping: 	1 1 1 0 0 0 1 0
After Flipping: 	[32;1m1[0m [32;1m1[0m [32;1m1[0m [32;1m0[0m [32;1m0[0m [31;1m1[0m [32;1m1[0m [32;1m0[0m


### CFB

In [15]:
ciphertext, deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.CFB(IV))
corrupted_ciphertext, corrupted_deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.CFB(IV), partial(flip_one_bit, index=27, bit_position=3))
visual_hex_diff(ciphertext, corrupted_ciphertext, ["ciphertext", "corrupted ciphertext"])
visual_hex_diff(deciphertext, corrupted_deciphertext, ["deciphertext", "corrupted deciphertext"])

Before Flipping: 	0 1 0 0 1 0 1 1
After Flipping: 	[32;1m0[0m [32;1m1[0m [32;1m0[0m [32;1m0[0m [31;1m0[0m [32;1m0[0m [32;1m1[0m [32;1m1[0m
     |   ciphertext                |   corrupted ciphertext
 0   |   c4 06 4c 9d 13 e4 22 66   |   [32;1mc4[0m [32;1m06[0m [32;1m4c[0m [32;1m9d[0m [32;1m13[0m [32;1me4[0m [32;1m22[0m [32;1m66[0m
 1   |   28 b0 83 9d c2 0b f5 b7   |   [32;1m28[0m [32;1mb0[0m [32;1m83[0m [32;1m9d[0m [32;1mc2[0m [32;1m0b[0m [32;1mf5[0m [32;1mb7[0m
 2   |   94 b9 81 8b cd f5 9b 6b   |   [32;1m94[0m [32;1mb9[0m [32;1m81[0m [32;1m8b[0m [32;1mcd[0m [32;1mf5[0m [32;1m9b[0m [32;1m6b[0m
 3   |   40 ac c5 4b cd 8d ab 9b   |   [32;1m40[0m [32;1mac[0m [32;1mc5[0m [31;1m43[0m [32;1mcd[0m [32;1m8d[0m [32;1mab[0m [32;1m9b[0m
 4   |   56 a5 15 06 e2 ba 6b 72   |   [32;1m56[0m [32;1ma5[0m [32;1m15[0m [32;1m06[0m [32;1me2[0m [32;1mba[0m [32;1m6b[0m [32;1m72[0m
 5   |   b6 76 aa 29 76 3c 12 

In [16]:
visual_bits_diff("e2","ea")

Before Flipping: 	1 1 1 0 0 0 1 0
After Flipping: 	[32;1m1[0m [32;1m1[0m [32;1m1[0m [32;1m0[0m [31;1m1[0m [32;1m0[0m [32;1m1[0m [32;1m0[0m


Observation:
1) Complete corruption of the next block of plaintext 
2) Inverts the corresponding bit in the block of plaintext
3) The rest of the blocks remains intact

### CTR

In [17]:
ciphertext, deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.CTR(IV))
corrupted_ciphertext, corrupted_deciphertext = encrypt_corrupt_then_decrypt(plaintext, modes.CTR(IV), partial(flip_one_bit, index=27, bit_position=6))
visual_hex_diff(ciphertext, corrupted_ciphertext, ["ciphertext", "corrupted ciphertext"])
visual_hex_diff(deciphertext, corrupted_deciphertext, ["deciphertext", "corrupted deciphertext"])

Before Flipping: 	1 0 0 0 0 0 0 0
After Flipping: 	[32;1m1[0m [31;1m1[0m [32;1m0[0m [32;1m0[0m [32;1m0[0m [32;1m0[0m [32;1m0[0m [32;1m0[0m
     |   ciphertext                |   corrupted ciphertext
 0   |   c4 06 4c 9d 13 e4 22 66   |   [32;1mc4[0m [32;1m06[0m [32;1m4c[0m [32;1m9d[0m [32;1m13[0m [32;1me4[0m [32;1m22[0m [32;1m66[0m
 1   |   28 b0 83 9d c2 0b f5 b7   |   [32;1m28[0m [32;1mb0[0m [32;1m83[0m [32;1m9d[0m [32;1mc2[0m [32;1m0b[0m [32;1mf5[0m [32;1mb7[0m
 2   |   64 db 65 95 15 55 98 a5   |   [32;1m64[0m [32;1mdb[0m [32;1m65[0m [32;1m95[0m [32;1m15[0m [32;1m55[0m [32;1m98[0m [32;1ma5[0m
 3   |   9e 0d 5f 80 fe 3b 1b e4   |   [32;1m9e[0m [32;1m0d[0m [32;1m5f[0m [31;1mc0[0m [32;1mfe[0m [32;1m3b[0m [32;1m1b[0m [32;1me4[0m
 4   |   8b 14 62 bb d4 d0 ca 89   |   [32;1m8b[0m [32;1m14[0m [32;1m62[0m [32;1mbb[0m [32;1md4[0m [32;1md0[0m [32;1mca[0m [32;1m89[0m
 5   |   45 7d 5c 02 e1 83 91 

In [18]:
visual_bits_diff("e2","a2")

Before Flipping: 	1 1 1 0 0 0 1 0
After Flipping: 	[32;1m1[0m [31;1m0[0m [32;1m1[0m [32;1m0[0m [32;1m0[0m [32;1m0[0m [32;1m1[0m [32;1m0[0m
