In [6]:
from sys import exit
from Crypto.Util.number import bytes_to_long, inverse, long_to_bytes
import random
import string
from pwn import *
CHARSET = string.ascii_uppercase + string.ascii_lowercase + string.digits
from Crypto.Cipher import ChaCha20, ChaCha20_Poly1305
from Crypto.Hash import Poly1305

## **B√†i to√°n ChaCha Slide**

### 1. Th√†nh ph·∫ßn c·ªßa ChaCha20-Poly1305

Thu·∫≠t to√°n n√†y k·∫øt h·ª£p hai th√†nh ph·∫ßn ch√≠nh:

#### **ChaCha20 ‚Üí M√£ h√≥a d·ªØ li·ªáu**
- ƒê√¢y l√† m·ªôt **stream cipher** (m√£ d√≤ng) m·∫°nh m·∫Ω, an to√†n v√† nhanh ch√≥ng.
- N√≥ nh·∫≠n v√†o:
  - **Kh√≥a 256-bit** (32 byte).
  - **Nonce 96-bit** (12 byte).
  - **Counter 32-bit** (4 byte).
- ChaCha20 t·∫°o ra m·ªôt **chu·ªói byte ng·∫´u nhi√™n (keystream)** v√† th·ª±c hi·ªán ph√©p **XOR v·ªõi plaintext** ƒë·ªÉ t·∫°o ra ciphertext.

#### **Poly1305 ‚Üí T·∫°o v√† x√°c th·ª±c m√£ MAC (Message Authentication Code)**
- Poly1305 l√† m·ªôt thu·∫≠t to√°n t·∫°o m√£ x√°c th·ª±c th√¥ng ƒëi·ªáp (**MAC**) ƒë·ªÉ ƒë·∫£m b·∫£o r·∫±ng d·ªØ li·ªáu kh√¥ng b·ªã thay ƒë·ªïi.
- N√≥ nh·∫≠n v√†o **m·ªôt kh√≥a 128-bit** v√† t·∫°o ra **m·ªôt tag 16 byte (128-bit)**.
- **Tag n√†y ƒë∆∞·ª£c g·ª≠i k√®m v·ªõi b·∫£n m√£** ƒë·ªÉ ki·ªÉm tra t√≠nh to√†n v·∫πn khi gi·∫£i m√£.

### 2. Gi·∫£i th√≠ch m√£ ngu·ªìn

D∆∞·ªõi ƒë√¢y l√† ph·∫ßn ph√¢n t√≠ch m√£ ngu·ªìn ch√≠nh:

#### **1. Kh·ªüi t·∫°o v√† sinh kh√≥a**
```python
import secrets
import hashlib
from Crypto.Cipher import ChaCha20_Poly1305

flag = open("flag.txt").read().strip()

def shasum(x):
    return hashlib.sha256(x).digest()

key = shasum(shasum(secrets.token_bytes(32) + flag.encode()))
```
**Gi·∫£i th√≠ch:**
- `secrets.token_bytes(32)`: Sinh m·ªôt chu·ªói ng·∫´u nhi√™n 32 byte.
- `flag.encode()`: Chuy·ªÉn ƒë·ªïi n·ªôi dung c·ªßa `flag.txt` th√†nh bytes.
- `shasum()`: H√†m bƒÉm SHA-256 hai l·∫ßn ƒë·ªÉ t·∫°o **kh√≥a 256-bit** an to√†n.

#### **2. Sinh Nonce ng·∫´u nhi√™n**
```python
nonce = secrets.token_bytes(12)
```
**Gi·∫£i th√≠ch:**
- Sinh m·ªôt **nonce 12 byte (96-bit)** ng·∫´u nhi√™n cho m·ªói l·∫ßn m√£ h√≥a.
- Nonce **ph·∫£i duy nh·∫•t** ƒë·ªÉ ƒë·∫£m b·∫£o an to√†n.

#### **3. H√†m m√£ h√≥a**
```python
def encrypt(message):
    cipher = ChaCha20_Poly1305.new(key=key, nonce=nonce)
    ciphertext, tag = cipher.encrypt_and_digest(message)
    return ciphertext + tag + nonce
```
**Gi·∫£i th√≠ch:**
- `ChaCha20_Poly1305.new(key=key, nonce=nonce)`: T·∫°o ƒë·ªëi t∆∞·ª£ng m√£ h√≥a.
- `encrypt_and_digest(message)`:
  - M√£ h√≥a `message`.
  - Sinh **MAC tag** ƒë·ªÉ ƒë·∫£m b·∫£o t√≠nh to√†n v·∫πn.
- Tr·∫£ v·ªÅ **ciphertext + tag + nonce** ƒë·ªÉ d√πng khi gi·∫£i m√£.

#### **4. H√†m gi·∫£i m√£**
```python
def decrypt(message_enc):
    ciphertext = message_enc[:-28]
    tag = message_enc[-28:-12]
    nonce = message_enc[-12:]
    cipher = ChaCha20_Poly1305.new(key=key, nonce=nonce)
    plaintext = cipher.decrypt_and_verify(ciphertext, tag)
    return plaintext
```
**Gi·∫£i th√≠ch:**
- `message_enc[:-28]`: L·∫•y **ciphertext** t·ª´ ƒë·∫ßu ƒë·∫øn -28 byte cu·ªëi.
- `message_enc[-28:-12]`: L·∫•y **tag (16 byte)**.
- `message_enc[-12:]`: L·∫•y **nonce (12 byte)**.
- `decrypt_and_verify(ciphertext, tag)`:
  - Gi·∫£i m√£ **ciphertext**.
  - X√°c th·ª±c **tag** ƒë·ªÉ ƒë·∫£m b·∫£o d·ªØ li·ªáu kh√¥ng b·ªã thay ƒë·ªïi.

#### **5. M√£ h√≥a & Gi·∫£i m√£ th·ª≠ nghi·ªám**
```python
messages = [
    "Did you know that ChaCha20-Poly1305 is an authenticated encryption algorithm?",
    "That means it protects both the confidentiality and integrity of data!"
]

goal = "But it's only secure if used correctly!"

for message in messages:
    print("Plaintext: " + repr(message))
    message = message.encode()
    print("Plaintext (hex): " + message.hex())
    ciphertext = encrypt(message)
    print("Ciphertext (hex): " + ciphertext.hex())
    print()
```
**Gi·∫£i th√≠ch:**
- M√£ h√≥a hai th√¥ng ƒëi·ªáp th·ª≠ nghi·ªám.
- Chuy·ªÉn ƒë·ªïi sang **hex** ƒë·ªÉ hi·ªÉn th·ªã d·ªØ li·ªáu m√£ h√≥a.

#### **6. Nh·∫≠n ƒë·∫ßu v√†o t·ª´ ng∆∞·ªùi d√πng & Gi·∫£i m√£**
```python
user = bytes.fromhex(input("What is your message? "))
user_message = decrypt(user)
print("User message (decrypted): " + repr(user_message))

if goal in repr(user_message):
    print(flag)
```
**Gi·∫£i th√≠ch:**
- Ng∆∞·ªùi d√πng nh·∫≠p d·ªØ li·ªáu ƒë√£ m√£ h√≥a ·ªü d·∫°ng **hex**.
- Gi·∫£i m√£ v√† ki·ªÉm tra xem th√¥ng ƒëi·ªáp c√≥ ch·ª©a c√¢u `"But it's only secure if used correctly!"` hay kh√¥ng.
- N·∫øu ƒë√∫ng ‚Üí In ra **flag**.

---
### **3. T√≥m t·∫Øt**
- **ChaCha20-Poly1305** l√† m·ªôt thu·∫≠t to√°n m√£ h√≥a ƒë∆∞·ª£c x√°c th·ª±c (**AEAD**).
- **ChaCha20** ƒë·ªÉ m√£ h√≥a, **Poly1305** ƒë·ªÉ x√°c th·ª±c t√≠nh to√†n v·∫πn.
- **Nonce 12 byte** gi√∫p ƒë·∫£m b·∫£o t√≠nh an to√†n (kh√¥ng ƒë∆∞·ª£c tr√πng l·∫∑p).
- **K·∫øt h·ª£p m√£ h√≥a & x√°c th·ª±c** gi√∫p tr√°nh t·∫•n c√¥ng s·ª≠a ƒë·ªïi d·ªØ li·ªáu.
- **L∆∞u √Ω:** N·∫øu nonce b·ªã l·∫∑p l·∫°i, d·ªØ li·ªáu c√≥ th·ªÉ b·ªã t·∫•n c√¥ng.

üìå **·ª®ng d·ª•ng th·ª±c t·∫ø:** ChaCha20-Poly1305 ƒë∆∞·ª£c d√πng trong **TLS 1.3**, **WireGuard VPN**, **Google QUIC**, v.v.

---



Plaintext: 'Did you know that ChaCha20-Poly1305 is an authenticated encryption algorithm?'

Plaintext (hex): 44696420796f75206b6e6f7720746861742043686143686132302d506f6c793133303520697320616e2061757468656e7469636174656420656e6372797074696f6e20616c676f726974686d3f

Ciphertext (hex): 4409dfba5e1543bfb845547f0fd69002d943760163394820073a595db852221b9afcf218e54161fe528a5dbd820f1cb1eb35bbc77fe66cdb81107f6f4f552590a2f3faefca0d5e14b4c21a59b855fdb6013b212fa70643a3e7bd6b82c47bb6d444b0bd8969c6404331


Plaintext: 'That means it protects both the confidentiality and integrity of data!'

Plaintext (hex): 54686174206d65616e732069742070726f746563747320626f74682074686520636f6e666964656e7469616c69747920616e6420696e74656772697479206f66206461746121

Ciphertext (hex): 5408daee071753febd581b615b828811c217500a760900235a7e1c2da3563e0acaa3a95ee55624f148c35da49f1300fffe32bc8662ed7c9e830c75694f053e9fedf9bbfac74b9123572f8ccae8412719da26c5329a757bb6d444b0bd8969c6404331


What is your message? 

In [90]:
plain_lst = [
    '54686174206d65616e732069742070726f746563747320626f74682074686520636f6e666964656e7469616c69747920616e6420696e74656772697479206f66206461746121',
]
cipher_lst = [
    '0614c67712c32e2d19fd60ede85edd57d566bdd40ffcb392280be984980e3e949c9fe1d5be63ec45902ad126d32b1d0015e29ce2e6d3dbc026c6210f738ea6e4ff41e5a332bad4ae06fee783391b5b29be9bc17fc1e75d94bc5b64e87657df83df03',
]
plain_text = bytes.fromhex(plain_lst[0])
cipher_temp = bytes.fromhex(cipher_lst[0])
cipher_text = cipher_temp[:-28]
tag = cipher_temp[-28:-12]
nonce = cipher_temp[-12:]

assert(len(plain_text) == len(cipher_text))
keystream = bytes([p ^ c for p, c in zip(plain_text, cipher_text)])

plain = "But it's only secure if used correctly! ow that ChaCha20-Poly1305 isdk"
plain_bytes = plain.encode()
cipher = bytes([p ^ k for p, k in zip(plain_bytes, keystream)])

# poly1305_mac = Poly1305.new(key=keystream[:32], cipher=ChaCha20, nonce=nonce)
# poly1305_mac.update(cipher)
# computed_tag = poly1305_mac.digest()

poly1305_mac = Poly1305.new(key=keystream[:32], cipher=ChaCha20, nonce=nonce)
poly1305_mac.update(cipher_text)
print(poly1305_mac.hexdigest())
print(tag.hex())

# res = cipher + computed_tag + nonce
# # print(computed_tag)
# print(len(plain), len(cipher), len(computed_tag), len(nonce), len(keystream))
# print(res.hex())


c79702ed7f39b755428e11f8d8a70aa5
d4ae06fee783391b5b29be9bc17fc1e7


In [None]:
# L·ªùi gi·∫£i ho√†n ch·ªânh:
plain_lst = []
cipher_lst = []

port = 49585
r = remote('verbal-sleep.picoctf.net', port)

get_success = r.recvuntil("to guess it:  ").decode()
cipher_text = r.recvline(keepends=False).strip().decode()
# r.sendline('1337')

get_success = r.recvuntil("What would you like to do?").decode()
get_success = r.recvline(keepends=False).strip().decode()