# Sheet 3: Block Cipher Operating Modes - Exercises

## 🎯 Learning Objectives
By the end of this notebook, you should understand:
- Different AES operating modes (ECB, CBC)
- Proper padding techniques (PKCS7)
- Security implications of each mode
- Meet-in-the-middle attack principles
- Performance considerations in cryptography

## 📚 Prerequisites
- Basic understanding of symmetric encryption
- AES block cipher fundamentals (16-byte blocks)
- Python cryptography library basics

## ✅ Progress Tracker
- [ ] **Exercise 1**: AES-ECB implementation and analysis
- [ ] **Exercise 2**: AES-CBC with initialization vectors
- [ ] **Exercise 3**: Padding schemes and edge cases
- [ ] **Exercise 4**: Meet-in-the-middle attack on 2AES
- [ ] **Exercise 5**: Security analysis and comparison

---

**⚠️ Important**: This notebook uses real cryptographic functions. In production, always use well-tested libraries and follow security best practices!

In [None]:
# Setup
import sys
sys.path.append('../implementations')

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
import time

# Helper functions
def bytes_to_hex(data):
    return data.hex()

def hex_to_bytes(hex_string):
    return bytes.fromhex(hex_string)

print("🔐 Ready to explore AES and operating modes!")

## Exercise 1: AES-ECB Implementation

**🎯 Goal**: Implement AES-ECB and understand its characteristics

**📖 Background**: ECB (Electronic Codebook) mode encrypts each 16-byte block independently using the same key. This is the simplest mode but has security weaknesses.

**Task**: Encrypt/decrypt "Dies ist ein Test" with AES-ECB using key "einszweidreivier"

### TODO 1.1: Implement AES-ECB functions

In [ ]:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from Crypto.Random import get_random_bytes

def aes_ecb_encrypt(key, plaintext):
    """
    Encrypt plaintext using AES-ECB mode
    
    Steps:
    1. Convert inputs to bytes if needed
    2. Add PKCS7 padding to plaintext
    3. Create AES cipher in ECB mode
    4. Encrypt and return result
    
    Args:
        key (str/bytes): Encryption key
        plaintext (str/bytes): Message to encrypt
    
    Returns:
        bytes: Encrypted ciphertext
    """
    # TODO: Convert key to bytes if it's a string
    if isinstance(key, str):
        key = # TODO: Convert to bytes
    
    # TODO: Convert plaintext to bytes if needed
    if isinstance(plaintext, str):
        plaintext = # TODO: Convert to bytes
    
    # TODO: Add PKCS7 padding (AES block size is 16 bytes)
    padded_plaintext = # TODO: Use pad() function
    
    # TODO: Create AES cipher in ECB mode
    cipher = # TODO: Create cipher object
    
    # TODO: Encrypt and return
    return # TODO: Encrypt the padded plaintext

def aes_ecb_decrypt(key, ciphertext):
    """
    Decrypt ciphertext using AES-ECB mode
    
    Args:
        key (str/bytes): Decryption key
        ciphertext (bytes): Encrypted data
    
    Returns:
        bytes: Decrypted plaintext
    """
    # TODO: Convert key to bytes if needed
    if isinstance(key, str):
        key = # TODO: Convert to bytes
    
    # TODO: Create AES cipher in ECB mode
    cipher = # TODO: Create cipher object
    
    # TODO: Decrypt
    padded_plaintext = # TODO: Decrypt ciphertext
    
    # TODO: Remove padding and return
    return # TODO: Use unpad() function

# TODO 1.2: Test your implementation
def test_aes_ecb():
    """Test AES-ECB with given values"""
    plaintext = "Dies ist ein Test"
    key = "einszweidreivier"
    
    print("🔐 Testing AES-ECB Implementation")
    print("-" * 40)
    print(f"Plaintext: '{plaintext}'")
    print(f"Key: '{key}'")
    
    # TODO: Encrypt the message
    try:
        ciphertext = # TODO: Call your encrypt function
        print(f"Ciphertext (hex): {ciphertext.hex()}")
        
        # TODO: Decrypt the message
        decrypted = # TODO: Call your decrypt function
        decrypted_str = decrypted.decode('utf-8')
        print(f"Decrypted: '{decrypted_str}'")
        
        # Verify round-trip
        success = decrypted_str == plaintext
        print(f"Round-trip successful: {'✅' if success else '❌'}")
        
        return ciphertext
        
    except Exception as e:
        print(f"❌ Error: {e}")
        return None

# TODO 1.3: Uncomment to test your implementation
# test_result = test_aes_ecb()

## Exercise 2: AES-CBC Implementation

**🎯 Goal**: Implement AES-CBC mode and understand the role of initialization vectors

**📖 Background**: CBC (Cipher Block Chaining) mode XORs each plaintext block with the previous ciphertext block before encryption. This creates dependency between blocks and requires an initialization vector (IV).

**Security Note**: CBC is more secure than ECB because identical plaintext blocks produce different ciphertext blocks.

### TODO 2.1: Implement AES-CBC functions

def aes_cbc_encrypt(key, plaintext, iv=None):
    """
    Encrypt plaintext using AES-CBC mode
    
    Args:
        key (str/bytes): Encryption key
        plaintext (str/bytes): Message to encrypt
        iv (bytes): Initialization vector (generated if None)
    
    Returns:
        tuple: (ciphertext, iv) both as bytes
    """
    # TODO: Convert inputs to bytes
    if isinstance(key, str):
        key = # TODO: Convert to bytes
    if isinstance(plaintext, str):
        plaintext = # TODO: Convert to bytes
    
    # TODO: Generate IV if not provided
    if iv is None:
        iv = # TODO: Generate random 16-byte IV
    
    # TODO: Add PKCS7 padding
    padded_plaintext = # TODO: Add padding
    
    # TODO: Create AES cipher in CBC mode
    cipher = # TODO: Create cipher with IV
    
    # TODO: Encrypt and return both ciphertext and IV
    ciphertext = # TODO: Encrypt
    return (ciphertext, iv)

def aes_cbc_decrypt(key, ciphertext, iv):
    """
    Decrypt ciphertext using AES-CBC mode
    
    Args:
        key (str/bytes): Decryption key
        ciphertext (bytes): Encrypted data
        iv (bytes): Initialization vector used for encryption
    
    Returns:
        bytes: Decrypted plaintext
    """
    # TODO: Convert key to bytes if needed
    if isinstance(key, str):
        key = # TODO: Convert to bytes
    
    # TODO: Create AES cipher in CBC mode with IV
    cipher = # TODO: Create cipher
    
    # TODO: Decrypt and remove padding
    padded_plaintext = # TODO: Decrypt
    plaintext = # TODO: Remove padding
    
    return plaintext

# TODO 2.2: Test CBC implementation
def test_aes_cbc():
    """Test AES-CBC implementation"""
    test_key = "mysecretkey12345"  # 16 bytes
    test_message = "This is a test message for CBC mode!"
    
    print("🔗 Testing AES-CBC Implementation")
    print("-" * 40)
    print(f"Key: '{test_key}'")
    print(f"Message: '{test_message}'")
    
    try:
        # TODO: Encrypt with CBC
        ciphertext, iv = # TODO: Call your encrypt function
        print(f"IV (hex): {iv.hex()}")
        print(f"Ciphertext (hex): {ciphertext.hex()}")
        
        # TODO: Decrypt with CBC
        decrypted = # TODO: Call your decrypt function
        decrypted_str = decrypted.decode('utf-8')
        print(f"Decrypted: '{decrypted_str}'")
        
        # Verify
        success = decrypted_str == test_message
        print(f"Round-trip successful: {'✅' if success else '❌'}")
        
        return (ciphertext, iv)
        
    except Exception as e:
        print(f"❌ Error: {e}")
        return None

# TODO 2.3: Compare ECB vs CBC security
def demonstrate_ecb_vs_cbc():
    """Show why ECB is insecure compared to CBC"""
    key = "mysecretkey12345"
    
    # Message with repeated blocks
    message = "SAME BLOCK HERE!!" + "SAME BLOCK HERE!!" + "Different block."
    
    print("🔍 ECB vs CBC Security Demonstration")
    print("-" * 45)
    print(f"Message with repeated content: '{message[:32]}...'")
    
    # TODO: Encrypt with ECB
    ecb_ciphertext = # TODO: Use your ECB function
    
    # TODO: Encrypt with CBC  
    cbc_ciphertext, iv = # TODO: Use your CBC function
    
    print(f"ECB ciphertext: {ecb_ciphertext.hex()}")
    print(f"CBC ciphertext: {cbc_ciphertext.hex()}")
    
    # TODO: Analyze the first two 16-byte blocks
    ecb_block1 = ecb_ciphertext[:16].hex()
    ecb_block2 = ecb_ciphertext[16:32].hex()
    cbc_block1 = cbc_ciphertext[:16].hex()
    cbc_block2 = cbc_ciphertext[16:32].hex()
    
    print(f"\nECB Block 1: {ecb_block1}")
    print(f"ECB Block 2: {ecb_block2}")
    print(f"ECB blocks identical: {'✅' if ecb_block1 == ecb_block2 else '❌'}")
    
    print(f"\nCBC Block 1: {cbc_block1}")
    print(f"CBC Block 2: {cbc_block2}")
    print(f"CBC blocks identical: {'✅' if cbc_block1 == cbc_block2 else '❌'}")
    
    print("\n💡 ECB reveals patterns, CBC doesn't!")

# TODO 2.4: Uncomment to test
# test_aes_cbc()
# demonstrate_ecb_vs_cbc()

## Exercise 3: Meet-in-the-Middle Attack

**🎯 Goal**: Understand and implement a meet-in-the-middle attack on 2AES

**📖 Background**: 2AES encrypts with two different keys sequentially:
```
C = AES_k2(AES_k1(P))
```
A naive brute force would require 2^(128+128) = 2^256 operations. The meet-in-the-middle attack reduces this to just 2×2^128 operations!

**Attack Principle**:
1. Try all possible k1, compute intermediate = AES_k1(P), store in table
2. Try all possible k2, compute candidate = AES_decrypt_k2(C)
3. Check if candidate matches any stored intermediate
4. If match found, you have both keys!

### Given Data for Attack

# Attack data (keys are only 16 bits for feasibility)
p1 = b'Das ist ein Test'
c1 = bytes.fromhex("d011ebb754c1f786b5b8576457c2104e")
p2 = b'Wir knacken 2AES'  
c2 = bytes.fromhex("4894511486656bfbf6740a7e80affd5f")

print("📊 Attack Data:")
print(f"P1: {p1}")
print(f"C1: {c1.hex()}")
print(f"P2: {p2}")
print(f"C2: {c2.hex()}")

def create_16bit_key(key_int):
    """
    Convert 16-bit integer to 16-byte AES key
    
    Args:
        key_int (int): 16-bit key value (0-65535)
    
    Returns:
        bytes: 16-byte AES key with leading zeros
    """
    # TODO: Convert 16-bit int to 2 bytes, then pad to 16 bytes
    key_bytes = # TODO: Convert to 2 bytes (big-endian)
    # TODO: Pad with 14 zero bytes to make 16-byte key
    return # TODO: Return padded key

def meet_in_middle_attack(p1, c1, p2, c2):
    """
    Perform meet-in-the-middle attack on 2AES
    
    Algorithm:
    1. Build forward table: for all k1, compute AES_k1(p1) and AES_k1(p2)
    2. Build backward: for all k2, compute AES_decrypt_k2(c1) and AES_decrypt_k2(c2)  
    3. Find matches between forward and backward results
    4. Verify candidate key pairs
    
    Args:
        p1, p2 (bytes): Known plaintexts
        c1, c2 (bytes): Corresponding ciphertexts
    
    Returns:
        tuple: (k1, k2) if found, None otherwise
    """
    print("🔍 Starting meet-in-the-middle attack...")
    print("Building forward table (trying all k1 values)...")
    
    # TODO: Build forward table
    forward_table = {}  # Maps intermediate -> k1
    
    for k1_int in range(2**16):  # Try all 16-bit keys
        # TODO: Create AES key from integer
        k1 = create_16bit_key(k1_int)
        
        try:
            # TODO: Encrypt both plaintexts with k1
            cipher1 = AES.new(k1, AES.MODE_ECB)
            cipher2 = AES.new(k1, AES.MODE_ECB)
            
            # We need to pad plaintexts for AES
            p1_padded = pad(p1, 16)
            p2_padded = pad(p2, 16)
            
            intermediate1 = # TODO: Encrypt p1
            intermediate2 = # TODO: Encrypt p2
            
            # TODO: Store in forward table
            # Use tuple of both intermediates as key
            key = (intermediate1, intermediate2)
            forward_table[key] = k1_int
            
        except:
            continue
        
        if k1_int % 10000 == 0:
            print(f"  Processed {k1_int}/65536 k1 values...")
    
    print(f"Forward table built with {len(forward_table)} entries")
    print("Searching backward (trying all k2 values)...")
    
    # TODO: Search backward
    for k2_int in range(2**16):
        # TODO: Create AES key from integer
        k2 = create_16bit_key(k2_int)
        
        try:
            # TODO: Decrypt both ciphertexts with k2
            cipher1 = AES.new(k2, AES.MODE_ECB) 
            cipher2 = AES.new(k2, AES.MODE_ECB)
            
            candidate1 = # TODO: Decrypt c1
            candidate2 = # TODO: Decrypt c2
            
            # TODO: Check if this combination exists in forward table
            key = (candidate1, candidate2)
            if key in forward_table:
                k1_int = forward_table[key]
                print(f"\n🎉 Potential match found!")
                print(f"k1 = {k1_int} (0x{k1_int:04x})")
                print(f"k2 = {k2_int} (0x{k2_int:04x})")
                
                # TODO: Verify the solution
                return verify_2aes_keys(k1_int, k2_int, p1, c1, p2, c2)
                
        except:
            continue
        
        if k2_int % 10000 == 0:
            print(f"  Processed {k2_int}/65536 k2 values...")
    
    print("❌ No solution found")
    return None

def verify_2aes_keys(k1_int, k2_int, p1, c1, p2, c2):
    """
    Verify that the found keys actually work for 2AES
    
    Returns:
        tuple: (k1_int, k2_int) if verification successful, None otherwise
    """
    try:
        k1 = create_16bit_key(k1_int)
        k2 = create_16bit_key(k2_int)
        
        # Test encryption: C = AES_k2(AES_k1(P))
        for p, c in [(p1, c1), (p2, c2)]:
            # TODO: Apply 2AES encryption
            p_padded = pad(p, 16)
            
            # First encryption with k1
            cipher1 = AES.new(k1, AES.MODE_ECB)
            intermediate = # TODO: Encrypt with k1
            
            # Second encryption with k2  
            cipher2 = AES.new(k2, AES.MODE_ECB)
            result = # TODO: Encrypt with k2
            
            # TODO: Check if result matches expected ciphertext
            if result != c:
                print(f"❌ Verification failed for keys k1={k1_int}, k2={k2_int}")
                return None
        
        print(f"✅ Verification successful!")
        print(f"Found 2AES keys: k1={k1_int} (0x{k1_int:04x}), k2={k2_int} (0x{k2_int:04x})")
        return (k1_int, k2_int)
        
    except Exception as e:
        print(f"❌ Verification error: {e}")
        return None

# TODO 3.1: Uncomment to run the attack (WARNING: Takes several minutes!)
# print("⚠️  This attack will take 2-5 minutes to complete...")
# result = meet_in_middle_attack(p1, c1, p2, c2)

## Exercise 4: Security Analysis and Comparison

**🎯 Goal**: Analyze and compare the security properties of different operating modes

### TODO 4.1: Mode Comparison Analysis

def analyze_mode_properties():
    """
    Analyze key properties of different AES modes
    """
    print("🔒 AES Operating Modes Security Analysis")
    print("=" * 50)
    
    # TODO: Fill in the security analysis
    modes_analysis = {
        "ECB": {
            "description": "Electronic Codebook - each block encrypted independently",
            "advantages": [
                # TODO: List ECB advantages
                # Hint: Simplicity, parallelization, no error propagation
            ],
            "disadvantages": [
                # TODO: List ECB disadvantages  
                # Hint: Pattern leakage, identical blocks, not semantically secure
            ],
            "use_cases": [
                # TODO: When might ECB be appropriate?
                # Hint: Random data, single block encryption
            ]
        },
        "CBC": {
            "description": "Cipher Block Chaining - each block XORed with previous ciphertext",
            "advantages": [
                # TODO: List CBC advantages
                # Hint: Hides patterns, semantically secure, widely supported
            ],
            "disadvantages": [
                # TODO: List CBC disadvantages
                # Hint: Sequential encryption, error propagation, IV requirement
            ],
            "use_cases": [
                # TODO: When is CBC appropriate?
                # Hint: File encryption, secure communications
            ]
        }
    }
    
    for mode, properties in modes_analysis.items():
        print(f"\n📋 {mode} Mode Analysis:")
        print(f"Description: {properties['description']}")
        print("Advantages:")
        for adv in properties['advantages']:
            print(f"  ✅ {adv}")
        print("Disadvantages:")
        for dis in properties['disadvantages']:
            print(f"  ❌ {dis}")
        print("Best use cases:")
        for use in properties['use_cases']:
            print(f"  🎯 {use}")

def padding_oracle_demo():
    """
    Demonstrate why proper padding validation is critical
    """
    print("\n🚨 Padding Oracle Attack Concept")
    print("-" * 35)
    
    key = b"mysecretkey12345"
    message = "Secret message!"
    
    # Encrypt with CBC
    ciphertext, iv = aes_cbc_encrypt(key, message)
    
    print(f"Original message: '{message}'")
    print(f"Ciphertext: {ciphertext.hex()}")
    
    # TODO: Simulate padding oracle attack concept
    print("\n🔍 Padding Oracle Attack Simulation:")
    print("An attacker could exploit improper padding validation by:")
    print("1. Modifying ciphertext bytes")
    print("2. Observing server responses (padding valid/invalid)")
    print("3. Using responses to deduce plaintext byte by byte")
    
    # Demo: Modify last byte and check padding
    modified_ciphertext = bytearray(ciphertext)
    modified_ciphertext[-1] ^= 0x01  # Flip last bit
    
    try:
        # This will likely fail due to padding error
        decrypted = aes_cbc_decrypt(key, bytes(modified_ciphertext), iv)
        print(f"Modified decryption succeeded: {decrypted}")
    except:
        print("❌ Modified ciphertext failed padding validation")
        print("💡 Padding errors leak information to attackers!")

def performance_comparison():
    """
    Compare performance of different modes
    """
    import time
    
    print("\n⚡ Performance Comparison")
    print("-" * 25)
    
    # Test data
    key = b"mysecretkey12345"
    test_data = b"A" * 1000  # 1KB of data
    
    # TODO: Measure ECB performance
    start_time = time.time()
    for _ in range(1000):
        # TODO: Encrypt with ECB
        encrypted = aes_ecb_encrypt(key, test_data)
    ecb_time = time.time() - start_time
    
    # TODO: Measure CBC performance  
    start_time = time.time()
    for _ in range(1000):
        # TODO: Encrypt with CBC
        encrypted, iv = aes_cbc_encrypt(key, test_data)
    cbc_time = time.time() - start_time
    
    print(f"ECB encryption (1000x 1KB): {ecb_time:.4f} seconds")
    print(f"CBC encryption (1000x 1KB): {cbc_time:.4f} seconds")
    print(f"Performance difference: {(cbc_time/ecb_time - 1)*100:.1f}% slower for CBC")
    
    # TODO: Analysis questions for students
    print("\n🤔 Think about:")
    print("- Why might CBC be slower than ECB?")
    print("- Is the performance difference significant?")
    print("- When is security worth the performance cost?")

# TODO 4.2: Run the analysis
# Uncomment each function as you complete the TODOs
# analyze_mode_properties()
# padding_oracle_demo() 
# performance_comparison()

## 🎉 Excellent Work!

If you've completed all exercises, you now have hands-on experience with:

✅ **AES Operating Modes**
- ECB implementation and security weaknesses
- CBC implementation with proper IV usage
- Performance and security trade-offs

✅ **Cryptanalytic Techniques**
- Meet-in-the-middle attack principles
- Time-memory trade-offs in cryptanalysis
- Complexity reduction strategies

✅ **Security Analysis**
- Pattern analysis in different modes
- Padding oracle attack concepts
- Real-world security considerations

### 🚀 Next Steps
1. Implement other modes (CTR, GCM, OFB)
2. Study authenticated encryption modes
3. Explore side-channel attack resistance
4. Practice with larger, more realistic datasets

### 🔬 Research Questions
- How do modern authenticated encryption modes like GCM address the weaknesses you observed?
- What are the practical limitations of meet-in-the-middle attacks on real systems?
- How can padding oracle vulnerabilities be prevented in practice?

### 💼 Real-World Applications
Consider how these concepts apply to:
- HTTPS/TLS encryption
- Database encryption
- File system encryption
- Messaging app security

**Great job exploring the fascinating world of cryptographic operating modes! 🔐**