## An ECB/CBC detection oracle

Now that you have ECB and CBC working:

Write a function to generate a random AES key; that's just 16 random bytes.

Write a function that encrypts data under an unknown key --- that is, a function that generates a random key and encrypts under it.

The function should look like: 

```
encryption_oracle(your-input)
=> [MEANINGLESS JIBBER JABBER]
```

Under the hood, have the function append 5-10 bytes (count chosen randomly) before the plaintext and 5-10 bytes after the plaintext.

Now, have the function choose to encrypt under ECB 1/2 the time, and under CBC the other half (just use random IVs each time for CBC). Use `rand(2)` to decide which to use.

Detect the block cipher mode the function is using each time. You should end up with a piece of code that, pointed at a black box that might be encrypting ECB or CBC, tells you which one is happening.


In [1]:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from os import urandom
from random import randint

https://docs.python.org/3/library/random.html#random.randint

In [2]:
# Returns 5-10 random bytes (count chosen randomly).
def random_bytes():
    count = randint(5, 10)
    return urandom(count)

CBC mode API (Pycryptodome) already creates a random IV, see https://www.pycryptodome.org/src/cipher/classic#cbc-mode.

In [35]:
# Returns (ciphertext, mode:string) tuple.
def encryption_oracle(plaintext):
    key = urandom(AES.block_size) # Generate a random AES key.
    # Append 5-10 bytes (count chosen randomly) before the plaintext and 5-10 bytes after the plaintext.
    plaintext = random_bytes() + plaintext + random_bytes()
    
    # Encrypt under ECB 1/2 the time, and under CBC the other half.
    cipher = None
    if randint(0, 1) == 0:
        cipher = AES.new(key, AES.MODE_ECB)
    else:
        cipher = AES.new(key, AES.MODE_CBC)

    padded = pad(plaintext, cipher.block_size)
    return cipher.encrypt(padded), "cbc" if hasattr(cipher, 'iv') else "ecb"

In [34]:
test, mode = encryption_oracle(b'test')
print(test, mode)

b"\xf6@\x03>\x06K\x81\x1d\xf6\x05\xd7;\xd7\xbb\x9b)\xb1k,\x04'`\x94\x1f\xf5X\x11J/\xa9\xeb\xa7" cbc


Borrow `detect_ecb` function from challenge 8.

In [6]:
# Returns (is_ecb:boolean, counts:dict) tuple, given ciphertext.
def detect_ecb(ciphertext):
    assert len(ciphertext) % AES.block_size == 0
    counts = {}
    for i in range(0, len(ciphertext), AES.block_size):
        block = ciphertext[i:i + AES.block_size]
        if block not in counts:
            counts[block] = 0
        counts[block] += 1
    return max(counts.values()) > 1, counts

Craft an input to expose ECB.

In [9]:
NUM_BLOCKS = 9
input = b'\x00' * AES.block_size * NUM_BLOCKS
input

b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

In [39]:
ciphertext, mode = encryption_oracle(input)
is_ecb, counts = detect_ecb(ciphertext)
print(mode, is_ecb)

ecb True
