# The crypto challenge
https://cryptopals.com/

第五部分開始!!

# Set5

## Diffi
雖然說是密碼學，不過第一個set大多是在處理資料轉換

> 處理 ``raw bytes`` 不要 encode 之後再處理， base64和 hex是印出來給大家看用的

用``binascii`` 這個函式庫做資料轉換

bytes([text[i] ^ text[32 + i] for i in range(16)]) ->

In [None]:
import binascii
import base64

x = '49276d206b696c6c696e6720796f757220627261696e206c696b65206120706f69736f6e6f7573206d757368726f6f6d' # raw hex
expectedY = 'SSdtIGtpbGxpbmcgeW91ciBicmFpbiBsaWtlIGEgcG9pc29ub3VzIG11c2hyb29t' # base64
decoded = binascii.unhexlify(x) # 傳回ascii string 
print decoded
print base64.b64decode(expectedY)
print decoded.encode('hex')
print base64.b64encode(decoded)
print decoded.encode('base64') # 有帶換行
y = base64.b64encode(decoded)
if y != expectedY:
    raise Exception(y + ' != ' + expectedY)

In [None]:
from binascii import a2b_hex, b2a_base64
## a2b_hex == binascii.unhexlify
print a2b_hex(x) 
print b2a_base64(a2b_hex(x))

### Fixed XOR

In [None]:
from Crypto.Util.strxor import strxor

encodedS = '1c0111001f010100061a024b53535009181c' # 相同長度
encodedT = '686974207468652062756c6c277320657965'
encodedExpectedU = '746865206b696420646f6e277420706c6179'

s = binascii.unhexlify(encodedS)
t = binascii.unhexlify(encodedT)
expectedU = binascii.unhexlify(encodedExpectedU)

u = strxor(s, t)
print u
print expectedU

也許可用syntax sugar但crypto每一function都要小心運用

In [None]:
print hex(int(encodedS, 16)^int(encodedT, 16))
"0x%0.2X" % (int(encodedS, 16)^int(encodedT, 16))

## Frequency of Characters
著名的頻率分析攻擊法，也就是說程式在求解的過程中怎樣才知道他解對了?

用英文字母的頻率來猜看看最有可能的``plaintext``

In [None]:
from Crypto.Util.strxor import strxor_c
import binascii
from Crypto.Util.strxor import strxor_c

# From http://www.data-compression.com/english.html
freqs = {
    'a': 0.0651738,
    'b': 0.0124248,
    'c': 0.0217339,
    'd': 0.0349835,
    'e': 0.1041442,
    'f': 0.0197881,
    'g': 0.0158610,
    'h': 0.0492888,
    'i': 0.0558094,
    'j': 0.0009033,
    'k': 0.0050529,
    'l': 0.0331490,
    'm': 0.0202124,
    'n': 0.0564513,
    'o': 0.0596302,
    'p': 0.0137645,
    'q': 0.0008606,
    'r': 0.0497563,
    's': 0.0515760,
    't': 0.0729357,
    'u': 0.0225134,
    'v': 0.0082903,
    'w': 0.0171272,
    'x': 0.0013692,
    'y': 0.0145984,
    'z': 0.0007836,
    ' ': 0.1918182 
}

def score(s):
    score = 0
    for i in s:
        c = i.lower()
        if c in freqs:
            score += freqs[c]
    return score

encodedS = '1b37373331363f78151b7f2b783431333d78397828372d363c78373e783a393b3736'
s = binascii.unhexlify(encodedS)
s

In [None]:
def breakSingleByteXOR(s):
    curr_score = 0
    best_str = ""
    number = 0
    for i in range(0, 256):
        if(score(strxor_c(s, i)) > curr_score):
            best_str = strxor_c(s, i)
            curr_score = score(strxor_c(s, i))
            number = i
    return [number, best_str]


print breakSingleByteXOR(s)

### Detecting the single char

In [None]:
import binascii

def decodeLines(filename):
    f = open(filename, 'r')
    for line in f:
        if line[-1] == '\n':
            line = line[:-1]
        s = binascii.unhexlify(line)
        yield s

def findSingleByteXOR(lines):
    brokenLines = [breakSingleByteXOR(l)[1] for l in lines]
    curr_score = 0
    number = 0
    best_str = ""
    for i in range(len(brokenLines)):
        if score(brokenLines[i]) > curr_score:
            curr_score = score(brokenLines[i])
            best_str =  brokenLines[i]
    return best_str

print findSingleByteXOR(decodeLines('Text/4.txt'))

### Repeating-key XOR

ord('') 得到ascii值

chr(97) 得到ascii字元

In [None]:
import binascii
from Crypto.Util.strxor import strxor_c

def encodeRepeatingKeyXor(s, key):
    return "".join([strxor_c(x[i] , ord(key[i % len(key)])) for i in range(len(x))])

x = b'''Burning 'em, if you ain't quick and nimble
I go crazy when I hear a cymbal'''
key = b'ICE'
encodedExpectedY = '0b3637272a2b2e63622c2e69692a23693a2a3c6324202d623d63343c2a26226324272765272a282b2f20430a652e2c652a3124333a653e2b2027630c692b20283165286326302e27282f'
Y = encodeRepeatingKeyXor(x, key)
encodedY = Y.encode('hex')
print encodedY
if encodedY != encodedExpectedY:
    raise Exception(encodedY + ' != ' + encodedExpectedY)

## Break the repeating XOR

challenge 6 是破解 Vigenere Cipher

先找出最可能的key長度(看slice後的hamming distance)

In [None]:
import base64
import itertools
from Crypto.Util.strxor import strxor

def getHammingDistance(x, y):
    return sum([bin(ord(x[i]) ^ ord(y[i])).count('1') for i in range(len(x))])

x = b'this is a test'
y = b'wokka wokka!!!'
expectedD = 37
d = getHammingDistance(x, y)
print d
if d != expectedD:
    raise Exception(encodedD + ' != ' + encodedExpectedD)

In [None]:
x = base64.b64decode(open('Text/6.txt', 'r').read())
def breakRepeatingKeyXor(x, k):
    blockstring = []
    blocks = [x[i:i+k] for i in range(0, len(x), k)]
    transposedBlocks = list(itertools.izip_longest(*blocks, fillvalue='0'))
    for i in range(len(transposedBlocks)):
        tmpblock = "".join([a for a in transposedBlocks[i]])
        blockstring.append(tmpblock)
    key = "".join([chr(breakSingleByteXOR(x)[0]) for x in blockstring])
    return key

def normalizedEditDistance(x, k):
    blocks = [x[i:i+k] for i in range(0, len(x), k)][0:4]
    pairs = list(itertools.combinations(blocks, 2))
    scores = [getHammingDistance(p[0], p[1])/float(k) for p in pairs][0:6]
    return sum(scores) / len(scores)

k = min(range(2, 41), key=lambda k: normalizedEditDistance(x, k))
k

再將原文slice後分成k組逐一攻破

In [None]:
key = breakRepeatingKeyXor(x, k)
y = encodeRepeatingKeyXor(x, key)
print key
print y

## AES

簡單的用Pycrypto AES練習

In [None]:
import base64
from Crypto.Cipher import AES

x = base64.b64decode(open('Text/7.txt', 'r').read())

key = b'YELLOW SUBMARINE'
cipher = AES.new(key, AES.MODE_ECB)
y = cipher.decrypt(x)
print(y)

In [None]:
import itertools

lines = decodeLines('Text/8.txt')

def score(x):
    k = 16
    blocks = [x[i:i+k] for i in range(0, len(x), k)]
    pairs = itertools.combinations(blocks, 2)
    same = 0
    count = 0
    for p in pairs:
        if p[0] == p[1]:
            same += 1
    return same

lineNumber = 1
for l in lines:
    if score(l) > 0:
        print(lineNumber)
    lineNumber += 1

# Set 2

## Padding

比較下列在python 2.7的行為

In [None]:
chr(97), chr(4), str(4)

In [3]:
from Crypto.Random import random

def to_bytes(n, length, endianess='big'):
    h = '%x' % n
    s = ('0'*(len(h) % 2) + h).zfill(length*2).decode('hex')
    return s if endianess == 'big' else s[::-1]

def randbytes(k):
    return to_bytes(random.getrandbits(8*k), k)

def padPKCS7(x, k):
    ch = k - (len(x) % k)
    return x + chr(ch) * ch


x = b'YELLOW SUBMARINE'
expectedY = b'YELLOW SUBMARINE\x04\x04\x04\x04'
y = padPKCS7(x, 20)

print y
print expectedY

if y != expectedY:
    raise Exception(y + b' != ' + expectedY)

YELLOW SUBMARINE
YELLOW SUBMARINE


In [None]:
import base64
from Crypto.Cipher import AES
from Crypto.Util.strxor import strxor

class CBC:
    def __init__(self, ECB, IV):
        self._ECB = ECB
        self._IV = IV
        self._blocksize = 16

    def _getBlocks(self, s):
        return [s[i:i+self._blocksize] for i in range(0, len(s), self._blocksize)]

    def encrypt(self, plaintext):
        plainblocks = self._getBlocks(plaintext)
        ciphertext = b'' #binary string
        prev = self._IV
        for i in range(len(plainblocks)):
            plainblock = plainblocks[i]
            cipherblock = self._ECB.encrypt(strxor(plainblock, prev))
            ciphertext += cipherblock
            prev = cipherblock
        return ciphertext

    def decrypt(self, ciphertext):
        cipherblocks = self._getBlocks(ciphertext)
        plaintext = b''
        prev = self._IV
        for i in range(len(cipherblocks)):
            cipherblock = cipherblocks[i]
            plainblock = strxor(self._ECB.decrypt(cipherblock), prev)
            plaintext += plainblock
            prev = cipherblock
        return plaintext

x = base64.b64decode(open('Text/10.txt', 'r').read())
key = b'YELLOW SUBMARINE'
cipher = CBC(AES.new(key, AES.MODE_ECB), chr(0) * 16) # IV 全 ascii 0!
y = cipher.decrypt(x)
print(y)
z = cipher.encrypt(y)
if x != z:
    raise Exception(x + b' != ' + z)

### ECB, CBC Oracl

In [None]:
from Crypto.Cipher import AES
from Crypto.Random import random

def encryption_oracle(s):
    key = randbytes(16)
    cipher = AES.new(key, AES.MODE_ECB)
    if random.randint(0, 1) == 0:
        print('Encrypting with ECB')
    else:
        print('Encrypting with CBC')
        IV = randbytes(16)
        cipher = CBC(cipher, IV)
    s = randbytes(random.randint(5, 10)) + s + randbytes(random.randint(5, 10))
    s = padPKCS7(s, 16)
    return cipher.encrypt(s)

def detectMethod(encryption_oracle):
    s = chr(0) * 47 # s = bytes([0] * 47) in python 3
    t = encryption_oracle(s)
    if t[16:32] == t[32:48]:
        return 'ECB'
    return 'CBC'

print(detectMethod(encryption_oracle))

## Breaking ECB

第二個經典的例子破解ECB

```
AES-128-ECB(your-string || unknown-string, random-key)
```

1. Feed identical bytes of your-string to the function 1 at a time --- start with 1 byte ("A"), then "AA", then "AAA" and so on. Discover the block size of the cipher. You know it, but do this step anyway.

2. Detect that the function is using ECB. You already know, but do this step anyways.

3. Knowing the block size, craft an input block that is exactly 1 byte short (for instance, if the block size is 8 bytes, make "AAAAAAA"). Think about what the oracle function is going to put in that last byte position.

4. Make a dictionary of every possible last byte by feeding different strings to the oracle; for instance, "AAAAAAAA", "AAAAAAAB", "AAAAAAAC", remembering the first block of each invocation.

5. Match the output of the one-byte-short input to one of the entries in your dictionary. You've now discovered the first byte of unknown-string.

6. Repeat for the next byte.

In [None]:
from Crypto.Cipher import AES
import base64

encodedSuffix = b'''Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkg
aGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBq
dXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUg
YnkK'''
key = None

def encryption_oracle(s):
    global key
    if key is None:
        key = randbytes(16)
    cipher = AES.new(key, AES.MODE_ECB)
    s = padPKCS7(s + base64.b64decode(encodedSuffix), 16)
    return cipher.encrypt(s)

def findBlockSize(encryption_oracle):
    l = len(encryption_oracle(b'')) # 利用會padded的性質
    i = 1
    while True:
        s = chr(0) * i
        t = encryption_oracle(s)
        if len(t) != l:
            return len(t) - l
        i += 1

def confirmECB(encryption_oracle, blocksize):
    s = randbytes(blocksize) * 2
    t = encryption_oracle(s)
    if t[0:blocksize] != t[blocksize:2*blocksize]:
        raise Exception('Not using ECB')

def findNextByte(encryption_oracle, blocksize, knownBytes):
    s = chr(0) * (blocksize - (len(knownBytes) % blocksize) - 1)
    d = {}
    for i in range(256):
        t = encryption_oracle(s + knownBytes + chr(i))
        d[t[0:len(s) + len(knownBytes) + 1]] = i # 建構一個dictionary，利用ECB 明文對照密文會固定的特性
    t = encryption_oracle(s)
    u = t[0:len(s) + len(knownBytes) + 1]
    if u in d:
        return d[u]
    return None

blocksize = findBlockSize(encryption_oracle)
blocksize

In [None]:
confirmECB(encryption_oracle, blocksize) #若不是將產生exception
s = b''
while True:
    b = findNextByte(encryption_oracle, blocksize, s)
    if b is None:
        break
    s += chr(b)
print(s)

### Parsing Cookie

In [None]:
from Crypto.Cipher import AES

def encode_profile(profile):
    s = b''
    def sanitize(s):
        return s.replace(b'&', b'').replace(b'=', b'')
    for kv in profile:
        sanitizedKV = [sanitize(x.encode('ascii')) for x in kv]
        if s != b'':
            s += b'&'
        s += sanitizedKV[0] + b'=' + sanitizedKV[1]
    return s

def profile_for(email):
    profile = [
        ['email', email],
        ['uid', '10'],
        ['role', 'user']
        ]
    return encode_profile(profile)

key = randbytes(16)

def encrypt_profile_for(email):
    cipher = AES.new(key, AES.MODE_ECB)
    encoded_profile = padPKCS7(profile_for(email), 16)
    return cipher.encrypt(encoded_profile)

def unpadPKCS7(s):
    i = s[-1]
    return s[0:-ord(i)]

def decrypt_profile(s):
    cipher = AES.new(key, AES.MODE_ECB)
    decrypted_profile = unpadPKCS7(cipher.decrypt(s))
    pairs = decrypted_profile.split(b'&')
    profile = []
    for p in pairs:
        profile += [[x.decode('ascii') for x in p.split(b'=')]]
    return profile

email1 = 'foo@bar.coadmin' + ('\x0b' * 11) #直接cut and paste來取得admin的密文~~~
x1 = encrypt_profile_for(email1)
email2 = 'foo@bar.commm'
x2 = encrypt_profile_for(email2)
x = x2[0:32] + x1[16:32]
y = decrypt_profile(x)
print y

多加一串 random 在前面

```
AES-128-ECB(random-prefix || attacker-controlled || target-bytes, random-key)
```

In [None]:
from Crypto.Cipher import AES
from Crypto.Random import random
import base64

key = None
prefix = None

def encryption_oracle(s):
    global key
    global prefix
    if key is None:
        key = randbytes(16)
    if prefix is None:
        # TODO(phonchi): Extend to arbitrary sizes.
        randcount = random.randint(16, 32)
        prefix = randbytes(randcount)
    cipher = AES.new(key, AES.MODE_ECB)
    s = padPKCS7(prefix + s + base64.b64decode(encodedSuffix), 16)
    return cipher.encrypt(s)

def getBlocks(s, blocksize):
    return [s[i:i+blocksize] for i in range(0, len(s), blocksize)]

def findPrefixBlock(encryption_oracle, blocksize):
    x1 = encryption_oracle(b'')
    x2 = encryption_oracle(b'0')
    blocks1 = getBlocks(x1, blocksize)
    blocks2 = getBlocks(x2, blocksize)
    for i in range(len(blocks1)):
        if blocks1[i] != blocks2[i]:
            return i

def findPrefixSizeModBlockSize(encryption_oracle, blocksize):
    def has_equal_block(blocks):
        for i in range(len(blocks) - 1):
            if blocks[i] == blocks[i+1]:
                return True
        return False

    for i in range(blocksize):
        s = chr(0) * (2*blocksize + i)
        t = encryption_oracle(s)
        blocks = getBlocks(t, blocksize)
        if has_equal_block(blocks):
            return blocksize - i

    raise Exception('Not using ECB')

def findPrefixSize(encryption_oracle, blocksize):
    return blocksize*findPrefixBlock(encryption_oracle, blocksize) + findPrefixSizeModBlockSize(encryption_oracle, blocksize)

def findNextByte(encryption_oracle, blocksize, prefixsize, knownBytes):
    k1 = blocksize - (prefixsize % blocksize)
    k2 = blocksize - (len(knownBytes) % blocksize) - 1
    k3 = prefixsize - (prefixsize % blocksize)
    s = chr(0) * (k1 + k2)
    d = {}
    for i in range(256):
        t = encryption_oracle(s + knownBytes + chr(i))
        d[t[k3+k1:k3+k1+k2 + len(knownBytes) + 1]] = i
    t = encryption_oracle(s)
    u = t[k3+k1:k3+k1+k2 + len(knownBytes) + 1]
    if u in d:
        return d[u]
    return None

blocksize = findBlockSize(encryption_oracle)
prefixsize = findPrefixSize(encryption_oracle, blocksize)
s = b''
while True:
    b = findNextByte(encryption_oracle, blocksize, prefixsize, s)
    if b is None:
        break
    s +=chr(b)
print(s)

### Padding Validation

In [None]:
s = b'ICE ICE BABY\x04\x04\x04\x04'
chr(0)

In [None]:
def unpadPKCS7(s):
    i = s[-1]
    if (i == chr(0)) or (s[-ord(i):] != i * ord(i)):
        raise ValueError('bad padding')
    return s[0:-ord(i)]


print(unpadPKCS7(b'ICE ICE BABY\x04\x04\x04\x04'))
try:
    unpadPKCS7(b'ICE ICE BABY\x05\x05\x05\x05')
    raise Exception('passes unexpectedly')
except ValueError:
    print "value error 1"
try:
    unpadPKCS7(b'ICE ICE BABY\x01\x02\x03\x04')
    raise Exception('passes unexpectedly')
except ValueError:
    print "value error 2"

## CBC bitflipping attacks

產生一把隨機的 AES key.

用前面的 padding 和 CBC來寫兩個 function

- 第一個 function 可以輸入任意一字串然後前面附加
```
"comment1=cooking%20MCs;userdata="
```
後面附加
```
";comment2=%20like%20a%20pound%20of%20bacon"
```
function 必須 quote out the ";" and "=" 字元

function 要pad 到16-byte AES 位元長 然後用該 random AES key加密

- 第二個function 去 decrypt 字串然後找看看 ";admin=true;" 有沒有在裡面，並回傳 True 或 False

用 crypto性質來破解，而不要直接從 user input 下手(第一個function 要判斷合法 input)，也就是說在不知道key的情況下來改變我們想要的ciphertext。

> CBC mode的性質為在ciphertext block的 1-bit error會:
> 1. 完全打亂該error存在的block 
> 2. 產生相同的 1-bit error 在下一個 ciphertext block.

In [None]:
from Crypto.Cipher import AES

x = ""
key = randbytes(16)
iv = randbytes(16)

def encryptParams(userdata):
    userdata = userdata.replace(';', '%3B').replace('=', '%3D')
    x1 = b'comment1=cooking%20MCs;userdata='
    x2 = b';comment2=%20like%20a%20pound%20of%20bacon'
    params = x1 + userdata.encode('ascii') + x2
    cipher = CBC(AES.new(key, AES.MODE_ECB), iv)
    return cipher.encrypt(padPKCS7(params, 16))

def decryptParamsAndCheckAdmin(encryptedParams):
    cipher = CBC(AES.new(key, AES.MODE_ECB), iv)
    paddedParams = cipher.decrypt(encryptedParams)
    params = unpadPKCS7(paddedParams)
    print params
    return params.find(b';admin=true;') != -1
encryptParams('XXXXXXXXXXXXXXXX:admin<true:XXXX')[1], len(encryptParams('XXXXXXXXXXXXXXXX:admin<true:XXXX'))
x = list(encryptParams('XXXXXXXXXXXXXXXX:admin<true:XXXX'))

In [None]:
x[32] = strxor_c(x[32], 1)
x[38] = strxor_c(x[38], 1)
x[43] = strxor_c(x[43], 1)
"".join(x)

In [None]:
print decryptParamsAndCheckAdmin("".join(x))

# Set 3
## CBC Padding Oracle

利用padding oracl的 side channel(對或錯來破解)

In [None]:
from Crypto.Util.strxor import strxor_c
from Crypto.Util.strxor import strxor
chr(5)

In [None]:
from Crypto.Cipher import AES
from Crypto.Random import random
import base64
from Crypto.Util.strxor import strxor_c

strings = [
    b'MDAwMDAwTm93IHRoYXQgdGhlIHBhcnR5IGlzIGp1bXBpbmc=',
    b'MDAwMDAxV2l0aCB0aGUgYmFzcyBraWNrZWQgaW4gYW5kIHRoZSBWZWdhJ3MgYXJlIHB1bXBpbic=',
    b'MDAwMDAyUXVpY2sgdG8gdGhlIHBvaW50LCB0byB0aGUgcG9pbnQsIG5vIGZha2luZw==',
    b'MDAwMDAzQ29va2luZyBNQydzIGxpa2UgYSBwb3VuZCBvZiBiYWNvbg==',
    b'MDAwMDA0QnVybmluZyAnZW0sIGlmIHlvdSBhaW4ndCBxdWljayBhbmQgbmltYmxl',
    b'MDAwMDA1SSBnbyBjcmF6eSB3aGVuIEkgaGVhciBhIGN5bWJhbA==',
    b'MDAwMDA2QW5kIGEgaGlnaCBoYXQgd2l0aCBhIHNvdXBlZCB1cCB0ZW1wbw==',
    b'MDAwMDA3SSdtIG9uIGEgcm9sbCwgaXQncyB0aW1lIHRvIGdvIHNvbG8=',
    b'MDAwMDA4b2xsaW4nIGluIG15IGZpdmUgcG9pbnQgb2g=',
    b'MDAwMDA5aXRoIG15IHJhZy10b3AgZG93biBzbyBteSBoYWlyIGNhbiBibG93'
]

key = randbytes(16)

def ciphertext_oracle():
    s = base64.b64decode(random.choice(strings))
    iv = randbytes(16)
    cipher = CBC(AES.new(key, AES.MODE_ECB), iv)
    return (iv, cipher.encrypt(padPKCS7(s, 16)))

def padding_oracle(iv, s):
    cipher = CBC(AES.new(key, AES.MODE_ECB), iv)
    paddedT = cipher.decrypt(s)
    try:
        t = unpadPKCS7(paddedT)
    except ValueError:
        return False
    return True

def decipher_last_block_previous_byte(iv, s, padding_oracle, knownI, knownP):
    k = len(knownI) + 1
    prefix = randbytes(16 - k)
    for i in range(256):
        c1 = s[-32:-16] if len(s) > 16 else iv
        if k == 16:
            c1p = chr(i) + "".join([strxor_c(ch , k) for ch in knownI])
        else:
            c1p = prefix + chr(i) + "".join([strxor_c(ch , k) for ch in knownI])            
        sp = s[:-32] + c1p + s[-16:]
        if padding_oracle(iv, sp):
            iPrev = i ^ k
            pPrev = strxor_c(c1[-k], iPrev)
            return chr(iPrev) + knownI , pPrev + knownP
    raise Exception('unexpected')

def decipher_last_block(iv, s, padding_oracle):
    knownI = b''
    knownP = b''
    for i in range(16):
        (knownI, knownP) = decipher_last_block_previous_byte(iv, s, padding_oracle, knownI, knownP)
    return knownP

def decipher(iv, s, padding_oracle):
    knownP = b''
    for i in range(len(s) / 16):
        st = s if i == 0 else s[:-i * 16]
        knownP = decipher_last_block(iv, st, padding_oracle) + knownP
    return unpadPKCS7(knownP)

(iv, s) = ciphertext_oracle()
print decipher(iv, s, padding_oracle)

### CTR Mode

```
key=YELLOW SUBMARINE
nonce=0
format=64 bit unsigned little endian nonce,64 bit little endian block count (byte count / 16)
```

In [None]:
import base64
import struct
from Crypto.Cipher import AES
from Crypto.Util.strxor import strxor

class CTR:
    def __init__(self, ECB, nonce):
        self._ECB = ECB
        self._nonce = nonce
        self._blocksize = 16
        self._keybytes = b''
        self._blockcount = 0

    def encrypt(self, plaintext):
        # Work around strxor() not handling zero-length strings
        # gracefully.
        if len(plaintext) == 0:
            return b''

        keystream = self._keybytes
        while len(keystream) < len(plaintext):
            keyblock = self._ECB.encrypt(struct.pack('<QQ', self._nonce, self._blockcount))
            keystream += keyblock
            self._blockcount += 1

        if len(keystream) > len(plaintext):
            self._keybytes = keystream[len(plaintext):]
            keystream = keystream[:len(plaintext)]

        return strxor(plaintext, keystream)

    def decrypt(self, ciphertext):
        return self.encrypt(ciphertext)

x = base64.b64decode('L77na/nrFsKvynd6HzOoG7GHTLXsTVu9qvY/2syLXzhPweyyMTJULu/6/kXX0KSvoOLSFQ==')

key = b'YELLOW SUBMARINE'
cipher1 = CTR(AES.new(key, AES.MODE_ECB), 0)
y = cipher1.decrypt(x)
print(y)
cipher2 = CTR(AES.new(key, AES.MODE_ECB), 0)
z = cipher2.encrypt(y)
if x != z:
    raise Exception(x + b' != ' + z)

In [None]:
from Crypto.Cipher import AES
from Crypto.Util.strxor import strxor
import base64
import binascii
import itertools

strings = [
    b'SSBoYXZlIG1ldCB0aGVtIGF0IGNsb3NlIG9mIGRheQ==',
    b'Q29taW5nIHdpdGggdml2aWQgZmFjZXM=',
    b'RnJvbSBjb3VudGVyIG9yIGRlc2sgYW1vbmcgZ3JleQ==',
    b'RWlnaHRlZW50aC1jZW50dXJ5IGhvdXNlcy4=',
    b'SSBoYXZlIHBhc3NlZCB3aXRoIGEgbm9kIG9mIHRoZSBoZWFk',
    b'T3IgcG9saXRlIG1lYW5pbmdsZXNzIHdvcmRzLA==',
    b'T3IgaGF2ZSBsaW5nZXJlZCBhd2hpbGUgYW5kIHNhaWQ=',
    b'UG9saXRlIG1lYW5pbmdsZXNzIHdvcmRzLA==',
    b'QW5kIHRob3VnaHQgYmVmb3JlIEkgaGFkIGRvbmU=',
    b'T2YgYSBtb2NraW5nIHRhbGUgb3IgYSBnaWJl',
    b'VG8gcGxlYXNlIGEgY29tcGFuaW9u',
    b'QXJvdW5kIHRoZSBmaXJlIGF0IHRoZSBjbHViLA==',
    b'QmVpbmcgY2VydGFpbiB0aGF0IHRoZXkgYW5kIEk=',
    b'QnV0IGxpdmVkIHdoZXJlIG1vdGxleSBpcyB3b3JuOg==',
    b'QWxsIGNoYW5nZWQsIGNoYW5nZWQgdXR0ZXJseTo=',
    b'QSB0ZXJyaWJsZSBiZWF1dHkgaXMgYm9ybi4=',
    b'VGhhdCB3b21hbidzIGRheXMgd2VyZSBzcGVudA==',
    b'SW4gaWdub3JhbnQgZ29vZCB3aWxsLA==',
    b'SGVyIG5pZ2h0cyBpbiBhcmd1bWVudA==',
    b'VW50aWwgaGVyIHZvaWNlIGdyZXcgc2hyaWxsLg==',
    b'V2hhdCB2b2ljZSBtb3JlIHN3ZWV0IHRoYW4gaGVycw==',
    b'V2hlbiB5b3VuZyBhbmQgYmVhdXRpZnVsLA==',
    b'U2hlIHJvZGUgdG8gaGFycmllcnM/',
    b'VGhpcyBtYW4gaGFkIGtlcHQgYSBzY2hvb2w=',
    b'QW5kIHJvZGUgb3VyIHdpbmdlZCBob3JzZS4=',
    b'VGhpcyBvdGhlciBoaXMgaGVscGVyIGFuZCBmcmllbmQ=',
    b'V2FzIGNvbWluZyBpbnRvIGhpcyBmb3JjZTs=',
    b'SGUgbWlnaHQgaGF2ZSB3b24gZmFtZSBpbiB0aGUgZW5kLA==',
    b'U28gc2Vuc2l0aXZlIGhpcyBuYXR1cmUgc2VlbWVkLA==',
    b'U28gZGFyaW5nIGFuZCBzd2VldCBoaXMgdGhvdWdodC4=',
    b'VGhpcyBvdGhlciBtYW4gSSBoYWQgZHJlYW1lZA==',
    b'QSBkcnVua2VuLCB2YWluLWdsb3Jpb3VzIGxvdXQu',
    b'SGUgaGFkIGRvbmUgbW9zdCBiaXR0ZXIgd3Jvbmc=',
    b'VG8gc29tZSB3aG8gYXJlIG5lYXIgbXkgaGVhcnQs',
    b'WWV0IEkgbnVtYmVyIGhpbSBpbiB0aGUgc29uZzs=',
    b'SGUsIHRvbywgaGFzIHJlc2lnbmVkIGhpcyBwYXJ0',
    b'SW4gdGhlIGNhc3VhbCBjb21lZHk7',
    b'SGUsIHRvbywgaGFzIGJlZW4gY2hhbmdlZCBpbiBoaXMgdHVybiw=',
    b'VHJhbnNmb3JtZWQgdXR0ZXJseTo=',
    b'QSB0ZXJyaWJsZSBiZWF1dHkgaXMgYm9ybi4=',
]

# Generated randomly.
key = b'\xa3\xc9\xe7\xedmZU\x1e\xac\x15\xe2\xaf\xb4$\xa9{'

def encryptString(s):
    cipher = CTR(AES.new(key, AES.MODE_ECB), 0)
    return cipher.encrypt(s)

encryptedStrings = [encryptString(base64.b64decode(s)) for s in strings]

def getPrintableKeyChar(encryptedStrings, i):
    for j in range(256):
        decrypted = [strxor_c(x[i], j) for x in encryptedStrings]
        if all([x in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ,' for x in decrypted]):
            yield j # 產生iterator

def extendKey(k, ciphertext, guess):
    return k + "".join([ strxor(guess[i], ciphertext[len(k) + i]) for i in range(len(guess))])

ks = [getPrintableKeyChar(encryptedStrings, i) for i in range(10)]
ks

In [None]:
# k = "".join(list(itertools.islice(itertools.product(*ks), 1))[0])
k = "".join([chr(strk) for strk in list(itertools.islice(itertools.product(*ks), 1))[0]])
k

In [None]:
k = extendKey(k, encryptedStrings[1], b'h ')
k = extendKey(k, encryptedStrings[3], b'entury ')
k = extendKey(k, encryptedStrings[5], b'ss ')
k = extendKey(k, encryptedStrings[3], b'se')
k = extendKey(k, encryptedStrings[5], b'rds')
k = extendKey(k, encryptedStrings[0], b' ')
k = extendKey(k, encryptedStrings[29], b'ght')
k = extendKey(k, encryptedStrings[4], b' ')
k = extendKey(k, encryptedStrings[27], b'd')
k = extendKey(k, encryptedStrings[4], b'ead')
k = extendKey(k, encryptedStrings[37], b'n,')
kl = len(k)
decrypted = [strxor(x[:kl], k[:len(x)]) + x[kl:] for x in encryptedStrings]
for i in range(len(decrypted)):
    if decrypted[i] != base64.b64decode(strings[i]):
        raise Exception('Invalid decryption')
    print(decrypted[i])

In [17]:
from Crypto.Util.strxor import strxor
import base64
import itertools

strings = [base64.b64decode(x) for x in open('Text/20.txt', 'r').read().split('\n')]
strings = strings[:-1]

encryptedStrings = [encryptString(s) for s in strings]
transposedStrings = list(zip(*strings))
"".join(transposedStrings[0])

NameError: name 'encryptString' is not defined

In [None]:
def breakSameKey(strings):
    transposedStrings = list(zip(*strings))
    key = [chr(breakSingleByteXOR("".join(x))[0]) for x in transposedStrings]
    return "".join(key)
key = breakSameKey(encryptedStrings)
key

In [None]:
key = strxor_c(encryptedStrings[0][0] , ord('I')) + key[1:]
key = extendKey(key, encryptedStrings[13], b'-M ')
key = extendKey(key, encryptedStrings[16], b'ime ')
key = extendKey(key, encryptedStrings[1], b'htnin')
key = extendKey(key, encryptedStrings[2], b'y')
key = extendKey(key, encryptedStrings[6], b'ty')
key = extendKey(key, encryptedStrings[0], b'i')
key = extendKey(key, encryptedStrings[3], b'n up')
key = extendKey(key, encryptedStrings[7], b'ession')
key = extendKey(key, encryptedStrings[4], b'or ')
key = extendKey(key, encryptedStrings[1], b'ghtenin')
key = extendKey(key, encryptedStrings[17], b'able')
key = extendKey(key, encryptedStrings[11], b'st')
key = extendKey(key, encryptedStrings[2], b'k')
key = extendKey(key, encryptedStrings[12], b'nk')
key = extendKey(key, encryptedStrings[26], b've ')
key = extendKey(key, encryptedStrings[41], b'll')
key = extendKey(key, encryptedStrings[21], b'ace')
key = extendKey(key, encryptedStrings[26], b'hole scenery')
kl = len(key)
for i in range(len(encryptedStrings)):
    s = encryptedStrings[i]
    decrypted = strxor(s[:kl], key[:len(s)]) + s[kl:]
    if decrypted != strings[i]:
        raise Exception('Invalid decryption')
    print(i, decrypted)

## MT19937

In [None]:
class MT19937:
    def __init__(self, seed):
        self._index = 0
        self._MT = [0] * 624
        self._MT[0] = seed & 0xffffffff
        for i in range(1, 624):
            self._MT[i] = ((0x6c078965 * (self._MT[i-1] ^ (self._MT[i-1] >> 30))) + i) & 0xffffffff

    def uint32(self):
        if self._index == 0:
            self.generate_numbers()

        y = self._MT[self._index]
        y ^= (y >> 11)
        y ^= ((y << 7) & 0x9d2c5680)
        y ^= ((y << 15) & 0xefc60000)
        y ^= (y >> 18)

        self._index = (self._index + 1) % 624
        return y

    def generate_numbers(self):
        for i in range(624):
            y = (self._MT[i] & 0x80000000) + (self._MT[(i+1) % 624] & 0x7fffffff)
            self._MT[i] = self._MT[(i + 397) % 624] ^ (y >> 1)
            if y % 2 != 0:
                self._MT[i] ^= 0x9908b0df


expectedNumbers = [int(x) for x in open('Text/21.txt', 'r').read().split('\n')[:-1]]
seed = 5489
x = MT19937(seed)
for i in range(1000):
    a = x.uint32()
    if a != expectedNumbers[i]:
        raise Exception(str(i) + ' ' + a + ' != ' + expectedNumbers[i])

In [None]:
from Crypto.Random import random
import time

t = int(time.time())
t += random.randint(40, 1000)
seed = int(t)
print(seed)
rng = MT19937(seed)
x = rng.uint32()
print(x)

t += random.randint(40, 1000)
for i in range(2000):
    k = t - i
    rng2 = MT19937(k)
    y = rng2.uint32()
    if x == y:
        print(k)

### Clone an MT19937 RNG from its output

In [None]:
from Crypto.Random import random

def getMSB(x, n):
    if n < 0:
        return 0
    return (x >> (31 - n)) & 1

def setMSB(x, n, b):
    return x | (b << (31 - n))

def undoRightShiftXor(y, s):
    z = 0
    for i in range(32):
        z = setMSB(z, i, getMSB(y, i) ^ getMSB(z, i - s))
    return z

def getLSB(x, n):
    if n < 0:
        return 0
    return (x >> n) & 1

def setLSB(x, n, b):
    return x | (b << n)

def undoLeftShiftXorAnd(y, s, k):
    z = 0
    for i in range(32):
       z = setLSB(z, i, getLSB(y, i) ^ (getLSB(z, i - s) & getLSB(k, i)))
    return z

def untemper(y):
    y = undoRightShiftXor(y, 18)
    y = undoLeftShiftXorAnd(y, 15, 0xefc60000)
    y = undoLeftShiftXorAnd(y, 7, 0x9d2c5680)
    y = undoRightShiftXor(y, 11)
    return y

seed = random.getrandbits(32)
rng = MT19937(seed)
MT = [0] * 624
for i in range(624):
    MT[i] = untemper(rng.uint32())
rng2 = MT19937(0)
rng2._MT = MT

for i in range(1000):
    a = rng.uint32()
    b = rng2.uint32()
    if a != b:
        raise Exception(str(i) + ' ' + str(a) + ' != ' + str(b))

### Create the MT19937 stream cipher

In [None]:
from Crypto.Util.strxor import strxor
from Crypto.Random import random
import struct
import time

class MT19937Cipher:
    def __init__(self, key):
        self._rng = MT19937(key & 0xffff)
        self._keybytes = b''

    def encrypt(self, plaintext):
        # Work around strxor() not handling zero-length strings
        # gracefully.
        if len(plaintext) == 0:
            return b''

        keystream = self._keybytes
        while len(keystream) < len(plaintext):
            keyblock = struct.pack('<L', self._rng.uint32())
            keystream += keyblock

        if len(keystream) > len(plaintext):
            self._keybytes = keystream[len(plaintext):]
            keystream = keystream[:len(plaintext)]

        return strxor(plaintext, keystream)

    def decrypt(self, ciphertext):
        return self.encrypt(ciphertext)

key = random.getrandbits(16)

def encryption_oracle(plaintext):
    prefix = randbytes(random.randint(4, 20))
    cipher = MT19937Cipher(key)
    return cipher.encrypt(prefix + plaintext)

def recover_key(encryption_oracle):
    plaintext = b'0' * 14
    ciphertext = encryption_oracle(plaintext)
    prefix_len = len(ciphertext) - len(plaintext)
    for i in range(2**16-1):
        cipher = MT19937Cipher(i)
        s = cipher.encrypt(b'0' * len(ciphertext))
        if ciphertext[prefix_len:] == s[prefix_len:]:
            return i
    raise Exception('unexpected')

print(key, recover_key(encryption_oracle))

def token_oracle():
    seed = int(time.time())
    cipher = MT19937Cipher(seed)
    plaintext = b'0' * random.randint(4, 20)
    return cipher.encrypt(plaintext)

def is_token_for_current_time(token):
    seed = int(time.time())
    cipher = MT19937Cipher(seed)
    plaintext = b'0' * len(token)
    return cipher.encrypt(plaintext) == token

x = token_oracle()
print(x, is_token_for_current_time(x))

# Set4
## Stream Cipher

In [None]:
from Crypto.Cipher import AES
from Crypto.Random import random
import base64
import struct

key = randbytes(16)
nonce = random.getrandbits(64)

def ciphertext_oracle():
    ecb_ciphertext = base64.b64decode(open('Text/25.txt', 'r').read())
    ecb_key = b'YELLOW SUBMARINE'
    ecb_cipher = AES.new(ecb_key, AES.MODE_ECB)
    plaintext = ecb_cipher.decrypt(ecb_ciphertext)
    cipher = CTR(AES.new(key, AES.MODE_ECB), nonce)
    return cipher.encrypt(plaintext)

def edit(ciphertext, offset, newtext):
    cipher = CTR(AES.new(key, AES.MODE_ECB), nonce)
    cipher.encrypt(b'\x00' * offset)
    return ciphertext[0:offset] + cipher.encrypt(newtext)

ciphertext = ciphertext_oracle()
plaintext = edit(ciphertext, 0, ciphertext)
print(plaintext)

### CTR bitflipping

In [None]:
from Crypto.Cipher import AES
from Crypto.Random import random


key = randbytes(16)
nonce = random.getrandbits(64)

def encryptParams(userdata):
    userdata = userdata.replace(';', '%3B').replace('=', '%3D')
    x1 = b'comment1=cooking%20MCs;userdata='
    x2 = b';comment2=%20like%20a%20pound%20of%20bacon'
    params = x1 + userdata.encode('ascii') + x2
    cipher = CTR(AES.new(key, AES.MODE_ECB), nonce)
    return cipher.encrypt(padPKCS7(params, 16))

def decryptParamsAndCheckAdmin(encryptedParams):
    cipher = CTR(AES.new(key, AES.MODE_ECB), nonce)
    paddedParams = cipher.decrypt(encryptedParams)
    params = unpadPKCS7(paddedParams)
    return params.find(b';admin=true;') != -1

x = list(encryptParams(':admin<true:'))
x[32] = strxor_c(x[32], 1)
x[38] = strxor_c(x[38], 1)
x[43] = strxor_c(x[43], 1)

print(decryptParamsAndCheckAdmin("".join(x)))
#x[32] ^= 1
#x[38] ^= 1
#x[43] ^= 1
#print(decryptParamsAndCheckAdmin(bytes(x)))

### Recover the key from CBC with IV=Key

為了省頻寬用 key 和 IV 相同是不安全的, Attacker 可以修改 ciphertext 來得到Key~

In [None]:
from Crypto.Cipher import AES

key = randbytes(16)

def encryptParams(userdata):
    userdata = userdata.replace(';', '%3B').replace('=', '%3D')
    x1 = b'comment1=cooking%20MCs;userdata='
    x2 = b';comment2=%20like%20a%20pound%20of%20bacon'
    params = x1 + userdata.encode('ascii') + x2
    cipher = CBC(AES.new(key, AES.MODE_ECB), key)
    return cipher.encrypt(padPKCS7(params, 16))

def decryptParamsAndCheckAdmin(encryptedParams):
    cipher = CBC(AES.new(key, AES.MODE_ECB), key)
    paddedParams = cipher.decrypt(encryptedParams)
    params = unpadPKCS7(paddedParams)
    if any([x > 127 for x in params]):
        raise ValueError(params)
    return params.find(b';admin=true;') != -1

c = encryptParams('')
c = c[0:16] + (b'\x00' * 16) + c[0:16] + c[48:]
try:
    decryptParamsAndCheckAdmin(c)
    raise Exception('unexpected')
except ValueError as e:
    text = e.args[0]
    extracted_key = "".join([strxor(text[i], text[32 + i]) for i in range(16)])
    print(extracted_key)
    if extracted_key != key:
        raise Exception(extracted_key + ' != ' + key)

In [23]:
message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon'
a = [ord(i) for i in message[:64]]
b = 0x67452301 ^ 0xefcdab89
b ^ 0xefcdab89

1732584193

### SHA1
To do fix it...

In [56]:
from Crypto.Util.strxor import strxor
# Taken from https://github.com/sfstpala/SlowSHA
class SHA1 (object):
    _default_h0, _default_h1, _default_h2, _default_h3, _default_h4, = (
        0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0)

    def __init__(self, message, h0 = _default_h0, h1 = _default_h1, h2 = _default_h2, h3 = _default_h3, h4 = _default_h4, length = None):
        self._h0 = h0
        self._h1 = h1
        self._h2 = h2
        self._h3 = h3
        self._h4 = h4
        if length is None:
            length = len(message) * 8
        length = bin(length)[2:].rjust(64, "0")
        while len(message) > 64:
            self._handle(''.join(bin(ord(i))[2:].rjust(8, "0") for i in message[:64]))
            message = message[64:]
        message = ''.join(bin(ord(i))[2:].rjust(8, "0") for i in message) + "1"
        message += "0" * ((448 - len(message) % 512) % 512) + length
        for i in range(len(message) // 512):
            self._handle(message[i * 512:i * 512 + 512])


    def _handle(self, chunk):

        lrot = lambda x, n: (x << n) | (x >> (32 - n))
        w = []

        for j in range(len(chunk) // 32):
            w.append(int(chunk[j * 32:j * 32 + 32], 2))

        for i in range(16, 80):
            w.append(lrot(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1)
                & 0xffffffff)

        a = self._h0
        b = self._h1
        c = self._h2
        d = self._h3
        e = self._h4
        for i in range(80):

            if i <= i <= 19:
                f, k = d ^ (b & (c ^ d)), 0x5a827999
            elif 20 <= i <= 39:
                f, k = b ^ c ^ d, 0x6ed9eba1
            elif 40 <= i <= 59:
                f, k = (b & c) | (d & (b | c)), 0x8f1bbcdc
            elif 60 <= i <= 79:
                f, k = b ^ c ^ d, 0xca62c1d6
                
            temp = lrot(a, 5) + f + e + k + w[i] & 0xffffffff
            a, b, c, d, e = temp, a, lrot(b, 30), c, d

        self._h0 = (self._h0 + a) & 0xffffffff
        self._h1 = (self._h1 + b) & 0xffffffff
        self._h2 = (self._h2 + c) & 0xffffffff
        self._h3 = (self._h3 + d) & 0xffffffff
        self._h4 = (self._h4 + e) & 0xffffffff

    def _digest(self):
        return (self._h0, self._h1, self._h2, self._h3, self._h4)

    def hexdigest(self):
        return ''.join(hex(i)[2:].rjust(8, "0")
            for i in self._digest())

    def digest(self):
        hexdigest = self.hexdigest()
        tmpstr = []
        for i in range(len(hexdigest)/ 2):
            tmpstr.append(hexdigest[i * 2:i * 2 + 2])
        return tmpstr

def authSHA1(key, message):
    return SHA1(key + message).digest()

In [57]:
SHA1("").digest() # https://en.wikipedia.org/wiki/SHA-1

['da',
 '39',
 'a3',
 'ee',
 '5e',
 '6b',
 '4b',
 '0d',
 '32',
 '55',
 'bf',
 'ef',
 '95',
 '60',
 '18',
 '90',
 'af',
 'd8',
 '07',
 '09']

In [59]:
from Crypto.Random import random
import struct

def padSHA1(s):
    l = len(s) * 8
    s += b'\x80'
    s += b'\x00' * ((56 - (len(s) % 64)) % 64)
    s += struct.pack('>Q', l)
    return s

keylen = random.randint(0, 100)
key = randbytes(keylen)

def validate(message, digest):
    global key
    print (authSHA1(key, message), digest)
    return authSHA1(key, message) == digest

message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon'
messageDigest = authSHA1(key, message)


def forgeHash(keylen, message, digest, suffix):
    paddedForgedMessageWithKey = padSHA1(key + message) + suffix
    forgedMessage = paddedForgedMessageWithKey[keylen:]
    #h = struct.unpack('>5I', digest)
    h=[]
    h.append(int("".join(digest[0:3]), 16))
    h.append(int("".join(digest[4:7]), 16))
    h.append(int("".join(digest[8:11]), 16))
    h.append(int("".join(digest[12:15]), 16))
    h.append(int("".join(digest[16:19]), 16))
    forgedDigest = SHA1(suffix, h[0], h[1], h[2], h[3], h[4], len(paddedForgedMessageWithKey) * 8).digest()
    return (forgedMessage, forgedDigest)

def forgeValidatingHash(maxkeylen, message, digest, suffix):
    for i in range(maxkeylen):
        (forgedMessage, forgedDigest) = forgeHash(i, message, digest, suffix)
        if validate(forgedMessage, forgedDigest):
            return(forgedMessage, forgedDigest)
    raise Exception('unexpected')

print(forgeValidatingHash(100, message, messageDigest, b';admin=true'))

(['7c', '3b', '1f', '86', '70', 'c3', '1c', '6f', '6d', '9a', 'e6', '51', '39', '63', '9d', 'e0', 'ef', '69', '33', 'c5'], ['f0', 'c4', '3e', '31', '77', '4e', 'e9', '20', 'cc', '01', 'a2', '48', '2d', '72', '4b', 'fe', 'd0', '86', '67', '46'])
(['0b', '85', 'da', 'eb', '8a', '8f', 'e6', 'c5', '88', '2f', 'b4', 'b8', 'd9', '7f', '84', '3a', 'a0', '87', '0a', 'de'], ['f0', 'c4', '3e', '31', '77', '4e', 'e9', '20', 'cc', '01', 'a2', '48', '2d', '72', '4b', 'fe', 'd0', '86', '67', '46'])
(['7d', 'bd', '15', '0b', 'd8', 'c6', 'db', 'd6', '9f', '14', '6d', 'f9', '69', 'd9', '77', 'cb', 'bb', 'e6', 'b3', 'cd'], ['f0', 'c4', '3e', '31', '77', '4e', 'e9', '20', 'cc', '01', 'a2', '48', '2d', '72', '4b', 'fe', 'd0', '86', '67', '46'])
(['1b', '25', 'b4', 'db', '7c', '34', 'ad', '28', '3b', '95', 'ee', '8e', '41', '7b', '1e', '00', '2b', '1c', 'a4', '11'], ['f0', 'c4', '3e', '31', '77', '4e', 'e9', '20', 'cc', '01', 'a2', '48', '2d', '72', '4b', 'fe', 'd0', '86', '67', '46'])
(['f0', '70', 'c6', 

Exception: unexpected

In [37]:
a = ['7b', 'd9', 'a0', 'd9', '84', 'be', '49', '35', '97', '83', '86', 'c3', 'cc', '65', '37', '0e', 'ab', '23', '43', 'c3']

TypeError: ord() expected a character, but string of length 2 found

In [49]:
import binascii
import sys
import time
import urllib.request

def isValidSignature(file, signature):
    start = time.perf_counter()
    try:
        response = urllib.request.urlopen('http://localhost:9000/test?file=' + file + '&signature=' + signature)
        end = time.perf_counter()
        if response.status != 200:
            raise Exception('unexpected status ' + str(response.status))
        return (True, end - start)
    except urllib.error.HTTPError as e:
        end = time.perf_counter()
        if e.code != 500:
            raise
        return (False, end - start)

def guessNextByte(file, knownBytes, delay):
    suffixlen = 20 - len(knownBytes)
    expectedDuration = delay * len(knownBytes) + 0.01
    start = time.perf_counter()

    def print_info(i):
        end = time.perf_counter()
        print('Made {0} requests in {1:.2f}s; rps = {2:.2f}, max rps = {3:.2f}'.format(i, end - start, i / (end - start), 1 / expectedDuration))

    for i in range(256):
        suffix = bytes([i]) + (b'\x00' * (suffixlen - 1))
        signature = knownBytes + suffix
        _, duration = isValidSignature(file, binascii.hexlify(signature).decode('ascii'))
        if duration > expectedDuration + 0.8 * delay:
            print_info(i)
            return knownBytes + bytes([i])

    raise Exception('unexpected')

file = sys.argv[1]
knownBytes = b''
DELAY = 0.05
for i in range(20):
    knownBytes = guessNextByte(file, knownBytes, DELAY)
    print(binascii.hexlify(knownBytes))
print(binascii.hexlify(knownBytes))
if not isValidSignature(file, binascii.hexlify(knownBytes).decode('ascii'))[0]:
    raise Exception('unexpected')

ImportError: No module named request

In [50]:
from Crypto.Util.strxor import strxor_c
from Crypto.Util.strxor import strxor
import binascii
import http.server
import socketserver
import time
import urllib.parse
import util

PORT = 9000
DELAY = 0.05

blocksize = 64
key = util.randbytes(100)

def sha1(x):
    return challenge28.SHA1(x).digest()

def hmacSHA1(key, message):
    if len(key) > blocksize:
        key = sha1(key)
    if len(key) < blocksize:
        key += b'\x00' * (blocksize - len(key))

    opad = strxor_c(key, 0x5c)
    ipad = strxor_c(key, 0x36)

    return sha1(opad + sha1(ipad + message))

def insecure_compare(x, y):
    if len(x) != len(y):
        return False
    for i in range(len(x)):
        if x[i] != y[i]:
            return False
        time.sleep(DELAY)
    return True

last_file = b''

class RequestHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        global last_file
        result = urllib.parse.urlparse(self.path)
        if result.path == '/test':
            q = urllib.parse.parse_qs(result.query)
            file = q['file'][0].encode('ascii')
            digest = hmacSHA1(key, file)
            signature = binascii.unhexlify(q['signature'][0])
            if file != last_file:
                last_file = file
                print('New file:', file, binascii.hexlify(digest))
            print(binascii.hexlify(digest), binascii.hexlify(signature))
            if insecure_compare(digest, signature):
                self.send_error(200)
            else:
                self.send_error(500)
        else:
            self.send_error(500)

def serve_forever(delay):
    global DELAY
    DELAY = delay
    socketserver.TCPServer.allow_reuse_address = True
    httpd = socketserver.TCPServer(("", PORT), RequestHandler)
    print("serving at port {0} with delay {1}".format(PORT, DELAY))
    httpd.serve_forever()

serve_forever(DELAY)

ImportError: No module named http.server