Set 3, challenge 17: CBC Padding Oracle

Author: redshiftzero

cryptopals/block.py

@@ -7,6 +7,7 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes
 
+from cryptopals.exceptions import BadPaddingValidation
 from cryptopals.frequency import TEST_CHARACTERS
 from cryptopals.padding import pkcs_7, remove_pkcs_7
 from cryptopals.utils import xor
@@ -175,3 +176,11 @@ def construct_ecb_attack_dict(
         dict_to_construct[ciphertext] = char
 
     return dict_to_construct
+
+
+def cbc_padding_oracle(key: bytes, ciphertext: bytes, iv: bytes) -> bool:
+    try:
+        decrypted_plaintext = aes_cbc_decrypt(key, ciphertext, iv, remove_padding=True)
+        return True
+    except BadPaddingValidation:
+        return False

cryptopals/cbc_padding.py

@@ -0,0 +1,124 @@
+import math
+import os
+from typing import List, Optional
+
+from cryptopals.block import cbc_padding_oracle
+
+
+def flip_nth_bit(text: bytes, num: int):
+    modified = text[:num] + bytes([text[num] ^ 1]) + text[num + 1 :]
+    return modified
+
+
+class Solver(object):
+    def __init__(self, block_size: int, iv: bytes, key: bytes, ciphertext: bytes):
+        self.block_size = block_size
+        self.ciphertext = ciphertext
+
+        # We won't look at these, these would be used by the server
+        self.iv = iv
+        self.key = key
+
+        self.reconstructed_bytes = []  # type: List
+        self.debug = False  # type: bool
+
+    def _decrypt_single_block(self, block_num):
+        previous_block_ciphertext = self.ciphertext[
+                (block_num - 2)
+                * self.block_size : (block_num - 1)
+                * self.block_size
+            ]
+        this_block_ciphertext = self.ciphertext[
+            (block_num - 1) * self.block_size : block_num * self.block_size
+        ]
+
+        block_cipher_outputs_prior_to_xor = []
+
+        for byte_num in range(self.block_size, 0, -1):
+
+            valid_padding_byte = self.block_size - byte_num + 1
+            found_a_byte = False
+
+            for num in range(255):
+                num_of_prefix_bytes = byte_num - 1
+
+                test_block = b'0' * num_of_prefix_bytes + bytes(
+                    [num]
+                )
+
+                # Now add the byte that will be padding for the bytes we've already
+                # reconstructed.
+                for block_cipher_output_byte in block_cipher_outputs_prior_to_xor:
+                    padding_byte = block_cipher_output_byte ^ valid_padding_byte
+                    test_block = test_block + bytes([padding_byte])
+
+                full_test_ciphertext = test_block + this_block_ciphertext
+
+                # Note that we're passing in the key and IV but we're only
+                # returning whether or not the padding is valid, not the
+                # decrypted content.
+                valid_padding = cbc_padding_oracle(
+                    self.key, full_test_ciphertext, self.iv
+                )
+
+                if not valid_padding:
+                    continue
+
+                block_cipher_output_byte = num ^ valid_padding_byte
+                plaintext_byte = (
+                    previous_block_ciphertext[num_of_prefix_bytes]
+                    ^ block_cipher_output_byte
+                )
+
+                # Handling the padding block by ensuring we get the choice of
+                # num correct (e.g. if the second to last byte in the block
+                # happens to be 2, we will get valid padding for _two_ possible
+                # bytes in the last byte position).
+                byte_num_to_edit = self.block_size + byte_num - 2
+                degeneracy_ciphertext = flip_nth_bit(
+                    full_test_ciphertext, byte_num_to_edit - self.block_size
+                )
+                if cbc_padding_oracle(self.key, degeneracy_ciphertext, self.iv):
+                    pass
+                else:
+                    continue
+
+                if self.debug:  # Fail when we get a byte wrong before going any further
+                    try:
+                        expected_byte = self.plaintext_bytes[
+                                self.block_size * (block_num - 1) + byte_num - 1]
+                        assert plaintext_byte == expected_byte
+                    except AssertionError:
+                        breakpoint()
+
+                found_a_byte = True
+
+                # Save the reconstructed byte and the output of the block cipher
+                # prior to XOR as we'll need it for the next byte to reconstruct.
+                block_cipher_outputs_prior_to_xor = [
+                    block_cipher_output_byte
+                ] + block_cipher_outputs_prior_to_xor
+                self.reconstructed_bytes = [
+                    plaintext_byte
+                ] + self.reconstructed_bytes
+
+                break
+
+            if self.debug and not found_a_byte:
+                breakpoint()
+            elif not found_a_byte:
+                raise Exception("Did not reconstruct a byte this block!")
+
+    def run(self, plaintext_bytes) -> List:
+        self.plaintext_bytes = plaintext_bytes
+        self.num_blocks = math.ceil(len(plaintext_bytes) / self.block_size)
+
+        # We start at rightmost block and move right to left.
+        for block_num in range(self.num_blocks, 0, -1):
+            if block_num == 1:
+                # We don't have the IV to decrypt further, so we stop here.
+                break
+
+            self._decrypt_single_block(block_num)
+
+        return self.reconstructed_bytes

cryptopals/padding.py

@@ -16,6 +16,8 @@ def pkcs_7(plaintext: bytes, block_len: int) -> bytes:
 
 def remove_pkcs_7(plaintext: bytes) -> bytes:
     num_bytes_of_padding = int.from_bytes(plaintext[-1:], byteorder="little")
+    if num_bytes_of_padding == 0:
+        raise BadPaddingValidation
 
     unpadded_plaintext = plaintext
     for _ in range(num_bytes_of_padding):

tests/data/17.txt

@@ -0,0 +1,10 @@
+MDAwMDAwTm93IHRoYXQgdGhlIHBhcnR5IGlzIGp1bXBpbmc=
+MDAwMDAxV2l0aCB0aGUgYmFzcyBraWNrZWQgaW4gYW5kIHRoZSBWZWdhJ3MgYXJlIHB1bXBpbic=
+MDAwMDAyUXVpY2sgdG8gdGhlIHBvaW50LCB0byB0aGUgcG9pbnQsIG5vIGZha2luZw==
+MDAwMDAzQ29va2luZyBNQydzIGxpa2UgYSBwb3VuZCBvZiBiYWNvbg==
+MDAwMDA0QnVybmluZyAnZW0sIGlmIHlvdSBhaW4ndCBxdWljayBhbmQgbmltYmxl
+MDAwMDA1SSBnbyBjcmF6eSB3aGVuIEkgaGVhciBhIGN5bWJhbA==
+MDAwMDA2QW5kIGEgaGlnaCBoYXQgd2l0aCBhIHNvdXBlZCB1cCB0ZW1wbw==
+MDAwMDA3SSdtIG9uIGEgcm9sbCwgaXQncyB0aW1lIHRvIGdvIHNvbG8=
+MDAwMDA4b2xsaW4nIGluIG15IGZpdmUgcG9pbnQgb2g=
+MDAwMDA5aXRoIG15IHJhZy10b3AgZG93biBzbyBteSBoYWlyIGNhbiBibG93

tests/test_block.py

@@ -7,6 +7,7 @@
     aes_cbc_decrypt,
     aes_cbc_encrypt,
     detect_ecb_use,
+    cbc_padding_oracle,
     ecb_encrypt_append,
     ecb_encrypt_prepend_and_append,
     cbc_encrypt_prepend_and_append,
@@ -15,7 +16,8 @@
     construct_ecb_attack_dict,
 )
 from cryptopals.frequency import TEST_CHARACTERS
-from cryptopals.utils import base64_to_bytes, hex_to_bytes
+from cryptopals.padding import pkcs_7, remove_pkcs_7
+from cryptopals.utils import base64_to_bytes, hex_to_bytes, xor
 
 
 BLOCK_SIZE = 16

tests/test_cbc_padding.py

@@ -0,0 +1,44 @@
+import os
+import random
+
+from cryptopals.block import aes_cbc_encrypt
+from cryptopals.cbc_padding import Solver
+from cryptopals.padding import pkcs_7
+from cryptopals.utils import base64_to_bytes
+
+
+def test_cbc_padding_oracle():
+    # Set 3, challenge 17 CBC Padding Oracle
+
+    path_to_test_data = os.path.join(
+        os.path.dirname(os.path.abspath(__file__)), "data/17.txt"
+    )
+
+    with open(path_to_test_data, "r") as f:
+        plaintexts = f.read().split("\n")
+
+    block_size = 16
+    key = os.urandom(block_size)
+    iv = os.urandom(block_size)
+
+    plaintext = random.choice(plaintexts)
+    unpadded_plaintext_bytes = base64_to_bytes(plaintext)
+    plaintext_bytes = pkcs_7(unpadded_plaintext_bytes, block_size)
+    ciphertext = aes_cbc_encrypt(key, unpadded_plaintext_bytes, iv)
+
+    cbc_solver = Solver(block_size, iv, key, ciphertext)
+    reconstructed_bytes = cbc_solver.run(plaintext_bytes)
+
+    # Since I'm pretending as if I didn't know the IV, I'm going to compare
+    # only the blocks that were *not* constructed by XORing with the IV. 
+    # As an attacker I could guess e.g. that the IV was all 0s or some other
+    # insecure default that might have been due to an insecure default in the
+    # crypto library used by the developer.
+    result_without_iv_based_block = "".join([chr(x) for x in reconstructed_bytes])
+    plaintext_without_iv_based_block = plaintext_bytes[
+            2
+            * cbc_solver.block_size : (cbc_solver.num_blocks - 1)
+            * cbc_solver.block_size
+        ].decode("utf-8")
+
+    assert plaintext_without_iv_based_block in result_without_iv_based_block

tests/test_padding.py

@@ -28,7 +28,8 @@ def test_removal_of_pkcs_7(test_input, expected):
 
 @pytest.mark.parametrize(
     "test_input",
-    [("ICE ICE BABY\x01\x02\x03\x04"), ("ICE ICE BABY\x05\x05\x05\x05"), ("YE\x03")],
+    [("ICE ICE BABY\x01\x02\x03\x04"), ("ICE ICE BABY\x05\x05\x05\x05"), ("YE\x03"),
+     ("ICE ICE BABY HI\x00")],
 )
 def test_removal_of_pkcs_7_raises_exception_invalid_padding(test_input):
     with pytest.raises(BadPaddingValidation):