## Utils

In [1]:
import jwt
import requests

In [6]:
def send_request(url): 
    response = requests.get(url)

    if(response.status_code == 200): 
        data = response.json()
        return data 
    
    print(response.status_code)
    return None 


# JSON WEB TOKENS

### Token Appreciation

In [12]:
encoded_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmbGFnIjoiY3J5cHRve2p3dF9jb250ZW50c19jYW5fYmVfZWFzaWx5X3ZpZXdlZH0iLCJ1c2VyIjoiQ3J5cHRvIE1jSGFjayIsImV4cCI6MjAwNTAzMzQ5M30.shKSmZfgGVvd2OSB2CGezzJ3N6WAULo3w9zCl_T47KQ'

payload = jwt.decode(encoded_jwt, options = {'verify_signature': False}) 

print(payload['flag'])

crypto{jwt_contents_can_be_easily_viewed}


### JWT Sessions

https://stackoverflow.com/questions/33265812/best-http-authorization-header-type-for-jwt

Authorization is the flag 

### No Way Jose

In [42]:
header = {
    "alg": "none",  # Signing algorithm (e.g., HMAC SHA256)
    "typ": "JWT"     # Token type
}

payload = {
    'username': 'kriska', 
    'admin':True,
}

forgery = jwt.encode(payload,key=None, headers=header)


url = 'https://web.cryptohack.org/no-way-jose/authorise/'+forgery+'/'

data = send_request(url)

data

{'response': 'Welcome admin, here is your flag: crypto{The_Cryptographic_Doom_Principle}'}

### JWT Secrets

In [45]:
key = "secret"

payload = {

    'username':'kriska', 
    'admin': True

}

forgery = jwt.encode(payload,key=key)

url = 'https://web.cryptohack.org/jwt-secrets/authorise/'+forgery+'/'

data = send_request(url)

data

{'response': 'Welcome admin, here is your flag: crypto{jwt_secret_keys_must_be_protected}'}

### RSA or HMAC?

In [69]:
header = {
    
    'alg': 'HS256', 
    'typ': 'JWT'

}
payload = {
    'username':'kriska', 
    'admin':True
}


url = 'https://web.cryptohack.org/rsa-or-hmac/get_pubkey/'

e = send_request(url)['pubkey']

forgery = jwt.encode(payload,e,headers=header)

url ='https://web.cryptohack.org/rsa-or-hmac/authorise/'+forgery+'/'

send_request(url)

{'response': 'Welcome admin, here is your flag: crypto{Doom_Principle_Strikes_Again}'}

### JSON in JSON

The name kinda suggests it, we send another json with admin: True, since code checks for arbitrary word admin, it should gives us access 

In [66]:
username = "user\", \"admin\": \"True"
# we close with " the username part, then we have to escape the "admin" we say True but don't close the last one since the script that does encoding will do it for us

url = 'https://web.cryptohack.org/json-in-json/create_session/'+username+'/'

data = send_request(url)

token = data['session']

url = 'https://web.cryptohack.org/json-in-json/authorise/'+token+'/'

send_request(url)

{'response': 'Welcome admin, here is your flag: crypto{https://owasp.org/www-community/Injection_Theory}'}

### RSA or HMAC? PART 2 

Used this script to derive public key from my signature
https://github.com/FlorianPicca/JWT-Key-Recovery

In [3]:
print('crypto{thanks_silentsignal_for_inspiration}')

crypto{thanks_silentsignal_for_inspiration}


# TLS PART 1: THE PROTOCOL

### Secure Protocols

Three more things apart from CIA triad: 
1. Interoperability - aims to ensure that two devices can communicate even if they are using different TLS implementations which support different sets of algortithms 
2. Extensibility - means TLS can support many extra use-cases through optional extensions without overcomplicating the core protocol 
3. Efficiency - important so that the performance cost of TLS is not too high, especially on low-end devices where cryptographic operations are slow 

In [1]:
print("Let's Encrypt")

Let's Encrypt


### Sharks on the Wire 

In [2]:
print(15)

15


### TLS Handshake

First when we type cryptohack.org into address bar, a DNS request is made to translate the domain name into an IP address 

The safe browsing feature reaches out to Google server to check that cryptohack.org is not a malicious domain 

A TCP three-way handshake (SYN, SYN-ACK, ACK) was initiated between our laptop and port 443 (the TLS port) of the server. This negotiates a stable connection between the two computers over the Internet before real data transfer could start 

A TLS ClientHello is sent to the server. It is sending bunch of parameters, such as ciphers it supports. An ACK TCP packet sent from the server ACKnowledging it received the packet from our laptop. 

The server sends TLS ServerHello, Change Cipher Spec and Applciation Data messages. The server sends back its own parameters, then signals Change Cipher Spec which means it is switching over to sending encrypted communications from now on. Then the server sends its TLS certificate encrypted. 

An Online Certificate Status Protocol (OCSP) connection was made from our laptop to an OCSP server, to check the TLS certificate 

Our laptop sends a Change Cipher Spec message to say it will be switching to an encrypted communication and it final makes a HTTP request requesting a cryptohack homepage 

The server is sending the contents over HTTP wrapped in TLS 

In [3]:
print('67c6bf8ffda56fcb359fba7f0149f85422223cf021ab1a0af701de5dd2091498')

67c6bf8ffda56fcb359fba7f0149f85422223cf021ab1a0af701de5dd2091498


### Saying Hello 

TLS connections begin with a handshake, where client and server agree on parameters that will define the rest of connection. The shared secret is computed and used for symmetric encryption later on. 

At high level TLS messages are called records. Record has a short header that contains infromation about TLS version, the content type of the message(handshake, change cipher spec, application data and alert) and the data length. Then the data flows 

ClientHello contains: 
- A list of cipher suites it supports 
- The highest TLS version it supports 
- A list of extensions and compression methods it supports 
- A random number (used to provide entropy in the key exchange)
- A session ID to identify the connection 

In [5]:
print('ECDHE-RSA-AES256-GCM-SHA384')

ECDHE-RSA-AES256-GCM-SHA384


### Decrypting TLS 1.2 

In [6]:
print(bytes.fromhex('54686520666c61672069733a2063727970746f7b7765616b6e65737365735f6f665f6e6f6e5f657068656d6572616c5f6b65795f65786368616e67657d').decode('utf-8'))

The flag is: crypto{weaknesses_of_non_ephemeral_key_exchange}


### Decrypting TLS 1.3

In [1]:
print('crypto{export_SSLKEYLOGFILE}')

crypto{export_SSLKEYLOGFILE}


### Authenticated Handshake

In [6]:
from scapy.all import * 
pcap_file = "data/no-finished-tls3.pcapng"

packets = rdpcap(pcap_file)

for p in packets: 
    if TLS in p: 
        tls_handshake = p[TLS]

NameError: name 'TLS' is not defined

In [16]:
import hmac
import hashlib
import struct

from math import ceil


HASH_ALG = hashlib.sha384
HASH_LEN = HASH_ALG().digest_size


def tls_HMAC(k, b, algorithm):
    return bytearray(hmac.new(k, b, algorithm).digest())


def HKDF_expand(prk, info, length, algorithm):
    hash_len = algorithm().digest_size
    t = bytearray()
    okm = bytearray()
    for i in range(1, ceil(length / hash_len)+2):
        t = tls_HMAC(prk, t + info + bytearray([i]), algorithm)
        okm += t
    return okm[:length]


def HKDF_expand_label(secret, label, hashValue, length, algorithm):
    hkdfLabel = bytearray()
    hkdfLabel += struct.pack('>H', length)
    seq = bytearray(b"tls13 ") + label
    hkdfLabel += bytearray([len(seq)]) + seq
    seq = hashValue
    hkdfLabel += bytearray([len(seq)]) + seq

    return HKDF_expand(secret, hkdfLabel, length, algorithm)


def verify_data(finished_key, transcript, hash_alg):
    transcript_hash = hash_alg(transcript).digest()
    return tls_HMAC(finished_key, transcript_hash, hash_alg)


client_hello = bytes.fromhex("000400010006000c29ea9e42000008004500022d6b1a40004006b40dac107086b23e4acec36601bb9b37f00e7031e9ba5018faf01bc300001603010200010001fc0303d8c7c79e62892bd09bafe063b1f948880855589ef13eb847ca27e8436aa6ad8020e9319bcbc7a532d08e0aa9597740d8467a3452ad54693c6004d5e7e43fa37cd800b6130213031301c02cc03000a3009fcca9cca8ccaac0afc0adc0a3c09fc05dc061c057c05300a7c02bc02f00a2009ec0aec0acc0a2c09ec05cc060c056c05200a6c024c028006b006ac073c07700c400c3006d00c5c023c02700670040c072c07600be00bd006c00bfc00ac0140039003800880087c019003a0089c009c01300330032009a009900450044c0180034009b0046009dc0a1c09dc051009cc0a0c09cc050003d00c0003c00ba00350084002f0096004100ff010000fd000000180016000013746c73332e63727970746f6861636b2e6f7267000b000403000102000a00160014001d0017001e0019001801000101010201030104337400000010000e000c02683208687474702f312e31001600000017000000310000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602002b0009080304030303020301002d00020101003300260024001d0020f54b4d2a777319ad3dc6cd8239025f24b547cce209feb5b60aeaec25cb63af1b0015002800000000000000000000000000000000000000000000000000000000000000000000000000000000")

server_hello = bytes.fromhex("000000010006005056fe5af200000800450012191cba00008006f281b23e4aceac10708601bbc3667031e9ba9b37f2135018faf02baf0000160303007a0200007603032ce8accef17501fe4fc76ef5184fc43ac9c42b49138de575cf26fd46575488f420e9319bcbc7a532d08e0aa9597740d8467a3452ad54693c6004d5e7e43fa37cd8130200002e002b0002030400330024001d0020ead5ed6ad655b389fa0e5a2b765cf2ca78ea4d6a8137f51d590432dcf610891e1403030001011703030024e013089ae936892a92ab61b72cdaa8541bb7da45c9d00f387907ef3ced0add0873c3eabf1703030fd6f4da8b520d94b97bfc7db2ac08af5b152acf2075c022050aabd7ecbf6846c680d38503c4f8abba96bfa1434c6a8f0f222eb9f1e2123629a391a9c433408b4ef97e215887057167989412ce5e8bd0c512f99edd3863c36aa387bf8d1984413c34057bcb64b9a3720a79cd1f390627ab49d533e9770377fab1edaf01a46dd4208538e365c655ed5ce798e7ad59f944fb55d58cb971943753b77fa7e391c2a8f6719f04cc50314e498f3e778518555a74906ae09c8f2e1cb4b45b52e15fffcbe592bc06c919787120ff9fd0b45c4a65583f7713c9f2492dcf32642c86ed3ad26060541e83b9f10a24a31b214f34315060e2790f6b6475da9174c04c60152f0e99511d84b020182cf765b213ca458c0d5ea32d032fb62832a19f1e989feb980bb91615d6d0d59041cc62acaf21136bb2b391adf8071446c22c3ebda4e5c1c72f8105d8381ba242b94f46eadf88aafc7219ef77ed6389c9f82bb2722d2f000fc9887d9fcb9454c0328bf06178ce69e8cfb7b88678c2100e9736150eef41883ed3e40cd0ab5ea2ddae068f604b9cc56f6e81ed8d3449c5467036ebfc1feb034943146ec75cb9653a3d44553c5353b53b44bb1bbd4fb2b24542fdc161d6732f23a434cc9836b3a397bba2d282d0da03422d4aea0adb611f3f0b17ce1f45e684e06220b519c32cf72d4d1128f0eb9872b9d4e60bb12da3b1e66733d8fe71019d30302a85c8f5661f56fdb7da7b86da6c8606e3d062a97b568040bb7a5059908b067f8b6f4ff868863d8b65e64dd5ada6827d389ca4cda5a90dd37aa5dc0819ac0af03ba5ff776d396c772d1a3e8170149b441c6bf80f721a5207af37aefc9769f7cb12e9420aa0b04cadc5e0ef64271ebef4943dfe0ae86a1ddda71a1be06c26e6ca2fc2378cd007c8eca503812e195915ffcceb7c5df538a1e13f3369e16e1d8cd65ccdeb1d1eaccfec729ae60c387c6f576bb4452c3073cc32f9f7d25b52dd234c5d89d5731b6fbf851cc4b6b948121d4e989e42f54a19c1ded42e52e82835f7b1329cf2a0a32d99c9fff80d411ef53508d4b1f8045710202333e6715d16969b2793ff4006f071b9140a8d035dfb1226da5e2d8ef1e38d4907bc05907e27b843eb918a6ae14fb0427d02d71fa9c1142e94f1e398176746419f720808e41d23ed4a71a41ffe063a379b4f112a80f5c65a9c8edc25da1120cb4e70225963c5cab174668974ae216a1ef9019bbbb6d30a36e92da7179117c6ea65fc5f2c81a8e4fee608c6e6fdfd653d6ddc7776e95efde2394619ea19529ec8550468a04032830976ce4d0cf504a38d310d98a279c1bcb39d6205a8046b4263ec8a2d2d9db53a378cc6cca82920ee14956aa9ed879e25fcefeeef3050a7bbe004bc09c2638fdc7c3e382ab2fff7f9ca56c51fb3d613d8401ce13b3fd65cc858efee081218a7d7636b7fd5fb7489726e883df1151c5d68d95ddad71aad44a80c4cfec3f9561ecc547810c469427a3241f7a4169f474b1633334df5590bbd290747d9f1f84eb0745b418aa4400c1e31e4b3bf8d16a7f4baa3efd667c690076e7fb60237d896e0a87f029f7738c5fa8a35daebf2c9b7db6f4562aef72cbe8d2632af105fd2d2918b1d1853605a6e135c195763e38c529af39156f0da082af740bc8485bc0f05499dd00d10980a69a2ad06b638ea842b21eae984cce160f3ba180a6ea8b22e2f148918a04066670333d6ea297e8f2a67806b680181a5b7933a4c31dba6f6da04650c812f2c55bea5aa42beb541ff295152f5ebc0a87c42819ea429a0f74b61323781d2ebd275828f9dcead0c91a02cafd7391a4f8be0bf58522c1557fddf0113fe844847efdb17b1d83c11b0333fa31fa2cb71b23d9786327cc740028511adae53987490528c8db0f9f55898c190ce485376985493e79553fb956d7a5b05e60a3bc60dd88da605adaca3f9a70f0a71236732b200315a62b38db05a8794794a2c524dada6689feb68d38e17b1bb5d2546d4b0b0733f3ca3584a2b1790909ffa53e4a6161cea5e34d82db61594c4d629341f13e5a418d9778e76faa7a59efc98b76dfea9e0f168de6e17a40205783a1b7b0c0350ff215f12633cf2b6339a4786608be5171743fae8b3888f3f9f0e13056eba2df9469dcc5fb19f2dcd4b4dd18db9a9ebde374f3edd427ab7db12b4b0daf773125aee0c0372046eccefa7f8a271b7851aefaf515fe0eb0d07491e7b0864bf7ef2a06c52dec956640d580474e7b619e1b39c7fa1458c6612057026b93938f1aa2eaf13d0102d1a3ff63d9e161fa444fa2caf8501fe08d29f942dd2e1c6453523c70ca2d92cb8164767f248f3bafdbfb6fb3a18479d76ab3a067b006b624a37c95f89b3d94dfa86ff481b1144b4cccc8d9649d43714c71f8e0119d4398fdab4a893d3965891a9d15642340d9edc7b74cad23a02c66722acfed716b66957c97ca508380e826ab7157bf2ac41a377f14df512426359dd9cf213c6be5c940ad9b0ec590975b480d1508ec3040b87a3dd75d498888c668733ff41c139c03b400b335cd73c11058504f2530ef0b1deee6361ac9525f4b8379edf928b661d265e44cb865cc065431876bf176a3b05b3a1f09d258a207d0d34b392d83d7636cdc3bfe3ccb2557a24dfe15f52247f1f20d96ffb74deb97f74a074f393821a4e20e76492f2653a6f3420cdbb9a12b9a390f975244f3068ee9c6152692f27524457cf67614836c3a238607bd55899a3a0471b45534742f0907637675fbce34b983b0c8bd687abb04dbc0d9ad67242c9d33b103e74965963a7ed1edb3bfb3c57dbf00e555d1dbf333ec1f4daedddc49a642568b76a34374a7641c90888b25e448c35794e67f0907a8ed087b8bf62f9579385383c4d0a05e1b848c09e16112370ccfabf3c73b2a96a484b0a80f1b67d1a16a831b75d10acf9df786adade3e0b67b134f43afdb4798b0acf905532066fc5280bdea236b3f45fc8eb96c8fbf1c8ce3ab6319dbcc30c81c9f081b43cfae9b10c9443beabe51e853090b8905a1605396117968420e69d2f8273317cc8b82dc131dbf38c4f6efd3517439ff6acea0e50a6cae1014409e8cec0a9d48a2e062341e40ca69cfc2fd0433a804e0336ef30c7a9346ac0d33af98754fe543dcefc51be2e0adf2fa1400fcd72711e324320c15fdb213208832ab59c4b004b4fb82cb170f4005cb0d6f4d6b1d1d0373879dc82c29fdd67122153bf6fb724626de15a6ef62d80e8293e18650f9b87d1d391354c1a9ebd2b8c021e5def21dc7a5939d10fe8d5ae08c81b957900473255c0d156a0e46e1b363ccd5e36d1e43c37a7cfac26c8e1045d38caa638b36f2000b8a2a6b99e8f4b10dbea3027ccd7b20a307bee8877d091e25d7eedbd920a9bf08a5991fbae40dfbf211d470e6e6fc27f4df68813951e455e7aa0855043b3368c111631c3eefaa327235122340994f4435bffded6ecdf325ae8ef9a322ee9e7dad7ce500c7a1c54c8f4d310c644133c14c6cc345c963efbd17cad00e9c36a417b4e2fcd1808fb2afa0f856b8ca8553737da11535f83417997df91f76e6fc3ad1c926fe3b6de29e4d167fe887a7168f71057c3394677afeeb5445b2d1be080ee55fa992a09dbe37932b554abd69d50088112639d0cacaf06e19cd1cda91fc6f243e0210b8cd7ef8073df1a8584be2e58e864c2638255db18574ae442da91897f5a2dcf60dd683bcf8e254950441d196c3c0b99883153717f8e693c4db0773fad209b421623d5733c8b1c33dd6911fe86c0d46430760a1f0592dee626cdd9ac0e9cdf5122b29fb5d0c7a27560744d0cd5cebfff2e57f506221a17d0c328ce58063040dbe515425df7d56e2376d7cf81f72155c6d76f42c1087b06eb827f24b4f5596cfe541044bc3aa98c1a0760f54cc9622717e121508ab98823ae008ec3e19f2ab9f40698c56f8fa85a4943a43fb3111bac53489a6bbfa9582d2a2374a3457f1c8bb21ece02e42627638e74e7c2d25fd09cd28b5038495adeaa535d9828cade2d96a196574c9ea759dbda83f4b166dbd616c221451e54ce1fb0a577d927e7a6839cd95f84c9af0609955285d8314d3df41ccbeae58f372cf12fabf334c2ee705f7edfb654fa0433e69226e1483afdd301fd01944f4ef1070f5f03d25ab32df0d765f0984e8718b1236d74c6ae334d35d93ce69865a750cb50e966dc59a6aa3d51bea3cfcb22d76d94d47fc8f36035e220b695e993cb3634a5796538c498c876289c171c3a8506ff7a5f50ce71ab4c4221f0e997fbbedfec263201631dec96233069d9012ff89728a9d8f8b6ea70916aadb4533fc37bcff8eb13fcb6e17094fd385e09e7abe0855163c0869384fecef12b477e55ee843ce756ef2a7fcf63e631fe36141548a9c6122e9209f9c93270869d14b564a7e939888f42896b330f9b6d86098629737cfda44e5c24e87431f7da5d07120abd181ec93d2f95544e001c8f04c5cd042ba49d84763bca6085337b9c8ad1163680a2a3b212db58045bd1b73ff0755b27154a4227d63664890dc0651feeb1fd1d1c18c459ab164ce19683f6f17539f101d36a1324bd05b5e143d9861c746805dad0879357a52461824c41a9a6024864ab0a64a96fce5405c853fca6ce898e3c3e16f27213cf9cdf442433f664cbcd120c31b205f5385c5bcff2ec2994f67ae7533200b2ffabec9211f13d92ae53fa74691cd624218607e678b16d2869ab08be5f1824acc6375a5d0fa795a5b0d5917d705ecfa121f6f795548fd7b9ed7f0752153ee1d97dd05e89e4c5aa94027b63c384843a611092d86f6e5a12afb8c32a00282003c63edfc9fa27c8db56545235bd03ac363c8708eafad8da0e7de369033077377ad83a7371a95e041b09e20a929e4baaab6b620157810d7fd9ed467fe8522b0f78c515c2508b86403f50a7f943b54d1ee78a29c977090fc5c90da3cd0e88af93c5e60e421ecde19adc8d211f301693ff90d0c1327acdea1acf362e03334a6f3b54f4ebe7b65710042a3905078e5e99a200f7b8f00db24f479b8befd580c1d5a5a2d2521c543a5f1f31c926ef20c7aa76d6c8aede16a72482000908a02523bd7ff2f3030b000da6e45d28c9930449bf3acd3c5dacc20739ebd0e97071a5fb8345c2e744543face87181e7ed8d3f1f8c5ed0726a9ddb96e1b54f956b69368932e6e4231530801b3e6f0c4b26358bec7b2f400da95b4c6476e83316943483735f7dd7b27c58715c068d583e0e8bde16d845551d69bd7d5c1a1abaf12116f7d01959d3860332436fb12e4ef0a55f8b29f58063856dbc04af39be703c3b38a8a49d7a68a8e5e33abc6d34975c2526e288be160bd9b37cdfc614d14cf72a386e380d290cadaaa45b01fa90dec8ae4a8f2d51397c68746d8ebf3d5c6d6ffcf9e9801b7426063d79f9bb8733fcfc6379f90a33c8f1843ffb7448d085e899d39140589719c0ab89e94266b82fcd72972912bc96db4b2fa1901e10bcebf72bb17e42c09dff8359278a1a8b85c2e3442910b6d27a5b944a783a29e089eb1ca422d7f285fe94c4f5ebf716068b200215b555597f43ac5ea05d11098b01bd087987ce7dab1ecad03f2a4f7a2c98aa2a5948f49bf97bf0bdf31a7a325ab0818b7035f73e81697dfd5467ce9bc1f3a18e7419909e151cd7bd9d2edf9cd8abce2af53a8070d7289d36a83098130809a2a509d08be022f24efd865c8fa4d95a8435d196e41684545ec2971703030119917c129e8ce781b7bce6775741dfe5cc98ee493aac2d081c92013cb6981436179f4a76b306dd07d34cca2a67c28150b8c8495665f2a929262c0747b96272eaefc17ce5f784557fa51c70f73e4234b2d45557a181d5853a7612cf87bdd8fb5c6213d6d5cff1ec24fcbbe8ce090bb301a5edb0f372a1c6af31db841698f3711c87cfb68be6c1cd865e417797c86f24dbe35d88de54308e6818ffa69188782c6f5e38d1c2d9150577ce9254fba248224070c8479d7a45d185335b26ad0ebefd99eaedeb4eb7eb97b5fbe08d8d3cc54594806c6ec297a9b44fb61e37d3d7085125cac54ce8711e299df23f43ee25e1e95b3748c98f64660fc77ced1d95a1f745e6404d1d3f42bff7d96493529f800d77d86d10311e5be2b520cc6f1703030045f349c32b71fb9cd28dd64bc1debae9d3e8ea741f146b16f65101d028b9c660d66331c6ac6901e439094e92f77af5368500fc853135f6d1e3a756de7159643a48cffe1a62cc")

server_encrypted_extensions = tls_handshake_messages['server_encrypted_extensions']

server_certificate_message = tls_handshake_messages['certificate']

server_certificateverify_message = tls_handshake_messages['certificate_verify']

server_finished = tls_handshake_messages['server_finished']


client_handshake_traffic_secret = bytes.fromhex("d8c7c79e62892bd09bafe063b1f948880855589ef13eb847ca27e8436aa6ad80ca8fb94500b13314d4c47158b1e9c7e5d3374cf9c5703b6d8ab879e99af1529d0e013b84ae1e7b15233ff64a1ed6e06c")

finished_key = HKDF_expand_label(
    client_handshake_traffic_secret, b"finished", b"", HASH_LEN, HASH_ALG)

transcript = client_hello + server_hello + \
    server_encrypted_extensions + server_certificate_message + \
    server_certificateverify_message + server_finished

client_finished = verify_data(finished_key, transcript, HASH_ALG).hex()
print(client_finished)

TypeError: can't concat list to bytes

# CLOUD

### Megalomaniac 1

**Key Hierarchy** 

Password is chosen by the user. From this password an encryption and authentication key is derived. The authentication key is used to identify users. The encryption key encrypts a randomly generated master key, which in turn encrypts other key material of the user. 

For every account there is a set of asymmetirc keys: 
1. RSA key pair for sharing data with other users 
2. A Curve25519 key pair for exchanging chat keys for chat funcionality
3. A Ed25519 key pair for signing the other keys 

Furthermore for every file or folder uploaded by the user, a new symmetric encryption key called a *node* key is generated. 

The private asymmetric keys and the node keys are encrypted by the client with the master key using AES-ECB and stored on servers to support access from multiple devices. A user on a new device can enter their password, authenticate, fetch the encrypted key material and decrypt it with the encryption key derived from the pasword 

**RSA Key Recovery Attack** 

MEGA uses RSA encryption for sharing node keys between users, to exchaneg a session ID with the user at login and in a legacy key transfer for the MEGA chat. Each user has a public RSA key $pk_{share}$ user by other users or MEGA to encrypt data for the owner, and a private key $sk_share$ used by the user themselves to decrypt data shared with them. The private RSA key is stored for the user in ecrypted form on MEGA's servers. 

There is a way to recover the private key due to lack of integrity protection of the encrypted keys stored for users on MEGA's servers. An entity controling MEGA's core infrastructure can tamper with the encrypted RSA private key and deceive client into leaking information about one of the prime factors of the RSA modulus during the session ID exchange. More specifically, the session ID that the client decrypts with the mauled private key and sends to the server will reveal whether the prime is smaller or greater than an adversarially chosen value. This enables binary search for the prime factor, with one comparison per client login attempt, allowing adversary to recover the RSA key with 1023 client logins. Using lattices this can be reduced to 512. 




In [11]:
import telnetlib 
import json
from Crypto.Util.number import long_to_bytes



HOST = 'socket.cryptohack.org' 
PORT = 13408 
tn = telnetlib.Telnet(HOST, PORT)


def readline():
    return tn.read_until(b"\n")

def json_recv():
    line = readline()
    return json.loads(line.decode())

def json_send(hsh):
    request = json.dumps(hsh).encode()
    tn.write(request)

print(readline())
print(readline())
print(readline())
print(readline())

r = json_recv()
print(r)

b'NEW CLIENT REGISTRATION :\n'
b'Email : alice@CH.org\n'
b'Username : Alice\n'
b'New client is uploading crypto material...\n'
{'auth_key_hashed': '46683aa506d4ff56b85479fbfbf308c903a267e764bfcabe9500bd3738ae220e', 'master_key_enc': 'db67c6461da5b3d8c07f5b1afa0391a8', 'share_key_pub': [19823144983847953960208803964985300498372134515778131891707424179777482232126903055611349667426398968100104386452411690298223818382018158572051754296215578445419648937067716269822495529068511713674624662705036625636305099499267128519775245577982152988603425115347293290086413919763930468223742231951011257867205791634733996936120354070659841991598694734448267452825871444638971470431193711646331142297019919437179885906618842237929791404441332426480354119122598511844791829009484640526410123213292706897386605053267471794199243020849318556306255342433176016575206179079080606408072106285247835256626727597481899057019, 65537], 'share_key_enc': '06de4b6fd763783a53760cdd7941af43b02a0c6f1c83185033297e04e03a45811cd7

### Megalomaniac 2

https://eprint.iacr.org/2022/914