Skip to content
/ ecbacp Public

Simple tool for ECB adaptive chosen plaintext attack

License

Notifications You must be signed in to change notification settings

tabneib/ecbacp

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ECB Adaptive Chosen Plaintext

This is a simple tool I wrote while solving a challenge at overthewire. It aims to automatically launch an adaptive chosen plaintext attack against some application using blockcipher in ECB operation mode. When all the assumptions are fulfilled it can brute force the whole secret plaintext.

Assumptions

  • The attacker has unlimited access to the encrypting function of the target. This means he can commands the target to encrypt stuff for him for an infinite number of times.
  • All texts are ASCII strings.
  • The input string (the payload) of the attacker will be prepended by a (unknown) prefix and appended by a suffix which is the secret plaintext.

This is how the end input to be encrypted looks like:

+--------+-------+
|     prefix     |
+        +-------+
|        |       |
+--------+       +
|     payload    |
+        +-------+
|        |       |
+--------+       +
|     suffix     |
+        +-------+
|        |       |
+--------+       +
| PKCS#7 padding |
+--------+-------+
  • PKCS#7 padding is used.
  • The input of the attacker is not escaped/truncated before the encryption.

The attack

The attack contains two phases: a prepartion phase and a brute-forcing phase.

  1. Preparation
    In this phase the length of the prefix and suffix is determined. First, a long string of some junk character is encrypted as the probing payload. Due to the semantically insecurity of ECB the attacker can recognize pattern in the returned ciphertext. Based on this information the attacker can find out the length of the prefix. Having this information he can further calculate the length of the suffix by stepwisely increasing the payload length and observing changes in the ciphertext.

  2. Brute-forcing
    In this phase the attacker determines the secret suffix character by character. Based on the information from the previous phase he can craft the payload such that the payload is "padded" by the next unknown character of the suffix. He then tries out all possible characters until the corresponding ciphertext block matches the expected one (which is the one yielded by the real character).

Guessing the first character of the suffix:

+--------+-----+-+
|     prefix     |
+        +-----+-+
|        |       |
+--------+       +
|     payload    |
+              +-+
|              |C|
+--------+-----+ +
|     suffix     |
+        +-----+-+
|        |       |
+--------+       +
| PKCS#7 padding |
+--------+-----+-+

Usage

This tool is modular in the way how data is encrypted. You have to implement your own encryption module in the package encryption. Your module must provide an encrypt function which takes a string and returns the hex string of the corresponding ciphertext.

The default encryption module is noencrypt which does nothing but adding a prefix, a suffix and padding according to PKCS#7.

Test

The encryption module natas is an example of a module that sends input to a web application for it to be processed and encrypted there, and returns what the web application returns to it. This module was used to solve the natas28 challenge, but due to input escaping only one character of the suffix could be determined. To run the test and print out all sent payloads:

python3 ecbacp.py --enc natas --probe 20 -v

About

Simple tool for ECB adaptive chosen plaintext attack

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages