### Challenge 37: Break SRP with a zero key

[Back to Index](CryptoPalsWalkthroughs_Cobb.ipynb)

In [4]:
from Crypto.Util import number
from Crypto.Random import random
from Crypto.Hash.SHA256 import SHA256Hash

import cryptopals as cp

<div class="alert alert-block alert-info">

Get your SRP working in an actual client-server setting. "Log in" with a valid password using the protocol.

Now log in without your password by having the client send 0 as its "A" value. What does this to the "S" value that both sides compute?

Now log in without your password by having the client send N, N*2, &c.

<div class="alert alert-block alert-warning">
    
#### **Cryptanalytic MVP award**

Trevor Perrin and Nate Lawson taught us this attack 7 years ago. It is excellent. Attacks on DH are tricky to "operationalize". But this attack uses the same concepts, and results in auth bypass. Almost every implementation of SRP we've ever seen has this flaw; if you see a new one, go look for this bug.

</div>
</div>

In [5]:
class session:
    
    def __init__(self, user_name, salt, A, B):
        
        hash_out = SHA256Hash((str(A) + str(B)).encode()).digest().hex()
        self.salt = salt
        self.user_name = user_name
        self.A = A
        self.B = B
        self.u = pow(g, int(hash_out, 16), N)
        
class server:

    class password_entry:
    
        def __init__(self, salt, v):
        
            self.salt = salt
            self.v = v
    
    g = 2
    k = 3
    N = int('e7bd694dded5483a8083fe55c063b0180887542ef644e655d13d40bd1cd808f1'\
            'a9bca3c012478f7cf744222ccf7580036af82c589375e2dddffb6d698e177884'\
            '2594a439e123cd0fc91fbb017bfa7ff312c270d1b0f01def9f31db62872d3cb4'\
            'ed7d62448f13fb1742933223753be04ff20ce0903718f54406305cf6617212bf'\
            '27db2986654a09fbfe6b56445b1af6805384d483be70fc2f6c96a87ebd47e28a'\
            'ffb1b28b0c3b416fa49e4cef5e1a55e7268431c67d3a80daa0a16ddfe6f335e7'\
            'ecd98587a2348bf2e1cde93d42be6f7497fd23d3e74448218f9d0c7143f53773'\
            'c9afeb953fd02623380ffe2ba756668bbf4fdc9c5f56819c09ec055ba01b0447', 16)
    
    def __init__(self):
        
        self.users = {}
        self.current_session = None
    
    def add_user(self, user_name, password):
    
        # Generate random salt (64-bit integer)
        salt = random.randint(0, 2**64-1)
        x = int(SHA256Hash((str(salt) + password).encode()).digest().hex(), 16)
        v = pow(self.g, x, self.N)
        record = self.password_entry(salt, v)
        self.users[user_name] = record
        
    def initialize_session(self, user_name, A):
        
        salt = self.users[user_name].salt
        v = self.users[user_name].v
        
        b = random.randint(0, 2**64-1) % N
        B = (k*v + pow(g, b, N)) % N
        
        self.current_session = session(user_name, salt, A, B)
        u = self.current_session.u
        
        S_server = pow (A * pow(v, u, N), b, N)
        self.S = S_server
        self.current_session_key = SHA256Hash(str(S_server).encode()).digest()
        
        return(salt, B)
    
    def validate_session(self, C_Proof):
        
        S_Proof = SHA256Hash(self.current_session_key + 
                             str(self.current_session.salt).encode()).digest()
        
        if S_Proof == C_Proof:
            return_data = 'OK'
        else:
            return(random.Random.get_random_bytes(16))
        
        CT = cp.AESEncrypt(return_data, self.current_session_key)
        return(CT)
        

In [6]:
myserver = server()
myserver.add_user('somebody@gmail.com', 'password123')
myserver.add_user('user2', 'goofy')
myserver.add_user('user3', 'pluto')
myserver.add_user('user4@hellokitty.com', 'purrrfect')

This will emulate the client code:

In [7]:
g = 2
k = 3
N = int('e7bd694dded5483a8083fe55c063b0180887542ef644e655d13d40bd1cd808f1'\
            'a9bca3c012478f7cf744222ccf7580036af82c589375e2dddffb6d698e177884'\
            '2594a439e123cd0fc91fbb017bfa7ff312c270d1b0f01def9f31db62872d3cb4'\
            'ed7d62448f13fb1742933223753be04ff20ce0903718f54406305cf6617212bf'\
            '27db2986654a09fbfe6b56445b1af6805384d483be70fc2f6c96a87ebd47e28a'\
            'ffb1b28b0c3b416fa49e4cef5e1a55e7268431c67d3a80daa0a16ddfe6f335e7'\
            'ecd98587a2348bf2e1cde93d42be6f7497fd23d3e74448218f9d0c7143f53773'\
            'c9afeb953fd02623380ffe2ba756668bbf4fdc9c5f56819c09ec055ba01b0447', 16)

In [8]:
# Generate ephemeral private and public key for a new session

a = random.randint(0, 2**64-1) % N
A = pow(g, a, N)

P = 'purrrfect'

[salt, B] = myserver.initialize_session('user4@hellokitty.com', A)
client_session = session('user4@hellokitty.com', salt, A, B)
u = client_session.u

mySHA = SHA256Hash(bytes(str(salt) + P, 'utf-8'))
x = int(mySHA.digest().hex(), 16)
S_client = pow(B - k * pow(g, x, N), a + u * x, N)
K_client = SHA256Hash(str(S_client).encode()).digest()

C_Proof = SHA256Hash(K_client + str(salt).encode()).digest()
server_response_CT = myserver.validate_session(C_Proof)

response = cp.strip_PKCS7_pad(cp.AESDecrypt(server_response_CT, K_client))

print(response.decode())

OK


Check what happens if we supply a bad password.  The server should just return random gibberish.

In [9]:
a = random.randint(0, 2**64-1) % N
A = pow(g, a, N)

P = 'badpwd'

[salt, B] = myserver.initialize_session('user4@hellokitty.com', A)
client_session = session('user4@hellokitty.com', salt, A, B)
u = client_session.u

mySHA = SHA256Hash(bytes(str(salt) + P, 'utf-8'))
x = int(mySHA.digest().hex(), 16)
S_client = pow(B - k * pow(g, x, N), a + u * x, N)
K_client = SHA256Hash(str(S_client).encode()).digest()

C_Proof = SHA256Hash(K_client + str(salt).encode()).digest()
server_response_CT = myserver.validate_session(C_Proof)

response = cp.AESDecrypt(server_response_CT, K_client)

print(response.hex())

14bc6a097cd963cac044aa3a7050bdb3


---
### **The attacks**

<div class="alert alert-block alert-info">

Now log in without your password by having the client send 0 as its "A" value. What does this to the "S" value that both sides compute?

</div>

---

Looking at the server's calculation of its shared secret:  $$S_{Server} = (Av^{u})^{b} = 0 $$

I.e., we can force the server to use a shared secret of ```0``` by providing a public key of ```A=0```.  Nice.

---

In [10]:
A = 0
P = ''

[salt, B] = myserver.initialize_session('user4@hellokitty.com', A)
S_client = 0
K_client = SHA256Hash(str(S_client).encode()).digest()
C_Proof = SHA256Hash(K_client + str(salt).encode()).digest()
server_response_CT = myserver.validate_session(C_Proof)

response = cp.strip_PKCS7_pad(cp.AESDecrypt(server_response_CT, K_client))
print(response.decode())

OK


<div class="alert alert-block alert-info">

Now log in without your password by having the client send N, N*2, &c.

</div>

In [11]:
A = N
P = ''

[salt, B] = myserver.initialize_session('user4@hellokitty.com', A)
S_client = 0
K_client = SHA256Hash(str(S_client).encode()).digest()
C_Proof = SHA256Hash(K_client + str(salt).encode()).digest()
server_response_CT = myserver.validate_session(C_Proof)

response = cp.strip_PKCS7_pad(cp.AESDecrypt(server_response_CT, K_client))
print(response.decode())

OK


---
As expected -- A = N is A = 0 in modulo N arithmetic.  This would work for any multiple of N.

---

[Back to Index](CryptoPalsWalkthroughs_Cobb.ipynb)