| 1 | ''' |
|---|
| 2 | A collection of tools to assist in analyzing encrypted blobs of data |
|---|
| 3 | through chosen plaintext attacks. |
|---|
| 4 | |
|---|
| 5 | Copyright (C) 2011-2012 Virtual Security Research, LLC |
|---|
| 6 | Copyright (C) 2014-2016 Blindspot Security LLC |
|---|
| 7 | Author: Timothy D. Morgan |
|---|
| 8 | |
|---|
| 9 | This program is free software: you can redistribute it and/or modify |
|---|
| 10 | it under the terms of the GNU Lesser General Public License, version 3, |
|---|
| 11 | as published by the Free Software Foundation. |
|---|
| 12 | |
|---|
| 13 | This program is distributed in the hope that it will be useful, |
|---|
| 14 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
|---|
| 15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|---|
| 16 | GNU General Public License for more details. |
|---|
| 17 | |
|---|
| 18 | You should have received a copy of the GNU General Public License |
|---|
| 19 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
|---|
| 20 | ''' |
|---|
| 21 | |
|---|
| 22 | import sys |
|---|
| 23 | from buffertools import blockWiseDiff |
|---|
| 24 | |
|---|
| 25 | |
|---|
| 26 | # Chosen plaintext attack on ECB encryption |
|---|
| 27 | # |
|---|
| 28 | # The encryptionOracle should accept a single string argument, |
|---|
| 29 | # encrypt that argument as part of a larger (unknown) plaintext string, |
|---|
| 30 | # and then return the ciphertext. |
|---|
| 31 | # |
|---|
| 32 | # This function will then return a dictionary with information about the |
|---|
| 33 | # algorithm and chosen string attributes, including: |
|---|
| 34 | # block_size - the algorithm's block size |
|---|
| 35 | # chosen_offset - the chosen string's offset within the plaintext |
|---|
| 36 | # fragment_length - the length of a chosen from the chosen_offset to the |
|---|
| 37 | # end of its current block |
|---|
| 38 | # |
|---|
| 39 | def ECB_FindChosenOffset(encryptionOracle): |
|---|
| 40 | ret_val = {} |
|---|
| 41 | |
|---|
| 42 | # Guaranteed to have one block boundary on 128 bit block ciphers |
|---|
| 43 | chosen_length = 17 |
|---|
| 44 | chosen = 'O'*chosen_length |
|---|
| 45 | base = encryptionOracle(chosen) |
|---|
| 46 | |
|---|
| 47 | chosen = 'X' + 'O'*(chosen_length-1) |
|---|
| 48 | test_result = encryptionOracle(chosen) |
|---|
| 49 | |
|---|
| 50 | different_blocks = blockWiseDiff(1, base, test_result) |
|---|
| 51 | block_size = len(different_blocks) |
|---|
| 52 | # Sanity check |
|---|
| 53 | different_blocks = blockWiseDiff(block_size, base, test_result) |
|---|
| 54 | if different_blocks == None: |
|---|
| 55 | sys.stderr.write("ERROR: Block size test yielded undiff-able ciphertexts.\n") |
|---|
| 56 | return None |
|---|
| 57 | if len(different_blocks) > 1: |
|---|
| 58 | sys.stderr.write("ERROR: Block size test yielded multiple altered blocks (not ECB mode?).\n") |
|---|
| 59 | return None |
|---|
| 60 | |
|---|
| 61 | for i in range(2,chosen_length): |
|---|
| 62 | chosen = 'X'*i + 'O'*(chosen_length-i) |
|---|
| 63 | test_result = encryptionOracle(chosen) |
|---|
| 64 | different_blocks = blockWiseDiff(block_size, base, test_result) |
|---|
| 65 | |
|---|
| 66 | if different_blocks == None or len(different_blocks) == 0 or len(different_blocks) > 2: |
|---|
| 67 | sys.stderr.write("ERROR: Offset detection yielded inconsistent block diffs.\n") |
|---|
| 68 | return None |
|---|
| 69 | if len(different_blocks) == 2: |
|---|
| 70 | break |
|---|
| 71 | |
|---|
| 72 | ret_val['block_size'] = block_size |
|---|
| 73 | ret_val['fragment_length'] = i-1 |
|---|
| 74 | ret_val['chosen_offset'] = max(different_blocks)*block_size - ret_val['fragment_length'] |
|---|
| 75 | |
|---|
| 76 | return ret_val |
|---|
