{"id":3135,"date":"2021-05-04T10:57:33","date_gmt":"2021-05-04T08:57:33","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3135"},"modified":"2023-12-19T20:01:00","modified_gmt":"2023-12-19T19:01:00","slug":"crypto-notes","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3135","title":{"rendered":"Crypto notes"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">This page con\u00adtains var\u00adi\u00adous unstruc\u00adtured notes about cryp\u00adto relat\u00aded things.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">General notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>If you find some\u00adwhere that some\u00adthing should be ran\u00addom, but it isn\u2019t, this is already an impor\u00adtant finding.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Stream Ciphers<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>A stream cipher encrypts a clear\u00adt\u00adext bit for bit or char\u00adac\u00adter for char\u00adac\u00adter (nor\u00admal\u00adly via <span class=\"caps\">XOR<\/span>) with a secret key. It pro\u00adduces a <strong>key stream<\/strong> which it XORs with the <strong>clear\u00adt\u00adext stream<\/strong> to cre\u00adate the <strong>cipher stream<\/strong>.<\/li><li>The secret lies in the secret key (= called <em><span class=\"caps\">IV<\/span> ini\u00adtial\u00adiza\u00adtion vec\u00adtor<\/em>) and the algorithm.<\/li><li>The <span class=\"caps\">IV<\/span> <strong>must not<\/strong> used twice or an attack\u00ader can retrieve the clear\u00adt\u00adext via XOR\u00ading both cap\u00adtured ciphertexts.<\/li><li>The algo\u00adrithm <strong>must have<\/strong> a large peri\u00adod and must nev\u00ader repeat the same encryp\u00adtion pattern.<\/li><li>Before an algo\u00adrithm pro\u00adduces the same key stream again, the key\/<span class=\"caps\">IV<\/span> must be changed (= rotated).<\/li><li>A longer <span class=\"caps\">IV<\/span> pro\u00advides more infor\u00adma\u00adtion for the algo\u00adrithm so that the peri\u00adod <strong>can be longer<\/strong> before key rota\u00adtion is needed.<\/li><li>A short\u00ader <span class=\"caps\">IV<\/span> pro\u00advides less infor\u00adma\u00adtion for the algo\u00adrithm so that the peri\u00adod <strong>must be short\u00ader<\/strong> before key rota\u00adtion is needed.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Block Ciphers<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>A block cipher encrypts a fixed-length clear\u00adt\u00adext block with a key of the same length as the block into a cipher\u00adtext&nbsp;block.<\/li><li>If a clear\u00adt\u00adext is short\u00ader as the block\u00adsize, padding has to been&nbsp;used.<\/li><li>If a clear\u00adt\u00adext is longer as the block\u00adsize, the clear\u00adt\u00adext has to been split into mul\u00adti\u00adple blocks.<\/li><li>A block cipher mode deter\u00admines how a clear\u00adt\u00adext block is trans\u00adformed into a cipher\u00adtext block. The main ones&nbsp;are:<ul><li><strong><span class=\"caps\">ECB<\/span> Elec\u00adtron\u00adic Code\u00adbook Mode<\/strong>: Each block is encrypt\u00aded with the same&nbsp;key.<ul><li>It often pro\u00adduces pat\u00adterns. A clear\u00adt\u00adext block is always encrypt\u00aded to the same cipher\u00adtext if their lenghts match.<\/li><li><strong>Look for repeat\u00adable parts in the ciphertext.&nbsp;<\/strong><\/li><\/ul><\/li><li><strong><span class=\"caps\">CBC<\/span> Cipher Block Chain\u00ading Mode<\/strong>: Like <span class=\"caps\">ECB<\/span>, but before each round, the key block is XOR\u2019d with a chang\u00ading val\u00adue. There\u00adfore the key block looks dif\u00adfer\u00adent at each round and thus the same clear\u00adt\u00adext won\u2019t pro\u00adduce the same ciphertext.<ul><li>For the first round, anoth\u00ader ini\u00adtial val\u00adue is needed.<\/li><li>From the sec\u00adond round on, usu\u00adal\u00adly a part of the pre\u00advi\u00adous\u00adly gen\u00ader\u00adat\u00aded cipher\u00adtext block is&nbsp;used.<\/li><li>This means also that if one block is cor\u00adrupt\u00aded, the clear\u00adt\u00adext from this block on is&nbsp;lost.<\/li><li>This method works only sequentially.<\/li><\/ul><\/li><li><strong><span class=\"caps\">CTR<\/span> Counter Mode<\/strong>: Like <span class=\"caps\">ECB<\/span>, but the chang\u00ading val\u00adue before each round is a val\u00adue from a seri\u00adal\u00adized sequence which can be pre\u00addict\u00aded. Nor\u00admal\u00adly increas\u00ading numbers.<\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Heuristics to determine the crypto algorithm<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Look to the size of mul\u00adti\u00adple encrypt\u00aded&nbsp;files.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Is the size always even\u00adly divis\u00adi\u00adble by&nbsp;8?<ul><li>Maybe a stream cipher, <span class=\"caps\">RC4<\/span><\/li><\/ul><\/li><li>Is the size always even\u00adly divis\u00adi\u00adble by&nbsp;16?<ul><li>Maybe <span class=\"caps\">AES<\/span><\/li><\/ul><\/li><li>Is the size some\u00adtimes divis\u00adi\u00adble by 16, some\u00adtimes by&nbsp;8?<ul><li>Maybe <span class=\"caps\">DES<\/span>\/<span class=\"caps\">3DES<\/span><\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Checking entropy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check the entropy of the data: (<a href=\"https:\/\/gchq.github.io\/CyberChef\/\">CyberChef<\/a>, pcaphistogram.py)<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>High\u00ader entropy: Prob\u00ada\u00adbly encrypted.<\/li><li>Low\u00ader entropy: Prob\u00ada\u00adbly (part\u00adly) compressed<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Use <code>tcpick -r t.pcap -wR<\/code> to extract the raw data with\u00adout <span class=\"caps\">TCP<\/span>\/<span class=\"caps\">IP<\/span> head\u00aders. Then use <code>ent<\/code> to cal\u00adcu\u00adlate the entropy of the <span class=\"caps\">TCP<\/span> streams.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attacking <span class=\"caps\">CBC<\/span> Cipher Block Chaining Mode<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>You found out that a CBC-based <span class=\"caps\">ID<\/span> is used some\u00adwhere and stores come con\u00adtent you want to change. For exam\u00adple, a web appli\u00adca\u00adtion stores the user id in a cookie.<\/li><li>The cook\u00adie has the fol\u00adlow\u00ading val\u00adue: <code>U2FsdGVkX19TNGlhPemU\/Ob\/PhaDjIBTnsIkwsNfeGg=<\/code>. This rep\u00adre\u00adsents your <span class=\"caps\">UID<\/span>&nbsp;1042.<\/li><li>You want to change this val\u00adue to <span class=\"caps\">UID<\/span> 1000 to be rec\u00adog\u00adnized as admin\u00adis\u00adtra\u00adtor by the web application.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Preper\u00ada\u00adtion: Let\u2019s cre\u00adate a cipher\u00adtext and encrypt and decrypt it. Note that we use a ran\u00addom pass\u00adword here which does\u00adn\u2019t mat\u00adter because we are going to change only the encod\u00aded <span class=\"caps\">UID<\/span> val\u00adue and the serv\u00ader will decrypt out pro\u00advid\u00aded val\u00adues with\u00adout the need for us to know the server\u2019s password.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/\/ Create the file with the value and encrypt and decrypt.\n$ echo \"1042\" &gt; uid.cleartext\n$ openssl enc -aes-128-cbc -in uid.cleartext -out uid.ciphertext \/\/ Typed \"password\" at the password prompt.\n$ openssl enc -aes-128-cbc -d -in uid.ciphertext -pass pass:password\n1042\n\n\/\/ Convert binary file into hex string.\n$ cat uid.ciphertext | xxd --plain -c 100 &gt; uid.hexstring\n\n\/\/ Convert from hex string into a binary file again.\n$ cat uid.hexstring | xxd -r -p &gt; uid_new.ciphertext\n\n\/\/ Check that both files are identical.\n$ md5sum uid_new.ciphertext  uid.ciphertext\nc95fbe7ded09bab641141296ddb6125d  uid_new.ciphertext\nc95fbe7ded09bab641141296ddb6125d  uid.ciphertext\n\n\/\/ This leads us to the following one liner which we can play:\n$ echo 53616c7465645f5f533469613de994fce6ff3e16838c80539ec224c2c35f7868 | xxd -r -p | openssl enc -aes-128-cbc -d -in -  -pass pass:password\n1042<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Hash length extension attack<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A web\u00adserv\u00ader offers a file to down\u00adload but also requires a hash to \u201cprove\u201d that you are allowed to down\u00adload this file. You know one file and hash: <code>\/download\/?file=public.pdf&amp;h=905d6439e669681be03727687de68d47<\/code><\/li><li>You want to down\u00adload arbi\u00adtrary files now: For exam\u00adple: <code>\/download\/?file=\/etc\/passwd&amp;h=???<\/code><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To do this, we are using <a href=\"https:\/\/github.com\/iagox86\/hash_extender\">hash_extender<\/a>. Its readme con\u00adtains a good expla\u00adna\u00adtion how it works. Note that it only works if the serv\u00ader <em>prepends<\/em> the secret.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Cre\u00adate a new sig\u00adna\u00adture and <span class=\"caps\">URL<\/span> string with some\u00adthing like:<br><code>.\/hash_extender -d public.pdf -s 676dc17ec36bc6f200595e4a5ad0a9b2cee0c8b3 -a ..\/secret.pdf --format sha1 -l 9 --out-data-format html<\/code><\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This page con\u00adtains var\u00adi\u00adous unstruc\u00adtured notes about cryp\u00adto relat\u00aded things. Gen\u00ader\u00adal notes If you find some\u00adwhere that some\u00adthing should be ran\u00addom, but it isn\u2019t, this is already an impor\u00adtant find\u00ading. Stream Ciphers A stream cipher encrypts a clear\u00adt\u00adext bit for bit or char\u00adac\u00adter for char\u00adac\u00adter (nor\u00admal\u00adly via <span class=\"caps\">XOR<\/span>) with a secret key. It pro\u00adduces&nbsp;a&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[401,402,403,404,405,400],"class_list":["post-3135","post","type-post","status-publish","format-standard","hentry","category-general","tag-block-cipher","tag-ciphers","tag-crypto","tag-cryptography","tag-iv","tag-stream-cipher"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3135"}],"version-history":[{"count":13,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3135\/revisions"}],"predecessor-version":[{"id":3179,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3135\/revisions\/3179"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}