crypto_toolchain 0.1.0

data/lib/crypto_toolchain/black_boxes/mt_19937_stream_cipher.rb

@@ -0,0 +1,47 @@
+module CryptoToolchain
+  module BlackBoxes
+    class MT19937StreamCipher
+      MAX_SEED = 0x0000ffff
+      class << self
+        def max_seed
+          @max_seed ||= MAX_SEED
+        end
+
+        def max_seed=(val)
+          @max_seed = val
+        end
+      end
+
+      def self.generate_token(length: 32, seed: Time.now.to_i)
+        new("A" * length, seed: seed).keystream.to_base64
+      end
+
+      def initialize(plaintext, seed: rand(0..(self.class.max_seed)))
+        @seed = seed & self.class.max_seed
+        @prng = CryptoToolchain::Utilities::MT19937.new(@seed)
+        @plaintext = plaintext
+      end
+
+      def encrypt(str = plaintext)
+        str ^ keystream
+      end
+
+      def decrypt(str)
+        str ^ keystream
+      end
+
+      def keystream
+        return @keystream if defined? @keystream
+        _keystream = (0..(plaintext.bytesize / 4)).each_with_object("") do |_, memo|
+          memo << [prng.extract].pack("L")
+        end
+        @keystream = _keystream[0...(plaintext.bytesize)]
+      end
+
+      private
+
+      attr_reader :plaintext, :prng, :seed
+
+    end
+  end
+end

data/lib/crypto_toolchain/black_boxes/netcat_cbc_padding_oracle.rb

@@ -0,0 +1,33 @@
+module CryptoToolchain
+  module BlackBoxes
+    class NetcatCbcPaddingOracle
+
+      attr_reader :ciphertext
+
+      def initialize(key: Random.new.bytes(16), iv: Random.new.bytes(16))
+        @key = key
+        @iv = iv
+        @ciphertext = Base64.strict_decode64('SNXIDUFQW0Ul6GXI4NyU/LMHl+vRlVIYp4pvFstfpP1n1C9Xhbl/bNip6mK5l7TMPS+vw247XTYK3LKIGT4AZVh6zUB97fN3fOamkLvzpmA=')
+      end
+
+      def execute(str)
+        handle = IO.popen(["nc", "bufferoverflow.disappointedmama.com", '6767'], "r+")
+        handle.puts(Base64.strict_encode64(str))
+        resp = handle.readpartial(1024).strip
+        handle.close
+        case resp
+        when "Failed to decrypt the message"
+          false
+        when "Successfully received and decrypted the message"
+          true
+        else
+          raise StandardError.new, "Unknown response `#{res}`"
+        end
+      end
+
+      private
+
+      attr_reader :key, :iv
+    end
+  end
+end

data/lib/crypto_toolchain/black_boxes/rsa_keypair.rb

@@ -0,0 +1,83 @@
+# encoding: ASCII-8BIT
+module CryptoToolchain
+  module BlackBoxes
+    class RSAKeypair
+      PrivateKey = Struct.new(:d, :n)
+      PublicKey = Struct.new(:e, :n)
+
+      def initialize(bits: 1024)
+        @bits = bits
+        @p = OpenSSL::BN::generate_prime(bits/2).to_i
+        @q = OpenSSL::BN::generate_prime(bits/2).to_i
+        @n = @p * @q
+        et = (@p-1) * (@q-1)
+        @e = 3
+        @d = @e.invmod(et)
+      end
+
+      attr_reader :e, :bits
+
+      def encrypt(m, to: )
+        raise ArgumentError.new("Message should be a string") unless m.is_a?(String)
+        m.
+          to_number.
+          modpow(to.e, to.n).
+          to_bin_string
+      end
+
+      def decrypt(m)
+        raise ArgumentError.new("Message should be a string") unless m.is_a?(String)
+        m.
+          to_number.
+          modpow(private_key.d, private_key.n).
+          to_bin_string
+      end
+
+      def sign(plaintext)
+        blocksize = bits / 8
+        digest = CryptoToolchain::Utilities::SHA1.digest(plaintext)
+        asn = asn1(:sha1)
+        # the 4 is the mandatory 0x00 0x01 0xff 0x00
+        pad_num = blocksize - ( digest.bytesize + asn.bytesize + 4)
+        block = "\x00\x01\xff" + (0xff.chr * pad_num) + "\x00" + asn + digest
+        decrypt(block)
+      end
+
+      def verify(message, signature: , lazy: true)
+        raise("I can't not be lazy") unless lazy
+        enc = encrypt(signature, to: pubkey)
+        asn = ASN1.fetch(:sha1)
+        regex = /(?<padding>\x01\xff+\x00)(?<asn>.{#{asn.bytesize}})(?<hash>.{20})/m
+        begin
+          _padding, potential_asn, hash = enc.match(regex).captures
+        rescue
+          return false
+        end
+        potential_asn == asn && hash == CryptoToolchain::Utilities::SHA1.digest(message)
+      end
+
+      def public_key
+        @public_key ||= PublicKey.new(@e, @n)
+      end
+      alias_method :pubkey, :public_key
+
+      def private_key
+        @private_key ||= PrivateKey.new(@d, @n)
+      end
+      alias_method :privkey, :private_key
+
+      # Values from
+      # https://stackoverflow.com/questions/3713774/c-sharp-how-to-calculate-asn-1-der-encoding-of-a-particular-hash-algorithm
+      def asn1(hash_type)
+        raise ArgumentError.new("Only sha1 is supported") unless hash_type == :sha1
+        {
+          md5:    "0 0\f\x06\b*\x86H\x86\xF7\r\x02\x05\x05\x00\x04\x10",
+          sha1:   "0!0\t\x06\x05+\x0E\x03\x02\x1A\x05\x00\x04\x14",
+          sha256: "010\r\x06\t`\x86H\x01e\x03\x04\x02\x01\x05\x00\x04 ",
+          sha384: "0A0\r\x06\t`\x86H\x01e\x03\x04\x02\x02\x05\x00\x040",
+          sha512: "0Q0\r\x06\t`\x86H\x01e\x03\x04\x02\x03\x05\x00\x04@"
+        }.fetch(hash_type)
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/black_boxes/rsa_parity_oracle.rb

@@ -0,0 +1,14 @@
+module CryptoToolchain
+  module BlackBoxes
+    class RSAParityOracle
+      def initialize(keypair)
+        @keypair = keypair
+      end
+      attr_reader :keypair
+
+      def execute(ciphertext)
+        keypair.decrypt(ciphertext).to_number & 1
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/black_boxes/rsa_unpadded_message_recovery_oracle.rb

@@ -0,0 +1,24 @@
+module CryptoToolchain
+  module BlackBoxes
+    class RSAUnpaddedMessageRecoveryOracle
+
+      attr_reader :keypair
+
+      def initialize(keypair: CryptoToolchain::BlackBoxes::RSAKeypair.new)
+        @keypair = keypair
+        @seen = []
+      end
+
+      def execute(ciphertext)
+        hsh = Digest::SHA256.hexdigest(ciphertext)
+        raise ArgumentError.new("Already decrypted") if @seen.include?(hsh)
+        @seen << hsh
+        keypair.decrypt(ciphertext)
+      end
+
+      def encrypt(ciphertext)
+        keypair.encrypt(ciphertext, to: keypair.public_key)
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/black_boxes/sha1_mac.rb

@@ -0,0 +1,20 @@
+module CryptoToolchain
+  module BlackBoxes
+    class SHA1Mac
+      attr_reader :key
+
+      def initialize(key: Random.new.bytes(16))
+        @key = key
+      end
+
+      def mac(str)
+        concat = key + str
+        CryptoToolchain::Utilities::SHA1.hexdigest(concat)
+      end
+
+      def valid?(message: , mac: )
+        self.mac(message) == mac
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/black_boxes.rb

@@ -0,0 +1,22 @@
+require "crypto_toolchain/black_boxes/ecb_or_cbc_encryptor"
+require "crypto_toolchain/black_boxes/ecb_prepend_chosen_plaintext_oracle"
+require "crypto_toolchain/black_boxes/ecb_interpolate_chosen_plaintext_oracle"
+require "crypto_toolchain/black_boxes/ecb_cut_and_paste_target"
+require "crypto_toolchain/black_boxes/cbc_bitflip_target"
+require "crypto_toolchain/black_boxes/cbc_padding_oracle"
+require "crypto_toolchain/black_boxes/netcat_cbc_padding_oracle"
+require "crypto_toolchain/black_boxes/mt_19937_stream_cipher"
+require "crypto_toolchain/black_boxes/aes_ctr_editor"
+require "crypto_toolchain/black_boxes/ctr_bitflip_target"
+require "crypto_toolchain/black_boxes/cbc_iv_equals_key_target"
+require "crypto_toolchain/black_boxes/sha1_mac"
+require "crypto_toolchain/black_boxes/md4_mac"
+require "crypto_toolchain/black_boxes/rsa_keypair"
+require "crypto_toolchain/black_boxes/rsa_unpadded_message_recovery_oracle"
+require "crypto_toolchain/black_boxes/rsa_parity_oracle"
+require "crypto_toolchain/black_boxes/dsa_keypair"
+
+module CryptoToolchain
+  module BlackBoxes
+  end
+end

data/lib/crypto_toolchain/diffie_hellman/messages.rb

@@ -0,0 +1,53 @@
+module CryptoToolchain
+  module DiffieHellman
+    module Messages
+      class Die ; end
+
+      class PeerAddress
+        def initialize(peer: , channel: , initial: false)
+          @peer = peer
+          @channel = channel
+          @initial = initial
+        end
+        attr_reader :peer, :channel, :initial
+        alias_method :initial?, :initial
+        attr_accessor :pubkey, :shared_secret
+      end
+
+      class KeyExchange
+        def initialize(peer: , pubkey: , p: nil, g: nil, initial: false)
+          if initial && (p.nil? || g.nil?)
+            raise ArgumentError.new("Initial message must provide p and g")
+          end
+          @p = p
+          @g = g
+          @pubkey = pubkey
+          @peer = peer
+          @initial = initial
+        end
+        attr_reader :p, :g, :peer, :pubkey, :initial
+        alias_method :initial?, :initial
+
+        def to_s
+          "PEER: #{peer.name} P: #{p} G: #{g} PUBKEY: #{pubkey % 1000}"
+        end
+      end
+
+      class Datum
+        def initialize(peer: , contents: , initial: false)
+          @peer = peer
+          @contents = contents
+          @initial = initial
+        end
+
+        def decrypt(key: )
+          iv = contents[0..15]
+          contents[16..-1].decrypt_cbc(key: key, iv: iv)
+        end
+
+        attr_reader :peer, :contents, :initial
+        alias_method :initial?, :initial
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/diffie_hellman/mitm.rb

@@ -0,0 +1,52 @@
+Thread.abort_on_exception = true
+module CryptoToolchain
+  module DiffieHellman
+    class MITM < Peer
+      def initialize(debug: false, name: "MITM", p: NIST_P, g: NIST_G, peer_a: , peer_b: , pubkey: nil)
+        @peer_a = peer_a
+        @peer_b = peer_b
+        @pubkey = pubkey
+        super(debug: debug, name: name, p: p, g: g)
+        [peer_a, peer_b].each do |peer|
+          puts "Adding #{peer.name} to #{name} at startup" if debug
+          add_address(peer)
+        end
+      end
+
+      def peer_address_response(msg)
+        send_msg other_peer(msg.peer), my_address_message(initial: msg.initial)
+      end
+
+      def do_key_exchange
+        msg = Messages::KeyExchange.new(peer: self, pubkey: pubkey, p: p, g: g, initial: true)
+        [peer_a, peer_b].each do |peer|
+          info_for(peer).update(p: p, g: g)
+          send_msg(peer, msg)
+        end
+      end
+
+      def key_exchange_response(msg)
+        info = info_for(msg.peer)
+        info.update(pubkey: msg.pubkey)
+        secret_override = invalid_pubkey? ? 0 : nil
+        info.set_shared_secret(privkey, override: secret_override)
+        puts "#{name} generated secret #{info.shared_secret} for #{msg.peer.name}" if debug
+      end
+
+      def datum_response(msg)
+        data = msg.decrypt(key: info_for(msg.peer).session_key)
+        puts "#{name} got message containing #{data} from #{msg.peer.name}" if debug
+        other = other_peer(msg.peer)
+        encrypted = encrypted_message_for(other, message: data, initial: msg.initial)
+        send_msg(other, encrypted)
+        @received_messages << ReceivedMessage.new(from: msg.peer.name, contents: data)
+      end
+
+      def other_peer(peer)
+        peer == peer_a ? peer_b : peer_a
+      end
+
+     attr_reader :peer_a, :peer_b
+    end
+  end
+end

data/lib/crypto_toolchain/diffie_hellman/peer.rb

@@ -0,0 +1,130 @@
+module CryptoToolchain
+  module DiffieHellman
+    class Peer
+      def initialize(debug: false, name: SecureRandom.uuid, p: NIST_P, g: NIST_G)
+        @addresses = {}
+        @channel = Queue.new
+        @name = name
+        @debug = debug
+        @p = p
+        @g = g
+        @received_messages = []
+      end
+
+      def process!
+        when_ready do
+          msg = channel.pop
+          message_type = msg.class.to_s.split(':').last
+          if msg.respond_to?(:peer)
+            puts "#{name} got #{message_type} from #{msg.peer.name}" if debug
+          end
+          method = "#{message_type}_response".snakecase
+          unless self.respond_to?(method)
+            raise ArgumentError.new("Don't know how to process method :#{method}")
+          end
+          begin
+            send(method, msg)
+          rescue ReceivedDie
+            break
+          end
+        end
+      end
+      alias_method :process, :process!
+
+      def die_response(msg)
+        raise ReceivedDie
+      end
+
+      def add_address(peer)
+        @addresses[peer.name] ||= PeerInfo.new(peer: peer, channel: peer.channel )
+      end
+
+      def peer_address_response(msg)
+        add_address(msg.peer)
+        if msg.initial?
+          send_msg msg.peer, my_address_message
+        end
+        puts "#{name} added #{msg.peer.name}" if debug
+      end
+
+      def key_exchange_response(msg)
+        info = info_for(msg.peer)
+        if msg.initial?
+          @p = msg.p
+          @g = msg.g
+        end
+        info.update(p: p, g: g, pubkey: msg.pubkey)
+        info.set_shared_secret(privkey)
+        if debug
+          puts "#{name} will use p = #{p}"
+          puts "#{name} will use g = #{g}"
+          puts "#{name} thinks #{msg.peer.name} has pubkey #{msg.pubkey}"
+          puts "#{name} generated secret #{info.shared_secret} for #{msg.peer.name}"
+        end
+        my_pubkey_msg = Messages::KeyExchange.new(peer: self, pubkey: pubkey, initial: false)
+        send_msg msg.peer, my_pubkey_msg if msg.initial?
+      end
+
+      def datum_response(msg)
+        data = msg.decrypt(key: info_for(msg.peer).session_key)
+        puts "#{name} got message containing #{data} from #{msg.peer.name}" if debug
+        if msg.initial?
+          encrypted = encrypted_message_for(msg.peer, message: data, initial: false)
+          send_msg(msg.peer, encrypted)
+        end
+        @received_messages << ReceivedMessage.new(from: msg.peer.name, contents: data)
+      end
+
+      def when_ready
+        loop do
+          while(channel.empty?)
+            sleep 0.001
+          end
+          yield
+        end
+      end
+
+      def send_msg(peer, message)
+        puts "#{name} sends #{message.class.to_s.split(':').last} to #{peer.name}" if debug
+        peer.channel.enq(message)
+      end
+
+      def info_for(peer)
+        addresses.fetch(peer.name)
+      end
+
+      def pubkey
+        raise RuntimeError.new("Can't generate public key until p has been set") if p.nil?
+        raise RuntimeError.new("Can't generate public key until g has been set") if g.nil?
+        @pubkey ||= g.modexp(privkey, p)
+      end
+
+      def privkey
+        raise RuntimeError.new("Can't generate private key until p has been set") if p.nil?
+        @privkey ||= rand(1..0xffffffff) % p
+      end
+
+      def my_address_message(initial: false)
+        Messages::PeerAddress.new(peer: self, channel: self.channel, initial: initial)
+      end
+
+      def encrypted_message_for(peer, message: , initial: false)
+        key = info_for(peer).session_key
+        iv = Random.new.bytes(16)
+        encrypted = (iv + message.encrypt_cbc(key: key, iv: iv))
+        Messages::Datum.new(peer: self, contents: encrypted, initial: initial)
+      end
+
+      def valid_pubkey?
+        pubkey < p
+      end
+
+      def invalid_pubkey?
+        !valid_pubkey?
+      end
+
+      attr_reader :addresses, :channel, :name, :debug, :p, :g, :received_messages
+      alias_method :debug?, :debug
+    end
+  end
+end

data/lib/crypto_toolchain/diffie_hellman/peer_info.rb

@@ -0,0 +1,43 @@
+module CryptoToolchain
+  module DiffieHellman
+    class PeerInfo
+      def initialize(peer: , channel: , pubkey: nil, p: nil, g: nil)
+        @peer = peer
+        @channel = channel
+        @pubkey = pubkey
+        @p = p
+        @g = g
+      end
+      attr_reader :peer, :channel, :shared_secret
+      attr_accessor :p, :g, :pubkey
+
+      def to_h
+        {
+          name:   peer.name,
+          p:      p,
+          g:      g,
+          pubkey: pubkey,
+          secret: shared_secret
+        }
+      end
+
+      def set_shared_secret(privkey, override: nil)
+        @shared_secret = override ? override : pubkey.modexp(privkey, p)
+      end
+
+      def session_key
+        if shared_secret.nil?
+          raise ArgumentError.new("Session key requires a shared secret")
+        end
+        @session_key ||= CryptoToolchain::Utilities::SHA1.bindigest(shared_secret.to_s)[0..15]
+      end
+
+      def update(hsh)
+        hsh.each do |k, v|
+          self.send("#{k}=", v) unless v.nil?
+        end
+      end
+
+    end
+  end
+end

data/lib/crypto_toolchain/diffie_hellman/received_message.rb

@@ -0,0 +1,17 @@
+module CryptoToolchain
+  module DiffieHellman
+    class ReceivedMessage
+      def initialize(from: , contents: )
+        @from = from
+        @contents = contents
+      end
+
+      def ==(other)
+        unless other.is_a?(CryptoToolchain::DiffieHellman::ReceivedMessage)
+          raise ArgumentError.new("Cannot coerce #{other.clas} to ReceivedMessage")
+        end
+      end
+      attr_reader :from, :contents
+    end
+  end
+end

data/lib/crypto_toolchain/diffie_hellman.rb

@@ -0,0 +1,10 @@
+require "crypto_toolchain/diffie_hellman/messages"
+require "crypto_toolchain/diffie_hellman/peer_info"
+require "crypto_toolchain/diffie_hellman/peer"
+require "crypto_toolchain/diffie_hellman/mitm"
+require "crypto_toolchain/diffie_hellman/received_message"
+module CryptoToolchain
+  module DiffieHellman
+    ReceivedDie = Class.new(RuntimeError)
+  end
+end

data/lib/crypto_toolchain/extensions/integer_extensions.rb

@@ -0,0 +1,90 @@
+# encoding: ASCII-8BIT
+class Integer
+  def to_hex_string
+    ret = to_s(16)
+    if ret.length.odd?
+      ret = "0#{ret}"
+    end
+    ret
+  end
+
+  def to_bin_string
+    to_hex_string.from_hex
+  end
+
+  def to_bits(pack_arg = "L>")
+    [self].pack(pack_arg).to_bits
+  end
+
+  def lrot(num)
+    ((self << num) & 0xffffffff) |
+      ((self & 0xffffffff) >> (32 - num))
+  end
+
+  def rrot(num)
+    ((self & 0xffffffff) >> num) |
+      ((self << (32 - num)) & 0xffffffff)
+  end
+
+  # From Wikipedia:
+  # https://en.wikipedia.org/wiki/Extended_Euclidean_algorithm#Pseudocode
+  def invmod(n)
+    a = self
+    t = 0
+    new_t = 1
+    r = n
+    new_r = a
+    while new_r != 0
+        quotient = r / new_r
+        t, new_t = new_t, (t - quotient * new_t)
+        r, new_r = new_r, (r - quotient * new_r)
+    end
+    raise ArgumentError.new("#{self} is not invertible") if r > 1
+    t += n if t < 0
+    t
+  end
+  alias_method :mod_inverse, :invmod
+  alias_method :modinv, :invmod
+
+  # https://rosettacode.org/wiki/Nth_root#Ruby
+  # (with modifications)
+  ROUNDING = %i(up down none)
+  def root(n, round: :down)
+    raise ArgumentError.new("round must be in [#{ROUNDING.join(', ')}]") unless ROUNDING.include?(round)
+    raise ArgumentError.new("Can't be called on 0") if self == 0
+    x = self
+    loop do
+      prev = x
+      x = ((n - 1) * prev) + (self / (prev ** (n - 1)))
+      x /= n
+      break if (prev - x) <= 0
+    end
+    if x**n == self
+      x
+    else
+      case round
+      when :up
+        x+1
+      when :down
+        x
+      when :none
+        raise ArgumentError.new("#{self} has no #{n}th root")
+      end
+    end
+  end
+
+  def modexp(exponent, mod)
+    raise ArgumentError.new("Exponent must be non-negative") if exponent < 0
+    product = 1
+    base = self % mod
+    while exponent > 0
+      if exponent & 0x01 == 1
+        product = (product * base) % mod
+      end
+      exponent = exponent >> 1
+      base = (base**2) % mod
+    end
+    product
+  end
+  alias_method :modpow, :modexp
+end

data/lib/crypto_toolchain/extensions/object_extensions.rb

@@ -0,0 +1,24 @@
+# encoding: ASCII-8BIT
+class Object
+  # Transcribed from http://cryptopals.com/sets/5/challenges/40
+  def chinese_remainder(residues, mods)
+    mod_product = ->(without) { mods.inject(:*) / without }
+    sum = 0
+    residues.zip(mods) do |(residue, mod)|
+      mp = mod_product.call(mod)
+      sum += residue * mp * mp.invmod(mod)
+    end
+    sum % mods.inject(:*)
+  end
+
+  def numberize(n)
+    if n.respond_to?(:to_number)
+      n.to_number
+    elsif n.is_a?(Numeric)
+      n
+    else
+      raise ArgumentError, "#{n} cannot be numberized"
+    end
+  end
+end
+