crypto_toolchain 0.1.0

data/lib/crypto_toolchain/tools/ctr_bitflip_attack.rb

@@ -0,0 +1,24 @@
+# encoding; ASCII-8BIT
+module CryptoToolchain
+  module Tools
+    class CtrBitflipAttack
+      def initialize(target: CryptoToolchain::BlackBoxes::CtrBitflipTarget.new)
+        @target = target
+      end
+
+      def execute
+        easy = ":admin<true:" #only need to flip the last bit of bytes at indices 32, 38, 43
+        crypted = target.encrypt(easy)
+        crypted.
+          flip(7, byte_index: 32).
+          flip(7, byte_index: 38).
+          flip(7, byte_index: 43)
+      end
+
+      private
+
+      attr_reader :target
+
+    end
+  end
+end

data/lib/crypto_toolchain/tools/determine_blocksize.rb

@@ -0,0 +1,20 @@
+module CryptoToolchain
+  module Tools
+    module DetermineBlocksize
+      def blocksize
+        return @blocksize if defined?(@blocksize)
+        original_size = oracle.encrypt("A").length
+        i = 2
+        loop do
+          plain = "A" * i
+          len = oracle.encrypt(plain).length
+          if len != original_size
+            @blocksize = len - original_size
+            return @blocksize
+          end
+          i += 1
+        end
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/dsa_recover_nonce_from_signatures.rb

@@ -0,0 +1,53 @@
+module CryptoToolchain
+  module Tools
+    # Recovers private key from message signatures signed with the same nonce (k)
+    # This means that they have the same r values
+    class DSARecoverNonceFromSignatures
+      class Input
+        def initialize(r: , s: , message: )
+          @r = r.to_i
+          @s = s.to_i
+          @message = message
+          @hash = CryptoToolchain::Utilities::SHA1.hexdigest(message)
+        end
+        attr_reader :r, :s, :message, :hash
+      end
+
+      def initialize(inputs, q: DSA_Q)
+        @targets = targets_for(inputs)
+        validate_targets!
+        @q = q
+      end
+      attr_reader :targets, :q
+
+      def execute(params: true)
+        t1 = targets.first
+        t2 = targets.last
+        m1 = t1.hash.hex
+        m2 = t2.hash.hex
+        s1 = t1.s
+        s2 = t2.s
+        # (a + b) mod n = [(a mod n) + (b mod n)] mod n.
+        top = (m1 - m2) % q
+        k = top * (s1 - s2).invmod(q)
+        # numerator = ((m1 % q) - (m2 % q)) % q
+        k
+      end
+
+      def validate_targets!
+        r1 = targets.first.r
+        targets[1..-1].each do |t|
+          raise ArgumentError.new("All r-values must be identical") unless t.r == r1
+        end
+      end
+
+      def targets_for(inputs)
+        inputs.
+          group_by {|inp| inp.r }.
+          select {|k, v| v.length > 1 }.
+          values.
+          first
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/dsa_recover_private_key_from_nonce.rb

@@ -0,0 +1,39 @@
+module CryptoToolchain
+  module Tools
+    class DSARecoverPrivateKeyFromNonce
+      def initialize(public_key: , message: , r: , s: , p: DSA_P, q: DSA_Q, g: DSA_G)
+        @public_key = numberize(public_key)
+        @p = p
+        @q = q
+        @g = g
+        @r = numberize(r)
+        @s = numberize(s)
+        @message = message
+      end
+
+      attr_reader :public_key, :message, :r, :s, :p, :q, :g
+
+      def valid_k?(k)
+        x = private_key_from(k: k)
+        kp = CryptoToolchain::BlackBoxes::DSAKeypair.new(p: p, q: q, g: g, private_key: x)
+        kp.public_key == public_key
+      end
+
+      def private_key_from(k: )
+        #     (s * k) - H(msg)
+        # x = ----------------  mod q
+        #             r
+        numerator = ((s * k) - CryptoToolchain::Utilities::SHA1.digest(message).to_number) % q
+        denominator = r.invmod(q)
+        ((numerator * denominator) % q).to_bin_string
+      end
+
+      def execute(min: 1, max: 0xffffffff)
+        (min..max).each do |k|
+          return private_key_from(k: k) if valid_k?(k)
+        end
+        raise RuntimeError.new("Could not recover key")
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/ecb_cut_and_paste_attack.rb

@@ -0,0 +1,47 @@
+module CryptoToolchain
+  module Tools
+    class EcbCutAndPasteAttack
+      include DetermineBlocksize
+      def initialize(replace: "user",
+                     with: "admin",
+                     oracle: CryptoToolchain::BlackBoxes::EcbCutAndPasteTarget.new,
+                     initial: "charlesisagood@dog.com"
+                    )
+        @oracle = oracle
+        @replace = replace
+        @replacement = with
+        @initial = initial
+      end
+
+      def execute
+        without_text_to_change + replaced_text_only
+      end
+
+      private
+
+      attr_reader :oracle, :replace, :replacement, :initial
+
+      def without_text_to_change
+        (0...Float::INFINITY).each do |i|
+          input = initial + "X" * i
+          oracle.profile_for(input).in_blocks(blocksize).each do |block|
+            if block.start_with?(replace)
+              return oracle.encrypt(input).in_blocks(blocksize)[0..-2].join
+            end
+          end
+        end
+      end
+
+      def replaced_text_only
+        (0...Float::INFINITY).each do |i|
+          input = initial + "X" * i + replacement
+          oracle.profile_for(input).in_blocks(blocksize).each_with_index do |block, bi|
+            if block.start_with?(replacement)
+              return oracle.encrypt(input).in_blocks(blocksize)[bi]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/ecb_interpolate_chosen_plaintext_attack.rb

@@ -0,0 +1,72 @@
+# encoding: ASCII-8BIT
+module CryptoToolchain
+  module Tools
+    class EcbInterpolateChosenPlaintextAttack
+      include DetermineBlocksize
+      PAD = "A".freeze
+
+      # oracle must return an encrypted string via #encrypt
+      def initialize(oracle: CryptoToolchain::BlackBoxes::EcbInterpolateChosenPlaintextOracle.new)
+        @oracle = oracle
+        unless oracle.encrypt(PAD * blocksize * 10).is_ecb_encrypted?(@blocksize)
+          raise ArgumentError.new("Oracle does not appear to encrypt with ECB")
+        end
+      end
+
+      def execute
+        (0..Float::INFINITY).each_with_object("") do |block_index, solved|
+          from_block = (0...blocksize).each_with_object("") do |i, solved_in_block|
+            padding_length = blocksize - (solved_in_block.bytes.length) - 1
+            padding = PAD * padding_length
+            target = oracle_encrypt(padding).in_blocks(blocksize)[block_index + prefix_offset]
+            dict = (0..255).map(&:chr).each_with_object({}) do |chr, memo|
+              guess = padding + solved + solved_in_block + chr
+              output = oracle_encrypt(guess).in_blocks(blocksize)[block_index + prefix_offset]
+              memo[output] = chr
+              break(memo) if output == target
+            end
+            if !dict.has_key?(target)
+              return "#{solved}#{solved_in_block}"
+            end
+            solved_in_block << dict.fetch(target)
+          end
+          solved << from_block
+        end
+      end
+
+      private
+
+      attr_reader :oracle
+
+      def oracle_encrypt(str)
+        oracle.encrypt(PAD * prefix_padding_length + str)
+      end
+
+      def prefix_offset
+        @prefix_offset ||= large_padding.index(first_repeated_block)
+      end
+
+      def large_padding(large_pad_size = 1024)
+        @large_padding ||= oracle.encrypt(PAD * large_pad_size).in_blocks(blocksize)
+      end
+
+      def first_repeated_block
+        @first_repeated_block ||= large_padding.
+          group_by(&:itself).
+          sort_by {|k, v| v.length }.
+          last.
+          first
+      end
+
+      def prefix_padding_length
+        return @prefix_padding_length if defined?(@prefix_padding_length)
+        (0..Float::INFINITY).each do |i|
+          if oracle.encrypt(PAD * i).in_blocks(blocksize).include?(first_repeated_block)
+            @prefix_padding_length = i - blocksize
+            return @prefix_padding_length
+          end
+        end
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/ecb_prepend_chosen_plaintext_attack.rb

@@ -0,0 +1,42 @@
+# encoding: ASCII-8BIT
+module CryptoToolchain
+  module Tools
+    class EcbPrependChosenPlaintextAttack
+      include DetermineBlocksize
+      PAD = "A".freeze
+
+      # oracle must return an encrypted string via #encrypt
+      def initialize(oracle: CryptoToolchain::BlackBoxes::EcbPrependChosenPlaintextOracle.new)
+        @oracle = oracle
+        unless oracle.encrypt(PAD * blocksize * 10).is_ecb_encrypted?(@blocksize)
+          raise ArgumentError.new("Oracle does not appear to encrypt with ECB")
+        end
+      end
+
+      def execute
+        (0..Float::INFINITY).each_with_object("") do |block_index, solved|
+          from_block = (0...blocksize).each_with_object("") do |i, solved_in_block|
+            padding_length = blocksize - (solved_in_block.bytes.length) - 1
+            padding = PAD * padding_length
+            target = oracle.encrypt(padding).in_blocks(blocksize)[block_index]
+            dict = (0..255).map(&:chr).each_with_object({}) do |chr, memo|
+              guess = padding + solved + solved_in_block + chr
+              output = oracle.encrypt(guess).in_blocks(blocksize)[block_index]
+              memo[output] = chr
+              break(memo) if output == target
+            end
+            if !dict.has_key?(target)
+              return "#{solved}#{solved_in_block}"
+            end
+            solved_in_block << dict.fetch(target)
+          end
+          solved << from_block
+        end
+      end
+
+      private
+
+      attr_reader :oracle
+    end
+  end
+end

data/lib/crypto_toolchain/tools/interactive_xor.rb

@@ -0,0 +1,51 @@
+#encoding ASCII-8BIT
+#
+# nonce = 0
+# key = "a'\xC2[R\xEE\x8F2K\xBA\xCA\x980\x9Bb\xD5"
+# _plains = File.read("spec/fixtures/3-19.txt").split("\n").map(&:strip).map(&:from_base64)
+# ciphertexts = _plains.map {|pl| pl.encrypt_ctr(key: key, nonce: nonce, blocksize: 16)}
+# CryptoToolchain::Tools::InteractiveXor.new(ciphertexts).execute
+#
+module CryptoToolchain
+  module Tools
+    class InteractiveXor
+      attr_reader :ciphertexts
+      def initialize(ciphertexts)
+        @ciphertexts = ciphertexts
+      end
+
+      def execute
+        binding.pry
+      end
+
+      def validate_length!(plains)
+        len = plains.first.length
+        plains.each do |pl|
+          raise ArgumentError.new("must have same length") unless pl.length == len
+        end
+      end
+
+      def keys_for(plains, index)
+        plains.map.with_index do |pl|
+          len = [pl.length, ciphertexts[index].length].min
+          ciphertexts[index][0...len] ^ pl[0...len]
+        end
+      end
+
+      # index is the index of the ciphertext against which you are making an attempt
+      # Plains are the plaintexts you want to try as possibilities
+      def attempt(index, *plains)
+        validate_length!(plains)
+        keys = keys_for(plains, index)
+        ciphertexts.each_with_index do |ct, i|
+          line = keys.map do |k|
+            _len = [ct.bytesize, k.bytesize].min
+            ct[0..._len] ^ k[0..._len]
+          end.join("     |     ")
+          puts "#{i}\t#{line}"
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/low_exponent_rsa_signature_forgery.rb

@@ -0,0 +1,27 @@
+# encoding: ASCII-8BIT
+module CryptoToolchain
+  module Tools
+    class LowExponentRSASignatureForgery
+      def initialize(message: , keypair: )
+        @keypair = keypair
+        @message = message
+      end
+      attr_reader :keypair, :message
+
+      def execute
+        digest = CryptoToolchain::Utilities::SHA1.digest(message)
+        asn = ASN1.fetch(:sha1)
+        max = (keypair.bits / 8) - (asn.bytesize + digest.bytesize + 3)
+        (1..max).reverse_each do |padlen|
+          forged = "\x01\xff\x00#{asn}#{digest}#{0.chr * padlen}".
+            to_number.
+            root(3, round: :up).
+            to_bin_string
+          found = keypair.verify(message, signature: forged)
+          return forged if found
+        end
+        raise RuntimeError.new("Couldn't forge a signature")
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/md4_length_extension_attack.rb

@@ -0,0 +1,30 @@
+# encoding: ASCII-8BIT
+module CryptoToolchain
+  module Tools
+    class MD4LengthExtensionAttack
+      def initialize(message: , add: , mac: , key_length: )
+        @message = message
+        @mac = mac
+        @add = add
+        @key_length = key_length
+      end
+
+      # @return Array [msg, digest] Message that can be validated
+      def execute
+        dummy_key = "A" * key_length
+        padding = CryptoToolchain::Utilities::MD4.padding(dummy_key + message)
+        [
+          message + padding + add,
+          CryptoToolchain::Utilities::MD4.hexdigest(add,
+                                                     state: mac,
+                                                     append_length: (padding + message + dummy_key).length
+                                                    )
+        ]
+      end
+
+      attr_reader :message, :mac, :add, :key_length
+
+    end
+  end
+end
+

data/lib/crypto_toolchain/tools/mt_19937_seed_recoverer.rb

@@ -0,0 +1,27 @@
+module CryptoToolchain
+  module Tools
+    class MT19937SeedRecoverer
+      def initialize(extracted, start: default_start, finish: Time.now.to_i)
+        @extracted = extracted
+        @start = start
+        @finish = finish
+      end
+
+      def execute
+        (start..finish).each do |seed|
+          if CryptoToolchain::Utilities::MT19937.new(seed).extract == extracted
+            return seed
+          end
+        end
+        raise RuntimeError, "Did not find the seed; consider expanding start and finish"
+      end
+
+      attr_reader :extracted, :start, :finish
+
+      # One hour ago
+      def default_start
+        Time.now.to_i - (3600)
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/mt_19937_stream_cipher_seed_recoverer.rb

@@ -0,0 +1,40 @@
+module CryptoToolchain
+  module Tools
+    class MT19937StreamCipherSeedRecoverer
+      class << self
+        def recover_from(ciphertext: , seed: )
+          stream = CryptoToolchain::BlackBoxes::MT19937StreamCipher.new(ciphertext, seed: seed)
+          stream.decrypt(ciphertext)
+        end
+
+        def valid_token?(tok, start: Time.now.to_i - 5, finish: Time.now.to_i)
+          (start..finish).each do |seed|
+            if tok == CryptoToolchain::BlackBoxes::MT19937StreamCipher.generate_token(seed: seed)
+              return true
+            end
+          end
+          false
+        end
+        alias_method :valid_token, :valid_token?
+      end
+
+      def initialize(ciphertext: , known: )
+        @ciphertext = ciphertext
+        @known = known
+      end
+
+      def execute
+        (0..CryptoToolchain::BlackBoxes::MT19937StreamCipher::MAX_SEED).each do |seed|
+          cipher = CryptoToolchain::BlackBoxes::MT19937StreamCipher.new(ciphertext, seed: seed)
+          if cipher.decrypt(ciphertext).include?(known)
+            return seed
+          end
+        end
+        raise RuntimeError.new, "Could not recover seed"
+      end
+
+      attr_reader :known, :ciphertext
+
+    end
+  end
+end

data/lib/crypto_toolchain/tools/rsa_broadcast_attack.rb

@@ -0,0 +1,21 @@
+module CryptoToolchain
+  module Tools
+    class RSABroadcastAttack
+      Input = Struct.new(:ciphertext, :public_key)
+      def initialize(inputs)
+        @e = inputs.length
+        @inputs = inputs
+      end
+      attr_reader :inputs, :e
+
+      def execute
+        residues = inputs.map(&:ciphertext)
+        mods = inputs.map {|i| i.public_key.n }
+        result = chinese_remainder(residues, mods)
+        result.root(e).
+          to_s(16).
+          from_hex
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/rsa_parity_oracle_attack.rb

@@ -0,0 +1,33 @@
+module CryptoToolchain
+  module Tools
+    class RSAParityOracleAttack
+      def initialize(oracle: , n: , e: 3)
+        @oracle = oracle
+        @n = n
+        @e = e
+      end
+      attr_reader :n, :oracle, :e
+
+      def execute(_ciphertext, output: false)
+        ciphertext = _ciphertext.to_number
+        min = BigDecimal(0)
+        max = BigDecimal(n)
+        mid = max/2
+        mult = 2.modpow(e, n)
+        Math.log2(n).ceil.times do
+          mid = (min + max) / 2
+          ciphertext = ((ciphertext) * mult) % n
+          if oracle.execute(ciphertext.to_bin_string) == 0
+            max = mid
+          else
+            min = mid
+          end
+          if output
+            print "\e[2J\e[f\r#{max.to_i.to_bin_string.gsub(/[^[:print:]]/, '*')}"
+          end
+        end
+        max.to_i.to_bin_string
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/rsa_unpadded_message_recovery_attack.rb

@@ -0,0 +1,49 @@
+module CryptoToolchain
+  module Tools
+    class RSAUnpaddedMessageRecoveryAttack
+
+      attr_reader :oracle, :s
+
+      def initialize(oracle: , s: 2)
+        @oracle = oracle
+        @s = s
+      end
+
+      def execute(ciphertext)
+        plaintext(
+          p_prime(
+            c_prime(
+              ciphertext.to_number
+            )
+          )
+        )
+      end
+
+      private
+
+      def e
+        oracle.keypair.e
+      end
+
+      def n
+        oracle.keypair.public_key.n
+      end
+
+      def c_prime(c)
+        (s.modpow(e, n) * c) % n
+      end
+
+      def p_prime(_c_prime)
+        oracle.execute(
+          _c_prime.to_bin_string
+        ).to_number
+      end
+
+      def plaintext(_p_prime)
+        (
+          (_p_prime * s.invmod(n)) % n
+        ).to_bin_string
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/tools/sha1_length_extension_attack.rb

@@ -0,0 +1,30 @@
+# encoding: ASCII-8BIT
+module CryptoToolchain
+  module Tools
+    class SHA1LengthExtensionAttack
+      def initialize(message: , add: , mac: , key_length: )
+        @message = message
+        @mac = mac
+        @add = add
+        @key_length = key_length
+      end
+
+      # @return Array [msg, digest] Message that can be validated
+      def execute
+        dummy_key = "A" * key_length
+        padding = CryptoToolchain::Utilities::SHA1.padding(dummy_key + message)
+        [
+          message + padding + add,
+          CryptoToolchain::Utilities::SHA1.hexdigest(add,
+                                                     state: mac,
+                                                     append_length: (padding + message + dummy_key).length
+                                                    )
+        ]
+      end
+
+      attr_reader :message, :mac, :add, :key_length
+
+    end
+  end
+end
+

data/lib/crypto_toolchain/tools.rb

@@ -0,0 +1,31 @@
+require "crypto_toolchain/tools/determine_blocksize"
+require "crypto_toolchain/tools/ecb_prepend_chosen_plaintext_attack"
+require "crypto_toolchain/tools/ecb_interpolate_chosen_plaintext_attack"
+require "crypto_toolchain/tools/ecb_cut_and_paste_attack"
+require "crypto_toolchain/tools/cbc_bitflip_attack"
+require "crypto_toolchain/tools/cbc_padding_oracle_attack"
+require "crypto_toolchain/tools/interactive_xor"
+require "crypto_toolchain/tools/mt_19937_seed_recoverer"
+require "crypto_toolchain/tools/mt_19937_stream_cipher_seed_recoverer"
+require "crypto_toolchain/tools/aes_ctr_recoverer"
+require "crypto_toolchain/tools/ctr_bitflip_attack"
+require "crypto_toolchain/tools/cbc_iv_equals_key_attack"
+require "crypto_toolchain/tools/sha1_length_extension_attack"
+require "crypto_toolchain/tools/md4_length_extension_attack"
+require "crypto_toolchain/tools/rsa_broadcast_attack"
+require "crypto_toolchain/tools/rsa_unpadded_message_recovery_attack"
+require "crypto_toolchain/tools/low_exponent_rsa_signature_forgery"
+require "crypto_toolchain/tools/dsa_recover_private_key_from_nonce"
+require "crypto_toolchain/tools/dsa_recover_nonce_from_signatures"
+require "crypto_toolchain/tools/rsa_parity_oracle_attack"
+
+module CryptoToolchain
+  module Tools
+    def self.detect_single_character_xor(bytestring, non_printable: true)
+      arr = non_printable ? (0..255).map(&:chr).to_a : CryptoToolchain::PRINTABLE_CHARACTERS
+      arr.sort_by do |chr|
+        (chr.repeat_to(bytestring.length) ^ bytestring).score
+      end.last
+    end
+  end
+end