crypto_toolchain 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 85833999c67482bc9ca5ef223a039b9a82c3675b
-  data.tar.gz: e1ab0345bc0a089458206def1cc30e47fb94bdd0
+SHA256:
+  metadata.gz: abf3eb1ea6db35f164ee955e811d817ce4a54ce5f8dbfb7c26622662fe15b7ac
+  data.tar.gz: f65fe236e0594960033508c94570cb147fbda144db077570e946e0733282e062
 SHA512:
-  metadata.gz: 180ebe2b0b30fb9666b2b0d1ad92ec0b6be2b124a6bdf70e7a3f7977e286e2c3479eca677d5fb2af99ae4569812da6201a836cf85f3c4e25cd8a9fe248a5db1d
-  data.tar.gz: 5075be9cac22c796664b0318287f37ff48cf22af86216d2ca70c5c0a5a7a8d165e6b888a1008a010139319b1f61784a884245a559d618d4f6def1b405f32b0be
+  metadata.gz: 7db6ff7adb0b11efd29a5fd987f71e1517d6be8509007f4092bcef3e74076c907ef6f59a3b3f98b84b589563611a85882d89a12cee7ed4c30d972753c5457f5e
+  data.tar.gz: a1632d18cab50cc48228ce4394f3edefc923eb7e692ba213ad9acce2ab0d3a7a7d91127f9dcb7168ae3fc279ac6eba47c4798dd77bdd9a58fdc3f73a48871718

data/.gitignore

@@ -10,6 +10,8 @@
 /test/version_tmp/
 /tmp/
 Gemfile.lock
+.ruby-version
+.rspec
 
 # Used by dotenv library to load environment variables.
 # .env

data/.travis.yml

@@ -3,3 +3,4 @@ language: ruby
 rvm:
   - 2.3.3
 before_install: gem install bundler -v 1.13.6
+script: travis_wait bundle exec rspec

data/README.md

@@ -1,3 +1,5 @@
+[![Build Status](https://travis-ci.org/ffleming/crypto_toolchain.svg?branch=master)](https://travis-ci.org/ffleming/crypto_toolchain)
+
 # CryptoToolchain
 
 This is a suite of tools for ruining the blue team's day with respect to crypto.
@@ -8,6 +10,8 @@ cryptographic vulnerabilities.
 
 NB: These will probably never be finished
 
+Add `--tag ~slow` to your `.rspec` file if you don't want to run slow tests.
+
 ## Cryptopals progress
 
 ### Set 1: Basics
@@ -71,8 +75,8 @@ NB: These will probably never be finished
 * [x] DSA nonce recovery from repeated nonce
 * [x] DSA parameter tampering
 * [x] RSA parity oracle
-* [ ] Bleichenbacher's PKCS 1.5 Padding Oracle (Simple Case)
-* [ ] Bleichenbacher's PKCS 1.5 Padding Oracle (Complete Case)
+* [x] Bleichenbacher's PKCS 1.5 Padding Oracle (Simple Case)
+* [x] Bleichenbacher's PKCS 1.5 Padding Oracle (Complete Case)
 
 ### Set 7: Hashes
 * [ ] CBC-MAC Message Forgery

data/lib/crypto_toolchain/black_boxes/rsa_keypair.rb

@@ -5,17 +5,17 @@ module CryptoToolchain
       PrivateKey = Struct.new(:d, :n)
       PublicKey = Struct.new(:e, :n)
 
-      def initialize(bits: 1024)
+      def initialize(bits: 1024, p: nil, q: nil)
         @bits = bits
-        @p = OpenSSL::BN::generate_prime(bits/2).to_i
-        @q = OpenSSL::BN::generate_prime(bits/2).to_i
+        @p = p || OpenSSL::BN::generate_prime(bits/2).to_i
+        @q = q || OpenSSL::BN::generate_prime(bits/2).to_i
         @n = @p * @q
         et = (@p-1) * (@q-1)
         @e = 3
         @d = @e.invmod(et)
       end
 
-      attr_reader :e, :bits
+      attr_reader :e, :bits, :p, :q
 
       def encrypt(m, to: )
         raise ArgumentError.new("Message should be a string") unless m.is_a?(String)
@@ -25,12 +25,17 @@ module CryptoToolchain
           to_bin_string
       end
 
-      def decrypt(m)
+      def decrypt(m, pad: false)
         raise ArgumentError.new("Message should be a string") unless m.is_a?(String)
-        m.
-          to_number.
-          modpow(private_key.d, private_key.n).
-          to_bin_string
+        decrypted = m.
+                      to_number.
+                      modpow(private_key.d, private_key.n).
+                      to_bin_string
+        if pad
+          pad_to_key_size(decrypted)
+        else
+          decrypted
+        end
       end
 
       def sign(plaintext)
@@ -78,6 +83,14 @@ module CryptoToolchain
           sha512: "0Q0\r\x06\t`\x86H\x01e\x03\x04\x02\x03\x05\x00\x04@"
         }.fetch(hash_type)
       end
+
+      def pad_to_key_size(str)
+        padded = str.dup
+        while padded.bytesize < bits / 8
+          padded = "\x00#{padded}"
+        end
+        padded
+      end
     end
   end
 end

data/lib/crypto_toolchain/black_boxes/rsa_padding_oracle.rb

@@ -0,0 +1,17 @@
+module CryptoToolchain
+  module BlackBoxes
+    class RSAPaddingOracle
+      def initialize(keypair: CryptoToolchain::BlackBoxes::RSAKeypair.new(bits: 256))
+        @keypair = keypair
+      end
+
+      attr_reader :keypair
+
+      def execute(str)
+        keypair.
+          decrypt(str, pad: true).
+          is_pkcs1_5_padded?(keypair.bits)
+      end
+    end
+  end
+end

data/lib/crypto_toolchain/black_boxes.rb

@@ -15,6 +15,7 @@ require "crypto_toolchain/black_boxes/rsa_keypair"
 require "crypto_toolchain/black_boxes/rsa_unpadded_message_recovery_oracle"
 require "crypto_toolchain/black_boxes/rsa_parity_oracle"
 require "crypto_toolchain/black_boxes/dsa_keypair"
+require "crypto_toolchain/black_boxes/rsa_padding_oracle"
 
 module CryptoToolchain
   module BlackBoxes

data/lib/crypto_toolchain/extensions/integer_extensions.rb

@@ -87,4 +87,13 @@ class Integer
     product
   end
   alias_method :modpow, :modexp
+
+  def updiv(other)
+    quot, remainder = self.divmod(other)
+    if remainder == 0
+      quot
+    else
+      quot + 1
+    end
+  end
 end

data/lib/crypto_toolchain/extensions/string_extensions.rb

@@ -123,10 +123,21 @@ class String
     end
   end
 
+  def pad_pkcs1_5(bits)
+    len = bits / 8
+    if self.bytesize > len - 11
+      raise ArgumentError.new("String #{self.inspect} is too long to pad with PKCS#1v1.5, length: #{self.bytesize}")
+    end
+    padstring = (len - 3 - self.bytesize).times.with_object("") { |_, memo| memo << rand(1..255).chr }
+    "\x00\x02#{padstring}\x00#{self}"
+  end
+
+  def is_pkcs1_5_padded?(bits)
+    self[0..1] == "\x00\x02"
+  end
+
   def is_pkcs7_padded?(blocksize = CryptoToolchain::AES_BLOCK_SIZE)
-    # if self.size != blocksize
-      return in_blocks(blocksize).last.is_block_pkcs7_padded?(blocksize)
-    # end
+    return in_blocks(blocksize).last.is_block_pkcs7_padded?(blocksize)
   end
 
   def without_pkcs7_padding(blocksize = CryptoToolchain::AES_BLOCK_SIZE, raise_error: false)

data/lib/crypto_toolchain/tools/rsa_padding_oracle_attack.rb

@@ -0,0 +1,124 @@
+# encoding: ASCII-8BIT
+module CryptoToolchain
+  module Tools
+    class RSAPaddingOracleAttack
+    end
+  end
+end
+
+class CryptoToolchain::Tools::RSAPaddingOracleAttack
+  def initialize(oracle: BlackBoxes::RSAPaddingOracle.new, n: , e: 3)
+    @oracle = oracle
+    @n = n
+    @e = e
+  end
+  attr_reader :n, :oracle, :e
+
+  def check(int)
+    oracle.execute(str_for(int))
+  end
+
+  def str_for(int)
+    str = int.to_bin_string
+    pad = "\x00" * (n.bit_length.updiv(8) - str.bytesize)
+    "#{pad}#{str}"
+  end
+
+  def execute(ciphertext)
+    s = 1
+    @c0 = ciphertext.to_number
+    intervals = [ [ (2*big_b), (3*big_b ) ] ]
+    i = 1
+    loop do
+      if i == 1
+        #2a
+        s = start_search()
+      elsif intervals.length > 1
+        #2b
+        s += 1
+        s += 1 until check((@c0 * s.modpow(e, n)) % n)
+      elsif intervals.length == 1
+        #2c
+        a, b = intervals.first
+
+        if a == b
+          return str_for(a)
+        end
+        s = search_with_single_interval(a, b, s)
+      end
+
+      # 3
+      intervals = calculate_intervals(intervals, s)
+      i += 1
+    end
+  end
+
+
+  def calculate_intervals(intervals, s)
+    new_intervals = []
+    intervals.each do |a, b|
+      min_r = (a * s - 3 * big_b + 1).updiv(n)
+      max_r = (b * s - 2 * big_b) / n
+      (min_r..max_r).each do |r|
+        aa = [a, (2 * big_b + r * n).updiv(s)].max
+        bb = [b, ((3 * big_b - 1 + r * n) / s)].min
+
+        new_intervals = add_interval(new_intervals, aa, bb)
+      end
+    end
+    new_intervals
+  end
+
+  def add_interval(intervals, lower, upper)
+    matched = false
+    new_intervals = intervals.map do |a, b|
+      if b < lower || a > upper
+        # interval to be added does not overlap an existing interval - persist the existing interval
+        # if we never overlap an interval, we'll add the [lower, upper] interval later
+        [a, b]
+      else
+        # interval to be added overlaps - extend that interval according to [lower, upper]
+        matched = true
+        [
+          [lower, a].min,
+          [upper, b].max
+        ]
+      end
+    end
+    if matched
+      new_intervals
+    else
+      new_intervals.push([lower, upper])
+    end
+  end
+
+  def start_search
+    s1 = n.updiv(3 * big_b)
+    loop do
+      c = (@c0 * s1.modpow(e, n)) % n
+      if check(c)
+        return s1
+      end
+      s1 += 1
+    end
+  end
+
+  def search_with_single_interval(a, b, s)
+    r = (2 * (b * s - 2 * big_b)) / (n)
+    s = (2 * big_b + r * n) / (b)
+
+    until check((@c0 * s.modpow(e,n)) % n)
+      s += 1
+      if s > (3 * big_b + r * n) / a
+        r += 1
+        s = (2 * big_b + r * n) / b
+      end
+    end
+    s
+  end
+
+  def big_b
+    k = oracle.keypair.bits / 8
+    2**(8 * (k - 2))
+  end
+end

data/lib/crypto_toolchain/tools.rb

@@ -18,6 +18,7 @@ require "crypto_toolchain/tools/low_exponent_rsa_signature_forgery"
 require "crypto_toolchain/tools/dsa_recover_private_key_from_nonce"
 require "crypto_toolchain/tools/dsa_recover_nonce_from_signatures"
 require "crypto_toolchain/tools/rsa_parity_oracle_attack"
+require "crypto_toolchain/tools/rsa_padding_oracle_attack"
 
 module CryptoToolchain
   module Tools

data/lib/crypto_toolchain/version.rb

@@ -1,3 +1,3 @@
 module CryptoToolchain
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/lib/crypto_toolchain.rb

@@ -7,6 +7,7 @@ require "uri"
 require 'json'
 require 'securerandom'
 require "bigdecimal"
+require 'openssl'
 require "crypto_toolchain/version"
 require "crypto_toolchain/extensions"
 require "crypto_toolchain/utilities"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypto_toolchain
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Forrest Fleming
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-11-09 00:00:00.000000000 Z
+date: 2018-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry-byebug
@@ -132,7 +132,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
-- ".rspec"
 - ".travis.yml"
 - Gemfile
 - Guardfile
@@ -159,6 +158,7 @@ files:
 - lib/crypto_toolchain/black_boxes/mt_19937_stream_cipher.rb
 - lib/crypto_toolchain/black_boxes/netcat_cbc_padding_oracle.rb
 - lib/crypto_toolchain/black_boxes/rsa_keypair.rb
+- lib/crypto_toolchain/black_boxes/rsa_padding_oracle.rb
 - lib/crypto_toolchain/black_boxes/rsa_parity_oracle.rb
 - lib/crypto_toolchain/black_boxes/rsa_unpadded_message_recovery_oracle.rb
 - lib/crypto_toolchain/black_boxes/sha1_mac.rb
@@ -196,6 +196,7 @@ files:
 - lib/crypto_toolchain/tools/mt_19937_seed_recoverer.rb
 - lib/crypto_toolchain/tools/mt_19937_stream_cipher_seed_recoverer.rb
 - lib/crypto_toolchain/tools/rsa_broadcast_attack.rb
+- lib/crypto_toolchain/tools/rsa_padding_oracle_attack.rb
 - lib/crypto_toolchain/tools/rsa_parity_oracle_attack.rb
 - lib/crypto_toolchain/tools/rsa_unpadded_message_recovery_attack.rb
 - lib/crypto_toolchain/tools/sha1_length_extension_attack.rb
@@ -225,7 +226,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Crypto toolchain for CTFs and so on

data/.rspec

@@ -1,2 +0,0 @@
---format documentation
---color