unicornsasfuel / cryptanalib3 Goto Github PK

RSA OAEP padding oracle attack [http://dl.acm.org/citation.cfm?id=704143]

[http://www.dsi.unive.it/~focardi/RSA-padding-oracle/#BFKSST12] presents an optimized version of the bleichenbacher algorithm.

Standardize all function help blurbs to this:

"""
Function does XYZ.

Inputs:
``bytes`` sample - The sample to process.

Outputs:
``(bytes, int)`` - The processed sample and its length.

Raises:
``ValueError`` when the sample is too short.
"""

As of now, ca3.modern.dsa_repeated_nonce_attack() has SHA1 hard-coded as the hash algorithm to use, but some systems choose to use other hash functions, such as SHA256.

It would be relatively easy to either pass an object with a method digest(self, plaintext) that returns a raw hash digest with the hash function desired, or perhaps just any hash function hash_function(plaintext) that as before, returns a raw hash digest.

There is an attack on ECB where a secret appended to user input, encrypted, and disclosed in encrypted form can be obtained in plaintext form by bytewise brute force with carefully aligned boundaries. This attack is already implemented as ca3.ecb_cpa_decrypt.

This attack ALSO applies to CBC mode when a static IV is in use. It's a common flaw to use a static IV with CBC mode, and as such this is a very practical attack. We should add this attack to cryptanalib.

If the modulus recovery fails but GCD(states) > 1, it is often because the recovered modulus RM is a multiple of the actual modulus.

We can ceil_divide RM by the largest known state to get the maximum divisor by which to divide RM, check which of those are factors of RM, and try each in descending order, recovering a potential a constant and checking a/m until we find, or fail to find, the actual modulus.

Investigate if chi-square frequency analysis is more effective than what we're currently doing.

Perfect code coverage is tough, but there are a few things that really should have tests:

• Morse code encode / decode
• break_ascii_shift()
• show_histogram()
• make_polybius_square()
• polybius_decrypt()
• libc rand() next/prev state wrappers
• unsuccessful rsa-crt fault attack
• recovery of rsa modulus from signatures

from @sonOfRa:

There's two versions of this algorithm:

The local version that uses Floyd's cycle finding algorithm to find collisions
The distributed version that uses Distinguished Points to find collisions
The code I have uses the latter (it can just be used on a single computer, using multiple cores).

The algorithm can be used when given a Point Q, and its generator P, to find k such that k*P = Q. For small curves (40 bit) the algorithm finishes in below 5 seconds on my machine. For a larger (70 bit) curve, it took about 12 hours to find a collision. For large curves (>128 bit) it is unlikely to finish in a reasonable time frame.

The algorithm is also portable to "regular" Discrete Logarithms (used in DHKE): Given a group element x and its generator g, find k such that g^k = x

This issue is mostly a reminder for myself so I can find this again and port and contribute my code when I find the time.

It would be cool to have a function whose prototype is like:

rebuild_rsa_key(p=None, q=None, d=None, dp=None, dq=None, N=None, e=None, c=None, m=None)

It would step through a bunch of use cases to see if it could reconstruct the rest of the key. Mostly useful for CTF stuff, but would be nice once we have functions that could be used to recover a single factor or some such.

There's a tool called pasteurize, part of the future module, that may allow this code to work in Python2, and thus Jython.

ca3 is currently very English-centric insofar as several functions are coded to expect English text frequency instead of other human languages like German or data formats like JSON. It would be great if, across all of ca3, we supported the use of alternate plaintext frequency distribution data.

Add multithreading support to functions like BB98 and the padding oracle attacks to speed them up

This would be useful for fault injection against hardware that performs RSA private key operations. ca3 already has RSA-CRT fault attack code, but the non-CRT variant of the attack gets into a little more crazy math.