CBC Padding Oracle Attack
原理:
https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
https://www.jianshu.com/p/1851f778e579
https://www.cnblogs.com/LittleHann/p/3391393.html
总结:
在加密解密中,为了针对不同长度的明文都能进行加密,经常会有分组与填充的情况。对于CBC模式,经常使用的模式是PKCS#5,即:最后缺少x字节,就填充x字节的x。
同时,在解密的过程中,一旦解密出来的结果不符合PKCS#5的填充规则,那么会给出与正确解密不一致的提示信息,这就给了攻击者暴力破解的可乘之机。
题目链接:
https://github.com/sonickun/ctf-crypto-writeups/tree/master/2016/hack.lu-ctf/cryptolocker
先分析题目的关键代码
class AESCipher(object):
def __init__(self, key):
self.bs = 32
self.key = key
def encrypt(self, raw):
raw = self._pad(AESCipher.str_to_bytes(raw))
iv = Random.new().read(AES.block_size)
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return iv + cipher.encrypt(raw)
def _pad(self, s):
return s + (self.bs - len(s) % self.bs) * AESCipher.str_to_bytes(chr(self.bs - len(s) % self.bs))AES加密,16个字节一组,以PKCS#5方式填充,CBC模式
user_input = sys.argv[2].encode('utf-8')
assert len(user_input) == 8
i = len(user_input) // 4
keys = [ # Four times 256 is 1024 Bit strength!! Unbreakable!!
hashlib.sha256(user_input[0:i]).digest(),
hashlib.sha256(user_input[i:2*i]).digest(),
hashlib.sha256(user_input[2*i:3*i]).digest(),
hashlib.sha256(user_input[3*i:4*i]).digest(),
]
s = SecureEncryption(keys)自己的密钥为8位,分成4组,不够的程序自动填充
所以,满足攻击条件,我们只需要暴力密钥,然后对明文解密,根据padding的情况是不是符合格式来判断密钥是否正确即可。暴力成功后,直接解密得到flag
import sys
import hashlib
from AESCipher import *
import string
import itertools
class SecureEncryption(object):
def __init__(self, keys):
#assert len(keys) == 4
self.keys = keys
self.ciphers = []
for i in range(len(keys)):
self.ciphers.append(AESCipher(keys[i]))
def enc(self, plaintext): # Because one encryption is not secure enough
one = self.ciphers[0].encrypt(plaintext)
two = self.ciphers[1].encrypt(one)
three = self.ciphers[2].encrypt(two)
ciphertext = self.ciphers[3].encrypt(three)
return ciphertext
def dec(self, ciphertext):
three = AESCipher._unpad(self.ciphers[3].decrypt(ciphertext))
two = AESCipher._unpad(self.ciphers[2].decrypt(three))
one = AESCipher._unpad(self.ciphers[1].decrypt(two))
plaintext = AESCipher._unpad(self.ciphers[0].decrypt(one))
return plaintext
def mydec(self, ciphertext):
tmp = ciphertext
for i in range(len(self.keys)-1):
tmp = AESCipher._unpad(self.ciphers[len(self.keys)-i-1].decrypt(tmp))
plaintext = self.ciphers[0].decrypt(tmp)
return plaintext
def checkPadding1(plain):
padlen = ord(plain[-1])
pad = chr(padlen)*padlen
if plain[-padlen:] != pad or padlen > 32 or padlen == 1:
return False
else:
return True
def checkPadding2(plain):
pad = chr(16)*16
if len(plain) > 1 and plain[-16:] == pad:
return True
else:
return False
cipher = open("flag.encrypted", "rb").read()
keys = []
password = ""
charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
for i in range(4):
for c in itertools.product(charset, repeat=2):
user_input = "".join(c)
tmp_keys = keys[:]
tmp_keys.insert(0, hashlib.sha256(user_input).digest())
s = SecureEncryption(tmp_keys)
plain = s.mydec(cipher)
if i == 3:
if checkPadding1(plain):
keys = tmp_keys[:]
password = user_input + password
print "[+] found password:", password
open("flag.odt", "wb").write(AESCipher._unpad(plain))
break
else:
if checkPadding2(plain):
keys = tmp_keys[:]
password = user_input + password
print "[+] found password:", password
break
代码即为链接中的solver.py
学到了一个新的暴力姿势:
charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
for c in itertools.product(charset, repeat=2):
user_input = "".join(c)
京公网安备 11010502036488号