Thursday, April 27, 2017

Cryptopals Set 2

  • Challenge 9 and 15 PKCS#7 padding -- the challenges do not make clear that that if the final data block fits the data block perfectly (e.g. there are 16 bytes of data remaining in the final 16-byte block), an additional block should be appended as padding.
  • Challenge 14 Byte-at-a-time ECB decryption -- this is indeed a harder variant of challenge 12, since a random number of bytes being prefixed to the attacker-controlled text means that the oracle is not always reliable. From previous challenges, however, we know that repeating blocks are encrypted identically in ECB mode. We can therefore prepend the attacker-controlled text with two repeating blocks, i.e. have the oracle encrypt (random prefix || repeating blocks || attacker-controlled text || target-bytes). If we observe repeating blocks, we know where our attacker-controlled text begins (as a wrapper around the oracle function, call this "smart oracle"). Assuming that the random number of bytes prefixed is uniformly distributed over integers with some upper boundary N, it will take roughly N times more calls to the oracle to achieve a desirable result... which is reasonable as it scales linearly. I'm still missing something as the smart oracle sometimes fails, but decryption generally works after a few tries.