Breaking my Security Assignments
37 points by zk
One of my regrets from taking Computer Security in undergrad was that I had figured out a plan to steal one of the CTF boxes and bring it to class but I chickened out. Using traceroute I had figured out which floor of the computer science building it was in, and then I figured out how to wake up the screen over Remote Desktop. I could see it on the other side of a window in a room. I was friends with most of the janitorial staff; I was the president of the student society and often enough locked myself out of private study rooms or meeting rooms, and they were pretty generous about helping out if that happened.
Mostly I didn’t do it because I didn’t want the janitors to get in trouble for helping me steal it. But man… it would have been the funniest thing.
Fun story.
That crypto scheme looks fishy. With just plain AES (and no integrity, e.g. HMAC or GCM), then if you have a valid token for Ex11, you can craft a valid token for any other exercise (say, Ex12) by incrementing the corresponding byte in the ciphertext. That will decrypt to “Ex12” just fine.
Partly this depends on which block mode your Java security provider chooses for the underspecified Cipher.getInstance("AES").
Just requesting “AES” is supposed to give you “raw” AES without any block chaining transform, so I don’t think the example is exploitable that way. Because each token is only one block there isn’t any need for block chaining.
From https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html :
A transformation is of the form: “algorithm/mode/padding” or “algorithm” (in the latter case, provider-specific default values for the mode and padding scheme are used).
i.e. there’s still a block cipher mode selected, it’s just left for the provider to choose.
That is what it says, but the default provider just gives back raw AES, as far as I can tell. (And I doubt they would be bundling another provider). Technically it is AES with “ECB” block mode which is really just saying that there is no block chaining, each block is independently encrypted/decrypted, and there is no IV. I.e. although ECB is described as a block mode, it’s effectively just “use the cipher and don’t do any transform on the output”.
If it was using any other block mode, it would use a randomly generated IV, and since the code doesn’t account for that (doesn’t set a specific IV), there would be no way to verify the token as the IV would not be known (and it’s not possible to decrypt the token without the IV).
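An added example (not code from the thread or the assignment) that checks the points made above against the default SunJCE provider: it assumes a single-block token like the "Ex11" discussed here and a freshly generated 128-bit key. It shows that the underspecified "AES" resolves to AES/ECB/PKCS5Padding, that flipping one byte of a single ECB block scrambles the whole block rather than yielding a chosen value, and how an authenticated mode rejects the tampered token outright.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class TokenModes {
    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // 128-bit default
        byte[] token = "Ex11".getBytes(StandardCharsets.US_ASCII);      // constructed token

        // 1. The underspecified transformation: SunJCE fills in ECB + PKCS5Padding.
        Cipher plain = Cipher.getInstance("AES");
        plain.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = plain.doFinal(token);                  // one 16-byte block
        Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
        ecb.init(Cipher.ENCRYPT_MODE, key);
        System.out.println("\"AES\" == AES/ECB/PKCS5Padding: " + Arrays.equals(ct, ecb.doFinal(token)));

        // 2. Single-block ECB: changing one ciphertext byte does not change one
        //    plaintext byte; the whole block decrypts to garbage and the padding
        //    check usually fails. No IV is involved, so decryption needs only the key.
        byte[] tampered = ct.clone();
        tampered[3] ^= 0x01;
        plain.init(Cipher.DECRYPT_MODE, key);
        try {
            System.out.println("tampered ECB block decrypts to: " + Arrays.toString(plain.doFinal(tampered)));
        } catch (BadPaddingException e) {
            System.out.println("tampered ECB block rejected by padding check: " + e);
        }

        // 3. The fix the thread hints at: an authenticated mode (AES/GCM/NoPadding)
        //    binds an integrity tag to the ciphertext, so any edit is refused.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                  // must be stored alongside the token
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] sealed = gcm.doFinal(token);                // ciphertext || 16-byte tag
        sealed[3] ^= 0x01;
        gcm.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        try {
            gcm.doFinal(sealed);
        } catch (AEADBadTagException e) {
            System.out.println("tampered GCM token rejected: " + e.getMessage());
        }
    }
}
```

Even though the single-block ECB token cannot be bit-flipped to a chosen value, it still leaks equality (identical tokens encrypt identically) and gives no integrity guarantee, which is why the authenticated construction in step 3 is the one to ship.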