Assignment #2 - AES-CTR

In cryptography, there are many ways to make a secure scheme weak by neglecting just one small detail. Some of these mistakes are not uncommon even among security practitioners. In this assignment, you will play the role of the attacker and see how easy it is to exploit one such oversight.

One by one, ten plaintext sentences (in ASCII, including spaces, starting with a capital letter) were encrypted using 256-bit key AES in CTR mode. Each of the sentences is short enough to fit into two AES blocks (the rest of the second block is padded with sufficiently many zero bytes so that the total length of the padded sentence is exactly 32 bytes — e.g., b'This is a two block sentence.\x00\x00\x00' in Python notation) and the $n$-th sentence begins at the beginning of the $(2n-1)$-th block for all $n \in \{1, 2, \ldots, 10\}$. Unfortunately, the counter got reset to the string of 128 zero bits each time a sentence was being encrypted (thus the value b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\0x00') was used for the first block of each sentence, while the value b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\0x01' was used for the second block of each sentence). You have intercepted the concatenation of the ciphertexts (in hexadecimal, i.e., base 16); you can find it on this server under the path /hw02/input/1234, where you replace 1234 with your UCO.

Tasks

1. Divide the intercepted text into the ten individual ciphertexts (whose length is twice the AES block length). Note the difference between block length and key length.
2. Try to observe a pattern in the endings of the ciphertexts (if you don’t see any, you probably did not solve step 1 correctly). Use this together with your knowledge of the CTR mode and the padding to recover the last few characters of the encrypted counter.
   Hint: You can see how CTR works with random nonce - in our case, the nonce is equal to the array of zero bytes!
3. Guess more of the sentence endings in order to recover more bytes of the encrypted counter.
   Hint: the ASCII sentences must be meaningful.
4. Repeat step 3 until you recover all sentences as well as both blocks of the encrypted counter. We will call the concatenation of the two encrypted counter blocks the keystream.
5. New information has arrived! The hexadecimal value provided in the input file is the used key (in previous tasks) encrypted the same way as all of the sentences. In other words, the key (as a message) is encrypted by AES-CTR using the same key and the same counter (128 zero bits). Reconstruct the key.
6. Use Python (e.g. hazmat) and encrypt the concatenation of all padded sentences (each with the same padding as before) with AES-CTR using the same key as before, but this time correctly incrementing the counter for each block and each sentence.
   Hint: you already know the first two output blocks; you can use them as a sanity check.
7. Describe what you did in the previous steps (1-5) and explain the principles that allowed you to recover the encrypted counter and the plaintexts. Focus on the concepts, not the details. What’s the main reason that allowed you to perform the attack?

Submission

Submit two files solution.txt and src6.py (if you did not implement step 6, submit an empty file), into the HW02 vault.

• Submit a text file named solution.txt whose first three lines are (all in hexadecimal):
  • The keystream (the result of step 4)
  • The AES key (the result of step 5)
  • The properly encrypted concatenated padded sentences (the result of step 6)
  • The rest of the file should contain your reasoning from step 7
• Also, submit a Python file named src6.py with the source code you used for encryption in step 6. The code should be commented on – comments should shortly explain what the used functions do.

You can find an example solution in the file example_solution.txt in the IS here (the values are just an illustration, while the reasoning shows what level of detail we expect). Please make sure to use the same formatting (no string prefix, one newline character) for your submission as in the example, otherwise you might lose points.