Class: Analyzers::CbcMac::VariableLength::Analyzer

Inherits:
Object
Defined in:
lib/crypto-toolbox/analyzers/cbc_mac/variable_length/analyzer.rb

Constructor Details

#initialize(oracle_class = ::Analyzers::CbcMac::VariableLength::Oracles::Tcp, block_length = 32) ⇒ Analyzer

This class implements an attack on CBC-MAC with variable-length messages. The issue has been known for a long time, so any implementation should avoid this mode. This code shows how to forge a tag in this mode and can be seen as a PoC.

Thanks to Matthew Green for this great article about the potential implementation problems of CBC-MAC: blog.cryptographyengineering.com/2013/02/why-i-hate-cbc-mac.html

This class has the VL (variable length) suffix in its name to make it 100% clear that this attack works only under this condition.



# File 'lib/crypto-toolbox/analyzers/cbc_mac/variable_length/analyzer.rb', line 18

def initialize(oracle_class = ::Analyzers::CbcMac::VariableLength::Oracles::Tcp, block_length = 32)
  @oracle = oracle_class.new
end

Instance Method Details

#analyze(target_message) ⇒ Object

NOTE: handle too short messages properly



# File 'lib/crypto-toolbox/analyzers/cbc_mac/variable_length/analyzer.rb', line 23

def analyze(target_message)
  @oracle.connect

  # split the target message into chunks of size N (e.g. 32)
  target_bufs = CryptBuffer(target_message).chunks_of(32)

  # receive the valid mac for the first chunk of the target message
  tag1 = CryptBuffer(@oracle.mac(target_bufs[0]))

  # build the attack message from the target chunks and the first chunk's tag,
  # then let the oracle compute a tag for it
  attack_message = assemble_malicious_message(target_bufs, tag1)
  forged_tag = @oracle.mac(attack_message)

  # ask the oracle whether the forged tag is accepted for the original target message
  ret = @oracle.verify(target_message, forged_tag)

  report_result(ret, forged_tag)

  @oracle.disconnect
end
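
Added example (not part of crypto-toolbox): a local, in-process illustration of why the two oracle queries in `analyze` produce a tag that verifies under raw CBC-MAC, next to a length-prefixed variant that rejects it. AES-128 with 16-byte blocks, the demo key and message, and the `forge` helper standing in for `assemble_malicious_message` (whose body is not shown on this page) are assumptions constructed for illustration.

```ruby
require 'openssl'

BLOCK = 16 # AES block size in bytes (assumption; the page chunks by 32)
KEY = ('k' * BLOCK).b                              # constructed demo key
TARGET = ('A' * BLOCK + 'B' * BLOCK + 'C' * BLOCK).b # constructed 3-block message

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Raw CBC-MAC: zero IV, tag = last ciphertext block. Weak for variable lengths.
def cbc_mac(key, msg)
  raise ArgumentError, 'need whole blocks' if msg.empty? || msg.bytesize % BLOCK != 0
  aes = OpenSSL::Cipher.new('aes-128-ecb').encrypt
  aes.key = key
  aes.padding = 0
  msg.bytes.each_slice(BLOCK).reduce("\0" * BLOCK) do |state, blk|
    aes.update(xor(state, blk.pack('C*')))
  end
end

# Corrected variant: the byte length is MACed as an extra first block.
def cbc_mac_len(key, msg)
  cbc_mac(key, [msg.bytesize].pack('Q>').rjust(BLOCK, "\0") + msg)
end

# The two oracle queries from analyze, with a textbook splice standing in for
# assemble_malicious_message (hypothetical reconstruction, not the project's code).
def forge(mac, target)
  raise ArgumentError, 'target needs at least two blocks' if target.bytesize < 2 * BLOCK
  tag1 = mac.call(target.byteslice(0, BLOCK))  # tag of the first block only
  rest = target.byteslice(BLOCK..)
  attack = xor(rest.byteslice(0, BLOCK), tag1) + rest.byteslice(BLOCK..)
  mac.call(attack)                             # the target itself is never queried
end

# Does each construction accept the forged tag for TARGET?
def demo
  raw  = forge(->(m) { cbc_mac(KEY, m) }, TARGET) == cbc_mac(KEY, TARGET)
  hard = forge(->(m) { cbc_mac_len(KEY, m) }, TARGET) == cbc_mac_len(KEY, TARGET)
  { raw_accepts_forgery: raw, length_prefixed_accepts_forgery: hard }
end

p demo if $PROGRAM_NAME == __FILE__
```

The length check in `forge` covers the too-short-message case flagged in the NOTE above; for production use, a standardized MAC such as CMAC or HMAC is preferable to a hand-rolled length prefix.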