CryptoToolchain

This is a suite of tools for ruining the blue team's day with respect to crypto.

It is mostly based on the Matasano/Cryptopals challenges, because they lead you by the hand down the garden path to breaking a good number of common cryptographic vulnerabilities.

NB: These will probably never be finished

Add --tag ~slow to your .rspec file if you don't want to run slow tests.

Cryptopals progress

Set 1: Basics

• [x] Convert hex to base64
• [x] Fixed XOR
• [x] Single-byte XOR cipher
• [x] Detect single-character XOR
• [x] Implement repeating-key XOR
• [x] Break repeating-key XOR
• [x] AES in ECB mode
• [x] Detect AES in ECB mode

Set 2: Block crypto

• [x] Implement PKCS#7 padding
• [x] Implement CBC mode
• [x] An ECB/CBC detection oracle
• [x] Byte-at-a-time ECB decryption (Simple)
• [x] ECB cut-and-paste
• [x] Byte-at-a-time ECB decryption (Harder)
• [x] PKCS#7 padding validation
• [x] CBC bitflipping attacks

Set 3: Block & stream crypto

• [x] The CBC padding oracle
• [x] Implement CTR, the stream cipher mode
• [x] Break fixed-nonce CTR mode using substitutions
• [x] Break fixed-nonce CTR statistically
• [x] Implement the MT19937 Mersenne Twister RNG
• [x] Crack an MT19937 seed
• [x] Clone an MT19937 RNG from its output
• [x] Create the MT19937 stream cipher and break it

Set 4: Stream crypto & randomness

• [x] Break "random access read/write" AES CTR
• [x] CTR bitflipping
• [x] Recover the key from CBC with IV=Key
• [x] Implement a SHA-1 keyed MAC
• [x] Break a SHA-1 keyed MAC using length extension
• [x] Break an MD4 keyed MAC using length extension
• [x] Implement and break HMAC-SHA1 with an artificial timing leak
  • See timing_attack for a timing attack tool
  • See camelflage for the vulnerable server
• [x] Break HMAC-SHA1 with a slightly less artificial timing leak
  • See timing_attack for a timing attack tool
  • See camelflage for the vulnerable server

Set 5: Diffie-Hellman & friends

• [x] Implement Diffie-Hellman
• [x] Implement a MITM key-fixing attack on Diffie-Hellman with parameter injection
• [x] Implement DH with negotiated groups, and break with malicious "g" parameters
• [x] Implement Secure Remote Password (SRP)
• [x] Break SRP with a zero key
• [x] Offline dictionary attack on simplified SRP
• [x] Implement RSA
• [x] Implement an E=3 RSA Broadcast attack

Set 6: RSA & DSA

• [x] Implement unpadded message recovery oracle
• [x] Bleichenbacher's e=3 RSA Attack
• [x] DSA key recovery from nonce
• [x] DSA nonce recovery from repeated nonce
• [x] DSA parameter tampering
• [x] RSA parity oracle
• [x] Bleichenbacher's PKCS 1.5 Padding Oracle (Simple Case)
• [x] Bleichenbacher's PKCS 1.5 Padding Oracle (Complete Case)

Set 7: Hashes

• [ ] CBC-MAC Message Forgery
• [ ] Hashing with CBC-MAC
• [ ] Compression Ratio Side-Channel Attacks
• [ ] Iterated Hash Function Multicollisions
• [ ] Kelsey and Schneier's Expandable Messages
• [ ] Kelsey and Kohno's Nostradamus Attack
• [ ] MD4 Collisions
• [ ] RC4 Single-Byte Biases

Set 8: Abstract Algebra

• [ ] Diffie-Hellman Revisited: Small Subgroup Confinement
• [ ] Pollard's Method for Catching Kangaroos
• [ ] Elliptic Curve Diffie-Hellman and Invalid-Curve Attacks
• [ ] Single-Coordinate Ladders and Insecure Twists
• [ ] Duplicate-Signature Key Selection in ECDSA (and RSA)
• [ ] Key-Recovery Attacks on ECDSA with Biased Nonces
• [ ] Key-Recovery Attacks on GCM with Repeated Nonces
• [ ] Key-Recovery Attacks on GCM with a Truncated MAC