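"""[Crypto] C4: leaky power -- xp0int, posted on Nov 23 2018.

Tags: side-channel attack, CPA (correlation power analysis), power analysis.
Reference: https://hitcon.org/2015/ENT/PDF/Power%20Analysis%20Attacks_JP,%20YH.pdf

Write-up notes (translated from the original Chinese):

The exploitable leakage comes from the first AES round (AddRoundKey followed
by SubBytes; ShiftRows only permutes bytes and changes no Hamming weight, so
the S-box output is the value that is modelled).  XOR one hypothesised key
byte with the plaintext byte at the same position, look the result up in the
S-box, and take the Hamming weight of that value as the hypothetical power
consumed by the step.  Compute the Pearson correlation coefficient (by absolute
value) between the hypothetical power and the measured power at every sample
point: the key guess with the largest correlation is the one whose power
variation matches best, i.e. the correct key byte.  Repeating this for every
byte position recovers the full AES-128 key.

"However I did not know how to decrypt JWE AES-128-GCM, thought my key was
wrong, and only learned how to decrypt it from a write-up after the contest. TAT"

Reviewer notes on this version of the script:

* The per-(guess, sample-point) ``scipy.stats.pearsonr`` loop is replaced by
  one vectorised Pearson correlation per byte position (same numbers up to
  floating-point rounding, orders of magnitude faster).
* AES-GCM decryption now authenticates the JWE protected header as AAD and
  calls ``finalize()`` so the tag is actually verified.  The original called
  only ``update()``, which returns plaintext *without* checking the tag; a
  verified tag is also independent confirmation that the recovered key is
  right.  The recovered key is used directly as the content-encryption key,
  so the JWE presumably uses ``alg: dir`` (not verified here).
* The key used for decryption is the per-byte guess with the largest |r|, as
  the write-up describes; in the recorded run that was always the
  negative-correlation candidate (``low_key``), which the original used.
"""

import json
import sys
from base64 import urlsafe_b64decode
from binascii import hexlify

import numpy as np

# AES forward S-box (FIPS-197), indexed by the byte value.
SBOX = [
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
]


def calc_iv(p: int, k: int) -> int:
    """Hypothetical first-round intermediate value: SubBytes(p XOR k)."""
    return SBOX[p ^ k]


def HD(a: int, b: int) -> int:
    """Hamming distance between two non-negative integers (popcount of a XOR b)."""
    return bin(a ^ b).count("1")


def HW(a: int) -> int:
    """Hamming weight (number of set bits) of a non-negative integer."""
    return HD(a, 0)


# Hamming weight of every byte value; the leakage model used by the attack.
HW_TABLE = [HW(x) for x in range(0x100)]

# Array copies of the tables so a whole (guess x trace) matrix can be looked up at once.
_SBOX_ARR = np.array(SBOX, dtype=np.uint8)
_HW_ARR = np.array(HW_TABLE, dtype=np.float64)


def pearson_matrix(hypo: np.ndarray, traces: np.ndarray) -> np.ndarray:
    """Pearson r between every row of `hypo` and every column of `traces`.

    Args:
        hypo: (K, N) hypothetical power, one row per key guess.
        traces: (N, S) measured power, one row per trace, one column per sample point.

    Returns:
        (K, S) array of correlation coefficients.  A row or column with zero
        variance (where Pearson r is undefined) yields r = 0 rather than NaN,
        so it can never be selected as a best guess.
    """
    h = hypo - hypo.mean(axis=1, keepdims=True)
    t = traces - traces.mean(axis=0, keepdims=True)
    num = h @ t
    den = np.sqrt(np.outer((h * h).sum(axis=1), (t * t).sum(axis=0)))
    with np.errstate(divide="ignore", invalid="ignore"):
        return np.where(den > 0, num / den, 0.0)


def cpa_byte(plain_col: np.ndarray, traces: np.ndarray) -> np.ndarray:
    """Correlate all 256 key guesses for one byte position against the traces.

    Args:
        plain_col: (N,) plaintext bytes at this position, one per trace.
        traces: (N, S) measured power.

    Returns:
        (256, S) matrix of Pearson r values, indexed [key_guess, sample_point].
    """
    plain_col = np.asarray(plain_col, dtype=np.uint8)
    guesses = np.arange(0x100, dtype=np.uint8)
    # HW(SBOX[p ^ k]) for every guess k (rows) and every trace (columns).
    hypo = _HW_ARR[_SBOX_ARR[plain_col[None, :] ^ guesses[:, None]]]
    return pearson_matrix(hypo, traces)


def _extreme(corr: np.ndarray, pick) -> tuple[float, int, int]:
    """Return (r, sample_point, key_guess) at the flat index chosen by `pick`.

    Ties resolve to the first occurrence in (guess, sample) row-major order,
    matching the original nested-loop scan.
    """
    guess, sample = np.unravel_index(pick(corr), corr.shape)
    return float(corr[guess, sample]), int(sample), int(guess)


def recover_key(plaintexts: np.ndarray, traces: np.ndarray) -> list[tuple[tuple[float, int, int], tuple[float, int, int]]]:
    """Run first-round CPA on every byte position of the plaintexts.

    Args:
        plaintexts: (N, 16) plaintext bytes, one row per trace.
        traces: (N, S) measured power samples, one row per trace.

    Returns:
        One (positive, negative) pair per byte position, each a
        (r, sample_point, key_guess) tuple for the largest and the smallest
        (most negative) correlation found for that byte.

    Raises:
        ValueError: if the inputs are not 2-D or have different trace counts.
    """
    plaintexts = np.asarray(plaintexts, dtype=np.uint8)
    traces = np.asarray(traces, dtype=np.float64)
    if plaintexts.ndim != 2 or traces.ndim != 2:
        raise ValueError("plaintexts and traces must both be 2-D arrays")
    if plaintexts.shape[0] != traces.shape[0]:
        raise ValueError("plaintexts and traces must have one row per trace")
    results = []
    for i in range(plaintexts.shape[1]):
        corr = cpa_byte(plaintexts[:, i], traces)
        results.append((_extreme(corr, np.argmax), _extreme(corr, np.argmin)))
    return results


def candidate_keys(results) -> tuple[bytes, bytes, bytes]:
    """Assemble candidate keys from `recover_key` output.

    Returns:
        (high_key, low_key, best_key): the bytes with the largest positive
        correlation, the bytes with the most negative correlation, and per byte
        whichever of the two has the larger |r| (the write-up's selection rule).
    """
    high_key = bytes(hi[2] for hi, _ in results)
    low_key = bytes(lo[2] for _, lo in results)
    best_key = bytes((hi if abs(hi[0]) >= abs(lo[0]) else lo)[2] for hi, lo in results)
    return high_key, low_key, best_key


def b64d(x) -> bytes:
    """base64url-decode a JWE field, re-adding the padding JOSE strips."""
    if isinstance(x, bytes):
        x = x.decode("ascii")
    x = str(x)
    return urlsafe_b64decode(x + "=" * (-len(x) % 4))


def jwe_aad(jwe: dict) -> bytes:
    """Additional authenticated data of a JWE in JSON serialisation.

    RFC 7516 section 5.1 step 14: ASCII(protected header), or
    ASCII(protected header || '.' || aad) when an "aad" member is present.
    """
    aad = jwe.get("protected", "")
    if "aad" in jwe:
        aad = f"{aad}.{jwe['aad']}"
    return aad.encode("ascii")


def decrypt_jwe_gcm(jwe: dict, key: bytes, *, verify_tag: bool = True) -> bytes:
    """Decrypt a JWE's ciphertext with AES-GCM under `key` used directly as the CEK.

    Args:
        jwe: parsed JWE JSON serialisation with "ciphertext", "iv" and "tag".
        key: AES key (16 bytes for AES-128).
        verify_tag: when True (default) the AAD is authenticated and the GCM
            tag is checked; when False only `update()` is run, i.e. the
            plaintext is returned UNAUTHENTICATED (the original script's behaviour).

    Raises:
        cryptography.exceptions.InvalidTag: tag mismatch -- wrong key or wrong AAD.
    """
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    decryptor = Cipher(
        algorithms.AES(key),
        modes.GCM(b64d(jwe["iv"]), b64d(jwe["tag"])),
        backend=default_backend(),
    ).decryptor()
    if not verify_tag:
        return decryptor.update(b64d(jwe["ciphertext"]))
    decryptor.authenticate_additional_data(jwe_aad(jwe))
    # finalize() is where the tag is actually verified.
    return decryptor.update(b64d(jwe["ciphertext"])) + decryptor.finalize()


def main() -> int:
    """Load the traces, recover the key by CPA and decrypt the challenge JWE."""
    plaintexts = np.load("plaintexts.npy")
    traces = np.load("powertraces.npy")

    results = recover_key(plaintexts, traces)
    for i, (hi, lo) in enumerate(results):
        print(i, *hi)
        print(i, *lo)
    high_key, low_key, best_key = candidate_keys(results)
    print(len(high_key), hexlify(high_key))
    print(len(low_key), hexlify(low_key))
    print(len(best_key), hexlify(best_key), "(largest |r| per byte; used below)")

    with open("instructions_corrected.jwe", encoding="utf-8") as fh:
        jwe = json.load(fh)

    from cryptography.exceptions import InvalidTag

    try:
        plaintext = decrypt_jwe_gcm(jwe, best_key)
    except InvalidTag:
        print("GCM tag did not verify: wrong key or wrong AAD.", file=sys.stderr)
        print("UNAUTHENTICATED plaintext (tag not checked) follows:", file=sys.stderr)
        print(decrypt_jwe_gcm(jwe, best_key, verify_tag=False).decode())
        return 1
    print(plaintext.decode())
    return 0


if __name__ == "__main__":
    sys.exit(main())

# Output of the original (scipy-based) run starts here and continues on the page:
# (venv) λ python crack.py
# 0 0.6235373724389712 114 211
# 0 -0.864475340612614 148 210
# 1 0.665800498875515 210 223
# 1
# (the remaining output lines follow on the page)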
-0.8440273391864009 1701 222 2 0.614331752059924 306 160 2 -0.8537738941711083 341 160 3 0.6423300400706865 402 86 3 -0.8373798368827572 436 87 4 0.6375106008273518 498 208 4 -0.757379737720213 532 209 5 0.6719557453955896 594 21 5 -0.8498901516750693 2994 20 6 0.6179771538740079 2534 95 6 -0.7668631808119761 2444 95 7 0.6231260856938708 786 69 7 -0.8475243129408507 2872 69 8 0.6703828923865357 882 102 8 -0.7369442781782859 917 103 9 0.7095431615720739 978 151 9 -0.8199745878479294 1012 150 10 0.7153802649812145 1074 150 10 -0.8510449875644455 1109 150 11 0.6871832223824869 1170 97 11 -0.8095920176359938 1205 96 12 0.7190740164721233 1266 37 12 -0.8308649556693755 1301 36 13 0.6566935113531981 1362 166 13 -0.8985382818832175 1398 167 14 0.6977116838218662 1458 3 14 -0.8377841580416852 1492 3 15 0.6727102924919851 1554 178 15 -0.854737268807917 1588 178 16 b'd3dfa056d0155f456697966125a603b2' 16 b'd2dea057d1145f456796966024a703b2' CONFIDENTIAL To disable C4, you will need: - 6 bits of Dragon Sumac - 1 nibble of Winter Spice - 1 byte of Drake Cardamom - 1 flag with value flag-e2f27bac480a7857de45 - 2 diskfulls of Tundra Chives - 5 forks Grind the Dragon Sumac in a cup, making sure you don't break the cup as it's probably a delicate cup. Add a sprinkle of liquid ice to turn it into a cream-like paste, then add the Winter Spice, first almost everything, then the last tiny remnants. Fill a pan with elemental water, add the mixture and cool it down with how cool you are, then bring the mixture to a boil. Let it cool down to the body temperature of a reptile before adding the Drake Cardamom and Tundra Chives, all at once of one, then half at a time of the other. Bring everything back to a boil, turn of the heat, mix with the forks and let everything cool down. If you touch the liquid and it burns you, it hasn't cooled down enough. Whisk the mixture heavily to aerate it. Stop when it's frothy. Drinking the potion will disable C4. 
note: A small, but very cold amount is needed for the potion to be effective. Mixing it in a milkshake could work, but be wary of brain freeze. ```