Padding Oracle Attack

相关原理

占坑(大概不填了)

测试代码

使用aes测试(理论上所有使用CBC的分组加密都有这个问题)

readme

  1. 适用范围:CBC分组加密密码,PKCS#5或PKCS#7 padding方式
  2. try_dec输入bytes的待解密文本,输出True为可通过unpad,输出False为不通过unpad
  3. 如果给iv可以解密所有密文,否则不能解密第一组
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/usr/bin/env python3
from Crypto.Cipher import AES
from Crypto.Util import number
from Crypto.Util.strxor import strxor
import os

def pad(plain):
'''
using pkcs#7 standard
'''
to_pad = 16 - len(plain) % 16
return plain + number.long_to_bytes(to_pad)*to_pad

def unpad(cipher):
if cipher[-1] > 16 or cipher[-1] == 0:
raise Exception
cipher_len = len(cipher)
for i in range(cipher_len - 1, cipher_len - cipher[-1] - 1, -1):
if cipher[i] != cipher[-1]:
raise Exception
return cipher[:-cipher[-1]]

iv = os.urandom(16)
key = os.urandom(16)

aes = AES.new(key, AES.MODE_CBC, iv)
plain_text = b"VT-x or AMD-v virtualization must be enabled"
# 3 groups
padded = pad(plain_text)
cipher = aes.encrypt(padded)

def try_dec(cipher):
try:
x = aes.decrypt(cipher)
plain = unpad(x)
# print(x)
return True
except:
return False

# ♂ it

# if the system give you the iv
cipher = iv+cipher

block_len = 16

cipher_len = len(cipher)
groups = [ cipher[i:i + block_len] for i in range(0, cipher_len, block_len) ]
groups_len = len(groups)
res = b''

for group_num in range(groups_len-2, -1, -1):
# last num
cipher_array = bytearray(cipher)
intermediary = bytearray(block_len)
flag = 0
for i in range(256):
cipher_array[block_len * group_num + block_len - 1] = i
test_cipehr = bytes(cipher_array)
if try_dec(test_cipehr):
if i == cipher[block_len * group_num + block_len - 1]: continue
intermediary[block_len - 1] = 1 ^ i
flag = 1
if not flag:
intermediary[block_len - 1] = 1 ^ cipher[block_len * group_num + block_len - 1]
# rest num
for i in range(block_len - 2, -1, -1):
fill_value = block_len - i
for j in range(i+1, block_len):
cipher_array[block_len * group_num + j] = intermediary[j] ^ fill_value
for j in range(256):
cipher_array[block_len * group_num + i] = j
test_cipehr = bytes(cipher_array)
if try_dec(test_cipehr):
intermediary[i] = fill_value ^ j

res = strxor(groups[group_num], bytes(intermediary)) + res
cipher = cipher[:-block_len]

print(res)
知识共享许可协议
本作品采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议进行许可。