Math Functions in AES and Sage

16/01/19 — capitol

sunset

AES, also known as Rijndael, performs its operations in a Galois field of 28. It’s a construct where multiplication, division, addition and subtraction have new meanings and implementations. We will look at how these work and how Sage have made our life easier by implementing them for us.

One way to view the numbers in the field is that they represent polynomials. 0x53 is 01010011 in binary, or the polynomial x6 + x4 + x + 1.

Addition and Subtraction

Since all operations in the field are reduced with modulo 2, addition and subtraction become XOR. This is easiest demonstrated with a few examples borrowed from Wikipedia.

p1 p2 p1 + p2 (normal algebra) p1 + p2 in GF(2n)
x3 + x + 1 x3 + x2 2x3 + x2 + x + 1 x2 + x + 1
x4 + x2 x6 + x2 x6 + x4 + 2x2 x6 + x4
x + 1 x2 + 1 x2 + x + 2 x2 + x
x3 + x x2 + 1 x3 + x2 + x + 1 x3 + x2 + x + 1
x2 + x x2 + x 2x2 + 2x 0

Or seen in Sage:

R.<x> = PolynomialRing(GF(2^8), 'x')
S.<a> = QuotientRing(R, R.ideal(x^8 + x^4 + x^3 + x + 1))

z3 = a^3 + a + 1
z4 = a^3 + a^2
print(z3 + z4)

which prints a^2 + a + 1.

Multiplication

This gets a lot more complicated. If we continue to look at the numbers as polynomials, then all multiplication in GF(28) happens modulo x8 + x4 + x3 + x + 1.

The reason that it’s not a straight modulo operation is that if it were then the multiplication of two numbers could result in 0, which wouldn’t work.

An example is 0x53 * 0xCA = 0x01, since:

(x6 + x4 + x + 1)(x7 + x6 + x3 + x)

= (x13 + x12 + x9 + x7) + (x11 + x10 + x7 + x5) + (x8 + x7 + x4 + x2) + (x7 + x6 + x3 + x)

= x13 + x12 + x11 + x10 + x9 + x8 + x6 + x5 + x4 + x3 + x2 + x

And x13 + x12 + x11 + x10 + x9 + x8 + x6 + x5 + x4 + x3 + x2 + x modulo x8 + x4 + x3 + x + 1 is 1.

We can also see this in Sage:

R.<x> = PolynomialRing(GF(2^8), 'x')
S.<a> = QuotientRing(R, R.ideal(x^8 + x^4 + x^3 + x + 1))

z1 = a^6 + a^4 + a + 1
z2 = a^7 + a^6 + a^3 + a
print(z1 * z2)

which prints 1.

Exponentiation

Generally easy, since exponentiation is just repeated multiplication, but some of the numbers in AES have interesting properties. When you multiply those numbers with themselves they traverse all 255 non-zero numbers in the field. They are called generators and here is a list of them:

0x03 0x05 0x06 0x09 0x0b 0x0e 0x11 0x12 0x13 0x14 0x17 0x18 0x19 0x1a 0x1c 0x1e
0x1f 0x21 0x22 0x23 0x27 0x28 0x2a 0x2c 0x30 0x31 0x3c 0x3e 0x3f 0x41 0x45 0x46
0x47 0x48 0x49 0x4b 0x4c 0x4e 0x4f 0x52 0x54 0x56 0x57 0x58 0x59 0x5a 0x5b 0x5f
0x64 0x65 0x68 0x69 0x6d 0x6e 0x70 0x71 0x76 0x77 0x79 0x7a 0x7b 0x7e 0x81 0x84
0x86 0x87 0x88 0x8a 0x8e 0x8f 0x90 0x93 0x95 0x96 0x98 0x99 0x9b 0x9d 0xa0 0xa4
0xa5 0xa6 0xa7 0xa9 0xaa 0xac 0xad 0xb2 0xb4 0xb7 0xb8 0xb9 0xba 0xbe 0xbf 0xc0
0xc1 0xc4 0xc8 0xc9 0xce 0xcf 0xd0 0xd6 0xd7 0xda 0xdc 0xdd 0xde 0xe2 0xe3 0xe5
0xe6 0xe7 0xe9 0xea 0xeb 0xee 0xf0 0xf1 0xf4 0xf5 0xf6 0xf8 0xfb 0xfd 0xfe 0xff

We could write a small Sage program to print a complete loop for the generator 3:

R.<x> = PolynomialRing(GF(2^8), 'x')
S.<a> = QuotientRing(R, R.ideal(x^8 + x^4 + x^3 + x + 1))

z5 = a^0
z6 = a + 1

for i in range(16):
    s = ""
    for j in range(16):
        X1_bitvec = ''.join(map(str, z5.list()));
        X1 = Integer(str(X1_bitvec)[::-1], base=2);
        s += "0x%02X " % (X1)
        z5 *= z6
    print(s)

which prints this:

0x01 0x03 0x05 0x0F 0x11 0x33 0x55 0xFF 0x1A 0x2E 0x72 0x96 0xA1 0xF8 0x13 0x35 
0x5F 0xE1 0x38 0x48 0xD8 0x73 0x95 0xA4 0xF7 0x02 0x06 0x0A 0x1E 0x22 0x66 0xAA 
0xE5 0x34 0x5C 0xE4 0x37 0x59 0xEB 0x26 0x6A 0xBE 0xD9 0x70 0x90 0xAB 0xE6 0x31 
0x53 0xF5 0x04 0x0C 0x14 0x3C 0x44 0xCC 0x4F 0xD1 0x68 0xB8 0xD3 0x6E 0xB2 0xCD 
0x4C 0xD4 0x67 0xA9 0xE0 0x3B 0x4D 0xD7 0x62 0xA6 0xF1 0x08 0x18 0x28 0x78 0x88 
0x83 0x9E 0xB9 0xD0 0x6B 0xBD 0xDC 0x7F 0x81 0x98 0xB3 0xCE 0x49 0xDB 0x76 0x9A 
0xB5 0xC4 0x57 0xF9 0x10 0x30 0x50 0xF0 0x0B 0x1D 0x27 0x69 0xBB 0xD6 0x61 0xA3 
0xFE 0x19 0x2B 0x7D 0x87 0x92 0xAD 0xEC 0x2F 0x71 0x93 0xAE 0xE9 0x20 0x60 0xA0 
0xFB 0x16 0x3A 0x4E 0xD2 0x6D 0xB7 0xC2 0x5D 0xE7 0x32 0x56 0xFA 0x15 0x3F 0x41 
0xC3 0x5E 0xE2 0x3D 0x47 0xC9 0x40 0xC0 0x5B 0xED 0x2C 0x74 0x9C 0xBF 0xDA 0x75 
0x9F 0xBA 0xD5 0x64 0xAC 0xEF 0x2A 0x7E 0x82 0x9D 0xBC 0xDF 0x7A 0x8E 0x89 0x80 
0x9B 0xB6 0xC1 0x58 0xE8 0x23 0x65 0xAF 0xEA 0x25 0x6F 0xB1 0xC8 0x43 0xC5 0x54 
0xFC 0x1F 0x21 0x63 0xA5 0xF4 0x07 0x09 0x1B 0x2D 0x77 0x99 0xB0 0xCB 0x46 0xCA 
0x45 0xCF 0x4A 0xDE 0x79 0x8B 0x86 0x91 0xA8 0xE3 0x3E 0x42 0xC6 0x51 0xF3 0x0E 
0x12 0x36 0x5A 0xEE 0x29 0x7B 0x8D 0x8C 0x8F 0x8A 0x85 0x94 0xA7 0xF2 0x0D 0x17 
0x39 0x4B 0xDD 0x7C 0x84 0x97 0xA2 0xFD 0x1C 0x24 0x6C 0xB4 0xC7 0x52 0xF6 0x01 

Logarithms

When we have this table we can answer the question How many times must I multiply 3 with itself to get number x? by turning it inside out:

G = GF(2^8)
R.<x> = PolynomialRing(G, 'x')
S.<a> = QuotientRing(R, R.ideal(x^8 + x^4 + x^3 + x + 1))

z5 = a^0
z6 = a + 1

log_array = [None for v in range(256)]

for i in range(16):
    for j in range(16):
        X1_bitvec = ''.join(map(str, z5.list()));
        X1 = Integer(str(X1_bitvec)[::-1], base=2);
        z5 *= z6
        log_array[X1] = i * 16 + j;

for i in range(16):
    s = ""
    for j in range(16):
        if log_array[i * 16 + j] == None:
            s += "none "
        else:
            s += "0x%02X " % (log_array[i * 16 + j])
    print(s)

Which prints this table:

none 0xFF 0x19 0x01 0x32 0x02 0x1A 0xC6 0x4B 0xC7 0x1B 0x68 0x33 0xEE 0xDF 0x03 
0x64 0x04 0xE0 0x0E 0x34 0x8D 0x81 0xEF 0x4C 0x71 0x08 0xC8 0xF8 0x69 0x1C 0xC1 
0x7D 0xC2 0x1D 0xB5 0xF9 0xB9 0x27 0x6A 0x4D 0xE4 0xA6 0x72 0x9A 0xC9 0x09 0x78 
0x65 0x2F 0x8A 0x05 0x21 0x0F 0xE1 0x24 0x12 0xF0 0x82 0x45 0x35 0x93 0xDA 0x8E 
0x96 0x8F 0xDB 0xBD 0x36 0xD0 0xCE 0x94 0x13 0x5C 0xD2 0xF1 0x40 0x46 0x83 0x38 
0x66 0xDD 0xFD 0x30 0xBF 0x06 0x8B 0x62 0xB3 0x25 0xE2 0x98 0x22 0x88 0x91 0x10 
0x7E 0x6E 0x48 0xC3 0xA3 0xB6 0x1E 0x42 0x3A 0x6B 0x28 0x54 0xFA 0x85 0x3D 0xBA 
0x2B 0x79 0x0A 0x15 0x9B 0x9F 0x5E 0xCA 0x4E 0xD4 0xAC 0xE5 0xF3 0x73 0xA7 0x57 
0xAF 0x58 0xA8 0x50 0xF4 0xEA 0xD6 0x74 0x4F 0xAE 0xE9 0xD5 0xE7 0xE6 0xAD 0xE8 
0x2C 0xD7 0x75 0x7A 0xEB 0x16 0x0B 0xF5 0x59 0xCB 0x5F 0xB0 0x9C 0xA9 0x51 0xA0 
0x7F 0x0C 0xF6 0x6F 0x17 0xC4 0x49 0xEC 0xD8 0x43 0x1F 0x2D 0xA4 0x76 0x7B 0xB7 
0xCC 0xBB 0x3E 0x5A 0xFB 0x60 0xB1 0x86 0x3B 0x52 0xA1 0x6C 0xAA 0x55 0x29 0x9D 
0x97 0xB2 0x87 0x90 0x61 0xBE 0xDC 0xFC 0xBC 0x95 0xCF 0xCD 0x37 0x3F 0x5B 0xD1 
0x53 0x39 0x84 0x3C 0x41 0xA2 0x6D 0x47 0x14 0x2A 0x9E 0x5D 0x56 0xF2 0xD3 0xAB 
0x44 0x11 0x92 0xD9 0x23 0x20 0x2E 0x89 0xB4 0x7C 0xB8 0x26 0x77 0x99 0xE3 0xA5 
0x67 0x4A 0xED 0xDE 0xC5 0x31 0xFE 0x18 0x0D 0x63 0x8C 0x80 0xC0 0xF7 0x70 0x07 

One can notice that the first value is none. That is because multiplying two none-zero numbers never results in zero.

Division

We can use the logarithm table to perform division, because if a = gx and b = gy, then a/b = gx/gy = gx-y = g(x-y) mod 255 where g is one of the generators we talked about earlier.

To take an example, 49 / 11 becomes 347 / 3104 by looking up the numbers 49 and 11 in the logarithm table above. 49 is 0x31 so row 4 column 2 which reads 0x2F or 47 in decimal. 11 is 0x0B so row 1 column 12 which reads 0x68 which is 104 in decimal.

347 / 3104 becomes 347 - 104 mod 255 or 3198. 198 is 0xC6 so by looking in row 13 column 7 of the exponent table we find the value 0x07, which is the answer.

0x07 could also be written as a polynomial: x2 + x + 1

Or we could use the built in division support in Sage:

R.<x> = PolynomialRing(GF(2^8), 'x')
S.<a> = QuotientRing(R, R.ideal(x^8 + x^4 + x^3 + x + 1))

z7 = a^3 + a + 1
z8 = x^5 + a^4 + 1
print(z8 / z7)

Which prints: a^2 + a + 1

Postface

By understanding how the basic math functions work we have now laid a foundation to try to understand more advanced analyses of AES, but that will be another blog post.

Our 35C3 in pictures

07/01/19 — capitol

flags

IMG_20181226_172847.jpg IMG_20181226_183925.jpg IMG_20181226_184915.jpg IMG_20181226_191638.jpg IMG_20181227_122834.jpg IMG_20181227_183001.jpg IMG_20181228_125036.jpg IMG_20181228_191912.jpg IMG_20181229_151045.jpg IMG_20181229_151111.jpg IMG_20181229_174306.jpg IMG_20181229_194702.jpg IMG_20181229_201539.jpg IMG_20181229_214217.jpg IMG_20181230_135220.jpg IMG_20181230_135635.jpg IMG_20181230_135652.jpg IMG_20181230_135959.jpg IMG_20181230_155941.jpg IMG_20181230_160057.jpg IMG_20181230_165822.jpg

Solution to 35C3 Junior CTF challenge flags

05/01/19 — capitol

flags

Name:

flags

Category:

web

Points:

500 (variable)

Writeup

This was the challenge we got:

Fun with flags: http://35.207.169.47

Flag is at /flag

Difficulty estimate: Easy

Walkthrough

We got the server side code, which looks like this:

<?php
  highlight_file(__FILE__);
  $lang = $_SERVER['HTTP_ACCEPT_HEADER'] ?? 'ot';
  $lang = explode(',', $lang)[0];
  $lang = str_replace('../', '', $lang);
  $c = file_get_contents("flags/$lang");
  if (!$c) $c = file_get_contents("flags/ot");
  echo '<img src="data:image/jpeg;base64,' . base64_encode($c) . '">');

The objective was to read the file at /flag on the file system. When loading the web page, one is most likely to get a warning from PHP hinting that there is no file at the flags/$lang path from PHP, where $lang is the user’s language.

The embedded PHP suggests that whatever is at that file path is Base64 encoded and pushed directly into the image part of the page response.

By manipulating the Accept-Language request header, one can alter what file is requested. But, all input values are sanitised by replacing "../" in the input string with "".

By changing the request header to

Accept-Language: ....//....//....//....//flag

the image header turns into

<img src="data:image/jpeg;base64,MzVjM190aGlzX2ZsYWdfaXNfdGhlX2JlNXRfZmw0Zwo=">

which, when decoded, yields the flag 35c3\_this\_flag\_is\_the\_be5t\_fl4g.

Solution to 35C3 Junior CTF challenge Decrypted

04/01/19 — capitol

cube_root

Name:

Decrypted

Category:

crypto

Points:

500 (variable)

Writeup

This challenge was a part of a group of 12 challenges that all shared the same large code base.

The function that we needed to crack in order to get the flag was this one:

@app.route("/wee/encryptiontest", methods=["GET"])
def encryptiontest():
    global encrypted
    if not encrypted:
        wee = """
        # we use weelang to encrypt secrets completely secret

        record pubkey
            n: string
            e: string
        end

        var key = pubkey('951477056381671188036079180681828396446164466568923964269373812360568216940258578681673755725586138473475522188240856850626984093905399964041687626629414562063470963902807801143023140969
20823423927677839717181758259182700869005678976353417411986304610681351575086373354375831981119478424684513892149555631145818047853885655084250969268639667911790304014860764271083257383802727400495207251674916842
54346976900167073270029894070147537353137306531896615417508808552131659375645782924643791678577787591364741734258313403069197056729334867119393339537506377299674551184754083697516025382028181906639397068860930465
26104043062374288648189070207772477271879494000411582080352364098957455090381238978031676375437980396931371164061080967754225429135119036489128165414029872153856547376448552882344531325480944511714482341088742350
11009737276674836492694100044152415782485951155734267352438805604935836260092517229999071999887386803819455546500803649793294581284534063885339973272198722848685819397907391376176037076960934762279549898730682241
31342367496077356579676679029666679967972413646887939190664453605477491938458252983426262889901587301497273983541920536923607163838510512716185590750480128002352503878370525735411578459589488569540357589151578719
93646182544696043757263004887914724250286341123038686355398997399922927237477691269351791943572679717263938613148630387793458838416117454016370454288153779764863162055098229903413503857354581027436855574871814478
74723799961787902440740395490598696972133680325877451439760094717565024267419349661465226715875381735013630562026807645781307072609924868164261206320317044245340505145587752470936697306277403704477207972070374382
86953511989843348305321935645259169014617255384187145173023908500495438565426993913390759768430286540045521692775713390171616970133736227701154066810802949947906265571171298204579880459740095301856221139515408199
39983153190486345031549722007896699102268137425607039925174692583738394816628508716999668221820730737934785438568198334912127263127241407430459511422030656861043544813130287622862247904749760983465608684778389799
70377087793187526885852470299176745072077367763985697993040450875510062484434182989649790682452018005103877912656386045303903577945538773305634383377680271619413807252827814278690190434340737764900098814225536986
0324110311816186668720584468851089864315465497405748709976389375632079690963423708940060402561050963276766635011726613211018206198125893007608417148033891841809', '3')

        fun encrypt(message: string, key: pubkey): string
            return bigModPow(strToBig(message), key.e, key.n)
        end

        fun get_cypher(key: pubkey): string
            var message = '{}'
            return encrypt(message, key)
        end

        alert(get_cypher(key))
        """.format(DECRYPTED)
        encrypted = runwee(wee)
    return jsonify({"enc": encrypted})

And calling that function gave us this ciphertext in form of a large number:

650802889626540392576254226480769958677174063746262298961949406725587937603370598056914641680440287141866554424868358513810586735136666559905873773370795301824775736764582520414393058823900835653671443326759384479590622850329114068561701339992264327486363426970702107667234446480134526246514585103292832378240690398119481568246551291749012927947948046185733533974179911092159848587

The encryption code is a simple school book example on how to implement RSA with a classical mistake of not using any padding.

The public key is also quite big, 2466 decimal digits, or 8192 bits. The encrypted flag is not that big however: 381 decimal digits, or 1266 bits. This makes the modulus part of RSA to not kick in, and the RSA algorithm is reduced from

y = x^e mod n

to

y = x^e

And this is trivially solved by taking the cube root of the number since the exponent, key.e, is 3.

We wrote this sage program to solve it:

from sage.crypto.util import bin_to_ascii, ascii_to_bin

a = Integer(650802889626540392576254226480769958677174063746262298961949406725587937603370598056914641680440287141866554424868358513810586735136666559905873773370795301824775736764582520414393058823900835653671443326759384479590622850329114068561701339992264327486363426970702107667234446480134526246514585103292832378240690398119481568246551291749012927947948046185733533974179911092159848587)
p = pow(a, 1/3)
pa = p.ceil().binary()
pb = "00" + pa;
print(bin_to_ascii(pb))

The flag was: 35C3_OUR_CRYPTO_IS_AS_LEGIT_AS_MOST_CRYPTO_CURRENCIES

Solution to 35C3 Junior CTF challenge DANCEd

03/01/19 — capitol

danced

Name:

DANCEd

Category:

crypto

Points:

500 (variable)

Writeup

This was the challenge description:

Sign up now, for the dance class you always wanted to visit! Totally secure, totally awesome! But be quick, the first few spots are already taken!

nc 35.207.159.114 1337

Source

Difficulty estimate: Medium

And we also got the source for the server, written in Go, here.

The server logic is pretty straightforward. You log in to it using Telnet and can do two things that matter: either register yourself for a dance class, or list all the existing registrations which are encrypted.

Reading through the server code shows that for each encryption, a 64 byte “random” number is generated based on the number of previous registrations, 2 secret numbers and a lot of fixed values. That random number is then XORed to the combination of dance class and name. We guess that the flag is in the name of the first registrant.

To be able to decrypt the first registration, we first need to figure out the two secret numbers that are used to generate the 64 byte number. The generating function looks like this:

func doubleRound(block *[4][4]uint32) {
    for i := 0; i < 4; i++ {
        block[(1+i)%4][i] = block[(1+i)%4][i] ^ bits.RotateLeft32(block[(0+i)%4][i]+block[(3+i)%4][i], 7)
        block[(2+i)%4][i] = block[(2+i)%4][i] ^ bits.RotateLeft32(block[(1+i)%4][i]+block[(0+i)%4][i], 9)
        block[(3+i)%4][i] = block[(3+i)%4][i] ^ bits.RotateLeft32(block[(2+i)%4][i]+block[(1+i)%4][i], 13)
        block[(0+i)%4][i] = block[(0+i)%4][i] ^ bits.RotateLeft32(block[(3+i)%4][i]+block[(2+i)%4][i], 18)
    }
    for i := 0; i < 4; i++ {
        block[i][(1+i)%4] = block[i][(1+i)%4] ^ bits.RotateLeft32(block[i][(0+i)%4]+block[i][(3+i)%4], 7)
        block[i][(2+i)%4] = block[i][(2+i)%4] ^ bits.RotateLeft32(block[i][(1+i)%4]+block[i][(0+i)%4], 9)
        block[i][(3+i)%4] = block[i][(3+i)%4] ^ bits.RotateLeft32(block[i][(2+i)%4]+block[i][(1+i)%4], 13)
        block[i][(0+i)%4] = block[i][(0+i)%4] ^ bits.RotateLeft32(block[i][(3+i)%4]+block[i][(2+i)%4], 18)
    }
}

func generateKeyStream(count uint32) []byte {
    key := [8]uint32{0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff}
    block := [4][4]uint32{
        {0x61707865, key[0], key[1], key[2]},
        {key[3], 0x3320646e, nonce[0], nonce[1]},
        {count, 0x00000000, 0x79622d32, key[4]},
        {key[5], key[6], key[7], 0x6b206574}}

    for i := 0; i < 10; i++ {
        doubleRound(&block)
    }
    for c := 0; c < 4; c++ {
        for r := 0; r < 4; r++ {
            fmt.Printf("%08x ", block[c][r])
        }
        fmt.Printf("\n")
    }

    var stream []byte
    current := make([]byte, 4)
    for c := 0; c < 4; c++ {
        for r := 0; r < 4; r++ {
            binary.LittleEndian.PutUint32(current, block[c][r])
            stream = append(stream, current...)
        }
    }
    return stream
}

Analyzing the doubleRound() function shows that no information is lost in the transformations that happen, so it can easily be reversed like this:

func doubleRoundReverse(block *[4][4]uint32) {
    for i := 3; i >= 0; i-- {

        block[i][(0+i)%4] = block[i][(0+i)%4] ^ bits.RotateLeft32(block[i][(3+i)%4]+block[i][(2+i)%4], 18)
        block[i][(3+i)%4] = block[i][(3+i)%4] ^ bits.RotateLeft32(block[i][(2+i)%4]+block[i][(1+i)%4], 13)
        block[i][(2+i)%4] = block[i][(2+i)%4] ^ bits.RotateLeft32(block[i][(1+i)%4]+block[i][(0+i)%4], 9)
        block[i][(1+i)%4] = block[i][(1+i)%4] ^ bits.RotateLeft32(block[i][(0+i)%4]+block[i][(3+i)%4], 7)
    }

    for i := 3; i >= 0; i-- {

        block[(0+i)%4][i] = block[(0+i)%4][i] ^ bits.RotateLeft32(block[(3+i)%4][i]+block[(2+i)%4][i], 18)
        block[(3+i)%4][i] = block[(3+i)%4][i] ^ bits.RotateLeft32(block[(2+i)%4][i]+block[(1+i)%4][i], 13)
        block[(2+i)%4][i] = block[(2+i)%4][i] ^ bits.RotateLeft32(block[(1+i)%4][i]+block[(0+i)%4][i], 9)
        block[(1+i)%4][i] = block[(1+i)%4][i] ^ bits.RotateLeft32(block[(0+i)%4][i]+block[(3+i)%4][i], 7)
    }
}

Given this, we can perform the following steps to decrypt the flag.

  • Make a reservation with a name consisting of 56 characters, to get 64 bytes of ciphertext
  • XOR that ciphertext with the known plaintext, in order to get the generated key
  • Run that key through our reversed function to unshuffle all the bits and get us the two secret numbers
  • Use those two numbers and position number 0 to decrypt the first entry

This worked, and we got the flag: 35C3_DJ_B3RNSTE1N_IN_TH3_H0USE