set7: task49: completed

1 files changed, 131 insertions, 0 deletions

diff --git a/set7/task49.c b/set7/task49.c
new file mode 100644
index 0000000..62650ba
--- /dev/null
+++ b/set7/task49.c
@@ -0,0 +1,131 @@
+#include "../lib/lib.h"
+#include "../lib/lib2.h"
+#include "../lib/lib3.h"
+#include "../lib/lib4.h"
+#include "../lib/lib5.h"
+#include <time.h>
+#include <openssl/aes.h>
+
+
+int cbc_mac(char *msg, unsigned int msg_len, char *iv, char *key, char *mac)
+{
+	int padding_len = 0;
+
+	char *msg_padded = __pkcs7_padding(msg, msg_len, 16, &padding_len);
+	char *res = malloc(msg_len+padding_len);
+	aes_cbc(msg_padded, msg_len+padding_len, res, key, iv, 1);
+	char *ciphertext = malloc(msg_len+padding_len);
+	memcpy(mac, &res[msg_len+padding_len-16], 16);
+}
+
+int cbc_mac_forge_controlled_iv(char *msg_is, char *msg_should, char *iv)
+{
+	// generate iv and mac and concat all
+	// msg_is XOR iv == msg_should XOR iv2
+	// simple bit flipping...yeah brute force it here...ugly but well
+	int i;
+	char __iv[17];
+	char s, j;
+	char test;
+	for(i=0;i<16;i++) {
+		s = msg_is[i] ^ iv[i];
+		for(j=0;j<256;j++) {
+			test = msg_should[i] ^ j;
+			if(s == test) {
+				__iv[i] = j;
+				break;
+			}
+		}
+	}
+	memcpy(iv, __iv, 16);
+	
+}
+/**
+  * part1: control over the IV
+  * like the assignment says you have full control over the first block of the
+  * message. the first block is from=id and 16 byte long (with AES128).
+  * so as long as the id is <= 11 byte you can put whatever id you want there
+  *
+  **/
+
+void part1()
+{
+	int i;
+	char *key = "WULLEWUPP";
+	char iv[17];
+	char mac[16];
+	char hex_mac[32];
+	// only works if id is of equal length
+	char *msg = "from=0xb8000&to=0xb8000&amount=1000000";
+	char *msg_should = "from=franzie&to=0xb8000&amount=1000000";
+
+	memset(iv, 0, 17);
+	cbc_mac(msg, strlen(msg), iv, key, &mac[0]);
+	hex_binary_to_string(mac, hex_mac, 16);
+	printf("mac is: %s\n", hex_mac);
+	memset(iv, 0, 17);
+	memset(mac, 0, 16);
+	printf("forge iv which does not change the MAC but the message...\n");
+	cbc_mac_forge_controlled_iv(msg, msg_should, iv);
+	// give in the changed message
+	// print compute iv
+	hex_binary_to_string(iv, hex_mac, 16);
+	printf("computed iv is: %s\n", hex_mac);
+	cbc_mac(msg_should, strlen(msg_should), iv, key, &mac[0]);
+	hex_binary_to_string(mac, hex_mac, 16);
+	printf("forged mac is: %s\n", hex_mac);
+}
+
+/**
+  * part2: CBC-MAC length extension
+  *
+  **/
+void part2()
+{
+	// length extension attack
+	int i;
+	char *key = "WULLEWUPP";
+	int pad_len = 0;
+	char *trans_begin = "from=franzie&tx_list=werner:100";
+	unsigned int trans_begin_len = strlen(trans_begin);
+	char *new_transaction = ";0xb8000:2000000";
+	unsigned int nt_len = strlen(new_transaction);
+	char *nt_forge = malloc(nt_len);
+	char mac[17];
+	char hex_mac[32];
+	char forged_mac[16];
+
+	// get MAC(trans_begin)
+	printf("part2: length extension\n");
+	memset(mac, 0, 16);
+	memset(iv, 0, 16);
+	cbc_mac(trans_begin, trans_begin_len, iv, key, mac);
+	memcpy(nt_forge, new_transaction, nt_len);
+
+	// mac from: MAC(org.msg) ^ new_transaction[0] || new_transaction[1:]
+	memset(iv, 0, 16);
+	for(i=0;i<16;i++)
+		nt_forge[i] = mac[i] ^ new_transaction[i];
+	cbc_mac(nt_forge, nt_len, iv, key, forged_mac);
+	hex_binary_to_string(forged_mac, hex_mac, 16);
+	printf("forged mac of is: %s\n", hex_mac);
+
+
+	// send extended transaction list which has the same MAC as forged_mac
+	char *trans_begin_padded = __pkcs7_padding(trans_begin, trans_begin_len, 16, &pad_len);
+	char *concat_string = malloc(trans_begin_len+pad_len+nt_len);
+	memcpy(concat_string, trans_begin_padded, trans_begin_len+pad_len);
+	memcpy(&concat_string[trans_begin_len+pad_len], new_transaction, nt_len);
+
+	printf("sending message...\n");
+	printf("%s %s\n", concat_string, hex_mac);
+	memset(iv, 0, 16);
+	cbc_mac(concat_string, trans_begin_len+pad_len+nt_len, iv, key, mac);
+	if(memcmp(forged_mac, mac, 16) == 0)
+		printf("MAC is ok, transaction accepted\n");
+}
+int main()
+{
+	part1();
+	part2();
+}