How to crack sha256 used as streamcipher with known or guessable block

cn flag

Using SHA-256 as a stream cipher appears to bear cryptographic weaknesses, however, I am not quite sure how to implement them in decryption.

Assume that I have an encryption function using 64-byte blocks. I encrypt each of the blocks with the hash of the previous to produce my ciphertext. The weak link here is, that I know, or can guess the very first block of bytes.

In one of the posts linked below, I read:

I should mention that if there is any full block of known or guessable plaintext in your message, your scheme is easily broken because given pad(i) anyone can compute pad(i+1). So guess one block of plaintext, XOR it against the ciphertext to recover a possible pad value, then compute the next pad value and see if the recovered ciphertext in that block seems valid.

Can anyone elaborate on what exactly is meant here? If I know the first block, do I xor it against the hashed first block? If so how does that help me crack the next hashes that are H(prevHashedBlock + currentPlaintextBlock)?

I am aware this has to do with hashing states and such but I haven't found much on the web.

I have read the following posts:
Is it feasible to build a stream cipher from a cryptographic hash function?
Is SHA-256 secure as a CTR block cipher?

in flag

There is no such weakness if SHA-256 is used in CTR mode. ChaCha20 is already one built in this way.

You are using SHA-256 in a chaining way to output a stream to encrypt the message with x-or;

\begin{align} O_1 & = H(key) \oplus H(message)\\ O_i & = H(O_{i-1}) \end{align}

Then the encryption is executed with x-oring $O_i$s.

$$C_i = P_i \oplus O_i$$

Now assume that you have a known-plaintext for some block $j$. This means that you get $O_j$

$$O_j = P_j \oplus C_j$$

Now use the stream producing equation

\begin{align} O_{j+1} &= H(O_j)\\ O_{j+2} &= H(O_{j+1})\\ \vdots \quad & \quad\quad\vdots \\ O_{j+t} &= H(O_{j+t-1})\\ \vdots \quad & \quad\quad\vdots \\ \end{align}

As you can see, you get the rest of the stream output from the position $j$. If you have the first position then you will get all.

This is the weakness of such a scheme on the other hand the CTR mode is designed for PRFs and it is common to initialize it with some good hash functions.

See with an image

enter image description here

As one can see, if you get any of the output $O_j$ then you can get the rest due to the hash chaining.

CrazyPhil avatar
cn flag
So XORing Oj with Cj should yield the plaintext of block j? Thanks for the image, it helped me understand your explanation better.
CrazyPhil avatar
cn flag
Furthermore, what exactly is Oj? Because it obviously isn't the finshed hash, correct? Because H(key+ptxt) = C1 not O1; so when decrypting this in a program, how would I yield O1?
kelalaka avatar
in flag
That is why I draw it. Sometimes an image can tell a thousand words. $O_j$'s are the output of the hash function. When decrypting just x-or the ciphertext with $O_j$'s like in the One-time-Pad.
kelalaka avatar
in flag
The first hash needs to be $hash(key)\oplus hash(ptxt)$, which doesn't change the attack, I'll correct it later...

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.