Score:0

AES CBC - Find IV (CTF)


I am currently trying to solve a training challenge based on AES with CBC. This is the info I'm given:

```python
KEY = "yn9RB3Lr43xJK2██".encode()
IV  = "████████████████".encode()
msg = "AES with CBC is very unbreakable".encode()
```

Those spaces are unknown characters, and I also have the output:

c5██████████████████████████d49e78c670cb67a9e5773d696dc96b78c4e0

Does anyone have any idea on where I can start? My idea would be to bruteforce the key since only 2 characters are missing but I don't know how I can do it.

Note that the output was produced via the following Python code:

```python
aes = AES.new(KEY, AES.MODE_CBC, IV)
print binascii.hexlify(aes.encrypt(msg)).decode()
```

Edit:

```python
from Crypto.Cipher import AES
import binascii
from pwn import xor
from Crypto.Util.number import bytes_to_long

alphabet = [chr(i) for i in range(31,128)]
key_base = b"yn9RB3Lr43xJK2"
iv = ""
output = b'c500000000000000000000000000d49e78c670cb67a9e5773d696dc96b78c4e0'
output_bytes = binascii.unhexlify(output)

msg = "AES with CBC is very unbreakable".encode()

for char1 in alphabet:
    for char2 in alphabet:
        key = key_base + char1.encode() + char2.encode()
        aes = AES.new(key, AES.MODE_CBC)
        decryptedMsg = aes.decrypt(output_bytes)
        if decryptedMsg[16] == msg[16] and decryptedMsg[31] == msg[31] and decryptedMsg[30] == msg[30]:
            print(key)
            cipher_1 = xor(msg[16:], decryptedMsg[16:])
            iv = xor(aes.decrypt(cipher_1), msg[:16])
            #print(AES.new(key, AES.MODE_CBC, iv).encrypt(msg[:16]) == cipher_1)

            # Now let's verify if we got the correct value or not..
            aes = AES.new(key, AES.MODE_CBC, iv)
            print(binascii.hexlify(aes.encrypt(msg)).decode()) #This value should correspond to output_bytes
```
Maarten Bodewes avatar
Hint: there are three bytes of the first ciphertext block that are known. That means that you can block-decrypt the second block and compare those bytes with the plaintext (after the required bit-operation). As you are only missing two bytes from the key it is likely that there is only one solution that fits.
Shark44 avatar
I've had a look at how AES CBC works but I've not quite understood the relationship between the output string and the first cipherblock, how can I deduce which bytes to use starting from the cipher?
Maarten Bodewes avatar
So the ciphertext bytes of the first block are XOR'ed with the plaintext bytes before encryption. When decrypting you go the other way around, starting with a block decrypt of the second block. So you can then use these known bytes of block 1 to retrieve the plaintext of block 2 by using the "opposite of XOR". If those bytes match then you have a key that could have been used for encryption - and as there are only 65ki possible key candidates, that's probably the key you need (going over the entire key space would be wise, there may be two, but that would probably invalidate the CTF, so).
Maarten Bodewes avatar
Hint 2: You could significantly shorten the development of your program by filling in any value, say `0x00`, for the unknown bytes, perform "a decryption operation" and then compare bytes.
Shark44 avatar
Wouldn't I need the IV as well to perform the XOR to "check" whether the key is correct or not? I am not understanding how you refer to the first/second block, how do you retrieve them from the output string?
Maarten Bodewes avatar
For CBC **decryption** you'd only need the previous ciphertext block or, for the first block, the IV. And you are only interested in the 3 bytes of the second block, so not having the IV only means that you cannot decode the first block of the ciphertext (which you already couldn't due to the 13 missing byte values). The output doesn't contain the IV, so the first block is the first 16 bytes and the second block is the second / last 16 bytes (after decoding the hexadecimals).
Shark44 avatar
I tried bruteforcing the keys trying to decrypt the second cipher block, and then comparing the result with the second block of the plaintext but no couple matches. I posted the code in the question.
Maarten Bodewes avatar
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/147414/discussion-between-maarten-bodewes-on-strike-and-shark44).