It's starting to become a proper challange

2019-06-26 14:44:06 +02:00
parent da749e84f4
commit 0c9768e065
8 changed files with 500265 additions and 46 deletions
--- a/break_script/automated_attack.py
+++ b/break_script/automated_attack.py
@@ -0,0 +1,125 @@
+#!/usr/bin/env python3
+
+from pwn import *
+import random
+import string
+import math
+
+#context.log_level = "debug"
+
+allowed_chars = string.ascii_letters + string.digits + string.punctuation
+
+sbox = (
+	0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
+	0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
+	0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+	0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
+	0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
+	0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+	0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
+	0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
+	0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+	0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
+	0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
+	0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+	0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
+	0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
+	0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+	0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
+	)
+
+def gather_measurements(r, amount):
+	progress = log.progress("Gathering measurements")
+	measurements = {}
+	for i in range(amount):
+		if i & 0xFF == 0:
+			progress.status("{}/{}".format(i, amount))
+		r.send(b"profiler_reset\n")
+		r.recvuntil(b"> ")
+		password = ''.join(random.choices(allowed_chars, k=16)).encode("ascii")
+		r.send(b"login\n")
+		r.send(password)
+		r.send(b"\n")
+		r.send(password)
+		r.send(b"\n")
+		r.recvuntil(b"> ")
+		r.send(b"profiler_print\n")
+		response = r.recvuntil(b"\n> ", drop=True)
+		response = response.decode("ascii")
+		for line in response.splitlines():
+			line = line.split(" ")
+			name = line[0]
+			no_invocations = int(line[-1])
+			if name == "gf_reduce":
+				measurements[password] = no_invocations
+				break
+	progress.success("{amount}/{amount}".format(amount=amount))
+	return measurements
+
+def mean(data):
+	return sum(data) / len(data)
+
+def variance(data, mean):
+	result = 0
+	for value in data:
+		result += (value - mean) ** 2
+	return result / len(data)
+
+def t_test(group_big, group_small):
+	mean_big = mean(group_big)
+	variance_big = variance(group_big, mean_big)
+	mean_small = mean(group_small)
+	variance_small = variance(group_small, mean_small)
+	return (mean_big - mean_small) / math.sqrt(variance_big / len(group_big) + variance_small / len(group_small))
+
+r = process("/home/manuel/wolke/Projects/secutech_authenticator/build/default/secutech")
+
+r.recvuntil(b"> ")
+
+measurements = {}
+
+key = []
+
+# We keep gathering measurements until we are certain enoguh which key the correct one is
+while len(key) < 16:
+	measurements.update(gather_measurements(r, 1000))
+	log.info("Total number of unique measurements gathered: {}".format(len(measurements)))
+	
+	# This attack allows us to test each aes key byte independently
+	for key_byte in range(len(key), 16):
+		progress = log.progress("Attacking key byte {:2}".format(key_byte))
+		
+		t_values = []
+		
+		# We guess each possible value for the key byte. We then calculate the key addition and the byte subsitution for that byte.
+		# (We leave out shift rows because shifting the rows does not change the timing)
+		# Then we predict whether the calulation will be slow or fast based on that result and check which of the key guesses best fit our prediction.
+		# That Guess is most likely the correct value for the key byte.
+		for key_guess in range(0x100):
+			group_fast = []
+			group_slow = []
+			for password, no_invocations in measurements.items():
+				# If the msb is set the reduction function has to be called making code execution slower
+				is_fast = sbox[password[key_byte] ^ key_guess] & 0x80 == 0
+				# Sort the measurement into one of the groups based on our prediction
+				if is_fast:
+					group_fast.append(no_invocations)
+				else:
+					group_slow.append(no_invocations)
+
+			# The further apart the measurements in these groups are the more likely it is that we found the correct value for the key byte.
+			# We can calculate the certainty using Welch's t-test. If the result of the t-test is >4.5 we can be very certain we found the correct value.
+			t_values.append(t_test(group_slow, group_fast))
+		
+		# The biggest value in the list is our best guess for the value
+		max_t_value = max(t_values)
+		candidate = t_values.index(max_t_value)
+		progress.success("{:02X} ({:.2})".format(candidate, max_t_value))
+
+		# Check if we are certain enough to add this result to the key. If not stop attacking and gather more measurements
+		if max_t_value >= 4.5:
+			key.append(candidate)
+		else:
+			break
+
+print("Key:", " ".join(["{:02X}".format(k) for k in key]))
--- a/break_script/break_aes.jl
+++ b/break_script/break_aes.jl
@@ -9,8 +9,8 @@ using Formatting

 function parse_csv(filename)
    data = CSV.read(filename, header=0)
-    plaintexts::Matrix{UInt8} = convert(Matrix{UInt8}, data[:, 1:16])#[1:50, :]
-    timings::Matrix{UInt32} = convert(Matrix{UInt32}, data[:, 17:17])#[1:50]
+    plaintexts::Matrix{UInt8} = convert(Matrix{UInt8}, data[:, 1:16])
+    timings::Matrix{UInt32} = convert(Matrix{UInt32}, data[:, 17:17])
    return plaintexts, timings
 end

@@ -51,30 +51,44 @@ function build_key_schedule(initial_key)
 	return round_keys
 end

+function gf_mult2(value::UInt8)::UInt8
+	result = value << 1
+	if value & 0x80 != 0
+		result ⊻= value
+	end
+	return result
+end
+
+function gf_mult3(value::UInt8)::UInt8
+	return gf_mult2(value) ⊻ value
+end
+
 function break_decryption()
    keys, timings = parse_csv("timing.csv")
 	round_keys = Array{UInt8, 3}(undef,11, size(keys, 1), 16)
-	for keyno=1:size(keys, 1)
+	@Threads.threads for keyno=1:size(keys, 1)
 		round_keys[:, keyno, :] = build_key_schedule(keys[keyno, :])
 	end
    t_values = Vector{Float64}(undef, 0x100)
-	r_shiftrows=[0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3] .+ 1
-    for secretbyte=1:16
-        for secret=0:0xFF
-			# TODO Shift rows must be respected here
-			msbs_set = ((round_keys[10, :, r_shiftrows[secretbyte]] .⊻ r_sbox[(secret .⊻ round_keys[11, :, secretbyte]) .+ 1]) .& 0xE0) .!= 0
-			#msbs_set = (sbox[(keys[:, secretbyte] .⊻ secret) .+ 1] .& 0x08) .!= 0
-            group_slow = timings[msbs_set]
-            group_fast = timings[msbs_set.==false]
-            t_values[secret + 1] = t_val(group_fast, group_slow)
-        end
-        print(format("{:02x} ", argmax(t_values) - 1))
-        if secretbyte==1
-            plt = plot_discrete_tval(0:0xFF, t_values, "secret data")
-			display(plt)
-        end
-    end
-    println()
+	shiftrows = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11] .+ 1
+	r_shiftrows = [0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3] .+ 1
+	byte1 = shiftrows[1]
+	byte2 = shiftrows[2]
+	byte3 = shiftrows[3]
+	byte4 = shiftrows[4]
+	high_tvalues = [Vector{Any}(undef, 0) for i=1:Threads.nthreads()]
+	@Threads.threads for p1=0xA0:0xA0
+		for p2=0x00:0x00, p3=0x70:0x80, p4=0xD0:0xE0
+			msbs_set = (gf_mult2.(sbox[p1 .⊻ round_keys[1, :, byte1] .+ 1]) .⊻ gf_mult3.(sbox[p2 .⊻ round_keys[1, :, byte2] .+ 1]) .⊻ sbox[p3 .⊻ round_keys[1, :, byte3] .+ 1] .⊻ sbox[p4 .⊻ round_keys[1, :, byte4] .+ 1]) .& 0xC0 .!= 0
+			group_slow = timings[msbs_set]
+			group_fast = timings[msbs_set.==false]
+			t_value = t_val(group_fast, group_slow)
+			if abs(t_value) > 4
+				push!(high_tvalues[Threads.threadid()], (p1, p2, p3, p4, t_value))
+			end
+		end
+	end
+	println(high_tvalues)
 end

-break_decryption()
+@time break_decryption()
--- a/break_script/sbox.jl
+++ b/break_script/sbox.jl
@@ -35,3 +35,5 @@ const r_sbox = [
 	0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
 	0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
 	0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d ];
+
+const irreducible_polynom = 0x1b
--- a/break_script/timing.csv
+++ b/break_script/timing.csv
--- a/break_script/util.jl
+++ b/break_script/util.jl
@@ -2,7 +2,7 @@

 using Statistics

-function t_val(group_fast, group_slow)
+function t_val(group_fast, group_slow)::Float64
    if size(group_fast, 1) == 0 || size(group_slow, 1) == 0
        return 0
    end
--- a/main.cpp
+++ b/main.cpp
@@ -1,34 +1,87 @@
 #include "aes.hpp"

 #include <iostream>
-#include <chrono>
-#include <fstream>
-#include <thread>
-#include <cstring>
+#include <string>

 #include "profiler.hpp"

 using namespace std;
-using namespace std::chrono;
+
+string prompt(char separator = '>')
+{
+	PROFILER_RECORD;
+	string input;
+	cout << separator << ' ';
+	cin >> input;
+	if (!cin.good())
+	{
+		cout << "OOPSIE WOOPSIE!! Uwu We made a fucky wucky!! A wittle fucko boingo! The code monkeys at our headquarters are working VEWY HAWD to fix this!" << endl;
+		exit(1);
+	}
+	return input;
+}
+
+void print_help()
+{
+	PROFILER_RECORD;
+	// TODO Verify whether there are more/less commands
+	cout << "The following commands are available: help, login, exit" << endl;
+}
+
+void login()
+{
+	PROFILER_RECORD;
+	uint8_t key[16] = {0xA0,0x7C,0x3D,0x99,0xFA,0x00,0x02,0x46,0x97,0x33,0x73,0x50,0x31,0x7C,0xD3,0xDC}; // TODO Load me from a file
+	cout << "Username";
+	string username = prompt(':');
+	cout << "Password";
+	string password = prompt(':');
+	uint8_t encrypted_password[16];
+	if (password.length() != 16)
+	{
+		cout << "Password format error" << endl;
+		return;
+	}
+	for (int i = 0;i < 16;i++)
+	{
+		encrypted_password[i] = password[i];
+	}
+	AES::encrypt_ecb(encrypted_password, key);
+	// TODO Validate encrypted password
+}
+
+bool execute_command(const string &input)
+{
+	PROFILER_RECORD;
+	if (input == "exit")
+	{
+		cout << "Thank you for visiting the Secutech customer portal. Please visit us again soon!" << endl;
+		return false;
+	}
+	if (input == "login")
+	{
+		login();
+	}
+	else if (input == "help")
+	{
+		print_help();
+	}
+	else if (!profiler.command_line(input))
+	{
+		cout << "Invalid command '" << input << "'" << endl;
+	}
+	return true;
+}

 int main(int argc, char **argv) {
-	//uint8_t data[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
-	uint8_t data[16] = {0xA0,0x7C,0x3D,0x99,0xFA,0x00,0x02,0x46,0x97,0x33,0x73,0x50,0x31,0x7C,0xD3,0xDC};
-	//const uint8_t key[16] = {0xA0,0x7C,0x3D,0x99,0xFA,0x00,0x02,0x46,0x97,0x33,0x73,0x50,0x31,0x7C,0xD3,0xDC};
-	uint8_t key[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
-	ifstream input("/dev/urandom", ios::binary);
-	for (int i = 0;i < 100000;i++)
+	PROFILER_RECORD;
+	cout << "Welcome to the Secutech customer portal." << endl;
+	cout << "How can we help you today? (type 'help' for help)" << endl;
+	string input;
+	do
 	{
-		input.read((char*) key, 16);
-		AES::encrypt_ecb(data, key);
-		for (int d = 0;d < 16;d++)
-		{
-			cout << dec << (int) key[d] << ",";
-		}
-		profiler.clear();
-		AES::decrypt_ecb(data, key);
-		cout << profiler.calls["gf_reduce"] << endl;
-		profiler.clear();
-	}
+		input = prompt();
+	} while (execute_command(input));
+
 	return 0;
 }
--- a/profiler.cpp
+++ b/profiler.cpp
@@ -1,5 +1,10 @@
 #include "profiler.hpp"

+#include <iostream>
+#include <sstream>
+#include <iomanip>
+
+using namespace std;
 using std::string;

 Profiler profiler;
@@ -9,8 +14,27 @@ void Profiler::record_function_call(const char *function_name)
 	calls[function_name]++;
 }

-void Profiler::clear()
+void Profiler::reset()
 {
 	calls.clear();
 }

+bool Profiler::command_line(const string &input)
+{
+	if (input == "profiler_print")
+	{
+		for (auto it = this->calls.begin();it != this->calls.end();it++)
+		{
+			ostringstream out;
+			out << left << setw(25) << it->first << right << setw(5) << it->second;
+			cout << out.str() << endl;
+		}
+		return true;
+	}
+	if (input == "profiler_reset")
+	{
+		this->reset();
+		return true;
+	}
+	return false;
+}
--- a/profiler.hpp
+++ b/profiler.hpp
@@ -9,7 +9,8 @@ class Profiler
 public:
 	std::map<std::string, uint32_t> calls;
 	void record_function_call(const char *function_name);
-	void clear();
+	void reset();
+	bool command_line(const std::string &input);
 };

 #define PROFILER_RECORD profiler.record_function_call(__func__)