Uploaded byYOKARO-MON
PDF, PPTX1,304 views

FEAL - CSAW CTF 2014 Quals Crypto300

This document provides information about breaking the FEAL 4.3 block cipher that was used in the CRYPT0 300 challenge of the CSAW CTF 2014 quals. It describes using differential cryptanalysis to find the encryption subkeys (K0-K5) by analyzing the differences in plaintext and ciphertext pairs. It includes code examples of analyzing differential values at each round to iteratively determine each subkey value. After determining all subkeys, the document shows how to decrypt the flag values and obtain the final flag.

Embed presentation

Download as PDF, PPTX
FEAL APPENDIX FOR KATAGAITAI CTF TECHTALK CSAW CTF 2014 QUALS - CRYPT0 300 YOU0708@YOKARO-MON
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL NOTICE ▸ This material is an appendix for katagaitai CTF TechTalk ▸ https://atnd.org/events/71810 ▸ An modified version was used in katagaitai CTF ▸ Encryption key (SUBKEY) is fixed hex strings
FEAL 4.3 CSAW CTF 2014 QUALS CRYPT0 300 FEAL
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL FEAL 4.3 ▸ Feal 4.3 is used for the question You must first solve a puzzle, a sha1 sum ending in 16 bit's set to 1, it must be of length 21 bytes, starting with PkExU2wOJRG/XBDB Welcome to feal 4.3 Please decrypt: edcf27af7821cc71615f329e78d1f65e
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL FBOX IN FEAL 4.3 ▸ Feal 4.3 uses “rot 3” in fBox ▸ Differential values are not same with Feal 4
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL DIFFERENTIAL VALUE In [1]: import array In [2]: %paste def rot3(x): return ((x<<3)|(x>>5))&0xff def gBox(a,b,mode): return rot3((a+b+mode)%256) def fBox(plain): (snip.) In [3]: x1 = array.array("B", "80800000".decode("hex")) In [4]: fBox(x1) Out[4]: [10, 64, 8, 68] In [5]: x2 = array.array("B", "00000000".decode("hex")) In [6]: fBox(x2) Out[6]: [10, 64, 8, 64] In [7]: for a, b in zip(fBox(x1), fBox(x2)): print a ^ b, ....: 0 0 0 4 ΔY = 0x00000004
BREAKING FEAL 4.3 CSAW CTF 2014 QUALS CRYPT0 300 FEAL
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K3 FEALの最終ラウンドの差分解析49 0x02000000 key f 出力差分(ΔC1) ΔC1+ΔC2 入力差分(ΔX1) 入力差分(ΔX2) 出力差分(ΔC2) f(C1+C2+key)+f(C1’+C2’+key) この値は? ΔC1 = f(C1+C2+key)+f(C1’+C2’+key)+0x02000000 0x00000004 0x00000004
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K3 k3 = None if k3 == None: print "[*] start k3 attack" p1, p2, c1, c2, dc1, dc2, dcL, dcR = get_dataset(f, n, array.array(“B”,"8080000080800000".decode("hex"))) for k3 in xrange(65536): k3 = array.array("B", "%04x"%k3) for i in xrange(n): if dcL[i] != list_xor( list_xor( fBox(list_xor(dc1[i], k3)), fBox(list_xor(dc2[i], k3))), array("B", “00000004”.decode("hex")) ): break else: print "[*] found k3: %s" % "".join(map(chr, k3)) break else: print "[!] could not find k3" return SUBKEY is hex string Multiple candidates will be find if you use few plainest sets
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K2 0x02000000 key f 出力差分(ΔC1) ΔC1+ΔC2 入力差分(ΔX1) 入力差分(ΔX2) 出力差分(ΔC2) f(C1+C2+key)+f(C1’+C2’+key) この値は? ΔC1 = f(C1+C2+key)+f(C1’+C2’+key)+0x02000000 0x80800000 0x80800000 It can be calculated from encrypted value and k3 It can be calculated from encrypted value and k3
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K2 for i in xrange(n): c1L = list_xor(c1[i][:4], c1[i][4:]) c1R = list_xor(c1[i][:4], fBox(list_xor(k3, list_xor(c1[i][4:], c1[i][:4])))) c2L = list_xor(c2[i][:4], c2[i][4:]) c2R = list_xor(c2[i][:4], fBox(list_xor(k3, list_xor(c2[i][4:], c2[i][:4])))) c1[i] = c1L + c1R c2[i] = c2L + c2R dcL[i] = list_xor(c1L, c2L) for k2 in xrange(65536): k2 = array.array("B", "%04x"%k2) for i in xrange(n): if dcL[i] != list_xor( list_xor( fBox(list_xor(c1[i][4:], k2)), fBox(list_xor(c2[i][4:], k2))), array("B", "80800000".decode("hex"))): break else: print "[*] found k2: %s" % "".join(map(chr, k2)) break else: print "[!] could not find k2" return Calculate ΔC1, ΔC2 using k3
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K1 ▸ You must re-generate plaintext sets to change result after fBox FEALの差分解析41 次の差分を持つ平文ペアを入力する 0x8080000080800000 同じ鍵で暗号化されているため鍵の入力差分は0 0x80800000 0x80800000 0x80800000 0 0x02000000 ここの差分は不明 0 ΔC1 is fixed value It means: k1 can not be calculated
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K1 ▸ e.g. ΔX = 0x0000000040000000 FEALの差分解析41 次の差分を持つ平文ペアを入力する 0x8080000080800000 同じ鍵で暗号化されているため鍵の入力差分は0 0x80800000 0x80800000 0x80800000 0 0x02000000 ここの差分は不明 0 0x00000000 0x40000000 0x40000000 ???? ???? ΔX1 = 0x40000000
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K1 0x02000000 key f 出力差分(ΔC1) ΔC1+ΔC2 入力差分(ΔX1) 入力差分(ΔX2) 出力差分(ΔC2) f(C1+C2+key)+f(C1’+C2’+key) この値は? ΔC1 = f(C1+C2+key)+f(C1’+C2’+key)+0x02000000 0x40000000 0x40000000 It can be calculated from encrypted value and k3 It can be calculated from encrypted value, k3, and k2
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K1 p1, p2, c1, c2, dc1, dc2, dcL, dcR = get_dataset(f, n, array.array("B","0000000040000000".decode("hex"))) for i in xrange(n): c1L = list_xor(c1[i][:4], c1[i][4:]) c1R = list_xor(c1[i][:4], fBox(list_xor(k3, list_xor(c1[i][4:], c1[i][:4])))) c2L = list_xor(c2[i][:4], c2[i][4:]) c2R = list_xor(c2[i][:4], fBox(list_xor(k3, list_xor(c2[i][4:], c2[i][:4])))) c1[i] = c1L + c1R c2[i] = c2L + c2R dcL[i] = list_xor(c1L, c2L) c1L = c1[i][4:] c1R = list_xor(c1[i][:4], fBox(list_xor(k2, c1[i][4:]))) c2L = c2[i][4:] c2R = list_xor(c2[i][:4], fBox(list_xor(k2, c2[i][4:]))) c1[i] = c1L + c1R c2[i] = c2L + c2R dcL[i] = list_xor(c1L, c2L) for k1 in xrange(65536): k1 = array.array("B", "%04x"%k1) for i in xrange(n): if dcL[i] != list_xor( list_xor( fBox(list_xor(c1[i][4:], k2)), fBox(list_xor(c2[i][4:], k2))), array("B", "80800000".decode("hex"))):
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K0 ▸ e.g. ΔX = 0x0000000040000000 FEALの差分解析41 次の差分を持つ平文ペアを入力する 0x8080000080800000 同じ鍵で暗号化されているため鍵の入力差分は0 0x80800000 0x80800000 0x80800000 0 0x02000000 ここの差分は不明 0 0x00000000 0x40000000 0x0400000 ???? ???? ΔX1 = 0x00000000
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K0 for i in xrange(n): c1L = c1[i][4:] c1R = list_xor(c1[i][:4], fBox(list_xor(k1, c1[i][4:]))) c2L = c2[i][4:] c2R = list_xor(c2[i][:4], fBox(list_xor(k1, c2[i][4:]))) c1[i] = c1L + c1R c2[i] = c2L + c2R dcL[i] = list_xor(c1L, c2L) for k0 in xrange(65536): k0 = array.array("B", "%04x"%k0) for i in xrange(n): if dcL[i] != list_xor(fBox(list_xor(c1[i][4:], k0)), fBox(list_xor(c2[i][4:], k0))): break else: print "[*] found k0: %s" % "".join(map(chr, k0)) break else: print "[!] could not find k0" return
CSAW CTF 2014 QUALS - CRYPT0 300: FEAL K4, K5, FLAG k4 = list_xor(list_xor(fBox(list_xor(k0, c1[0][4:])), c1[0][:4]), p1[0][:4]) print "[*] found k4: %s" % "".join(map(chr, k4)) k5 = list_xor(list_xor(list_xor(p1[0][:4], k4), c1[0][4:]), p1[0][4:]) print "[*] found k5: %s" % "".join(map(chr, k5)) k = [k0, k1, k2, k3, k4, k5] print "[*] got encryption key:", k flag = "".join(map(chr, feal.decrypt(array("B", flag1), k))) + "".join(map(chr, feal.decrypt(array("B", flag2), k))) print "[*] the flag is:", flag
THANK YOU! CSAW CTF 2014 QUALS CRYPT0 300 FEAL

More Related Content

PDF
Allison Kaptur: Bytes in the Machine: Inside the CPython interpreter, PyGotha...
byakaptur
 
PDF
Byterun, a Python bytecode interpreter - Allison Kaptur at NYCPython
byakaptur
 
PDF
Diving into byte code optimization in python
byChetan Giridhar
 
PDF
Bytes in the Machine: Inside the CPython interpreter
byakaptur
 
PDF
Exploring slides
byakaptur
 
PDF
Recognize Godzilla
by隊長 アイパー
 
PDF
"A 1,500 line (!!) switch statement powers your Python!" - Allison Kaptur, !!...
byakaptur
 
ODP
Exploiting Memory Overflows
byAnkur Tyagi
 
Allison Kaptur: Bytes in the Machine: Inside the CPython interpreter, PyGotha...
byakaptur
 
Byterun, a Python bytecode interpreter - Allison Kaptur at NYCPython
byakaptur
 
Diving into byte code optimization in python
byChetan Giridhar
 
Bytes in the Machine: Inside the CPython interpreter
byakaptur
 
Exploring slides
byakaptur
 
Recognize Godzilla
by隊長 アイパー
 
"A 1,500 line (!!) switch statement powers your Python!" - Allison Kaptur, !!...
byakaptur
 
Exploiting Memory Overflows
byAnkur Tyagi
 

What's hot

DOCX
C++ file
bysimarsimmygrewal
 
PDF
Python opcodes
byalexgolec
 
PPTX
TCO in Python via bytecode manipulation.
bylnikolaeva
 
PDF
JavaScript Event Loop
byDerek Willian Stavis
 
PDF
[JS EXPERIENCE 2018] Javascript Event Loop além do setInterval - Derek Stavis
byiMasters
 
PPTX
JavaScript Event Loop
byDesignveloper
 
PDF
All I know about rsc.io/c2go
byMoriyoshi Koizumi
 
PDF
Galios: Python Programming
byKishoj Bajracharya
 
PDF
Performance testing of microservices in Action
byAlexander Kachur
 
PDF
Faster Python, FOSDEM
byVictor Stinner
 
PDF
Concurrency in Python4k
byRodolfo Carvalho
 
PPT
computer notes - Data Structures - 9
byecomputernotes
 
PDF
cwit-poster_logo
bySudharaka Palamakumbura
 
DOCX
Wap to implement bitwise operators
byHarleen Sodhi
 
PPT
Jan 2012 HUG: RHadoop
byYahoo Developer Network
 
PDF
The Ring programming language version 1.5.2 book - Part 45 of 181
byMahmoud Samir Fayed
 
PDF
Time Series Analysis Sample Code
byAiden Wu, FRM
 
PDF
Powered by Python - PyCon Germany 2016
bySteffen Wenz
 
PDF
A gentle introduction to functional programming through music and clojure
byPaul Lam
 
PDF
Data structure programs in c++
bymmirfan
 
C++ file
bysimarsimmygrewal
 
Python opcodes
byalexgolec
 
TCO in Python via bytecode manipulation.
bylnikolaeva
 
JavaScript Event Loop
byDerek Willian Stavis
 
[JS EXPERIENCE 2018] Javascript Event Loop além do setInterval - Derek Stavis
byiMasters
 
JavaScript Event Loop
byDesignveloper
 
All I know about rsc.io/c2go
byMoriyoshi Koizumi
 
Galios: Python Programming
byKishoj Bajracharya
 
Performance testing of microservices in Action
byAlexander Kachur
 
Faster Python, FOSDEM
byVictor Stinner
 
Concurrency in Python4k
byRodolfo Carvalho
 
computer notes - Data Structures - 9
byecomputernotes
 
cwit-poster_logo
bySudharaka Palamakumbura
 
Wap to implement bitwise operators
byHarleen Sodhi
 
Jan 2012 HUG: RHadoop
byYahoo Developer Network
 
The Ring programming language version 1.5.2 book - Part 45 of 181
byMahmoud Samir Fayed
 
Time Series Analysis Sample Code
byAiden Wu, FRM
 
Powered by Python - PyCon Germany 2016
bySteffen Wenz
 
A gentle introduction to functional programming through music and clojure
byPaul Lam
 
Data structure programs in c++
bymmirfan
 

Viewers also liked

PPTX
katagaitai CTF勉強会 #3 crypto
bytrmr
 
DOC
Nivin Joseph- resume
byNivin Joseph N
 
PPTX
A1. MEP 1 - Mod 1 - Tema1
byPoliana Bellan
 
PPTX
Experiencing victory God’s way
byEvlchemist
 
PDF
Silabo evaluacion educativa pato tobar
byverito velasquez
 
PPT
Відкриття періодичного закону
byЕлена Мешкова
 
DOCX
NUR SYUHADA AZHAR. RESUME (1)
byOh Huda
 
katagaitai CTF勉強会 #3 crypto
bytrmr
 
Nivin Joseph- resume
byNivin Joseph N
 
A1. MEP 1 - Mod 1 - Tema1
byPoliana Bellan
 
Experiencing victory God’s way
byEvlchemist
 
Silabo evaluacion educativa pato tobar
byverito velasquez
 
Відкриття періодичного закону
byЕлена Мешкова
 
NUR SYUHADA AZHAR. RESUME (1)
byOh Huda
 

Similar to FEAL - CSAW CTF 2014 Quals Crypto300

PDF
Frsa
by_111
 
PPTX
Introduction to Python Programming.pptx
byPython Homework Help
 
DOCX
Cryptography and security lab programs.docx
byDgdujvv
 
DOCX
Block Encryption Algorithm Project.docx
byUsamaAliLone3
 
PDF
Algorithm Intfact
bySubhendraBasu11
 
PPTX
Data encryption standard
byMohammad Golyani
 
PDF
NTUT Information Security Homework 1
bydennysora
 
DOCX
ECE-PYTHON.docx
byChaithanya89350
 
PPTX
SHA1 collision analysis and resolving a problem of recursive hashing with xra...
byDiego Hernan Marciano
 
PPTX
Computer Network Homework Help
byComputer Network Assignment Help
 
PPTX
Computing on Encrypted Data
byNew York Technology Council
 
PDF
ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...
byCyber Security Alliance
 
PDF
1508.07756v1
bySamir Crypticus
 
PDF
Cryptography 202
byUTD Computer Security Group
 
PPTX
DES Presentation.pptx for Information Security, A common Subject
bykashafbutt72
 
PPTX
Ch03 des
bymogtabamoutasem
 
PPTX
How DES Works Week#10 Lecture#01,02(DES).pptx
byFaizanAli393009
 
PDF
Numpy questions with answers and practice
bybasicinfohub67
 
PDF
Introduction to Homomorphic Encryption
byhubx
 
PDF
Introduction to Homomorphic Encryption
byChristoph Matthies
 
Frsa
by_111
 
Introduction to Python Programming.pptx
byPython Homework Help
 
Cryptography and security lab programs.docx
byDgdujvv
 
Block Encryption Algorithm Project.docx
byUsamaAliLone3
 
Algorithm Intfact
bySubhendraBasu11
 
Data encryption standard
byMohammad Golyani
 
NTUT Information Security Homework 1
bydennysora
 
ECE-PYTHON.docx
byChaithanya89350
 
SHA1 collision analysis and resolving a problem of recursive hashing with xra...
byDiego Hernan Marciano
 
Computer Network Homework Help
byComputer Network Assignment Help
 
Computing on Encrypted Data
byNew York Technology Council
 
ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...
byCyber Security Alliance
 
1508.07756v1
bySamir Crypticus
 
Cryptography 202
byUTD Computer Security Group
 
DES Presentation.pptx for Information Security, A common Subject
bykashafbutt72
 
Ch03 des
bymogtabamoutasem
 
How DES Works Week#10 Lecture#01,02(DES).pptx
byFaizanAli393009
 
Numpy questions with answers and practice
bybasicinfohub67
 
Introduction to Homomorphic Encryption
byhubx
 
Introduction to Homomorphic Encryption
byChristoph Matthies
 

Recently uploaded

PDF
CME397 SURFACE ENGINEERING UNIT 2 FULL NOTES
bykarthi keyan
 
PPTX
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
PPTX
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
PDF
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
PDF
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
PDF
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
PPTX
Why Most SAP PM Implementations Fail — And How High-Reliability Plants Fix It
byMaintWiz Technologies Private Limited
 
PPTX
This Bearing Didn’t Fail Suddenly — How Vibration Data Predicts Failure Month...
byMaintWiz Technologies Private Limited
 
PPTX
uADPF Topology_SFP requirements_locked slides.pptx
byMd Bellal Hossain
 
PDF
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
PDF
Enhancing optical fiber communication systems using repetition coding for imp...
byMouweffeqBouregaa
 
PPTX
Fitting Infiltration Models to Infiltration using Excel (1).pptx
byTomNickoRivera1
 
PDF
Highway Curves in Transportation Engineering.pdf
byMahmoodKhalid11
 
PDF
Soil Compressibility (Elastic Settlement).pdf
byMahmoodKhalid11
 
PDF
Infinite Sequence and Series: It Includes basic Sequence and Series
byDynamicDomain1
 
PDF
Shear Strength of Soil/Mohr Coulomb Failure Criteria-1.pdf
byMahmoodKhalid11
 
PDF
Module 4 python programming-1BPLCK105B-2025 by Dr.SV.pdf
bySURESHA V
 
PDF
Chemical Hazards at Workplace – Types, Properties & Exposure Routes, CORE-EHS
byCORE EHS
 
PPT
Network Model for Biomedical Engineering Students
byOcheriCyril2
 
PDF
Applications of AI in Civil Engineering - Dr. Rohan Dasgupta
byRohan Dasgupta
 
CME397 SURFACE ENGINEERING UNIT 2 FULL NOTES
bykarthi keyan
 
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
Why Most SAP PM Implementations Fail — And How High-Reliability Plants Fix It
byMaintWiz Technologies Private Limited
 
This Bearing Didn’t Fail Suddenly — How Vibration Data Predicts Failure Month...
byMaintWiz Technologies Private Limited
 
uADPF Topology_SFP requirements_locked slides.pptx
byMd Bellal Hossain
 
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
Enhancing optical fiber communication systems using repetition coding for imp...
byMouweffeqBouregaa
 
Fitting Infiltration Models to Infiltration using Excel (1).pptx
byTomNickoRivera1
 
Highway Curves in Transportation Engineering.pdf
byMahmoodKhalid11
 
Soil Compressibility (Elastic Settlement).pdf
byMahmoodKhalid11
 
Infinite Sequence and Series: It Includes basic Sequence and Series
byDynamicDomain1
 
Shear Strength of Soil/Mohr Coulomb Failure Criteria-1.pdf
byMahmoodKhalid11
 
Module 4 python programming-1BPLCK105B-2025 by Dr.SV.pdf
bySURESHA V
 
Chemical Hazards at Workplace – Types, Properties & Exposure Routes, CORE-EHS
byCORE EHS
 
Network Model for Biomedical Engineering Students
byOcheriCyril2
 
Applications of AI in Civil Engineering - Dr. Rohan Dasgupta
byRohan Dasgupta
 

FEAL - CSAW CTF 2014 Quals Crypto300

  • 1.
    FEAL APPENDIX FOR KATAGAITAICTF TECHTALK CSAW CTF 2014 QUALS - CRYPT0 300 YOU0708@YOKARO-MON
  • 2.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL NOTICE ▸ This material is an appendix for katagaitai CTF TechTalk ▸ https://atnd.org/events/71810 ▸ An modified version was used in katagaitai CTF ▸ Encryption key (SUBKEY) is fixed hex strings
  • 3.
    FEAL 4.3 CSAW CTF2014 QUALS CRYPT0 300 FEAL
  • 4.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL FEAL 4.3 ▸ Feal 4.3 is used for the question You must first solve a puzzle, a sha1 sum ending in 16 bit's set to 1, it must be of length 21 bytes, starting with PkExU2wOJRG/XBDB Welcome to feal 4.3 Please decrypt: edcf27af7821cc71615f329e78d1f65e
  • 5.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL FBOX IN FEAL 4.3 ▸ Feal 4.3 uses “rot 3” in fBox ▸ Differential values are not same with Feal 4
  • 6.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL DIFFERENTIAL VALUE In [1]: import array In [2]: %paste def rot3(x): return ((x<<3)|(x>>5))&0xff def gBox(a,b,mode): return rot3((a+b+mode)%256) def fBox(plain): (snip.) In [3]: x1 = array.array("B", "80800000".decode("hex")) In [4]: fBox(x1) Out[4]: [10, 64, 8, 68] In [5]: x2 = array.array("B", "00000000".decode("hex")) In [6]: fBox(x2) Out[6]: [10, 64, 8, 64] In [7]: for a, b in zip(fBox(x1), fBox(x2)): print a ^ b, ....: 0 0 0 4 ΔY = 0x00000004
  • 7.
    BREAKING FEAL 4.3 CSAW CTF2014 QUALS CRYPT0 300 FEAL
  • 8.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K3 FEALの最終ラウンドの差分解析49 0x02000000 key f 出力差分(ΔC1) ΔC1+ΔC2 入力差分(ΔX1) 入力差分(ΔX2) 出力差分(ΔC2) f(C1+C2+key)+f(C1’+C2’+key) この値は? ΔC1 = f(C1+C2+key)+f(C1’+C2’+key)+0x02000000 0x00000004 0x00000004
  • 9.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K3 k3 = None if k3 == None: print "[*] start k3 attack" p1, p2, c1, c2, dc1, dc2, dcL, dcR = get_dataset(f, n, array.array(“B”,"8080000080800000".decode("hex"))) for k3 in xrange(65536): k3 = array.array("B", "%04x"%k3) for i in xrange(n): if dcL[i] != list_xor( list_xor( fBox(list_xor(dc1[i], k3)), fBox(list_xor(dc2[i], k3))), array("B", “00000004”.decode("hex")) ): break else: print "[*] found k3: %s" % "".join(map(chr, k3)) break else: print "[!] could not find k3" return SUBKEY is hex string Multiple candidates will be find if you use few plainest sets
  • 10.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K2 0x02000000 key f 出力差分(ΔC1) ΔC1+ΔC2 入力差分(ΔX1) 入力差分(ΔX2) 出力差分(ΔC2) f(C1+C2+key)+f(C1’+C2’+key) この値は? ΔC1 = f(C1+C2+key)+f(C1’+C2’+key)+0x02000000 0x80800000 0x80800000 It can be calculated from encrypted value and k3 It can be calculated from encrypted value and k3
  • 11.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K2 for i in xrange(n): c1L = list_xor(c1[i][:4], c1[i][4:]) c1R = list_xor(c1[i][:4], fBox(list_xor(k3, list_xor(c1[i][4:], c1[i][:4])))) c2L = list_xor(c2[i][:4], c2[i][4:]) c2R = list_xor(c2[i][:4], fBox(list_xor(k3, list_xor(c2[i][4:], c2[i][:4])))) c1[i] = c1L + c1R c2[i] = c2L + c2R dcL[i] = list_xor(c1L, c2L) for k2 in xrange(65536): k2 = array.array("B", "%04x"%k2) for i in xrange(n): if dcL[i] != list_xor( list_xor( fBox(list_xor(c1[i][4:], k2)), fBox(list_xor(c2[i][4:], k2))), array("B", "80800000".decode("hex"))): break else: print "[*] found k2: %s" % "".join(map(chr, k2)) break else: print "[!] could not find k2" return Calculate ΔC1, ΔC2 using k3
  • 12.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K1 ▸ You must re-generate plaintext sets to change result after fBox FEALの差分解析41 次の差分を持つ平文ペアを入力する 0x8080000080800000 同じ鍵で暗号化されているため鍵の入力差分は0 0x80800000 0x80800000 0x80800000 0 0x02000000 ここの差分は不明 0 ΔC1 is fixed value It means: k1 can not be calculated
  • 13.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K1 ▸ e.g. ΔX = 0x0000000040000000 FEALの差分解析41 次の差分を持つ平文ペアを入力する 0x8080000080800000 同じ鍵で暗号化されているため鍵の入力差分は0 0x80800000 0x80800000 0x80800000 0 0x02000000 ここの差分は不明 0 0x00000000 0x40000000 0x40000000 ???? ???? ΔX1 = 0x40000000
  • 14.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K1 0x02000000 key f 出力差分(ΔC1) ΔC1+ΔC2 入力差分(ΔX1) 入力差分(ΔX2) 出力差分(ΔC2) f(C1+C2+key)+f(C1’+C2’+key) この値は? ΔC1 = f(C1+C2+key)+f(C1’+C2’+key)+0x02000000 0x40000000 0x40000000 It can be calculated from encrypted value and k3 It can be calculated from encrypted value, k3, and k2
  • 15.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K1 p1, p2, c1, c2, dc1, dc2, dcL, dcR = get_dataset(f, n, array.array("B","0000000040000000".decode("hex"))) for i in xrange(n): c1L = list_xor(c1[i][:4], c1[i][4:]) c1R = list_xor(c1[i][:4], fBox(list_xor(k3, list_xor(c1[i][4:], c1[i][:4])))) c2L = list_xor(c2[i][:4], c2[i][4:]) c2R = list_xor(c2[i][:4], fBox(list_xor(k3, list_xor(c2[i][4:], c2[i][:4])))) c1[i] = c1L + c1R c2[i] = c2L + c2R dcL[i] = list_xor(c1L, c2L) c1L = c1[i][4:] c1R = list_xor(c1[i][:4], fBox(list_xor(k2, c1[i][4:]))) c2L = c2[i][4:] c2R = list_xor(c2[i][:4], fBox(list_xor(k2, c2[i][4:]))) c1[i] = c1L + c1R c2[i] = c2L + c2R dcL[i] = list_xor(c1L, c2L) for k1 in xrange(65536): k1 = array.array("B", "%04x"%k1) for i in xrange(n): if dcL[i] != list_xor( list_xor( fBox(list_xor(c1[i][4:], k2)), fBox(list_xor(c2[i][4:], k2))), array("B", "80800000".decode("hex"))):
  • 16.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K0 ▸ e.g. ΔX = 0x0000000040000000 FEALの差分解析41 次の差分を持つ平文ペアを入力する 0x8080000080800000 同じ鍵で暗号化されているため鍵の入力差分は0 0x80800000 0x80800000 0x80800000 0 0x02000000 ここの差分は不明 0 0x00000000 0x40000000 0x0400000 ???? ???? ΔX1 = 0x00000000
  • 17.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K0 for i in xrange(n): c1L = c1[i][4:] c1R = list_xor(c1[i][:4], fBox(list_xor(k1, c1[i][4:]))) c2L = c2[i][4:] c2R = list_xor(c2[i][:4], fBox(list_xor(k1, c2[i][4:]))) c1[i] = c1L + c1R c2[i] = c2L + c2R dcL[i] = list_xor(c1L, c2L) for k0 in xrange(65536): k0 = array.array("B", "%04x"%k0) for i in xrange(n): if dcL[i] != list_xor(fBox(list_xor(c1[i][4:], k0)), fBox(list_xor(c2[i][4:], k0))): break else: print "[*] found k0: %s" % "".join(map(chr, k0)) break else: print "[!] could not find k0" return
  • 18.
    CSAW CTF 2014QUALS - CRYPT0 300: FEAL K4, K5, FLAG k4 = list_xor(list_xor(fBox(list_xor(k0, c1[0][4:])), c1[0][:4]), p1[0][:4]) print "[*] found k4: %s" % "".join(map(chr, k4)) k5 = list_xor(list_xor(list_xor(p1[0][:4], k4), c1[0][4:]), p1[0][4:]) print "[*] found k5: %s" % "".join(map(chr, k5)) k = [k0, k1, k2, k3, k4, k5] print "[*] got encryption key:", k flag = "".join(map(chr, feal.decrypt(array("B", flag1), k))) + "".join(map(chr, feal.decrypt(array("B", flag2), k))) print "[*] the flag is:", flag
  • 19.
    THANK YOU! CSAW CTF2014 QUALS CRYPT0 300 FEAL