Cryptopals challenges solved in Ruby
This project demonstrates attacks on state-of-the-art Cryptography implementations, including AES, RSA, SHA-1, random number generators and much more...
- 46. RSA parity oracle
- cracks RSA encrypted message using one bit leak
- 45. DSA parameter tampering
- launches a DOS attack when g = np
- creates a DSA god key that validates any message when g = 1 + np
- 44. DSA nonce recovery from repeated nonce
- recovers DSA secret key x from reused session key k
- 43. DSA key recovery from nonce
- validates well signed message
- doesn't validate bad signed message
- recovers DSA secret key x from insecure session key k
- 42. Bleichenbacher's e=3 RSA Attack
- validates a legit RSA PKCS#1 v1.5 padded signature
- generates a fake signature for an e=3 RSA public key
- 41. Implement unpadded message recovery oracle
- recovers unpadded RSA encrypted message
Set 5: Diffie Hellman and Friends
- 40. Implement an E=3 RSA Broadcast attack
- cracks the broadcast RSA encrypted message when E is 3
- 39. Implement RSA
- encrypts and decrypts a message using RSA cryptosystem
- 38. Offline dictionary attack on simplified SRP
- authenticates when simplified SRP credentials matches
- fails to authenticate when simplified SRP credentials doesn't match
- cracks the password using MITM and dict attack on simplified SRP
- 37. Break SRP with a zero key
- confirms that session value is 0 when injected client key is 0
- confirms that session value is 0 when injected client key is N
- confirms that session value is 0 when injected client key is x * N
- 36. Implement Secure Remote Password (SRP)
- authenticates when credentials matches
- fails to authenticate when credentials doesn't match
- 35. Implement DH with negotiated groups, and break with malicious "g" parameters
- checks the negotiated groups protocol based on Diffie-Hellman
- confirms that generated session key = 1 when injected g = 1
- confirms that generated session key = 0 when injected g = p
- confirms that session key = (1 or p - 1) when injected g = p - 1
- 34. Implement a MITM key-fixing attack on Diffie-Hellman with parameter injection
- checks the Echo protocol based on Diffie-Hellman
- performs a man in the middle attack on Diffie-Hellman
- 33. Implement Diffie-Hellman
- ensures that the Diffie-Hellman session keys are valid
Set 4: Stream Crypto and Randomness
- 32. Break HMAC-SHA1 with a slightly less artificial timing leak
- finds the first byte of the HMAC from a tiny timing leak
- creates a valid HMAC from a tiny timing leak
- 31. Implement and break HMAC-SHA1 with an artificial timing leak
- works when the HMAC matches
- finds the first byte of the HMAC from timing leak
- creates a valid HMAC from timing leak
- 30. Break an MD4 keyed MAC using length extension
- works when the MAC matches
- fails when the MAC doesn't match
- creates a valid MD4 MAC from tempered data
- 29. Break a SHA-1 keyed MAC using length extension
- creates a valid SHA-1 MAC from tempered data
- 28. Implement a SHA-1 keyed MAC
- works when the MAC matches
- fails when the MAC doesn't match
- 27. Recover the key from CBC with IV=Key
- guesses the encryption key when key and IV are the same
- 26. CTR bitflipping
- modifies CTR encrypted text by flipping bits
- 25. Break "random access read/write" AES CTR
- attacks CTR using random access
Set 3: Block and Stream Crypto
- 24. Create the MT19937 stream cipher and break it
- creates a PRNG stream cipher
- creates cracks the PRNG stream cipher
- checks if a token comes from a MT19937 PRNG seeded with current time
- 23. Clone an MT19937 RNG from its output
- creates a copy of the state of a PRNG
- 22. Crack an MT19937 seed
- guesses the seed of a pseudorandom numbers generators
- 21. Implement the MT19937 Mersenne Twister RNG
- implements a pseudorandom numbers generators
- 20. Break fixed-nonce CTR statistically
- attacks same nonce in CTR as a repeating-key XOR
- 19. Break fixed-nonce CTR mode using substitutions
- attacks text encrypted with same nonce in CTR mode
- 18. Implement CTR, the stream cipher mode
- implements CTR mode using ECB
- 17. The CBC padding oracle
- attacks CBC using padding information
- 16. CBC bitflipping attacks
- decrypts CBC encrypted data
- 15. PKCS#7 padding validation
- strips valid padding
- fails while stripping bad padding
- 14. Byte-at-a-time ECB decryption (Harder)
- recovers the first byte of plain text from a random ECB oracle
- recovers the plain text from a random ECB oracle
- 13. ECB cut-and-paste
- alters ECB encrypted data
- 12. Byte-at-a-time ECB decryption (Simple)
- recovers the plain text from an ECB oracle
- 11. An ECB/CBC detection oracle
- detects ECB or CBC encryption mode
- 10. Implement CBC mode
- implements CBC mode decryption from AES-ECB cipher
- 9. Implement PKCS#7 padding
- appends padding to the input
- 8. Detect AES in ECB mode
- finds the AES-ECB encrypted line
- 7. AES in ECB mode
- decrypts AES-ECB encrypted file
- 6. Break repeating-key XOR
- checks the Hamming distance
- breaks a repeating key XOR
- 5. Implement repeating-key XOR
- encrypts a text with a key
- 4. Detect single-character XOR
- finds encrypted line
- 3. Single-byte XOR cipher
- decrypts simple XOR
- 2. Fixed XOR
- runs XOR
- 1. Convert hex to base64
- encodes hex to base64
The vulnerabilities exploited in the attacks are fully described on http://cryptopals.com
In the source code, you will find rough implementation of algorithms used in cryptography like SHA-1, MD4, MT19937...
Use ruby >= 2.3,
install the dependencies with bundle install and run it:
bundle exec run.rb
Usage:
run.rb [--help] [--slow] [SET_NUMBER]
SET_NUMBER : the number of the hacks set to run, from 1 to 6
--slow : run slow hacks, may take hours
--help : show help message
Examples:
bundle exec run.rb # run all hacks, except the slow ones
bundle exec run.rb --slow # run all hacks, including the slow ones
bundle exec run.rb 6 # run all Set#6 hacks, except the slow ones
bundle exec run.rb --slow 2 # run all Set#2 hacks, including the slow onesGNU GPL v3, see https://www.gnu.org/licenses/gpl-3.0.txt
Because it's fun, let's break some crypto 🔓