SwampCTF - "We Three Keys"
======
##### CTF Name: SwampCTF 2019
##### Challenge Name: We Three Keys
##### Challenge Category: Crypto
##### Difficulty: Easy
##### Points: 144
##### Challenge Description:
>In this modern world of cyber, keys are the new kings of the world. In fact, we will let you use the 3 best keys that I could find, make sure to see what they offer to you!
>
>nc chal1.swampctf.com 1441
>
>-=Created by noopnoop =-

### Solution
#### _Intro and Given Code_
This was an interesting crypto challenge which gave the source code to a faulty AES-CBC block cipher encryption service. It was basd on [this](https://cryptopals.com/sets/4/challenges/27) cryptopals challenge. The full script is shown [here](https://github.com/joshuahaddad/CTF_WriteUps/blob/master/SwampCtf/serv.py).
#### _AES-CBC Theory_

In the encryption, the plaintext is divided into multiple blocks. The encryption is then as follows:
*Let E_K(X) = AES encryption of X using key K,
B_i = the ith block,
C_i = the ith resultant ciphertext*

E_K(IV ⊕ B</sub>0</sub>) = C₀
E_K(C_i-1 ⊕ B</sub>i</sub>) = C_i

Decryption follows a similar pattern:
*Let D_K(X) = AES decryption of X using key K,
B_i = the ith plaintext block,
C_i = the ith ciphertext*

P_i = D_K(C_i) ⊕ C_i-1
P₀ = C₀ ⊕ IV

#### _Key=IV Attack_
Inspection of the main script for encryption and decryption reveals the vulnerability in the code:
`encrypt_message(key, key)`
Examination of the encryption code also reveals the block length to be 16 bytes:
`val = 16 - (len(msg) % 16)`
This code uses the key as the IV for encryption. Along with the ability to generate ciphertext and decrypt cipher text an attack can be mounted as follows:
1) Create a three block (48 byte) plaintext, note C₀ , C₁ , and C₂
2) Modify the ciphertext such that C₀ = C₂ to force D_K(C₂) = D_K(C₀)
3) Decrypt modified plaintext to obtain P₀, P₂, P₂ for the modified block
4) Compute D_K(C₀) using P</sub>2</sub> = D_K(C₂) ⊕ C₁ ⇒ P₂ ⊕ C₁ = D_K(C₂)
5) Compute IV = P</sub>1</sub> ⊕ D_K(C₀)
6) IV = Key, which contains the flag

**Using plaintext**:
616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161

**Encrypt with key 1**:
6b1a585f0788db5721bf270cf46f445308970de331a0a2f06fa9ba7a792d04df564337ed2f604008dc6acb88b23787fac23cd794b80b7979e1a32700274ff328

**Separate blocks**:
Load into python string and substring blocks of 32 `block1 = cipher[0:32]`
C₀ = 6b1a585f0788db5721bf270cf46f4453
C₁ = 08970de331a0a2f06fa9ba7a792d04df
C₂ = 564337ed2f604008dc6acb88b23787fa
C₃ = c23cd794b80b7979e1a32700274ff328 (This is a result of the newline character)

**Create Ciphertext C₀ + C₁ + C₀ + C₃ , noting C₁**:
6b1a585f0788db5721bf270cf46f445308970de331a0a2f06fa9ba7a792d04df6b1a585f0788db5721bf270cf46f4453c23cd794b80b7979e1a32700274ff328
C₁ = 08970de331a0a2f06fa9ba7a792d04df

**Decrypt Ciphertext**:
61616161616161616161616161616161616161616161616161616161616161610f9a0de52bb6f3e651bfb32f6c13098a2d497fa238f88b4fedc5fc945648d3b9
P</sub>0</sub> = 61616161616161616161616161616161
P</sub>2</sub> = 0f9a0de52bb6f3e651bfb32f6c13098a

**Compute P</sub>2</sub> ⊕ C₁ = D</sub>K</sub>(C₀)**:
D_K(C₀) = 70d00061a1651163e160955153e0d55.

**Compute D_K(C₀) ⊕ P</sub>0</sub> = IV = Key**:
IV = 666c61677b7730775f776834745f6c34.
Converting back to ASCII: *flag{w0w_wh4t_l4*.

**Decrypting on other keys and following same procedure**:
Since the above ciphertext is a valid encrypted string, we can use the same C₀ + C₁ + C₀ + C₃ for each key

Key 2:
P₂ = 90cceb203589b904830c91b4793ce0e2 P₀ = e222b9a8375061ab81d048a65f66d709
*Key = zy_k3yz_much_w34*

Key 3:
P₂ = 6a14b23d37551a4a3eecb3440267a4a8 P₀ = 09dcdcac7f85cc8a0e233d0f1739810a
*Key = k_crypt0_f41ls!}*

Flag: flag{w0w_wh4t_l4zy_k3yz_much_w34k_crypt0_f41ls!}

Original writeup (https://github.com/joshuahaddad/CTF_WriteUps/blob/master/SwampCtf/swampThreeKeys.md).