Link: https://cryptopals.com/
Done: 66/66
- PyCryptodome
- IACR Publications DB
- NIST Projects (US gov. approved standards)
References (see also 8/)
- 1.7: AES / ECB
- 2.9: PKCS #7 - RFC 5652
- 2.10: CBC
- 3.17: CBC padding oracle
  - Vaudenay, Security Flaws Induced by CBC Padding, 2002
- 3.18-20: CTR
- 3.21-24: Mersenne Twister (pseudocode)
  - Makoto Matsumoto's MT page
- 4.28-29: SHA-1 (pseudocode)
- 4.29: Duong–Rizzo, Flickr's API Signature Forgery Vulnerability, 2009
- 4.30: MD4
- 4.31-32: HMAC
  - RFC 2104
- 5.33-35: Diffie–Hellman
  - RFC 3526
- 5.36-38: SRP
- 5.39-40: RSA
- 6.42: Bleichenbacher's attack (2006)
  - Hal Finney's writeup
- 6.43-45: DSA
- 6.45: Vaudenay, The Security of DSA and ECDSA, 2003
- 6.46-48: Bleichenbacher's attack (1998)
  - Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, 1998
  - See also: Fujisaki et al., RSA-OAEP Is Secure under the RSA Assumption, 2004
- 7.49-50: CBC-MAC
- 7.50: Matthew Green's blog post
- 7.51: Duong–Rizzo, The CRIME attack, 2012
- 7.52: Merkle–Damgård
  - Joux, Multicollisions in iterated hash functions, 2004
- 7.53: Kelsey–Schneier, Second Preimages on n-bit Hash Functions for Much Less than 2ⁿ Work, 2004
- 7.54: Kelsey–Kohno, Herding Hash Functions and the Nostradamus Attack, 2006
- 7.55: Wang et al., Cryptanalysis of the Hash Functions MD4 and RIPEMD, 2005
  - Improved by: Sasaki et al., New Message Difference for MD4, 2007
- 7.56: RC4
  - On the Security of RC4 in TLS and WPA (paper, biases)
  - See also (attack implemented in aircrack-ng): Klein, Attacks on the RC4 stream cipher, 2006
- os: contains urandom()
- secrets: secure (strongly non-predictable and non-reproducible) alternative to the random module (Mersenne Twister-based pseudo-random number generator, reproducible)
- hashlib: secure hash functions
- hmac: keyed hashing for authentication
- base64: common binary-to-text encodings
| Conversion | Python |
|---|---|
| bytes -> int | `int.from_bytes(b, 'big')` |
| int -> bytes | `i.to_bytes(length, 'big')` or `i.to_bytes((i.bit_length()+7)//8, 'big')` |
| bytes -> hex str | `b.hex()` |
| hex str -> bytes | `bytes.fromhex(h)` |
| int -> hex repr (0x..) | `hex(i)` |
| int -> bin repr (0b..) | `bin(i)` |
- 3.17 (CBC padding oracle): A simple padding-oracle leak allows easy decryption.
- 7.51 (CRIME): Analogous to timing-leak attacks, but taking advantage of compression. Not that surprising in theory, but it performs amazingly well in practice.
- 8.62 (ECDSA biased nonces): A minor bias of a few bits in the DSA temporary keys reveals the private key after capturing only a handful of signatures. An unbelievably powerful reduction to a lattice problem solved with LLL.
- 8.64 (GCM short tags): When GCM is used with short, truncated MACs, a single captured message plus an available authentication oracle snowball spectacularly into recovery of the authentication key.
- 4.29 (Merkle–Damgård secret-prefix MAC): On why one should not treat a hash function as an inviolable black box when building a MAC (and should use HMAC instead).
- 7.50 (CBC-MAC hashing): On why, conversely, a MAC with a fixed key does not make a proper hash function (this only holds for HMAC, by design).
- 8.61 (RSA sig. dup.): On using discrete-log techniques to construct RSA keys that validate a given signature (or decrypt a given message to a target plaintext).
- 8.63 (GCM repeated nonce): Repeating a GCM nonce even once (almost) reveals the authentication key. Interesting for the maths involved, though not that surprising.
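As an added example (not code from the solutions this page indexes), here is HMAC built from the hashlib primitives listed above exactly as RFC 2104 specifies it (the 4.31-32 reference), together with the constant-time tag check those two challenges are about; the nested keyed structure is what note 4.29 means by not treating the hash as a black box. Function names are my own, and the cross-check uses the standard-library hmac module.

```python
import hashlib
import hmac  # standard-library reference, used only to cross-check and for compare_digest

# RFC 2104: HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)),
# where K' is K zero-padded to the hash block size (hashed first if longer).
IPAD = 0x36
OPAD = 0x5C


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC of `message` under `key`, using the hashlib algorithm `hash_name`."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1 and SHA-256
    if len(key) > block_size:
        # Keys longer than one block are replaced by their hash (RFC 2104, section 2).
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ IPAD for b in key)
    outer_key = bytes(b ^ OPAD for b in key)
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Check a received tag in time independent of where the first mismatch is.

    A comparison that stops at the first differing byte leaks that position through
    timing; compare_digest is the mitigation the 4.31-32 challenges point at."""
    expected = hmac_rfc2104(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check this construction against the hmac module for the same inputs."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # RFC 4231 test case 1 (HMAC-SHA-256): key = 20 bytes of 0x0b, data = "Hi There".
    key, data = b"\x0b" * 20, b"Hi There"
    tag = hmac_rfc2104(key, data)
    print(tag.hex())  # b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
    print(verify_tag(key, data, tag))  # True
    print(matches_stdlib(b"k" * 100, b"long-key path", "sha1"))  # True
```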