Project 3
AES block cipher modes

In this project you will answer a series of questions about AES. In this description you will see five questions, Question 1,…,Question 5. You should answer each of these in a separate document, preferably a markdown document like this one. Please do not use MS word or another word processing program. The cocalc text editor is fine. Please clearly indicate your solution by using an informative filename like solution.md.

In class last week we played around a bit using block cipher modes and openssl. For reference I have given you an example of how to use the tool in the file called enc.sh in your directory:

hunter@pop-os:~/Desktop/aes_play$ cat enc.sh
KEY=000102030405060708090A0B0C0D0E0F
IV=101112131415161718191A1B1C1D1E1F
openssl aes-128-ecb -e -K $KEY -in plaintext -out ct_ecb
You can execute this script by doing this at the terminal:

hunter@pop-os:~/Desktop/aes_play$ . enc.sh
This will produce the output ct_ecb which is the encryption of the plaintext in the file called plaintext.

After running enc.sh you should be able to look at the cipertext and plaintext using the hex editor xxd. The output should look like this:

hunter@pop-os:~/Desktop/aes_play$ xxd ct_ecb
00000000: 29ab 9897 1f42 5ad4 e4b5 d5cf 4c7a fd68  )….BZ…..Lz.h
00000010: 5a3f 6b23 d9de ddd5 8910 9a6f dfd4 9902  Z?k#…….o….
00000020: 1983 2768 4597 007e 4331 314e dfa7 1811  ..’hE..~C11N….
00000030: 77ec caa1 03ce 813a 4070 2661 a7c4 7b5f  w……:@p&a..{_
00000040: 06b1 9024 f5cd 9667 99c7 4ddc d479 b661  …$…g..M..y.a
00000050: 08d3 1d4d 1bd7 e600 fc18 b6f2 eedb 3148  …M……….1H
00000060: 6a87 f1b2 dc3b e5df 8eac 13b1 9be2 a7fd  j….;……….
00000070: 8911 1e63 804c 7023 e112 7209 0c15 aa1c  …c.Lp#..r…..
00000080: ffa3 0de9 e609 1259 d6a9 9640 080d 876b  …….Y…@…k
00000090: 657e d2d7 403f 0535 d192 5bc8 2d35 098d  e~..@?.5..[.-5..
000000a0: 0a05 80ec de7b fc2f 3f60 7c39 516e 5e93  …..{./?`|9Qn^.
000000b0: a21e 8a78 c563 0b49 5342 470c e2fb 36d3  …x.c.ISBG…6.
hunter@pop-os:~/Desktop/aes_play$ xxd plaintext
00000000: 4166 7465 7220 616c 6c2c 2069 7427 7320  After all, it’s
00000010: 6561 7379 2074 6f20 7265 6f70 656e 2073  easy to reopen s
00000020: 6368 6f6f 6c73 2069 6620 7468 6520 6e65  chools if the ne
00000030: 7773 2069 7320 676f 6f64 2e20 2046 6f72  ws is good.  For
00000040: 2065 7861 6d70 6c65 2c20 6d79 2063 6f6c  example, my col
00000050: 6c65 6167 7565 7320 616e 6420 4920 6f62  leagues and I ob
00000060: 7365 7276 6564 2074 6865 2075 7365 206f  served the use o
00000070: 6620 7363 686f 6f6c 2063 6c6f 7369 6e67  f school closing
00000080: 7320 616e 6420 6f74 6865 7220 4e50 4973  s and other NPIs
00000090: 2064 7572 696e 6720 7468 6520 3230 3039  during the 2009
000000a0: 2048 314e 3120 696e 666c 7565 6e7a 6120  H1N1 influenza
000000b0: 6570 6964 656d 6963 2e0a 0a              epidemic…
Notice that the plaintext is 12 blocks long, as is the ciphertext. But the ciphertext has been padded such that the last block is a full 16 bytes.

You can get the ciphertext as hex without formatting by using the -p option with xxd:

hunter@pop-os:~/Desktop/aes_play$ xxd -p ct_ecb
29ab98971f425ad4e4b5d5cf4c7afd685a3f6b23d9deddd589109a6fdfd4
9902198327684597007e4331314edfa7181177eccaa103ce813a40702661
a7c47b5f06b19024f5cd966799c74ddcd479b66108d31d4d1bd7e600fc18
b6f2eedb31486a87f1b2dc3be5df8eac13b19be2a7fd89111e63804c7023
e11272090c15aa1cffa30de9e6091259d6a99640080d876b657ed2d7403f
0535d1925bc82d35098d0a0580ecde7bfc2f3f607c39516e5e93a21e8a78
c5630b495342470ce2fb36d3
Redirect this into a file of its own:

xxd -p ct_ecb > ct_ecb.hex
Now edit the hex and change the sequence 06b19024 from the 5th block so that it becomes 86b19024. Notice that this is a one bit change. Save the changes to ct_ecb.hex.

Now use xxd in reverse mode to convert the altered hex back into a binary file:

xxd -r -p ct_ecb.hex > ct_ecb_bitflip
Now decrypt this file as if it were the ciphertext for the original plaintext.

For how to do the decryption, look in the file dec.sh.

Question 1

How has the plaintext changed? Paste what you see on the command line when you xxd both the original plaintext and the decrypt of the altered ciphertext.

Question 2

Repeat all of the above, but this time use CBC mode (please use the IV provided in enc.sh). Again change a single bit in the 5th block of the ciphertext. In particular, change 32429b73 to 22429b73. How does the plaintext change? Which lines are affected? Why does it happen? Again paste both the xxd of the original and altered plaintext.

You can use this encryption command:

hunter@pop-os:~/Desktop/aes_play$ openssl aes-128-cbc -e -K $KEY -iv $IV -in plaintext -out ct_cbc
Question 3

Repeat all of the steps above, but this time use CTR mode. Notice that the ciphertext is not padded in this case. Why not? In the bit flip part of the exercise, change 166186a5 to 366186a5. Which blocks change? How do they change? Why is that the change?

You can use this encryption command:

hunter@pop-os:~/Desktop/aes_play$ openssl aes-128-ctr -e -K $KEY -iv $IV -in plaintext -out ct_ctr
Part 2
In this section you will break a ciphertext. This is possible because the developer (me) has made a terrible error. He has encrypted two files using aes-128-ctr using the same key and the same IV. Even worse: The plaintext of one of the files is known to the attacker (you)!

Question 4

Why is this a mistake? What is the basic plan for decrypting the ciphertext for which the plaintext is unknown?

The files were encrypted using a truly random 128 bit key to which you do not have access. One of the files is just the file called plaintext which you have in your directory. The ciphertext files are called pt_key2 and m2_key2. The file pt_key2 is the encryption of plaintext, but m2_key2 is the encryption of an as yet unknown file.

To help you along I have given you a program called xor. The source code is in the file xor.c. You use it like this:

$ ./xor file1 file2 > file3
This XORs file1 and file2 on the byte level and puts the result in file3. Because file1 and file2 are probably not the same length, file3 is only as long as the shorter of file1 and file2.

Question 5

What is the decryption of m2_key2? (Or as much of it as you can find)?