# Assignment 5. AES

Salavat Dinmukhametov

## Crypto basics 1

For this task I used the AES Excel [table](https://www.nayuki.io/page/aes-cipher-internals-in-excel). The plaintext and key look like this:

![](https://i.imgur.com/eOdJBVX.png)

The whole first round is shown below.

![](https://i.imgur.com/FrIUPQl.png)

The answer for the first round is in the table below:

| 62 | 62 | 62 | 62 |
| -------- | -------- | -------- | -------- |
| 63 | 63 | 63 | 63 |
| 63 | 63 | 63 | 63 |
| 63 | 63 | 63 | 63 |

## Crypto basics 2

### Padding Oracle Attack

A padding oracle attack can be mounted only when CBC encryption mode is used. To recover the message, a CBC decryption implementation usually decrypts the block, validates the padding, removes the padding and returns the plaintext. If we submit invalid padding, the server reports that decryption failed. This is a server error, and the response code will be 500.

Suppose the attacker has two ciphertext blocks A<sub>1</sub>, A<sub>2</sub> and she wants to decrypt the second block to get the plaintext B<sub>1</sub>, B<sub>2</sub>. The attacker changes the last byte of the ciphertext block and sends it to the server. The server then returns whether or not the padding of the last decrypted block is correct. If the padding is correct, the attacker now knows the last byte of the decrypted block. If the padding is incorrect, the attacker brute-forces all byte values from 0 to 255. To get the key, the attacker needs only 4080 attempts.

### CBC Byte Flipping Attack

The CBC byte flipping attack also relies on CBC encryption mode. It usually applies in scenarios where the encryption function takes some input as a payload, prepends a random string and appends another string to it before encrypting it. There are cases where the encryption function escapes some characters or character sequences from the supplied payload before encrypting it. The function escapes the “;” and “=” characters in the payload and then prepends and appends the strings.
It then encrypts the resulting string (the concatenation of the prepended string, the payload and the appended string). The given decryption function checks whether “;admin=true;” is still present in the decrypted string. If yes, the payload leads to a successful login as the admin. The problem here is that, because the “;” and “=” characters are escaped from the payload during encryption, one cannot directly give “;admin=true;” as the payload: the encryption function will change it to “?admin?true?” before encryption.

## Crypto basics 3

1. We may use the tool from the first exercise to compute all values. The keys k<sub>0</sub> and k<sub>1</sub> are given as a single array (W<sub>0</sub>,...,W<sub>7</sub>).

   ![](https://i.imgur.com/dtLxq29.png)

   So the output of the first round of AES for the input W and the subkeys W<sub>0</sub>, ..., W<sub>7</sub> is

   ![](https://i.imgur.com/3nhaIUr.png)

2. As in the previous example

   ![](https://i.imgur.com/kdN5g4K.png)

   but our plaintext is now all zeros. Answer:

   ![](https://i.imgur.com/gaUILfG.png)

3. We may notice that only the first column differs between the two tables.

   F4CC6B53<sub>16</sub> = 11110100110011000110101101010011<sub>2</sub>

   DCD87F6F<sub>16</sub> = 11011100110110000111111101101111<sub>2</sub>

   Answer: 10 bits.

## Crypto basics 4

Starting from RC\[1\] = 01, RC\[i\] = 02 × RC\[i−1\] mod P(x), where P(x) is the AES polynomial.

RC\[8\] = x<sup>7</sup> = (10000000)<sub>2</sub> = 80<sub>16</sub>

RC\[10\] = x<sup>5</sup> + x<sup>4</sup> + x<sup>2</sup> + x = 00110110<sub>2</sub> = 36<sub>16</sub>
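
The round-constant recurrence above, and the key words W<sub>0</sub>, ..., W<sub>7</sub> from Crypto basics 3, as an added Python example that is not part of the original assignment: it generates RC\[1..10\], feeds them into the AES-128 key expansion, and counts the differing bits between two words. The function names are assumptions of this example, and the S-box is derived from the field inverse and the affine map rather than taken from a lookup table.

```python
# Added example, not part of the assignment; all function names are illustrative.
AES_POLY = 0x11B  # P(x) = x^8 + x^4 + x^3 + x + 1

def xtime(b):
    """Multiply by 02 (that is, by x) in GF(2^8), reducing modulo P(x)."""
    b <<= 1
    return b ^ AES_POLY if b & 0x100 else b

def round_constants(n=10):
    """RC[1] = 01, RC[i] = 02 * RC[i-1] mod P(x); returns {i: RC[i]}."""
    rc, out = 0x01, {}
    for i in range(1, n + 1):
        out[i] = rc
        rc = xtime(rc)
    return out

def gf_mul(a, b):
    """General GF(2^8) product by shift-and-add, built on xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def sbox(b):
    """AES S-box: field inverse (b^254, which maps 0 to 0), then the affine map."""
    inv = 1
    for _ in range(254):
        inv = gf_mul(inv, b)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

def expand_key_128(key):
    """Return the AES-128 key schedule words W[0..43] as 32-bit integers."""
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    rc = round_constants()
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = ((t << 8) | (t >> 24)) & 0xFFFFFFFF  # RotWord
            t = int.from_bytes(bytes(map(sbox, t.to_bytes(4, "big"))), "big")  # SubWord
            t ^= rc[i // 4] << 24  # RC[i/4] goes into the top byte
        w.append(w[i - 4] ^ t)
    return w

def bit_difference(a, b):
    """Number of bit positions in which two words differ."""
    return bin(a ^ b).count("1")
```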