Title: the goxsh script is zero-padding the secret and then encrypting in ECB mode
Post by: prof7bit on February 27, 2013, 08:27:34 PM

hello!
I am not a crypto-guru, so I might be wrong but this seems highly suspicious to me:

Code:
password = password[0:32]
aes = AES.new(password, AES.MODE_ECB)
secret = str.zfill(secret, 128)
secret = aes.encrypt(secret)

It turns out that before zero padding the length of secret is 88 bytes and after it is 128 bytes, so there is more than one complete block (key length = 32 bytes) of known plaintext and because of ECB mode all other 32 byte blocks will be encoded with the very same key! Isn't this dangerous? Shouldn't it be padded with random bytes instead and also the ECB mode be completely avoided?

Title: Re: the goxsh script is zero-padding the secret and then encrypting in ECB mode
Post by: Zeilap on February 27, 2013, 09:31:21 PM

> hello!
> I am not a crypto-guru, so I might be wrong but this seems highly suspicious to me:
>
> password = password[0:32]
> aes = AES.new(password, AES.MODE_ECB)
> secret = str.zfill(secret, 128)
> secret = aes.encrypt(secret)
>
> It turns out that before zero padding the length of secret is 88 bytes and after it is 128 bytes, so there is more than one complete block (key length = 32 bytes) of known plaintext and because of ECB mode all other 32 byte blocks will be encoded with the very same key! Isn't this dangerous? Shouldn't it be padded with random bytes instead and also the ECB mode be completely avoided?

I'm no crypto guru either, but here is a simple attack:

Code:
# passwords is a large list of common passwords

Quick fix is to change to Cipher Block Chaining, so that the cipher changes every block and you don't know which blocks were originally zero padding.

Please send a share of any stolen bitcoins to the address in my sig ;)
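Added example, not part of either post and not goxsh code: an audit check that counts repeated 16-byte ciphertext blocks, run over the zero-padded layout from the thread under ECB-style and CBC-style processing. To run with only the standard library it assumes a truncated HMAC-SHA256 as a stand-in for the AES block operation; `KEY`, `SECRET` and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes (the 32 in the snippet is the key length)


def block_prf(key, block):
    # Stand-in for one AES block encryption (assumption: HMAC-SHA256 truncated
    # to 16 bytes). Deterministic and keyed, but not a real, decryptable cipher.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_like(key, plaintext):
    # ECB: each block is transformed independently under the same key.
    return b"".join(block_prf(key, b) for b in split_blocks(plaintext))


def cbc_like(key, plaintext):
    # CBC: XOR each block with the previous ciphertext block (random IV first).
    prev = os.urandom(BLOCK)
    out = [prev]
    for b in split_blocks(plaintext):
        prev = block_prf(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext):
    # Audit check: number of blocks that duplicate an earlier block.
    found = split_blocks(ciphertext)
    return len(found) - len(set(found))


# Constructed sample values, not real credentials.
KEY = b"k" * 32
SECRET = hashlib.sha512(b"constructed sample").hexdigest()[:88]
PADDED = SECRET.zfill(128).encode()       # same padding as the snippet
KNOWN_PREFIX = len(PADDED) - len(SECRET)  # bytes of ASCII "0" on the left

if __name__ == "__main__":
    print("known prefix:", KNOWN_PREFIX, "bytes =", KNOWN_PREFIX // BLOCK, "full blocks")
    print("ECB repeated blocks:", repeated_blocks(ecb_like(KEY, PADDED)))
    print("CBC repeated blocks:", repeated_blocks(cbc_like(KEY, PADDED)))
```

Chaining with a random IV hides the repeated padding blocks, but it does not change how the key is derived from the password.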