Bitcoin Forum
Author Topic: the goxsh script is zero-padding the secret and then encrypting in ECB mode  (Read 863 times)
prof7bit (Hero Member, Activity: 672)
February 27, 2013, 08:27:34 PM  #1
hello!

I am not a crypto-guru, so I might be wrong, but this seems highly suspicious to me:


      from Crypto.Cipher import AES   # PyCrypto, the library this AES.new(...) API belongs to

      password = password[0:32]                 # raw password, cut to 32 bytes, used directly as the AES key
      aes = AES.new(password, AES.MODE_ECB)     # ECB: every 16-byte block is encrypted independently
      secret = str.zfill(secret, 128)           # left-pads with the ASCII character '0' up to 128 bytes
      secret = aes.encrypt(secret)


It turns out that before zero padding the length of secret is 88 bytes and after it is 128 bytes, so there is more than one complete block (key length = 32 bytes) of known plaintext, and because of ECB mode all other 32 byte blocks will be encoded with the very same key! Isn't this dangerous? Shouldn't it be padded with random bytes instead, and also the ECB mode be completely avoided?

Old Bitcoins recycling and disposal: 1N7ZcHoe77JncRYAg27RVqJZbrjqUQ77WE
Blockchain.info -> Multibit converter (and much more) https://github.com/prof7bit/wallet-key-tool
Zeilap (Full Member, Activity: 154)
February 27, 2013, 09:31:21 PM  #2
Quote from: prof7bit on February 27, 2013, 08:27:34 PM
> hello!
>
> I am not a crypto-guru, so I might be wrong, but this seems highly suspicious to me:
>
>       password = password[0:32]
>       aes = AES.new(password, AES.MODE_ECB)
>       secret = str.zfill(secret, 128)
>       secret = aes.encrypt(secret)
>
> It turns out that before zero padding the length of secret is 88 bytes and after it is 128 bytes, so there is more than one complete block (key length = 32 bytes) of known plaintext, and because of ECB mode all other 32 byte blocks will be encoded with the very same key! Isn't this dangerous? Shouldn't it be padded with random bytes instead, and also the ECB mode be completely avoided?

I'm no crypto guru either, but here is a simple attack:

Code:
from Crypto.Cipher import AES

# passwords is a large list of common passwords
# (goxsh hands the password to AES raw, so only 16/24/32-byte entries are valid keys)
passwords = ['querty', 'password', ... ]

# map of encrypted padding block (i.e. result of encrypting a full 16-byte block of '0') => password
zeroCiphers = {}

# fill the zeroCiphers
for password in passwords:
    aes = AES.new(password, AES.MODE_ECB)
    zeroCiphers[aes.encrypt('0' * 16)] = password


def decrypt(ciphertext):
    # get the last block (we're hoping it's from encrypting the zero padding;
    # note that str.zfill pads on the left, so in goxsh the '0' blocks sit at the front)
    lastBlock = ciphertext[-16:]

    # look up this encrypted padding block in our table to get the password (None if unknown)
    password = zeroCiphers.get(lastBlock)

    if password is not None:
        # BINGO!
        aes = AES.new(password, AES.MODE_ECB)
        return aes.decrypt(ciphertext)
    else:
        return ''

Quick fix is to change to Cipher Block Chaining, so that the cipher changes every block and you don't know which blocks were originally zero padding.


Please send a share of any stolen bitcoins to the address in my sig ;)

1GLeSqooAPe8PfWbJecnL3AteDac2B3cqj
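The weakness prof7bit spotted and the CBC fix Zeilap proposes, as an added example that is not code from this thread or from goxsh. It is written in Go with only the standard library so it runs without PyCrypto. It reproduces the zfill-then-ECB construction on two constructed 88-byte secrets and shows what a reviewer can check without knowing the key: AES blocks are 16 bytes regardless of the 32-byte key, so 40 bytes of '0' padding yield two identical ciphertext blocks, identical across different secrets, and equal to the encryption of a full block of '0' (the value Zeilap's lookup table keys on). It then applies CBC with a random IV and PKCS#7 padding so the same checks come back clean. The function names, the sample secrets and the SHA-256 key derivation are my assumptions; goxsh itself used the raw password truncated to 32 bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample secrets, 88 bytes each like the one in the thread; not real keys.
var secretA = []byte("A:constructed-demo-secret:0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
var secretB = []byte("B:constructed-demo-secret:0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

// keyFromPassword: ASSUMPTION. goxsh used the raw password cut to 32 bytes; hashing is used here only so any password gives a valid AES-256 key (a real fix would use a password KDF).
func keyFromPassword(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// zfillPad mirrors Python's str.zfill(secret, 128): LEFT-padding with the ASCII character '0', not NUL bytes.
func zfillPad(secret []byte, width int) []byte {
	if len(secret) >= width {
		return secret
	}
	return append(bytes.Repeat([]byte{'0'}, width-len(secret)), secret...)
}

// ecbEncrypt reproduces the weak construction: each 16-byte block is encrypted independently under the same key.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ecb: input length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// repeatedBlocks counts blocks that duplicate an earlier one: the key-less ECB tell a reviewer can run on stored data.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

// cbcEncrypt is the thread's suggested fix: CBC with a fresh random IV (prepended) and PKCS#7 padding.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	p := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(p)}, p)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// cbcDecrypt reverses cbcEncrypt and validates the PKCS#7 padding before stripping it.
func cbcDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("cbc: bad key or ciphertext length (%v)", err)
	}
	padded := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(padded, ct[aes.BlockSize:])
	p := int(padded[len(padded)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(padded[len(padded)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, fmt.Errorf("cbc: bad padding")
	}
	return padded[:len(padded)-p], nil
}

func main() {
	key := keyFromPassword("constructed-demo-password")
	ecb, _ := ecbEncrypt(key, zfillPad(secretA, 128))
	cbc, _ := cbcEncrypt(key, secretA)
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecb), "  CBC repeated blocks:", repeatedBlocks(cbc))
}
```

With the ECB construction, the first two ciphertext blocks of any secret encrypted under a given password are the same value, which is why a precomputed table of encrypted '0' blocks per candidate password works as a password check. CBC with a random IV removes that structure, but it still provides no integrity: a stored secret should additionally be covered by a MAC or an authenticated mode, and the key should come from a proper password KDF rather than from the password bytes themselves.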