Dastardly Evil Scientists - Crypto

Task

Oh no! A brilliant scientist with questionable ethics has encrypted Anthony's important research. Luckily, the scientist who did this was overconfident, and gave us both the encrypted research and the contraption used to encrypt it. Can you get Anthony's research back before it's too late?

nc ctf.ritsec.club 30984

Solution

We get information on how to connect to the server and server.py file which contains the following code:

from Crypto.Cipher import DES
from Crypto.Util.Padding import pad
from secret import KEY, FLAG

BLOCK_SIZE = 64

key = bytes.fromhex(KEY)
cipher = DES.new(key, DES.MODE_ECB)
flag = cipher.encrypt(pad(bytes(FLAG, "utf-8"), BLOCK_SIZE))

print("Here's the flag (in hex):", flag.hex())
print("=" * 64)
print("Encrypt something if you want, you can choose the key and the plaintext :)")
while True:
    try:
        key = bytes.fromhex(input("Key (in hex): "))
        plaintext = bytes.fromhex(input("Message to encrypt (in hex): "))
        print("=" * 64)
        cipher = DES.new(key, DES.MODE_ECB)
        ciphertext = cipher.encrypt(pad(plaintext, BLOCK_SIZE))
        print("Here's your message! (in hex):", ciphertext.hex())
        print("Here's your message! (in bytes):", ciphertext)
        print("=" * 64)
    except KeyboardInterrupt:
        break

The code indicates that we are dealing with the DES algorithm in ECB mode. After connecting to the server we obtain an encrypted flag in hex. Additionally, we're given the capability to encrypt a message of our choice using a specified key. These two values must be entered as hexadecimal. After providing these values, we receive ciphertext in both hexadecimal and bytes.

Weak keys

A DES block cipher has several specific keys which are called weak keys. These keys make DES encryption work identically to decryption. There are four weak keys in DES:

0101 0101 0101 0101
1F1F 1F1F 0E0E 0E0E
E0E0 E0E0 F1F1 F1F1
FEFE FEFE FEFE FEFE

These keys contain parity bits. If we remove every 8th bit we get the following key values:

0000000 0000000
0000000 FFFFFFF
FFFFFFF 0000000
FFFFFFF FFFFFFF

This insight does not change the approach to launching an attack on DES, because we still need a key to decrypt the message, but we can check if the weak key was used to encrypt a message in this task.

Simple Python script which tries to decrypt a message using 4 weak keys:

from Crypto.Cipher import DES
from base64 import *

cipher_text_string = "28e3a0ff9089aecc83465e470624a89253a1aac856a4f7ff08b4648b7c5eff9aa41a0dd1c7fc15995382dc3149dfcccf82241fb566fb5a0382241fb566fb5a03"
cipher_text_bytes = bytes.fromhex(cipher_text_string)

KEY=b'\x00\x00\x00\x00\x00\x00\x00\x00'
a = DES.new(KEY, DES.MODE_ECB)
plaintext = a.decrypt(cipher_text_bytes)
print (plaintext)

KEY=b'\x1E\x1E\x1E\x1E\x0F\x0F\x0F\x0F'
a = DES.new(KEY, DES.MODE_ECB)
plaintext = a.decrypt(cipher_text_bytes)
print (plaintext)

KEY=b"\xE1\xE1\xE1\xE1\xF0\xF0\xF0\xF0"
a = DES.new(KEY, DES.MODE_ECB)
plaintext = a.decrypt(cipher_text_bytes)
print (plaintext)

KEY=b"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
a = DES.new(KEY, DES.MODE_ECB)
plaintext = a.decrypt(cipher_text_bytes)
print (plaintext)

After executing the script, we get a flag which was encrypted using the following key:

\xE1\xE1\xE1\xE1\xF0\xF0\xF0\xF0

Flag:

RS{W0W_TH1S_K3YSP4C3_1S_4S_FL4T_4S_34RTH}