(EN) Author's writeup: [CRYPTO] haki-tako-game LINE CTF 2024
Hello, I'm @nya384. This post is the author's writeup for LINE CTF 2024. I am the author of the [crypto] haki-tako-game and [misc] rum-runners-ruse challenges.
Thank you for taking on my challenges. I enjoyed reading the writeups you shared. Detailed solutions are given in the participants' writeups (you can find them on Google).
Therefore, in this post I would like to focus on the lessons and the background behind creating these challenges.
[crypto] haki-tako-game
Challenge Introduction
Players are given a server URL and port along with the server's source code. The server offers two decryption oracles: one for CBC mode and one for CFB-128 mode.
On connecting, players receive a PIN code encrypted with AES-GCM, which they must decrypt. However, the CFB-128 decryption oracle replaces part of its decryption result with 0x00 bytes (truncated CFB).
Players obtain the FLAG by crafting queries that let them decrypt the PIN code and submitting it to the server.
Lessons
There are two lessons:
- Even when using different modes of operation, use a separate key for each.
- In some cases, an integrity check through a MAC or AEAD helps prevent a loss of confidentiality.
Background of the Challenge
I set the following guidelines for creating this challenge:
- 1. The basic idea of the challenge comes from real-world applications or protocols.
- 2. The challenge is rich in educational implications.
- 3. The challenge is designed so that players can focus on analyzing the cryptographic logic.
For 1, this comes from a personal wish to introduce papers that originate in the design of real-world applications. For 2, I selected source papers whose lessons are easy to reflect in the challenge design. For 3, concretely, this meant disclosing all of the source code except the flag and designing the challenge with a clear goal.
cf. for 3.
Challenge Idea
The challenge idea comes from the following two attacks:
- Related Mode Attack [Phan and Siddiqi 05] [Dayin, Lin, and Wu 07]
- AEAD-to-CBC Downgrade Attacks on CMS [Roth and Strenzke 23]
The idea behind the Related Mode Attack is that one mode of operation can be used to construct part or all of another mode of operation. The Related Mode Attack is known as a generalization of the Related Cipher Attack [Wu02].
The AEAD-to-CBC Downgrade Attack, although [Roth and Strenzke 23] does not state this explicitly, is built on a similar idea to the Related Mode Attack. It uses a CBC-mode decryption oracle to recover the complete plaintext when part of a GCM keystream block (equivalently, part of the plaintext) is unknown. It relies on three facts: the block cipher's encryption/decryption function is a bijection, the encryption part of GCM is essentially CTR mode, and the block cipher input nonce||counter is known. Because of this, an attacker brute-forcing the unknown part of a keystream block can tell which candidate is correct by having the CBC oracle decrypt the candidate as a single block (with the IV XORed back out, or an all-zero IV): the raw block decryption of the true keystream block is exactly the counter block.
- For an incorrect keystream candidate:
nonce||counter_{i} != CBC_{Dec}(keystream_{i}, k)
- For the correct keystream:
nonce||counter_{i} == CBC_{Dec}(keystream_{i}, k)
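The check above, carried through end to end as an added example (this is not the challenge server's code). It models the setting described in this post: one key shared by the GCM keystream, a CBC decryption oracle and a truncated CFB-128 oracle. Everything concrete here is an assumption of the example, not something the post specifies: a 4-round Feistel network over SHA-256 stands in for AES (the attack only needs a bijective 128-bit block cipher), the oracles accept an attacker-chosen IV and a single block, the CFB oracle blanks the last two bytes of its output, and GCM's counter for plaintext block i is i + 1. The CFB oracle is used as the related-mode step (CFB decryption with IV = nonce||counter yields E_k(nonce||counter), the GCM keystream block), and the CBC oracle as the downgrade step that confirms a brute-forced candidate. The second call in `demo` shows lesson 1: once the CBC oracle has its own key, no candidate can pass the check.

```python
"""Added example (not the challenge server's code): a model of the
haki-tako-game setting in which one key is shared by GCM's CTR keystream,
a CBC decryption oracle and a truncated CFB-128 decryption oracle.
A 4-round Feistel network over SHA-256 stands in for AES: the attack only
needs a bijective 128-bit block cipher, not AES itself."""
import hashlib
import os

BLOCK = 16
NONCE_LEN = 12
HIDDEN = 2  # assumption: the CFB oracle blanks the last 2 bytes of each block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def enc_block(key: bytes, block: bytes) -> bytes:
    """Toy block cipher E_k; a Feistel network is a permutation of 16-byte blocks."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def dec_block(key: bytes, block: bytes) -> bytes:
    """Inverse permutation D_k."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def counter_block(nonce: bytes, i: int) -> bytes:
    """GCM encrypts plaintext block i (1-based) with E_k(nonce || counter) where
    counter = i + 1; counter value 1 is reserved for masking the tag."""
    return nonce + (i + 1).to_bytes(4, "big")


def gcm_encrypt_ctr_part(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Only the CTR part of GCM; the tag plays no role in the attack."""
    out = b""
    for off in range(0, len(pt), BLOCK):
        ks = enc_block(key, counter_block(nonce, off // BLOCK + 1))
        out += _xor(pt[off:off + BLOCK], ks)
    return out


def cbc_dec_oracle(key: bytes, iv: bytes, block: bytes) -> bytes:
    """Single-block CBC decryption: D_k(C) XOR IV."""
    return _xor(dec_block(key, block), iv)


def cfb_dec_oracle(key: bytes, iv: bytes, block: bytes) -> bytes:
    """Single-block CFB-128 decryption E_k(IV) XOR C, followed by the
    challenge's truncation: the last HIDDEN bytes are replaced with 0x00."""
    pt = _xor(enc_block(key, iv), block)
    return pt[:-HIDDEN] + b"\x00" * HIDDEN


def recover_block(nonce: bytes, ct: bytes, i: int, cfb_key: bytes, cbc_key: bytes):
    """Recover plaintext block i of the GCM ciphertext using both oracles.
    Returns None when no keystream candidate passes the CBC check."""
    ctr = counter_block(nonce, i)
    # Related-mode step: CFB decryption with IV = ctr and C = 0 returns
    # E_k(ctr), i.e. GCM keystream block i, except for the HIDDEN bytes.
    partial = cfb_dec_oracle(cfb_key, ctr, b"\x00" * BLOCK)[:-HIDDEN]
    # Downgrade step: brute-force the hidden bytes.  With an all-zero IV the
    # CBC oracle returns D_k(candidate), which equals ctr only for the true
    # keystream block, because E_k is a bijection.
    for guess in range(256 ** HIDDEN):
        cand = partial + guess.to_bytes(HIDDEN, "big")
        if cbc_dec_oracle(cbc_key, b"\x00" * BLOCK, cand) == ctr:
            off = (i - 1) * BLOCK
            return _xor(ct[off:off + BLOCK], cand)
    return None


def demo() -> dict:
    """Constructed sample: a two-block 'PIN' under a random key and nonce."""
    key, nonce = os.urandom(16), os.urandom(NONCE_LEN)
    pt = b"PIN=4821395 ok!!" + b"second block...."
    ct = gcm_encrypt_ctr_part(key, nonce, pt)
    return {
        # All three modes share one key: block 1 is recovered.
        "shared_key": recover_block(nonce, ct, 1, key, key),
        # Lesson 1: give the CBC oracle its own key and the check that
        # confirms a candidate (D_k(cand) == ctr) never succeeds.
        "separate_cbc_key": recover_block(nonce, ct, 1, key, os.urandom(16)),
    }


if __name__ == "__main__":
    print(demo())
```

Two bytes hidden means at most 65536 oracle queries per block, which is why a truncation of a few bytes is not a defence on its own; the CBC oracle turns the partial keystream into a confirmable guess. Separating the keys removes the confirmation, which is the first lesson above.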
I personally find this material interesting because it comes from the analysis of real-world applications. [Dayin, Lin and Wu 07] and [Roth and Strenzke 23] can be read for free at the PDF URLs below. Please check them out.
Free to access:
- [Dayin, Lin and Wu 07] : https://www.semanticscholar.org/paper/Related-Mode-Attacks-on-CTR-Encryption-Mode-Wang-Lin/cf6ce8e7ebc898d728e0c193f3fbaf3d56e42e3f
- [Roth and Strenzke 23] : https://datatracker.ietf.org/meeting/118/materials/slides-118-lamps-attack-against-aead-in-cms-00.pdf
Paywalled:
- [Wu02] https://link.springer.com/chapter/10.1007/3-540-36159-6_38
- [Phan and Siddiqi 05] : https://link.springer.com/chapter/10.1007/11424857_73
[misc]rum-runners-ruse
Lessons
- Do not alter the scope of signature verification based on untrusted inputs.
Background of the Challenge
I wanted to create a challenge based on this interesting paper. Strenzke points out that in PKCS#7 and CMS (Cryptographic Message Syntax) signature verification, the presence or absence of certain fields in the given data can change the scope of what the signature covers, or how the data to be verified is preprocessed. cf. [Strenzke 23] https://eprint.iacr.org/2023/1801
Note:
Similarly, there are attacks on PDF signatures that alter the scope of signature verification based on untrusted inputs, which I also considered when creating the challenge. However, the PDF specification is complex and the binaries are hard to read, so I felt such a challenge would not be welcomed from a player's perspective and decided not to build one on it.
cf. https://web-in-security.blogspot.com/2019/02/how-to-spoof-pdf-signatures.html
Challenge Idea
In this challenge, players are given a DER file with a valid signature but an invalid timestamp. The focus was how to keep the signature valid while bypassing timestamp validation. Initially I planned this as a warmup in the [crypto] category, but since it involved reverse engineering (rev) as well as cryptography, I presented it as a [misc] challenge.
Intended Solution
The idea comes from this paper; that's all there is to it. cf. [Strenzke 23] https://eprint.iacr.org/2023/1801
Unintended Solution
It turned out to be possible to bypass timestamp validation by swapping the positions of the invalid timestamp and a valid timestamp that remained in the .der file. Although this was an unintended solution, it did not affect the ranking, for the following reasons:
- It was due to an oversight on my part when creating the challenge.
- It did not involve queries that interfere with other players.
In Conclusion
Did you enjoy it? I hope to create more crypto challenges next time, given enough time and resources.