6

I'm having some trouble understanding the methodology for a crypto exercise I'm doing. The goal of the exercise is to recover an encrypted secret string through a chosen key attack on AES in ECB mode.

I have an oracle function that takes a string as input, appends the secret string to it, and returns the AES-ECB-128 encrypted string for it, using a static, randomly-generated key.

oracle("text goes here!!") -> AES.encrypt("text goes here!!somesecretsomesecret", "staticrandomkey!")

I understand how to get the plaintext for the secret phrase using the method described here, and have been successful at recovering 16-byte secret strings.

What I don't understand is, how can that method be applied to secret strings longer than 16 bytes? Unless I'm missing something obvious, it only works for recovering the first block of an appended secret.

Community
  • 1

1 Answers1

5

I think you already said the solution in your post but let's repoint it.

  1. AES work with block size of 16 bytes (128 bits)
  2. The secret is appended to a text that you choose.
  3. ???
  4. Find out the characters of the secret string one by one

If it was not an exercize I would give more details...

EDIT

Once you find the first 16 bytes, all you need to do is :

Exactly the same thing but look at the second block!

The solution...

  1. Get the first secret block

Enter 15 characters and retrieve the first 16 encoded bytes Then enter 16 characters changing the last one until you get the same result as with 15 characters for the first 16 encoded bytes. That 16th character is the first character of your secret. You can then repeat the process by putting 14 characters and then finding the second secret characters with the same thechnique.

  1. Get the second secret block

You already found the first 16 secret bytes. Now enter 15 characters and find the result for the second block of encoded bytes; bytes 17 to 32. Then enter 32 characters, only changing the last one until you find the 17th secret characters in the secret string. Then repeat to find the 18th and so on byte.

Gudradain
  • 6,921
  • 2
  • 26
  • 43
  • This doesn't answer my question at all. The solution I mentioned only works for recovering the first block of the secret. –  Oct 07 '15 at 13:28
  • 4
    @Mego Oh, you figured out how to get the first block? Then apply the same technique for the second block and so on :) – Gudradain Oct 07 '15 at 13:31
  • How can the same technique work for the second block? I can't insert text between the first and second blocks. –  Oct 07 '15 at 13:37
  • 4
    @Mego But you still can insert text at the beginning AND you know the first 16 characters. – Gudradain Oct 07 '15 at 13:39
  • 2
    Oh, I get it now! I didn't think to consider that first block as part of my input. It's basically the same problem, except I have a fixed, known text between my input and the secret, and I'm looking more than one block ahead. Thanks! –  Oct 07 '15 at 13:45