Additive

This video from NUS Greyhats should help you with this challenge. Basically, in the additive group of $\mathcal F_p$, the discrete logarithms are simply the inverses. Denote by $a, b$ the secret keys of Alice and Bob. The public keys of Alice and Bob are given by $A = ag \mod p$ and $B = bg \mod p$ (it’s normally $g^a$, but we are working with addition here). Hence, the secret key $a$ can be recovered by multiplying both sides of $A = ag \mod p$ by the multiplicative inverse of $g$....

December 26, 2022 · 2 min · qvinhprolol

Static Client

The solution is an unnecessary nuking of the challenge. We were given the Diffie-Hellman key exchange between Alice and Bob, with some flag encrypted using the shared secret from that session. We can easily verify that Bob is still reusing his secret b in the communication with us. There are two ways to solve this challenge. The most straightforward way is to use the value A from Alice as the generator $g'$ we send, and p, the prime from the earlier Diffie-Hellman key exchange between Alice and Bob, as the prime; the value of A does not matter....

December 26, 2022 · 3 min · qvinhprolol

Static Client 2

The idea may stem from this question on Crypto StackExchange. We use the same idea as the “nuke” solution in Static Client earlier. We will use some groups where the order is smooth, and thus we can efficiently use Pohlig-Hellman. We thus need to pick some weak primes that pass some checks on the server side. Some of the checks are the following: Using a number of the form $p^k$: this may not work (the solution in Static Client won’t work here) as there is some primality check on the server side....

December 26, 2022 · 4 min · qvinhprolol

Oh SNAP

The given link shows us an instance of ARC4, or the stream cipher version of the encryption scheme RC4. I do know beforehand that RC4 is deprecated because of some vulnerabilities, and there is no other apparent weakness in the way that the plaintext is generated from the ciphertext and IV. Also note that, as this is a symmetric stream cipher, encryption and decryption are the same XOR operation with the generated keystream....

December 25, 2022 · 5 min · qvinhprolol

Paper Plane

The description mentions something about Infinite Garble Extension, which is used in Telegram (searching the name of the Python class, aesige), hence the name “Paper Plane” - Telegram’s logo. The only observation needed to solve this challenge is that decryption of a single block can be done without including the entire ciphertext. We only need the first block of ciphertext, and the m0 and c0 corresponding to that block. The very first block will have m0 and c0 provided, and subsequent blocks will use the previously decrypted plaintext block for m0, and its corresponding ciphertext block for c0....

December 25, 2022 · 4 min · qvinhprolol

Dancing Queen

The challenge description says that there is some ChaCha20 implementation, and searching Google for the name of the challenge shows some hints about this implementation being done “incorrectly”. Hence we should take a look at the way that ChaCha20 is supposed to be implemented. One good resource is RFC 8439; clicking on the link should take you to the page that contains the high-level pseudocode of how ChaCha20 works....

December 24, 2022 · 4 min · qvinhprolol

CTRIME

The encrypt function appends the flag to the plaintext provided by the user. However, the concatenated string is passed to zlib for compression before encrypting. There is no evident weakness in the use of AES-CTR, hence this challenge has to do with some properties of zlib. Indeed, after fuzzing for a while, it seems like zlib was eliminating duplicate strings - hence a correct guess of a portion of the flag will result in a shorter compressed plaintext, and thus a shorter ciphertext, compared to the ciphertext resulting from an incorrect guess....

December 22, 2022 · 2 min · qvinhprolol

Logon Zero

This challenge documents the ZeroLogon vulnerability, which is a critical vulnerability originating from a cryptographic authentication protocol failure in Microsoft Active Directory. There is a ZeroLogon whitepaper, which is useful in solving this challenge. The underlying encryption scheme in both the challenge and Microsoft Active Directory is AES-CFB8. The encryption method should be clearly demonstrated in the paper. In the challenge, the encrypt method is not in use and only serves as a red herring....

December 22, 2022 · 2 min · qvinhprolol

Stream of Consciousness

The ciphertexts in the challenge are encrypted with AES-CTR with the same, new zero counter. Hence, the keystream used to xor the plaintexts to obtain the ciphertexts will be the same for all ciphertexts. This now becomes the classic many-time pad problem, taught in many cryptography courses at universities worldwide. The one-time pad cannot be used multiple times (hence the name) because an attacker can xor the two ciphertexts to obtain the xor of the corresponding plaintexts....

December 22, 2022 · 3 min · qvinhprolol

Triple DES

I did not manage to solve this. I was trying to brute force the IV used in the challenge, but it seems like $2^{64}$ possible IVs is simply too many for my laptop to handle. I peeked at the solution, and I’m glad I did because there is no shot that I would have known this. DES, and 3DES as well, suffers from the problem of weak keys. These are keys that cause the encryption mode of DES to act identically to the decryption mode of DES (albeit potentially that of a different key)....

December 22, 2022 · 2 min · qvinhprolol