GCM - Nullcon HackIM CTF
Challenge Points: 300
Challenge Description: [None]

tl;dr

- CTR Bit Flipping
- Break GHASH to get authentication key H (unintended approach)
- Bypass authentication

The way we solved it (unintended approach) was pretty interesting!

Challenge Internals

We are given a service that allows us to encrypt/decrypt data using AES-CTR mode. Code for this is as follows:

```python
from binascii import hexlify
from hashlib import sha256

from Crypto.Util.number import long_to_bytes

# encrypt(), decrypt() and flag are defined elsewhere in the challenge
# source and are not part of this excerpt.


def main():
    global sessionid
    username = input('Enter username: ')
    sessionid = sha256(username.encode()).digest()[:10]
    while True:
        print("Menu")
        print("[1] Encrypt")
        print("[2] Decrypt")
        print("[3] Exit")
        choice = input("> ")
        if choice == '1':
            msg = input('Enter message to be encrypted: ')
            # Plaintext filter: anything containing "flag" is refused
            if 'flag' in msg:
                print("You cant encrypt flag :(")
                continue
            c = encrypt(msg.encode())
            nonce = hexlify(c[0]).decode()
            ciphertext = hexlify(c[1]).decode()
            tag = hexlify(c[2]).decode()
            print(nonce + ':' + ciphertext + ':' + tag)
            continue
        if choice == '2':
            nonce, ciphertext, tag = input(
                'Enter message to be decrypted: ').split(':')
            nonce = long_to_bytes(int(nonce, 16))
            ciphertext = long_to_bytes(int(ciphertext, 16))
            tag = long_to_bytes(int(tag, 16))
            pt = decrypt(nonce, ciphertext, tag).decode()
            # The flag is released only for this exact plaintext
            if pt == 'may i please have the flag':
                print("Congrats %s" % username)
                print("Here is your flag: %s" % flag)
            print(pt)
            continue
        if choice == '3':
            break
```

As you can see, the service does not allow encrypting messages that contain “flag” as a substring. Also, when we choose to decrypt data, the service checks whether the decrypted data is equal to “may i please have the flag” and gives the flag only if it is.

...
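Why the "flag" filter on the encrypt side is not what protects the decrypt side, shown as an added example that is not the challenge's code: a CTR ciphertext is malleable, so the tag check carries all of the integrity. The challenge's `encrypt`/`decrypt` are not shown on the page, so this sketch assumes a SHA-256 keystream as a stand-in for AES-CTR and HMAC-SHA256 as a stand-in for a correctly verified tag; `flip_to_target` and `demo` are hypothetical names and the keys are constructed.

```python
import hashlib
import hmac
import os

TARGET = b"may i please have the flag"  # plaintext the decrypt branch checks for
ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)  # constructed server secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(nonce: bytes, n: int) -> bytes:
    # Assumption: SHA-256(key || nonce || counter) stands in for AES-CTR blocks.
    blocks = (hashlib.sha256(ENC_KEY + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(msg: bytes):
    if b"flag" in msg:  # same plaintext filter as the service's menu option 1
        raise ValueError("You cant encrypt flag :(")
    nonce = os.urandom(12)
    ct = xor(msg, keystream(nonce, len(msg)))
    return nonce, ct, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()

def decrypt(nonce: bytes, ct: bytes, tag: bytes, verify: bool = True) -> bytes:
    if verify:  # tag is checked over nonce and ciphertext before any decryption
        good = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("tag mismatch")
    return xor(ct, keystream(nonce, len(ct)))

def flip_to_target(ct: bytes, known_pt: bytes) -> bytes:
    # C' = C xor P xor TARGET: needs the known plaintext, never the key.
    return xor(ct, xor(known_pt, TARGET))

def demo():
    known = b"A" * len(TARGET)            # passes the filter, same length
    nonce, ct, tag = encrypt(known)
    forged = flip_to_target(ct, known)
    unauthenticated = decrypt(nonce, forged, tag, verify=False)
    try:
        decrypt(nonce, forged, tag)       # old tag does not cover the new bytes
        rejected = False
    except ValueError:
        rejected = True
    return unauthenticated, rejected

if __name__ == "__main__":
    print(demo())
```

With verification skipped the flipped ciphertext decrypts to the target string even though the filter never let that string be encrypted; with verification on, the same input is rejected.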