packz/gist:3825835

## gistfile1.md

      
    Raw
  

              gistfile1.md
            
          
RSA and padding oracle attack with very good examples another
Cryptographic doom principle
Static IV is bad
http://crypto.stackexchange.com/
http://blog.cryptographyengineering.com/2012/10/the-crypto-dream.html
http://sourceforge.net/projects/evercrack/
http://www.snikt.net/blog/2012/12/02/howto-encrypt-harddrive/
Homographic cryptography
https://factorable.net/
Real World Crypto 2013
https://polarssl.org
Pond is not email. Pond is forward secure, asynchronous messaging for the discerning gentleman
Perfect forward secrecy with PGP RFC
TOR vs i2p
http://blog.spiderlabs.com/2013/01/defeating-aes-without-a-phd.html
https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm
https://github.com/ssllabs/research/wiki
This page contains my godzilla crypto tutorial, totalling 973 slides in 12 parts
http://www.cs.berkeley.edu/~daw/teaching/cs261-f12/misc/if.html
https://code.google.com/p/bletchley/source/checkout
http://www.stat.fsu.edu/pub/diehard/
http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
http://www.cryptovirology.com/
http://nullprogram.com/blog/2012/06/24/
http://www.cs.rit.edu/~ib/Classes/CS482-705_Winter10-11/Slides/
If You're Typing The Letters A-E-S Into Your Code, You're Doing It Wrong


## gistfile2.js
// http://fail0verflow.com/blog/2013/megafail.html
// Mega's standard hash function
function h(s)
{
    var a = [0,0,0,0];
	var aes = new sjcl.cipher.aes([111111,222222,333333,444444]);
	s += Array(16).join('X');

	for (var i = s.length&-16; i--; )
	{
		a[(i>>2)&3] ^= s.charCodeAt(i)<<((7-i&3)<<3);
		if (!(i&15)) a = aes.encrypt(a);
	}
	return a;
}

// The reverse hash function, used to backtrack across data.
// reverse_h(s, h(s)) == [0,0,0,0]
function reverse_h(s,a)
{
	var aes = new sjcl.cipher.aes([111111,222222,333333,444444]);
	for (var i = 0; i < s.length; i++)
	{
		if (!(i&15)) a = aes.decrypt(a);
		a[(i>>2)&3] ^= s.charCodeAt(i)<<((7-i&3)<<3);
	}
	return a;
}

// The hash value that we want to forge
g_hash = [0,0,0,0]

$(document).ready(function(){
	// Just fetches the file from disk and computes the standard Mega hash
	$("#file").change(function() {
		if (this.files.length > 0) {
			var binaryReader = new FileReader();
			binaryReader.onload = function(){
				var blob = binaryReader.result;
				g_hash = h(blob);
				$("#hash").text("[" + g_hash.join(",") + "]");
			};
			binaryReader.readAsText(this.files[0]);
		}
	});
	// Computes the forged file
	$("#forge").click(function(){
		// Initialize the AES engine
		var aes = new sjcl.cipher.aes([111111,222222,333333,444444]);
		// Append JS-friendly padding such that the file is a multiple of
		// 16 bytes long and ends in "\n/*" (yes, this could be simplified
		// by merging the two comments, but whatever).
		var head = $("#forgedfile").text() + "\n//XXX";
		head += Array(16).join('X');
		head = head.substr(0, (head.length&-16) - 3);
		head += "\n/*"
		// Reverse the MAC to compute the intermediate MAC value for the
		// head of the file, such that the final MAC value is what we want.
		// (the head of the file is the tail of the hash data, since the MAC
		// runs backwards). Decrypt it one last time; this decryption
		// corresponds to the encryption performed at the end of the collision
		// block (see below).
		var headhash = aes.decrypt(reverse_h(head, g_hash));
		// Create and MAC normally the last block in the file. This is just
		// "*/\n" plus the standard XXXXX padding applied by h()
		var tail = "*/\n";
		var tailhash = h(tail);
		// Finally, given one intermediate MAC value and what we want the next
		// MAC value to be, just XOR them together to find the block that we
		// need to insert.
		var collision = "";
		for (i = 0; i < 16; i++) {
			var xor = headhash[i>>2] ^ tailhash[i>>2];
			collision += String.fromCharCode((xor >> ((3-i&3)<<3)) & 0xff);
		}
		// Append everything together to form the new file
		var data = head + collision + tail;
		// Double check that the collision worked
		var h2 = h(data);
		if ( g_hash[0] == h2[0] && g_hash[1] == h2[1] &&
		     g_hash[2] == h2[2] && g_hash[3] == h2[3]) {
			alert("Collision successful, hash value matches!");
			var uri = "data:application/octet-stream," + encodeURIComponent(data);
			window.open(uri, 'Your forged file');
		} else {
			alert("Collision failed! Got " + h2.join(","));
		};
	});
});
	// http://fail0verflow.com/blog/2013/megafail.html
	// Mega's standard hash function
	function h(s)
	{
	var a = [0,0,0,0];
	var aes = new sjcl.cipher.aes([111111,222222,333333,444444]);
	s += Array(16).join('X');

	for (var i = s.length&-16; i--; )
	{
	a[(i>>2)&3] ^= s.charCodeAt(i)<<((7-i&3)<<3);
	if (!(i&15)) a = aes.encrypt(a);
	}
	return a;
	}

	// The reverse hash function, used to backtrack across data.
	// reverse_h(s, h(s)) == [0,0,0,0]
	function reverse_h(s,a)
	{
	var aes = new sjcl.cipher.aes([111111,222222,333333,444444]);
	for (var i = 0; i < s.length; i++)
	{
	if (!(i&15)) a = aes.decrypt(a);
	a[(i>>2)&3] ^= s.charCodeAt(i)<<((7-i&3)<<3);
	}
	return a;
	}

	// The hash value that we want to forge
	g_hash = [0,0,0,0]

	$(document).ready(function(){
	// Just fetches the file from disk and computes the standard Mega hash
	$("#file").change(function() {
	if (this.files.length > 0) {
	var binaryReader = new FileReader();
	binaryReader.onload = function(){
	var blob = binaryReader.result;
	g_hash = h(blob);
	$("#hash").text("[" + g_hash.join(",") + "]");
	};
	binaryReader.readAsText(this.files[0]);
	}
	});
	// Computes the forged file
	$("#forge").click(function(){
	// Initialize the AES engine
	var aes = new sjcl.cipher.aes([111111,222222,333333,444444]);
	// Append JS-friendly padding such that the file is a multiple of
	// 16 bytes long and ends in "\n/*" (yes, this could be simplified
	// by merging the two comments, but whatever).
	var head = $("#forgedfile").text() + "\n//XXX";
	head += Array(16).join('X');
	head = head.substr(0, (head.length&-16) - 3);
	head += "\n/*"
	// Reverse the MAC to compute the intermediate MAC value for the
	// head of the file, such that the final MAC value is what we want.
	// (the head of the file is the tail of the hash data, since the MAC
	// runs backwards). Decrypt it one last time; this decryption
	// corresponds to the encryption performed at the end of the collision
	// block (see below).
	var headhash = aes.decrypt(reverse_h(head, g_hash));
	// Create and MAC normally the last block in the file. This is just
	// "*/\n" plus the standard XXXXX padding applied by h()
	var tail = "*/\n";
	var tailhash = h(tail);
	// Finally, given one intermediate MAC value and what we want the next
	// MAC value to be, just XOR them together to find the block that we
	// need to insert.
	var collision = "";
	for (i = 0; i < 16; i++) {
	var xor = headhash[i>>2] ^ tailhash[i>>2];
	collision += String.fromCharCode((xor >> ((3-i&3)<<3)) & 0xff);
	}
	// Append everything together to form the new file
	var data = head + collision + tail;
	// Double check that the collision worked
	var h2 = h(data);
	if ( g_hash[0] == h2[0] && g_hash[1] == h2[1] &&
	g_hash[2] == h2[2] && g_hash[3] == h2[3]) {
	alert("Collision successful, hash value matches!");
	var uri = "data:application/octet-stream," + encodeURIComponent(data);
	window.open(uri, 'Your forged file');
	} else {
	alert("Collision failed! Got " + h2.join(","));
	};
	});
	});