tarcieri/ecb_is_bad.rb

## ecb_is_bad.rb
require 'openssl'

# Don't use this
module Encryption
  def self.cipher(mode)
    cipher = OpenSSL::Cipher::Cipher.new("aes-256-ecb")
    cipher.send mode
    cipher.key = "ABANDON ALL HOPE YE WHO USE ECB!"
    cipher.padding = 0
    cipher
  end

  def self.encrypt(text)
    return unless text

    # lolpadding courtesy the fastaes gem
    block_size = 16
    padding_length = block_size - (text.length % block_size)
    text += "\0" * padding_length

    aes = cipher(:encrypt)
    aes.update(text) << aes.final
  end
end

# We assume the attacker has access to some kind of encryption oracle somewhere
# in the system. An example of this would be an encrypted cookie where the
# attacker can control a portion of the plaintext.

def oracle(chosen_plaintext)
  Encryption.encrypt(chosen_plaintext + TARGET_MESSAGE)
end

PAD        = "A"
BLOCK_SIZE = 16

TARGET_MESSAGE = "secret message"

# LENGTH can be determined automatically but I'm lazy
LENGTH     = TARGET_MESSAGE.size

plaintext = ""

LENGTH.times do
  pad_size = BLOCK_SIZE - plaintext.size - 1
  prefix   = PAD * pad_size

  target_ciphertext = oracle(prefix)
  prefix << plaintext

  n = -1
  begin
    n += 1
    guess = prefix + n.chr
    encrypted_guess = oracle(guess)[0...BLOCK_SIZE]

    puts "Guessing: #{guess.inspect}\t(encrypted: #{encrypted_guess.unpack("H*").first[0..8]}, target: #{target_ciphertext[0...BLOCK_SIZE].unpack("H*").first[0..8]})"
  end until encrypted_guess == target_ciphertext[0...BLOCK_SIZE]

  plaintext << n.chr
  puts "LOCK! We now have: #{plaintext}"
end
	require 'openssl'

	# Don't use this
	module Encryption
	def self.cipher(mode)
	cipher = OpenSSL::Cipher::Cipher.new("aes-256-ecb")
	cipher.send mode
	cipher.key = "ABANDON ALL HOPE YE WHO USE ECB!"
	cipher.padding = 0
	cipher
	end

	def self.encrypt(text)
	return unless text

	# lolpadding courtesy the fastaes gem
	block_size = 16
	padding_length = block_size - (text.length % block_size)
	text += "\0" * padding_length

	aes = cipher(:encrypt)
	aes.update(text) << aes.final
	end
	end

	# We assume the attacker has access to some kind of encryption oracle somewhere
	# in the system. An example of this would be an encrypted cookie where the
	# attacker can control a portion of the plaintext.

	def oracle(chosen_plaintext)
	Encryption.encrypt(chosen_plaintext + TARGET_MESSAGE)
	end

	PAD = "A"
	BLOCK_SIZE = 16

	TARGET_MESSAGE = "secret message"

	# LENGTH can be determined automatically but I'm lazy
	LENGTH = TARGET_MESSAGE.size

	plaintext = ""

	LENGTH.times do
	pad_size = BLOCK_SIZE - plaintext.size - 1
	prefix = PAD * pad_size

	target_ciphertext = oracle(prefix)
	prefix << plaintext

	n = -1
	begin
	n += 1
	guess = prefix + n.chr
	encrypted_guess = oracle(guess)[0...BLOCK_SIZE]

	puts "Guessing: #{guess.inspect}\t(encrypted: #{encrypted_guess.unpack("H").first[0..8]}, target: #{target_ciphertext[0...BLOCK_SIZE].unpack("H").first[0..8]})"
	end until encrypted_guess == target_ciphertext[0...BLOCK_SIZE]

	plaintext << n.chr
	puts "LOCK! We now have: #{plaintext}"
	end