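Cryptanalysis and attack library
Detailed description of the Python project samson-crypto
samson
Do not use samson's cryptographic primitives to protect anything
samson is a cryptanalysis and attack library. Its purpose is to provide a way to quickly prototype and execute cryptographic and side-channel attacks. samson was born out of existing libraries artificially restricting the user's control over cryptographic primitives.
Many of the biggest attacks on cryptography have already been implemented, including:
- CBC/PKCS#1 v1.5/OAEP padding oracles
- CRIME/BREACH
- DSA/ECDSA nonce reuse
- Stream cipher nonce reuse
- Subgroup attacks
- Hash construction attacks (length extension, fixed point, etc.)
- PRNG cracking
samson's focus is:
- Uniformity: give the user a uniform interface
- Convenience: minimize the time spent not directly solving the problem
- Real-world applicability: build attacks to work generically and include interfaces to common standards
Examples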
repl
[root@localhost ~]# samson
v0.2.0 -- https://github.com/wildcardcorp/samson
Python 3.5.3 (11af55503d5c, May 23 2019, 09:37:40)
[PyPy 7.0.0 with GCC 9.1.1 20190503 (Red Hat 9.1.1-1)]
IPython 7.6.0
In [1]: logging.getLogger("samson").setLevel(logging.INFO)
In [2]: RC4(b'what a key!').generate(12) ^ b'Hello world!'
Out[2]: <Bytes: b')\x1f\xb8xW}\xfc\xc5,\x0f\xc3,', byteorder=big>
In [3]: gcm = GCM(Rijndael(Bytes.random(32)).encrypt)
   ...: data = b"Auth'd data"
   ...: nonce = Bytes.random(8)
   ...: ciphertext = gcm.encrypt(nonce=nonce, plaintext=b'Hello world!', data=data)
   ...: gcm.decrypt(nonce, ciphertext, data)
Out[3]: <Bytes: b'Hello world!', byteorder=big>
In [4]: ciphertext_b = gcm.encrypt(nonce=nonce, plaintext=b'Wait the same nonce?', data=b'')
   ...:
   ...: ciphertext_a, tag_a = ciphertext[:-16], ciphertext[-16:]
   ...: ciphertext_b, tag_b = ciphertext_b[:-16], ciphertext_b[-16:]
   ...:
   ...: candidates = ForbiddenAttack().execute(data, ciphertext_a, tag_a, b'', ciphertext_b, tag_b)
   ...: gcm.H in candidates
Out[4]: True
In [5]: bf = Blowfish(b"world's worst key")
   ...: cbc = CBC(bf.encrypt, bf.decrypt, block_size=8, iv=Bytes.random(8))
   ...:
   ...: def oracle_func(attempt):
   ...:     try:
   ...:         _ = cbc.decrypt(attempt)
   ...:         return True
   ...:     except Exception as _:
   ...:         return False
   ...:
   ...:
   ...: ciphertext = cbc.encrypt(b'secret plaintext')
   ...: attack = CBCPaddingOracleAttack(PaddingOracle(oracle_func), block_size=8, iv=cbc.iv)
   ...: recovered_plaintext = attack.execute(ciphertext)
Blocks cracked: 100%|█████████████████████████████████████████████████████████████████████████████████████| 3/3 [00:00<00:00, 14.25blocks/s]
Bytes cracked: 100%|██████████████████████████████████████████████████████████████████████████████████████| 8/8 [00:00<00:00, 226.56bytes/s]
In [6]: recovered_plaintext
Out[6]: <Bytes: b'secret plaintext\x08\x08\x08\x08\x08\x08\x08\x08', byteorder=big>
In [7]: Z_p = ZZ/ZZ(49339)
   ...: Z_p[x](x**5 - x**3 + 1).factor()
Out[7]: {<Polynomial: x**2 + ZZ(34751)*x + ZZ(20606), coeff_ring=ZZ/ZZ(49339)>: 1, <Polynomial: x**3 + ZZ(14588)*x**2 + ZZ(39369)*x + ZZ(31211), coeff_ring=ZZ/ZZ(49339)>: 1}
In [8]: F = FF(2, 8)
   ...: F[36] / F(x + 1)
Out[8]: <FiniteFieldElement: val=x**4 + x**3 + x**2, field=F_(2**8)>
In [9]: gcd(F[2], F[10])
Out[9]: <FiniteFieldElement: val=x, field=F_(2**8)>
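The "stream cipher nonce reuse" item in the attack list, shown with the same RC4 XOR pattern as `In [2]`. This is an added example in plain Python, not samson code; RC4 is written out by hand, and the function names and the second plaintext are constructed for the illustration.

```python
# Added illustration, not samson code: why reusing a stream-cipher keystream
# (same key, same nonce) destroys confidentiality. All names are hypothetical.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """c1 ^ c2 cancels the shared keystream and leaves p1 ^ p2."""
    return xor(c1, c2)

def looks_like_keystream_reuse(c1: bytes, c2: bytes) -> bool:
    """Audit heuristic: the XOR of two ASCII plaintexts never sets the top bit.
    Unrelated ciphertexts pass by chance with probability 2**-n for n bytes."""
    return all(b < 0x80 for b in xor(c1, c2))

def recover(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """One known plaintext exposes the keystream, and with it the other message."""
    return xor(xor(c_known, p_known), c_target)

if __name__ == "__main__":
    key = b"what a key!"                            # constructed sample values
    p1, p2 = b"Hello world!", b"Wait, reuse?"
    c1, c2 = encrypt(key, p1), encrypt(key, p2)     # same key, no fresh nonce
    print(reuse_leak(c1, c2) == xor(p1, p2))
    print(looks_like_keystream_reuse(c1, c2))
    print(recover(c1, p1, c2))
```

The defence is a fresh nonce for every message, under an authenticated mode, so that no two messages are ever encrypted with the same keystream.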
cli
[root@localhost ~]# samson hash md5 texttohash
0d7e83711c9c8efa135653ef124cc23b
[root@localhost ~]# echo -n "texttohash" | samson hash md5
0d7e83711c9c8efa135653ef124cc23b
[root@localhost ~]# samson hash blake2b texttohash
de92a99c2d5cb8386cada3589b7c70efa27c6d99a3ec1a2f9313258c0e91229f2279ccf68d6766aa20d124ca415dacbb89fb657013de1a2009752084186445a7
[root@localhost ~]# samson hash keccak texttohash --args=r=1044,c=512,digest_bit_size=256
1a568ef9ead0b2a9eeffc1d1e9a688c9153f33719ac5b30a533d1edba0e301b8
[root@localhost ~]# samson pki generate rsa --args=bits=1024
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQChL/Xmka6z8EEiwNC+NXrEs1WHFjUz364hPfFlOMVAmrrWHsAls71U+6
5VybjZPpYOBGcr/M2C6al9W7y18fkf3gAZhfPLvat8OpsfM+ltmlLJ3kTLiVJo2Y+KTPNz
I9nrKUgD/KEcL73kvwJGYL+YwX8YNcbxKv5rNxB0kdW33wIDAQABAoGBAJhMe7ie4AZutO
zEaLfASj6+/8oC5sQbzijkoUi16lLPoEeeiIlXGkbJA4FVd430/81AxccfN4NBin7DBjyX
5H2BmsN3rPGnsCKC+uY4z2+er7B+i2YHgF1K5ymC/8pFV5eU5GTVF0FxZHtviLhDA0p8Fh
liii2JNpM2MDgj7j9BAkEAuzKx+nspNtH+myjMHMRkswLiMIQ8VonOXmH6aBnQekzYvAmy
nCbSlbYohxCYjrPy+a76siSIGK+SO8YpxG7MIQJBANxt8S+ZnrmPZKoWEu3pcn95Fa26Up
qz2L2YemqRid6BlE2/2+cLYMVglEUfhgrqvNCFbwqc1UgeK47065iUA/8CQExZE7+uBZQn
N2k+zWiaLNvZvDi/ZgCBedqCqWdVx/JpbyfZ6K/JIbAPuB3GBgKFn/53gCWxwpQW31RjsN
s9uSECQQDOpkN2XI5xZ/z3d7pHUJQG7X1lYUgPwItxM4GQZuDZuKFQQo3mDMSsRd667tK7
aVWaJ33ydRV+hspPO02jvSABAkAPaMHmQcEN8c8bOWc5VjH8kxcV5iHUw88WH9hEKpHTsk
j+LYTu11aOZXFh4dmw5jHd1gjA4bD24c0f5NN7vQLJ
-----END RSA PRIVATE KEY-----
[root@localhost ~]# samson pki generate rsa --args=bits=128,p=7 --encoding=pkcs8
-----BEGIN PRIVATE KEY-----
MFMCAQAwDQYJKoZIhvcNAQEBBQAEPzA9AgEAAgkEI+1gRNRD9i8CAwEAAQIJAIiZ98pCij
jhAgEHAgkAl2sNwLCb/pkCAQUCCQCImffKQoo44QIBBQ==
-----END PRIVATE KEY-----
[root@localhost ~]# samson pki generate rsa --args=bits=256 --pub
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAKItLmP4OG4LIOgWZRt+MFOifSHsoow9NcwAwt
p3Xx0NAgMBAAE=
-----END PUBLIC KEY-----
[root@localhost ~]# samson pki generate ecdsa --args=curve=nistp256 --encoding=openssh
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQnJDxj9BKhFg50vqrwzDGtJtmmlhK3
E1l1k6L1eHlLO9MGu2JnTzV6tRFNDuCqs9QkCUDkm3sTYq+9tspJ9ISLAAAAsJ0TFlidEx
ZYAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCckPGP0EqEWDnS+
qvDMMa0m2aaWErcTWXWTovV4eUs70wa7YmdPNXq1EU0O4Kqz1CQJQOSbexNir722ykn0hI
sAAAAhALJ58WavKVYz2fG3koYq3Pthpmg9MJVmStjRyZMYqCrmAAAAEG5vaG9zdEBsb2Nh
bGhvc3QBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----
[root@localhost ~]# samson pki generate eddsa --args=curve=ed25519 --encoding=openssh --pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0Ru2OL3mSV1aOopjhcxK+pg6fTYcyxOfBy4cjJQ0T4 nohost@localhost
[root@localhost ~]# openssl genrsa 128 | samson pki parse rsa
Generating RSA private key, 128 bit long modulus
.+++++++++++++++++++++++++++
..+++++++++++++++++++++++++++
e is 65537 (0x010001)
<RSA: bits=128, p=18204634713468071783, q=14777058483132963961, e=65537, n=269010951824990204830693900060300012463, phi=134505475912495102398856103431849488360, d=14600484545241469070379515690589701393, alt_d=14600484545241469070379515690589701393>
[root@localhost ~]# samson pki generate ecdsa --args=curve=p521 --pub --encoding=x509_cert --encoding-args=ca=1,serial_number=666,issuer=#'CN=hiya,O=hiya-corp,L=Rack City'#
-----BEGIN CERTIFICATE-----
MIICAzCCAV6gAwIBAgICApowEQYIKoZIzj0EAwIGBSuBBAAjMDcxDTALBgNVBAMTBGhpeW
ExEjAQBgNVBAoTCWhpeWEtY29ycDESMBAGA1UEBwwJUmFjayBDaXR5MB4XDTE5MDMxNTA5
MDMwMloXDTIwMDMxNTA5MDMwMlowDTELMAkGA1UEAxMCY2EwgZswEAYHKoZIzj0CAQYFK4
EEACMDgYYABADfi2+eDb9LhtBKZx61bQEG/2uunKr64EGv5+CBNGQEz4RL8fC6wXG14vj0
m+It8FtADxeyud+59/MpZFk34HH4UgCvec9lWIGC/VspYySEtMyiMQGxFcGjSF30xMHmxV
VdtCd0lwpno8swFynZbKyrTFpQPRE2xQKKi/dUh1MGBYeAhoECBKCCAgSwozIwMDAdBgNV
HQ4EFgQUpFMCF9swcVSxvdGnBNrfB4PRdcIwDwYDVR0TAQH/BAUwAwEB/zARBggqhkjOPQ
QDAgYFK4EEACMDgYsCwgYcCQgCtM/WKF1HGFVNXRvL+38bFgbtjkAc6lkgnv76bdngWhZj
KzxOGlBrUMD0vXbjp0wpDnpynBxYXNZxHIrERMolw1wJBS72VR5m4ubujrW2ynM5p9hoc3
0SK8pZp5HLipmI9gjF/ywqZZGskyFt/nK4wfU3CaoOPOxI86AC5nbwn6f5Y4wA
-----END CERTIFICATE-----
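Example use cases
- Auditing infrastructure
- Modeling existing systems
- Solving/creating CTFs
Testing environment
- Runtime: PyPy 7.0.0 (Python 3.5.3)
- Architecture: Linux 5.1.18-300.fc30.x86_64_1 smp
- OS: Fedora Security Lab (Fedora release 30)
Installation
The recommended OS is Fedora, and the recommended Python implementation is PyPy.
Note that PyPy may not install samson's script to PATH.
Workarounds include:
- Calling samson from wherever PyPy did install it
- Installing samson with CPython's pip
Because of PyPy's load time, samson's samson script tries to invoke CPython to execute CLI commands.
RHEL derivatives (tested on Fedora Security Lab 30)
sudo dnf -y install pypy3 pypy3-devel
pypy3 -m ensurepip
pypy3 -m pip install samson-crypto
Debian derivatives (tested on Kali Linux 2019.2 64-bit)
Debian/Ubuntu/Kali do not want you to use ensurepip to install pip, but they only provide the package for CPython. The following workaround creates a virtualenv to prevent conflicts with the system pip.
apt-get -y install pypy3 pypy3-dev
pypy3 -m venv myvenv --without-pip --system-site-packages
wget https://bootstrap.pypa.io/get-pip.py
./myvenv/bin/pypy3-c ./get-pip.py
./myvenv/bin/pypy3-c -m pip install samson-crypto
samson can then be accessed as follows: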
./myvenv/bin/pypy3-c ./myvenv/bin/samson-py
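Performance
samson's primitives are not the fastest, nor were they meant to be. If you are concerned about performance, you have two options:
- Use primitives from a faster library (e.g. pycrypto)
- Use PyPy instead of CPython
Since samson mostly calls Python, PyPy offers a large speed-up. However, the latest stable version of PyPy targets Python 3.5, while SHA3 was introduced in 3.6. samson's SHA3 still works, but the tests will fail.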