Insomni'hack teaser 2023 - GCM
This is the solution to the challenge “GCM” from the Insomni’hack teaser 2023. It is an example of nonce reuse in AES-GCM: once the same counter block is encrypted twice, the keystream and the tag mask leak, and with them the hash key.
Description
You came across a custom GCM implementation. You are also given ciphertexts (iv_j, c_j, t_j), where iv_j is the IV, c_j the ciphertext, and t_j the tag. You also know the corresponding messages. Everything is given in base64.
Your goal is to create a valid ciphertext (ivChall, cChall, tChall) of the message “IBr0keGCMD1dntI?At1EastIcanAuth3nT1C413Wh41IWant”. The flag should be “INS{” + MD5(ivChall + cChall + tChall) + “}” A function computing the flag given the ciphertext is given for convenience.
Details
Points: 151
Category: Crypto
Author: Alex
Solution
This challenge is the next level of the challenge Custom GCM given during Black Alps CTF by the same author. This time the counter is only two bytes long and the first message is $2^{16}$ blocks. The counter therefore wraps, and the carry propagates into the IV bytes, so the counter block used for the last block of the first message is exactly the initial counter block of the second message, $IV_2 \,\|\, 0^{15} \,\|\, 1$ (the second IV is the first one incremented by one). Its encryption $Y_2 = E_k(IV_2 \,\|\, 0^{15} \,\|\, 1)$ is the keystream block of that last block, so we recover $Y_2$ simply by XORing the last block of the first plaintext with the last block of the first ciphertext.
$Y_2$ is also the value that masks the second tag. With $T_2$ the second tag and $H$ the hash key we have the following equation: $$T_2 = C_2 \cdot H \oplus Y_2$$ where $C_2 \cdot H$ is the GHASH of the second ciphertext, a multiplication in $\mathrm{GF}(2^{128})$. Every value except $H$ is known, so $H = (T_2 \oplus Y_2) \cdot C_2^{-1}$. With $H$, and the keystream revealed by the known plaintexts, we can encrypt and authenticate any message. Here is the full solution:
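As an added worked example (not the author's solution script, which is not reproduced on this page), the following Python models the whole attack end to end on constructed data. It is a toy reconstruction of what the write-up describes, with these assumptions: the counter occupies the low bytes of the counter block and the increment is done on the whole 128-bit block, so a wrap carries into the IV bytes; a keyed SHA-256 stands in for AES, since the attack only needs $E_k$ to be an unknown keyed function; GHASH is simplified to a Horner evaluation over the ciphertext blocks only (no AAD, no length block), so a one-block ciphertext hashes to exactly $C_2 \cdot H$ as in the equation above; and the counter width is a parameter, so the demo runs with a one-byte counter and a $2^8$-block message instead of the challenge's two bytes and $2^{16}$ blocks. The forged ciphertext reuses $IV_1$, the keystream of the first message and its tag mask $Y_1 = T_1 \oplus \mathrm{GHASH}_H(C_1)$. Keys, IVs, messages and the function names are all made up here.

```python
import hashlib
import os

BLOCK = 16
R = 0xE1 << 120   # GCM reduction constant x^128 + x^7 + x^2 + x + 1, GCM bit order
ONE = 1 << 127    # multiplicative identity in GCM bit order (leftmost bit set)
TARGET = b"IBr0keGCMD1dntI?At1EastIcanAuth3nT1C413Wh41IWant"


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) following NIST SP 800-38D Algorithm 1."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_inv(x: int) -> int:
    """Invert in GF(2^128) as x^(2^128 - 2) by square-and-multiply (x non-zero)."""
    result, base, e = ONE, x, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k (assumption): a keyed PRF from SHA-256."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def j0(iv: bytes, counter_bytes: int) -> int:
    """Initial counter block IV || 0...01 with a counter_bytes-wide counter."""
    return int.from_bytes(iv + (1).to_bytes(counter_bytes, "big"), "big")


def ghash(h: int, data: bytes) -> int:
    """Simplified GHASH: Horner over ciphertext blocks only (no AAD, no length block)."""
    acc = 0
    for i in range(0, len(data), BLOCK):
        acc = gf_mul(acc ^ int.from_bytes(data[i:i + BLOCK].ljust(BLOCK, b"\0"), "big"), h)
    return acc


def custom_gcm_encrypt(key: bytes, iv: bytes, msg: bytes, counter_bytes: int):
    """Toy model of the custom GCM: the increment runs over the whole 128-bit block,
    so when the short counter wraps the carry spills into the IV bytes."""
    h = int.from_bytes(block_encrypt(key, bytes(BLOCK)), "big")
    ctr = j0(iv, counter_bytes)
    y = int.from_bytes(block_encrypt(key, ctr.to_bytes(BLOCK, "big")), "big")  # tag mask
    out = bytearray()
    for i in range(0, len(msg), BLOCK):
        ctr = (ctr + 1) % (1 << 128)
        out += xor(msg[i:i + BLOCK], block_encrypt(key, ctr.to_bytes(BLOCK, "big")))
    return bytes(out), (ghash(h, bytes(out)) ^ y).to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def recover_y2(m1: bytes, c1: bytes) -> bytes:
    """Keystream of message 1's last block is E_k(J0_1 + 2^(8*cb)) = E_k(J0_2) = Y_2."""
    return xor(m1[-BLOCK:], c1[-BLOCK:])


def recover_h(c2: bytes, t2: bytes, y2: bytes) -> int:
    """T_2 = C_2 * H xor Y_2  =>  H = (T_2 xor Y_2) * C_2^-1  (C_2 is one block)."""
    return gf_mul(int.from_bytes(xor(t2, y2), "big"), gf_inv(int.from_bytes(c2, "big")))


def forge(h: int, iv1: bytes, m1: bytes, c1: bytes, t1: bytes, target: bytes):
    """Forge (iv1, c, t): reuse message 1's keystream (m1 xor c1) and its tag mask."""
    c = xor(target, xor(m1, c1))
    y1 = int.from_bytes(t1, "big") ^ ghash(h, c1)
    return iv1, c, (ghash(h, c) ^ y1).to_bytes(BLOCK, "big")


def run_attack(counter_bytes: int = 1) -> dict:
    """End-to-end demo on constructed data; counter_bytes=1 needs a 2^8-block message
    (the challenge used 2 bytes and 2^16 blocks), the mechanics are identical."""
    key = os.urandom(BLOCK)                        # never seen by the attacker
    iv_len = BLOCK - counter_bytes
    iv1 = b"\x00" + os.urandom(iv_len - 1)         # top byte 0 so IV_1 + 1 cannot overflow
    iv2 = (int.from_bytes(iv1, "big") + 1).to_bytes(iv_len, "big")
    m1 = os.urandom((1 << (8 * counter_bytes)) * BLOCK)   # exactly enough blocks to wrap
    m2 = b"second msg block"                               # one block keeps C_2 * H exact
    c1, t1 = custom_gcm_encrypt(key, iv1, m1, counter_bytes)
    c2, t2 = custom_gcm_encrypt(key, iv2, m2, counter_bytes)
    # attacker side: knows (iv, m, c, t) for both messages, not the key
    y2 = recover_y2(m1, c1)
    h = recover_h(c2, t2, y2)
    iv_f, c_f, t_f = forge(h, iv1, m1, c1, t1, TARGET)
    # check with the real key: the forged tuple must match a genuine encryption
    c_ref, t_ref = custom_gcm_encrypt(key, iv_f, TARGET, counter_bytes)
    true_h = int.from_bytes(block_encrypt(key, bytes(BLOCK)), "big")
    true_y2 = block_encrypt(key, j0(iv2, counter_bytes).to_bytes(BLOCK, "big"))
    return {"y2_ok": y2 == true_y2, "h_ok": h == true_h, "valid": (c_f, t_f) == (c_ref, t_ref)}


if __name__ == "__main__":
    print(run_attack(1))
```

The forged message is tied to $IV_1$ because that is the IV whose keystream the attacker has in full; with a real GHASH (length block included) the equation for a one-block $C_2$ becomes a quadratic in $H$ rather than the linear relation used here, so the inversion step would need a root-finding routine over $\mathrm{GF}(2^{128})$ instead of a single `gf_inv`.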