Saturday, October 22, 2016

Flipping bits on encrypted Streaming Cipher output to modify encrypted content.

I've been taking a Computer Science class on Cryptography and I was told that Streaming Ciphers have the vulnerability that someone can bit-flip the ciphertext to produce changes to the plaintext in predictable ways.

So I thought I would do a simple test to verify this.  I chose RC4 as my cypher and the plaintext "plaintext" and the password "password".  Also I'm using the builtin hex editor "xxd" to allow me to flip the bits.  Below shows the resulting ciphertext dumped in Hex.  The first 16 bytes are the header with a salt.  The remaining file is the bytes encrypted on at a time.

$ echo plaintext | openssl rc4 -k password | xxd | tee cipher.hex0000000: 5361 6c74 6564 5f5f efda 26bb cb8c aa61 Salted__..&....a0000010: e467 a17c df3e 4a0b 7864 .g.|.>J.xd

To verify it decrypts:
$ xxd -r < cipher.hex | openssl rc4 -d -k passwordplaintext

Now on to test the exploit.  Using a text editor, I modified 'cipher.tex'.  I'm going to try to capitalize every other letter in the exploit by using XOR 20h on the ciphertext.  I've bolded the changed digits below.

0000000: 5361 6c74 6564 5f5f efda 26bb cb8c aa61 0000010: c467 817c ff3e 6a0b 5864

And sure enough the exploit works:

$ xxd -r < cipher.hex | openssl rc4 -d -k passwordPlAiNtExT


And by the way, this appears to also work for Block ciphers in CBC (Cipher-Block-Chaining) Mode.One can tamper with the Initialization Vector (IV) which is often stored next to the ciphertext in some systems. Again I've bolded the changed digits below:
For Example:
$ echo plaintext123456 | > openssl aes-256-cbc -e -k password -nosalt -nopad -iv 9F98E917B9ACEA58DFAD3CB2FAD6331E |> openssl aes-256-cbc -d -k password -nosalt -nopad -iv BF98C91799ACCA58FFAD3CB2FAD6331E PlAiNtExT123456