題目1

1. 已知某分組算法分組長度 32比特，采用CBC 分組算法工作模式，初始向量為 IV=0x12345678，
四組明文消息和密文分別是[11223344 aaaaaaaa 14725836 11335577]，和 [be91835a 03ec3058 370606ae f1e58037]。
請構建另一組明文消息，采用同樣的密鑰加密，初始向量IV_1 為 ffffffff，加密后密文為：[03ec3058 be91835a f1e58037 370606ae]。
則新的明文是？（格式為16進制）。

CBC 加密流程回顧

1. C[0] = Enc(P[0] ^ IV)
2. C[1] = Enc(P[1] ^ C[0])
3. C[2] = Enc(P[2] ^ C[1])
4. C[3] = Enc(P[3] ^ C[2])

所以：

1. P[0] = Dec(C[0]) ^ IV
2. P[1] = Dec(C[1]) ^ C[0]
3. P[2] = Dec(C[2]) ^ C[1]
4. P[3] = Dec(C[3]) ^ C[2]

解密流程：

lst = [(0x11223344 ^ 0x12345678),
       (0xaaaaaaaa ^ 0xbe91835a),
       (0x14725836 ^ 0x03ec3058),
       (0x11335577 ^ 0x370606ae)]
print([f'0x{x:08x}' for x in lst])
# [0x0316653c, 0x143b29f0, 0x179e686e, 0x263553d9]
""" 映射表
Enc(0x0316653c) = be91835a    
Enc(0x143b29f0) = 03ec3058 
Enc(0x179e686e) = 370606ae 
Enc(0x263553d9) = f1e58037 
"""
# 求 [03ec3058 be91835a f1e58037 370606ae]
# 根據映射表 異或后輸入值為 0x143b29f0 0x0316653c 0x263553d9 0x179e686e
iv1 = 0xffffffff
p1 = 0x143b29f0 ^ iv1
p2 = 0x0316653c ^ 0xbe91835a
p3 = 0x263553d9 ^ 0xf1e58037
p4 = 0x179e686e ^ 0x370606ae
print(' '.join(f"{x:08x}" for x in [p1, p2, p3, p4]))
# ebc4d60f bd87e666 d7d0d3ee 20986ec0

2. 在加密通訊中，隨機數是保障安全性的核心要素之一，其作用貫穿密鑰生成、協議設計、身份驗證等多個環節。某系統中的一臺設備隨機數發生器出現故障，在DH交換時私鑰全為0xCC，造成私鑰泄露?，F采集其通訊數據（見附件），請分析：

附件：

1).密鑰交換算法是？ (15/分）
Diffie-Hellman (DH)
2).IKE的數據完整性校驗算法是？ (15/分）

• 從Frame 1和Frame 2的Security Association payload中可以看到
• Transform Type: Integrity Algorithm (INTEG) (3)
• Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)

AUTH_HMAC_SHA1_96 

3).是通訊發起方設備還是響應方設備出現故障（填寫"發起方"或“響應方”） (20/分）

響應方

4).DH共享密鑰值是（十六進制方式） (30/分）

0582a72064aed69a5729c3cd84055feb9eecf2bb14bae26a26f0e322e667d174554fc11c06b204469de0650178ecd53d56a0ad8e016e93e66288f9e997a868488334ec61f0cbf35d6314f081e9555ef34cfb6021cbb68f97eaea0b66fc44dccb97fe2f64bd9cf02bf648f88bbccea0053b26007ac9b1fd82c616d14b1805ae4eb2e2e0c55fd0fc1e9f0ee6451120c1e8c6962755cb417776e3ef1f9da896110930f8551189a29dfa940bcf3d1bdbd05d4b5924922c7655c3224c9f4cb792f86b44f22bc95f5c42cca76d2e063a03e651f3eb4bae75c13499ce6891680114cab502b50541ca76895e55c4984e60adb899d1bd2deb5e3b06aff634b53d00f20883

5).密鑰種子SKEYSEED是（十六進制方式） (30/分）

95c58ae7ff1554186e450f94c3f70a31d64fbb8c

6).發起方的IKE加密密鑰SK_ei是： (40/分）

# AES-CBC-256 , key 為 32Bytes
from Crypto.Hash import HMAC, SHA
import binascii

SPIi = binascii.a2b_hex('e0b156c9f61def4b')
SPIr = binascii.a2b_hex('c56eb49736d476d3')

SKEYSEED = bytes.fromhex('95c58ae7ff1554186e450f94c3f70a31d64fbb8c')
K = SKEYSEED

Ni = bytes.fromhex('76e1dbf5a2fd251d663c8f10103bb876c9f02eb6807168b3bea0f5b6a314565b')
Nr = bytes.fromhex('6c8fe3ce8951c4ebce5e9b167b00c02e684fa26ebc4487226f349b52ea34fb78')
S = Ni + Nr + SPIi + SPIr
T = b''
TotalKey = b''
for i in range(1, 10):  # 10 次循環足夠生成所需密鑰
    count_byte = binascii.a2b_hex('%02d' % i)  # 0x01 0x02 0x03 ...
    data = T + S + count_byte
    T = HMAC.new(K, data, SHA).hexdigest()
    T = binascii.a2b_hex(T)
    TotalKey += T

SK_d = TotalKey[0:20]
SK_ai = TotalKey[20:20 + 20]
SK_ar = TotalKey[40:40 + 20]
SK_ei = TotalKey[60:60 + 32]
SK_er = TotalKey[92:92 + 32]
SK_pi = TotalKey[124:124 + 20]
SK_pr = TotalKey[144:144 + 20]

# 打印結果
print(f'SK_d  = {SK_d.hex()}')
print(f'SK_ai = {SK_ai.hex()}')
print(f'SK_ar = {SK_ar.hex()}')
print(f'SK_ei = {SK_ei.hex()} (長度: {len(SK_ei)} 字節)')
print(f'SK_er = {SK_er.hex()} (長度: {len(SK_er)} 字節)')
print(f'SK_pi = {SK_pi.hex()}')
print(f'SK_pr = {SK_pr.hex()}')

# 453d6774c0eaf163864c1340b05fd7c219cc17cf7492ac716f6be2318b9f8f2c

7).由于密鑰泄露，可以解密數據，解密ESP后，可以得到ESP明文，是UDP數據包，內容格式如下：
45 00 00 3c b6 ed 00 00 80 11 00 00 c0 a8 03 15
c0 a8 02 30 03 e8 07 d0 00 28 86 cf 73 65 6e 64
20 6d 73 67 20 3d 20 7b 30 31 32 33 34 35 36 37
38 39 30 31 32 33 34 35 36 7d 0d 0a
分析可以發現UDP報文數據類似“send msg = {01234567890123456}”，請解密實際數據，填寫解密后UDP報文數據中大括號內的字符串： (50/分）

學了一天才學會。

73047882172936819

# https://www.rfc-editor.org/rfc/rfc3526.html
# g = 2, p_hex 是 2048-bit MODP Group 用到的標準質數 g ^ d % p = pow(g,d,p)
# ESP 格式 https://datatracker.ietf.org/doc/html/rfc4303#section-3.1
import hashlib
import hmac

from Cryptodome.Cipher import AES
import re

print(f'{" Q3 ":-^30}')
p_hex = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
p = int(p_hex, 16)

g = 2

priv_key_faulty_hex = "cc" * 256
priv_key_faulty = int(priv_key_faulty_hex, 16)

result = pow(g, priv_key_faulty, p)
h = hex(result)

if '1119cf0e23' in h:
    print('發起方')
if '1b2f22ea5e' in h:
    print('響應方')
# 響應方

print(f'{" Q4 ":-^30}')
# K = (發起方的公鑰 A) ^ (響應方的故障私鑰 b) mod p
pub_key_i = 0x1119cf0e2342bc9dd981e34e345ea68e363ef54cf4328afa40b2d55a9e473736d16d2a824d18be5ee395149d785de49178725f55368cffa26d6c67927fe7d540e5e17cc6ce22c7481a873a28035371ca1427745eb9975686d0774342533d2d469a422f28bdb2ba0684521fd5eeadcec18c240de35308b594390513cdba65246a3aa6cbdd506822086d2a733864198a46290fc32687f183d26a81cc8ebf0bb0e6d2f52ee8db3980207cbe266bf6d8b080d6a9c1ed1b4fcf1936bb54e0eb173fcaec4869d97b1a9917e31d20de3328ff4c8d6258d5be699c7d69e4e59768c4d152fa4bdcc0be4fb6b981fb16675fd197878fd5384ab4d9f9c1a7d690eb23b13b98
priv_key_r_faulty = priv_key_faulty
shared_key = pow(pub_key_i, priv_key_r_faulty, p)
shared_key_hex = f'{shared_key:0{256 * 2}x}'
print(f"DH共享密鑰值是: {shared_key_hex}")
# 0582a72064aed69a5729c3cd84055feb9eecf2bb14bae26a26f0e322e667d174554fc11c06b204469de0650178ecd53d56a0ad8e016e93e66288f9e997a868488334ec61f0cbf35d6314f081e9555ef34cfb6021cbb68f97eaea0b66fc44dccb97fe2f64bd9cf02bf648f88bbccea0053b26007ac9b1fd82c616d14b1805ae4eb2e2e0c55fd0fc1e9f0ee6451120c1e8c6962755cb417776e3ef1f9da896110930f8551189a29dfa940bcf3d1bdbd05d4b5924922c7655c3224c9f4cb792f86b44f22bc95f5c42cca76d2e063a03e651f3eb4bae75c13499ce6891680114cab502b50541ca76895e55c4984e60adb899d1bd2deb5e3b06aff634b53d00f20883

print(f'{" Q5 ":-^30}')
# Ni: Initiator's Nonce，發起方生成的、本次會話使用的一次性隨機數。
# Nr: Responder's Nonce，響應方生成的、本次會話使用的一次性隨機數。
"""
tshark -r capture.pcap -T fields -e isakmp.nonce
76e1dbf5a2fd251d663c8f10103bb876c9f02eb6807168b3bea0f5b6a314565b
6c8fe3ce8951c4ebce5e9b167b00c02e684fa26ebc4487226f349b52ea34fb78
"""
bh = lambda x: bytes.fromhex(x)
Ni = bh('76e1dbf5a2fd251d663c8f10103bb876c9f02eb6807168b3bea0f5b6a314565b')
Nr = bh('6c8fe3ce8951c4ebce5e9b167b00c02e684fa26ebc4487226f349b52ea34fb78')
nonce_concat = Ni + Nr
g_ir_bytes = shared_key.to_bytes(256, 'big')
# tshark -r capture.pcap -V | grep PRF  , PRF_HMAC_SHA1
SKEYSEED = hmac.new(nonce_concat, g_ir_bytes, hashlib.sha1).digest()
print(f"密鑰種子SKEYSEED是: {SKEYSEED.hex()}")
# 9ec82c13e5f2beb1c7af21f6873e113ba04c47fda57fce06c3e0f5141d2fc452

print(f'{" Q6 ":-^30}')
# --- Q4: Initiator's IKE Encryption Key (SK_ei) ---
SPIi = bytes.fromhex('e0b156c9f61def4b')  # frame1_payload_hex[:16]
SPIr = bytes.fromhex('c56eb49736d476d3')  # frame2_payload_hex[16:32])
seed = Ni + Nr + SPIi + SPIr
s = seed
t1 = hmac.new(SKEYSEED, s + b'\x01', hashlib.sha1).digest()
t2 = hmac.new(SKEYSEED, t1 + s + b'\x02', hashlib.sha1).digest()
t3 = hmac.new(SKEYSEED, t2 + s + b'\x03', hashlib.sha1).digest()
t4 = hmac.new(SKEYSEED, t3 + s + b'\x04', hashlib.sha1).digest()
t5 = hmac.new(SKEYSEED, t4 + s + b'\x05', hashlib.sha1).digest()
TotalKey = t1 + t2 + t3 + t4 + t5
"""
SK_d  (用于派生更多密鑰 20字節)
SK_ai (發起方認證密鑰，20字節)
SK_ar (響應方認證密鑰，20字節)
SK_ei (發起方加密密鑰，32字節)
SK_er (響應方加密密鑰，32字節)
SK_pi (發起方身份偽隨機函數密鑰，32字節)
SK_pr (響應方身份偽隨機函數密鑰，32字節)
"""
SK_d = TotalKey[0:20]
SK_ai = TotalKey[20:20 + 20]
SK_ar = TotalKey[40:40 + 20]
SK_ei = TotalKey[60:60 + 32]
print(f"發起方的IKE加密密鑰SK_ei是: {SK_ei.hex()}")

print(f'{" Q7 ":-^30}')
# --- Q5: Decrypt ESP ---

seed_child = Ni + Nr
keymat_t1 = hmac.new(SK_d, seed_child + b'\x01', hashlib.sha1).digest()
keymat_t2 = hmac.new(SK_d, keymat_t1 + seed_child + b'\x02', hashlib.sha1).digest()
keymat_t3 = hmac.new(SK_d, keymat_t2 + seed_child + b'\x03', hashlib.sha1).digest()
keymat_t4 = hmac.new(SK_d, keymat_t3 + seed_child + b'\x04', hashlib.sha1).digest()
keymat_t5 = hmac.new(SK_d, keymat_t4 + seed_child + b'\x05', hashlib.sha1).digest()
keymat = keymat_t1 + keymat_t2 + keymat_t3 + keymat_t4 + keymat_t5

# ESP_KEY_ei: Starts at 0, length 32.  --> [0:32]
# ESP_KEY_ai: Starts at 32, length 20. --> [32:52]
# ESP_KEY_er: Starts at 52, length 32. --> [52:84]
# ESP_KEY_ar: Starts at 84, length 20. --> [84:104]

ESP_KEY_ei = keymat[0: 32]
ESP_KEY_ai = keymat[32: 52]
ESP_KEY_er = keymat[52: 84]
ESP_KEY_ar = keymat[84: 104]

key_len_esp_encr = 32
SK_ei_esp = keymat[0:key_len_esp_encr]
esp_hex = "cf867ae800000001b9cc1fd530becf6aefbe19ec41c6e23cfa86f899a99e8b64180de9858e06977a8a91553a741f930845228caf0604b8b0c9169d641406ce7c1415ffe0fd6fca58815177f46e515dd9ccb5102625afb41c1f883c943933d75260b1ba82"
esp_data = bytes.fromhex(esp_hex)

# ESP_Payload = SPI (4B) + Seq (4B) + IV (16B) + Ciphertext (可變) + ICV (12B)
spi, seq, esp_iv, esp_ciphertext, icv = esp_data[:4], esp_data[4:8], esp_data[8:8 + 16], esp_data[24:-12], esp_data[-12:]

# 響應方發包用 ESP_KEY_er 解，請求方發包用 ESP_KEY_ei 解
cipher = AES.new(ESP_KEY_er, AES.MODE_CBC, esp_iv)
plaintext_padded = cipher.decrypt(esp_ciphertext)

result = re.findall(rb'\{(.*)\}', plaintext_padded)[0].decode()
print(f"Decrypted Data: {result}")
# 73047882172936819