prosyslab-classroom / cs348-information-security


[Question][Hw2] Type signature of CBC.padding_oracle #251

Closed 727yubin closed 1 year ago

727yubin commented 1 year ago

Name: Yubin Lee

In `main.ml`, the type signatures of `dec` and `padding_oracle` are given as `val dec : Block.t -> Block.t -> string -> Block.t list`; `val padding_oracle : Block.t -> Block.t -> Block.t list -> result`.

However, in the main function, `dec` and `crack` are called as

```ocaml
  | "dec" ->
      let key = Util.parse argv.(2) |> Block.block_of_string in
      let iv = Util.parse argv.(3) |> Block.block_of_string in
      let cipher = Util.parse argv.(4) in
      CBC.dec key iv cipher
      |> List.map Block.string_of_block
      |> String.concat "" |> print_endline
  | "crack" ->
      let key = Util.parse argv.(2) |> Block.block_of_string in
      let iv = Util.parse argv.(3) |> Block.block_of_string in
      let cipher = Util.parse argv.(4) in
      let oracle = CBC.padding_oracle key in
      CBC.crack oracle iv cipher |> print_endline
```

Shouldn't the type signature of `padding_oracle` be `Block.t -> Block.t -> string -> Block.t list`? I don't see why they are different... If not, what is `padding_oracle`'s `cipher` supposed to take?

727yubin commented 1 year ago

Sorry for the horrible code quote formatting...

bonjune commented 1 year ago

`dec` decrypts a ciphertext of type `string` into a list of decrypted blocks. `padding_oracle` takes key, iv, and a list of encrypted blocks.

727yubin commented 1 year ago

I see. I will try again. Thank you!

Re-st commented 1 year ago

I have a similar question yet not answered.

1) As `cipher` of `padding_oracle` is not a String but a `Block.t list`, what is the `LengthError` option for?

The README says "LengthError: the length of the input text is incorrect (i.e., not a multiple of the block size)". But the input text (= `cipher`) is already a `Block.t list`.

2) As the output of `CBC.dec` is a `Block.t list`, when the padding is 1 (as 1 byte), I can't delete the padding. What should I do?

727yubin commented 1 year ago

  1. I believe `LengthError` should be returned if the length of the encrypted message is not divisible by (number of bytes in block, 8 in actual AES during lecture).

  2. Keeping the last block as 1 byte long should be fine.

Rsln-M commented 1 year ago

I also didn't quite understand the `LengthError` option; I assumed it can only happen if any of the blocks has a length different from the selected block length -- 2 in the case of Mini AES.

KAIST-JongchanPark commented 1 year ago

@Rsln-M Your understanding is right. `padding_oracle` should work well as itself, whatever input is given.