
Commit 873cac5

Merge pull request #1911 from HackTricks-wiki/update_Carelessness_versus_craftsmanship_in_cryptography_20260218_130042
Carelessness versus craftsmanship in cryptography
2 parents ffeb6d5 + 310764a commit 873cac5

1 file changed

Lines changed: 23 additions & 0 deletions

File tree

src/crypto/symmetric/README.md

@@ -34,6 +34,24 @@ If a nonce/IV is reused with the same key:
3434
- `C1 XOR C2 = P1 XOR P2` (classic keystream reuse)
3535
- With known plaintext, you can recover the keystream and decrypt others.
3636

37+
**Nonce/IV reuse exploitation patterns**
38+
39+
- Recover keystream wherever plaintext is known/guessable:
40+
41+
```text
42+
keystream[i..] = ciphertext[i..] XOR known_plaintext[i..]
43+
```
44+
45+
Apply the recovered keystream bytes to decrypt any other ciphertext produced with the same key+IV at the same offsets.
46+
- Highly structured data (e.g., ASN.1/X.509 certificates, file headers, JSON/CBOR) gives large known-plaintext regions. You can often XOR the ciphertext of the certificate with the predictable certificate body to derive keystream, then decrypt other secrets encrypted under the reused IV. See also [TLS & Certificates](../tls-and-certificates/README.md) for typical certificate layouts.
47+
- When multiple secrets of the **same serialized format/size** are encrypted under the same key+IV, field alignment leaks even without full known plaintext. Example: PKCS#8 RSA keys of the same modulus size place prime factors at matching offsets (~99.6% alignment for 2048-bit). XORing two ciphertexts under the reused keystream isolates `p ⊕ p'` / `q ⊕ q'`, which can be brute-recovered in seconds.
48+
- Default IVs in libraries (e.g., constant `000...01`) are a critical footgun: every encryption repeats the same keystream, turning CTR into a reused one-time pad.
49+
50+
**CTR malleability**
51+
52+
- CTR provides confidentiality only: flipping bits in ciphertext deterministically flips the same bits in plaintext. Without an authentication tag, attackers can tamper data (e.g., tweak keys, flags, or messages) undetected.
53+
- Use AEAD (GCM, GCM-SIV, ChaCha20-Poly1305, etc.) and enforce tag verification to catch bit-flips.
54+
3755
### GCM
3856

3957
GCM also breaks badly under nonce reuse. If the same key+nonce is used more than once, you typically get:
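Review bot: the two new section titles in this hunk (`**Nonce/IV reuse exploitation patterns**` and `**CTR malleability**`) are bold paragraphs, while the rest of the file uses `###` headings (`### GCM`, `### Tools`); use a heading level here (for example `#### Nonce/IV reuse exploitation patterns`) so they show up in the page outline. The PKCS#8 bullet states "~99.6% alignment for 2048-bit" and "brute-recovered in seconds" with no citation at the point of use (the Trail of Bits post is only added at the bottom of the file); link it inline and say what the percentage measures (presumably how often the prime fields of two keys land at identical offsets) so a reader can tell when the `p ⊕ p'` / `q ⊕ q'` relation actually holds. The "Default IVs in libraries (e.g., constant `000...01`)" bullet should name the library or link the source, since "libraries" is not verifiable as written. Finally, the first new bullet duplicates the context line `- With known plaintext, you can recover the keystream and decrypt others.` directly above it; fold the keystream formula into that existing bullet or drop the repeat.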
@@ -44,6 +62,7 @@ GCM also breaks badly under nonce reuse. If the same key+nonce is used more than
4462
Operational guidance:
4563

4664
- Treat "nonce reuse" in AEAD as a critical vulnerability.
65+
- Misuse-resistant AEADs (e.g., GCM-SIV) reduce nonce-misuse fallout but still require unique nonces/IVs.
4766
- If you have multiple ciphertexts under the same nonce, start by checking `C1 XOR C2 = P1 XOR P2` style relations.
4867

4968
### Tools
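Review bot: the new bullet `- Misuse-resistant AEADs (e.g., GCM-SIV) reduce nonce-misuse fallout but still require unique nonces/IVs.` should state what fallout remains, otherwise "reduce" is not actionable next to the preceding line that calls nonce reuse critical: with a SIV construction a repeated nonce keeps the key and authenticity intact and only reveals whether the same (nonce, AD, plaintext) was encrypted twice, so phrase it as "limit the damage of a repeated nonce to leaking plaintext equality; unique nonces are still required to avoid even that". Consider also moving the bullet after the `C1 XOR C2 = P1 XOR P2` line, because that check applies to plain GCM and does not hold for GCM-SIV, and the current ordering reads as if it did.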
@@ -185,4 +204,8 @@ Reference writeup (HTB Kryptos):
185204
https://0xrick.github.io/hack-the-box/kryptos/
186205
{{#endref}}
187206

207+
## References
208+
209+
- [Trail of Bits – Carelessness versus craftsmanship in cryptography](https://blog.trailofbits.com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/)
210+
188211
{{#include ../../banners/hacktricks-training.md}}
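Review bot: the new `## References` section is the only place the Trail of Bits post is cited, but the claims it backs earlier in this PR (the PKCS#8 offset-alignment figure and the constant default-IV footgun) do not link to it, so a reader landing on those bullets cannot tell where the numbers come from; add the link inline at those points, or add a short clause here naming which bullets draw on it. The page already cites the HTB Kryptos writeup `https://0xrick.github.io/hack-the-box/kryptos/` through a `{{#ref}}` block just above; either list it in this References section as well or keep all external sources in one style, so the file does not mix two citation conventions.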
