Dobbertin Challenge 2012
The Dobbertin Award
The Dobbertin Challenge has been issued every two years since 2006, in honor and memory of Prof. Hans Dobbertin.
Hans Dobbertin was the founding director of the HGI and full professor at HGI's Chair for Cryptology and Information Security from 2001 to 2006. In the 1990s, Dobbertin developed new methods to break hash functions of the MD4 family, and was also able to demonstrate weaknesses in its successor MD5. His work contributed significantly to the fact that MD5 is considered broken today.
He was recognized as "Germany's best code breaker" (FAZ, 2002) and as one of the best cryptanalysts in the world. His early death in 2006 was a tremendous loss.
The Challenge 2012
A simple JSON Web Service is provided, which processes PIN codes of users. A user can send his encrypted PIN to the Web Service, which decrypts and stores the PIN.
The Web Service allows the use of cryptographically strong algorithms (RSA-OAEP and AES in GCM mode) as well as algorithms with known weaknesses (RSA-PKCS#1 v1.5 and AES in CBC mode).
To create a ciphertext, a sender may choose among these algorithms.
In order to protect the confidentiality of PINs, encryption based on the JSON Web Encryption standard is used. This standard allows both symmetric and asymmetric encryption algorithms to be applied. An exemplary message exchange is shown below:
Request:
POST /service HTTP/1.1
Content-Length: 217
Content-Type: text/plain; charset=ISO-8859-1
Host: cryptochallenge.nds.rub.de:50080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.1 (java 1.5)
eyJhbGciOiJSU0FfT0FFUCIsIml2IjoieXY2NnZ2ck8yNjNleXZpSSIsInR5cCI6IkpXVCIsImVuYyI6IkExMjhHQ00ifQ==.
ZBnPlwONWHxGDrtCxxopS4y4SrMZIAhUg3HI+SbLMxfPVRPW8yunejrkmfSLO1H/0tOx4ssggygHjG7sUfxL8A==.
i2vygn2vqFpsmep3etrD5Yh5xLP9xYhJdvn63WmHEPYChA==.
Response:
HTTP/1.1 200 OK
Content-length: 24
Date: Fri, 12 Oct 2012 08:04:48 GMT
Data successfully stored
Your Task
You are the attacker who wants to learn the secret PIN of user Bob. You have already eavesdropped a ciphertext which contains Bob's PIN:
eyJhbGciOiJSU0FfT0FFUCIsIml2IjoieXY2NnZ2ck8yNjNleXZpSSIsInR5cCI6IkpXVCIsImVuYyI6IkExMjhHQ00ifQ==.
ZBnPlwONWHxGDrtCxxopS4y4SrMZIAhUg3HI+SbLMxfPVRPW8yunejrkmfSLO1H/0tOx4ssggygHjG7sUfxL8A==.
i2vygn2vqFpsmep3etrD5Yh5xLP9xYhJdvn63WmHEPYChA==.
You know already that this ciphertext consists of three parts:
- Information about the choice of algorithms used to encrypt this ciphertext (Base64 encoded).
- An asymmetric ciphertext (RSA-OAEP or RSA-PKCS#1 v1.5, Base64 encoded), which encrypts a symmetric session key.
- A symmetric ciphertext (AES-CBC or AES-GCM, Base64 encoded), which contains the payload, encrypted with the symmetric session key.
The payload consists of 18 bytes. In the case of AES-GCM, the ciphertext is furthermore followed by 16 authentication-tag bytes. There is no such message authentication if CBC mode is used; however, before CBC mode is applied, the plaintext has to be padded up to the next multiple of the block size.
You also know that the decrypted ciphertext has the format {"My PIN:":"****"} (18 ASCII characters), where **** represents a four digit PIN.
Can you use the server as an "oracle" to decrypt Bob's PIN?
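The message format described above, parsed and checked against an algorithm allowlist, as an added example that is not part of the challenge or of the Nimbus-JWT library: it decodes the header of the eavesdropped token and shows the check a service needs so that the weak RSA-PKCS#1 v1.5 / CBC choices are refused before any decryption runs, which is what removes the oracle. The algorithm names RSA_OAEP and A128GCM come from the decoded header; the `with_header` helper and the 12-byte GCM nonce length are assumptions of this example.

```python
import base64
import json

# The eavesdropped message quoted in the challenge, copied verbatim: three Base64
# parts with '=' padding and a trailing '.', as the 2012 draft format used.
CHALLENGE_JWE = (
    "eyJhbGciOiJSU0FfT0FFUCIsIml2IjoieXY2NnZ2ck8yNjNleXZpSSIsInR5cCI6IkpXVCIsImVuYyI6IkExMjhHQ00ifQ==."
    "ZBnPlwONWHxGDrtCxxopS4y4SrMZIAhUg3HI+SbLMxfPVRPW8yunejrkmfSLO1H/0tOx4ssggygHjG7sUfxL8A==."
    "i2vygn2vqFpsmep3etrD5Yh5xLP9xYhJdvn63WmHEPYChA==."
)

# Policy: only the strong pair is accepted. PKCS#1 v1.5 and CBC are refused while the
# header is parsed, before any RSA or AES call, so a downgraded ciphertext never reaches
# code whose success/failure behaviour could serve as a padding oracle.
ALLOWED_ALG, ALLOWED_ENC = {"RSA_OAEP"}, {"A128GCM"}
GCM_IV_LEN, GCM_TAG_LEN = 12, 16  # assumed: 96-bit nonce, 128-bit tag


class RejectedJWE(ValueError):
    """One uniform rejection: the client must not learn which check failed."""


def parse_jwe(token: str) -> dict:
    """Split the compact serialization and decode its parts; no crypto happens here."""
    parts = token.rstrip(".").split(".")
    if len(parts) != 3:
        raise RejectedJWE("rejected")
    try:  # ValueError covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        header_raw, encrypted_key, body = (base64.b64decode(p, validate=True) for p in parts)
        header = json.loads(header_raw)
        iv = base64.b64decode(header.get("iv", ""), validate=True)
    except (ValueError, AttributeError, TypeError):
        raise RejectedJWE("rejected") from None
    return {"header": header, "iv": iv, "encrypted_key": encrypted_key, "body": body}


def accept(token: str, payload_len: int = 18) -> bool:
    """True only for a message the service should go on to decrypt."""
    try:
        p = parse_jwe(token)
    except RejectedJWE:
        return False
    h = p["header"]
    if h.get("alg") not in ALLOWED_ALG or h.get("enc") not in ALLOWED_ENC:
        return False
    # GCM: nonce length fixed, and the body is exactly payload + tag (18 + 16 here).
    return len(p["iv"]) == GCM_IV_LEN and len(p["body"]) == payload_len + GCM_TAG_LEN


def with_header(token: str, header: dict) -> str:
    """Re-wrap the same two ciphertext parts under another header, to exercise the policy."""
    new_hdr = base64.b64encode(json.dumps(header).encode()).decode()
    return ".".join([new_hdr] + token.rstrip(".").split(".")[1:]) + "."
```

Whatever the reason for rejection, the service answers with the same error and the same timing; anything else reintroduces a side channel even when the allowlist holds.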
Server certificate:
Helpful References
- Daniel Bleichenbacher: Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1.
- Serge Vaudenay: Security Flaws Induced by CBC Padding. Applications to SSL, IPSEC, WTLS...
- Erlend Oftedal: Practical attacks on web crypto.
- Graham Steel: Analysis of Cryptographic Security APIs.
- JSON Web Encryption.
- This challenge was created using the Nimbus-JWT library.
The rules
- If you have decrypted the ciphertext successfully, please send an email to juraj.somorovsky@rub.de, with a short description of how you recovered the PIN.
- This is a pure crypto challenge! You can win only if you apply a cryptographic attack. In particular, "hacking" the server (XSS, CSRF, etc.) is not allowed.
- The first person or team that submits the correct PIN, with a short description of the attack strategy, will receive the Dobbertin Award 2012 (challenge cup and 300 EUR prize money) from Mrs. Dobbertin.
- This challenge is exclusively for RUB students. Everybody else is allowed to participate non-competitively and become part of our Hall of Fame. Only RUB students can receive the Dobbertin Award.
Thank you for participating in this challenge.
Hall of Fame