I am going to outline an attack to decrypt some blocks of data using the network key. The attack is against the network package, and the network/conn part in particular.
Decrypting the message length
The idea is to connect to a node and send some ciphertext to it. The node expects the following:
It first reads both len(P) and len(V), and then it expects L = len(P) + len(V) more bytes.
If we send fewer than L bytes, the node times out and subsequently resets the connection. If we send at least L bytes that are not valid ciphertext, we immediately get a connection reset.
So the approach is simple:
- Select 4 blocks of data and save it to X. This will be our len(P)||len(V).
- Choose n as a guess for L.
- Send X and then n random bytes.
- If we get an immediate connection reset, then n >= L.
- Otherwise n < L.
- Repeat, until found.
This setup only gets us L; we still know neither len(P) nor len(V). The following section overcomes that problem.
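As an added illustration (not code from the project under discussion), the following toy model shows why the timeout-versus-reset distinction above is a length oracle, and that verifying a MAC over the whole frame before acting on any length field closes it. The header layout (two 16-byte big-endian lengths), the toy header keystream and the 4096-byte upper bound on L are assumptions made for the model.

```python
import hashlib
import hmac
import secrets

HDR = 32        # assumed header layout: len(P) || len(V), two 16-byte big-endian integers
MAX_L = 4096    # assumed upper bound on L = len(P) + len(V)

def _keystream(key: bytes) -> bytes:
    # Toy header keystream, only so the node can "decrypt X"; not a real cipher.
    return hashlib.sha256(key + b"header").digest()[:HDR]

def encrypt_header(key: bytes, plen: int, vlen: int) -> bytes:
    hdr = plen.to_bytes(16, "big") + vlen.to_bytes(16, "big")
    return bytes(a ^ b for a, b in zip(hdr, _keystream(key)))

class LeakyNode:
    """Receiver as described above: decrypts the header, then waits for L more bytes."""
    def __init__(self, key: bytes):
        self.key = key

    def handle(self, msg: bytes) -> str:
        hdr = bytes(a ^ b for a, b in zip(msg[:HDR], _keystream(self.key)))
        L = int.from_bytes(hdr[:16], "big") + int.from_bytes(hdr[16:], "big")
        if len(msg) - HDR < L:
            return "timeout"    # keeps waiting for the rest of the message
        return "reset"          # full length arrived but the body fails to decrypt

class HardenedNode(LeakyNode):
    """Verifies a MAC over the whole frame before trusting any length field (AEAD-style)."""
    def handle(self, msg: bytes) -> str:
        body, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(msg) < HDR + 32 or not hmac.compare_digest(tag, expected):
            return "reset"      # forged header: same answer whatever follows it
        return super().handle(body)

def recover_L(node, X: bytes, hi: int = MAX_L):
    """Binary search for L using only timeout/reset; None when both probes answer alike."""
    if node.handle(X) == node.handle(X + bytes(hi)):
        return None             # uniform behaviour: there is no oracle to exploit
    lo = 0                      # invariant: lo bytes -> timeout, hi bytes -> reset
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if node.handle(X + secrets.token_bytes(mid)) == "reset":
            hi = mid
        else:
            lo = mid
    return hi                   # smallest n that triggers the reset, i.e. L
```

Against the leaky node the search recovers L in about log2(MAX_L) connections; against the hardened node the first two probes already look identical and the search learns nothing.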
Decrypting len(V)
Suppose we somehow capture a single encrypted message, that is: len(P)||len(V)||P||V.
The idea is that if we perturb V, decryption will still pass, but if we change P, it will fail.
So we can randomly perturb blocks and check whether we get a connection reset.
This gives us both the ciphertext and the plaintext of a particular len(V) block.
Then we can attach this len(V) block to a given len(P) block and decrypt len(P) using the algorithm from the previous section.
TL;DR: use TLS, an AEAD such as AES-GCM, and ephemeral keys for transport-layer security.