2023 Cyber Apocalypse: Perfect Synchronization

#htb #ctf #crypto #aes #ecb #block-cipher

Challenge Information

AttributeDetails
Event2023 Cyber Apocalypse
CategoryCrypto
ChallengePerfect Synchronization

Summary

This challenge involves AES encryption in ECB mode with a critical design flaw. The cipher encrypts single characters concatenated with a salt using AES ECB mode. Since each character is independently encrypted with the same key and salt prefix, this creates a deterministic lookup table that can be exploited for message recovery.

Analysis

The vulnerable code:

class Cipher:
    def __init__(self):
        self.salt = urandom(15)
        self.cipher = AES.new(key, AES.MODE_ECB)


    def encrypt(self, message):
        return [self.cipher.encrypt(c.encode() + self.salt) for c in message]

Vulnerability: Each character is encrypted independently with:

  • Fixed salt (15 bytes)
  • Single character (1 byte)
  • Total: 16 bytes (one AES block)

Since AES ECB mode is deterministic, the same plaintext always produces the same ciphertext. This allows building a lookup table:

Character → Encrypted Block
'S' → ciphertext_S
'e' → ciphertext_e
'c' → ciphertext_c
...

Challenge Output (partial encrypted message): The output contains encrypted blocks that can be matched against a precomputed dictionary.

Solution

The exploitation strategy:

from Crypto.Cipher import AES


# Know the salt and key from the output
known_chars = set("SECRET MESSAGE")


# Build lookup table by encrypting each known character
lookup = {}
for char in known_chars:
    encrypted = cipher.encrypt(char.encode() + salt)
    lookup[encrypted.hex()] = char


# Decrypt the message by looking up each encrypted block
decrypted = ""
for encrypted_block in encrypted_blocks:
    decrypted += lookup[encrypted_block.hex()]


print(decrypted)

Key steps:

  1. Extract the salt from program output or runtime
  2. Extract the key from program output or runtime
  3. Build a dictionary of character→ciphertext mappings
  4. Match each encrypted block to recover the original message

Key Takeaways

  • AES ECB mode is vulnerable to pattern analysis
  • Never use ECB mode for encrypting multiple blocks
  • Encrypting single characters independently creates dictionary attack vulnerabilities
  • Deterministic encryption allows pre-computation of lookup tables
  • Always use authenticated encryption modes (GCM, CCM) with random IVs
  • Salt and key management are critical for security