Simple attacks on AES-ECB
This repo contains two simple attacks on AES-ECB. The purpose of these attacks is to demonstrate that AES in ECB mode is insecure, in particular when multiple blocks are encrypted, and so AES should be used in a different mode (CBC, CTR, …) that incorporates a nonce or initialization vector. Similar attacks can be designed for other modes as well if the nonce or initialization vector is constant.
The first attack is a chosen plaintext attack (CPA), in which the attacker sends the top 1 million passwords to the encryption oracle and records the ciphertexts in a dictionary where the key is the ciphertext and the value is the corresponding plaintext that was submitted. Then, whenever the attacker observes an encrypted value, they check whether it is in the dictionary. If it is, the attacker has obtained the plaintext without knowing the key or being able to encrypt anything. The file which implements this attack is aes_ecb_password_attack.py, and this script calls aes_ecb_password_oracle.py, which serves as the encryption oracle. This attack could be generalized to other data that has some structure or includes words, such as usernames, names, addresses, prices, or certain id numbers. [NEEDS UPDATING TO BE COMPATIBLE WITH UPDATED LIBRARY]
The second attack is an adaptive chosen plaintext attack (CPA2), in which the attacker inputs user data “x…x”, the encryption oracle encrypts “data=x…x,token=mysecrettoken123,”, and the attacker can observe the entire encrypted blob of text. The attacker then brute forces one byte of “,token=mysecrettoken123” at a time by altering the plaintext submitted as data. The file which implements this attack is aes_ecb_attack.py, and this script can be run in several different modes depending on whether you want to view the information that the oracle sees or run it from the attacker's view, as well as whether you want a slowed-down, step-by-step run or just the result. This script calls aes_ecb_password_oracle.py, which serves as the encryption oracle. This attack can also be generalized and used whenever some user input data gets concatenated with static secret data and the whole thing is then encrypted as one entity.
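Both attacks above rest on one property: ECB encrypts each 16-byte block independently, so equal plaintext blocks always give equal ciphertext blocks, which is what makes the ciphertext dictionary and the byte-at-a-time comparison possible. The following added example (not part of this repo's scripts) builds ECB and CBC-with-random-IV by hand on top of the raw AES block function to show that leak and its fix, and includes the defender-side check that flags ECB use by counting repeated ciphertext blocks. It assumes either the `cryptography` package or pycryptodome is installed; the key is a constructed sample value.

```python
import os
from typing import Optional

BLOCK = 16


def aes_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Raw AES block function E_k(block). A single-block ECB call is exactly
    the block-cipher primitive; uses whichever AES library is installed."""
    assert len(block) == BLOCK
    try:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome fallback
        return AES.new(key, AES.MODE_ECB).encrypt(block)


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block encrypted on its own, so the ciphertext is a deterministic
    function of the plaintext (same password -> same ciphertext every time)."""
    pt = pkcs7_pad(plaintext)
    return b"".join(aes_block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """CBC with a fresh random IV: each block is XORed with the previous
    ciphertext block before encryption, so equal blocks no longer collide."""
    iv = os.urandom(BLOCK) if iv is None else iv
    pt = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = aes_block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)  # IV is sent in the clear alongside the ciphertext


def repeated_block_count(ciphertext: bytes) -> int:
    """Defender-side check: repeated 16-byte blocks are the signature of ECB."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key, not a real secret
    print("ECB deterministic:", ecb_encrypt(key, b"password123") == ecb_encrypt(key, b"password123"))
    print("CBC deterministic:", cbc_encrypt(key, b"password123") == cbc_encrypt(key, b"password123"))
    print("repeated blocks, ECB:", repeated_block_count(ecb_encrypt(key, b"A" * 48)))
    print("repeated blocks, CBC:", repeated_block_count(cbc_encrypt(key, b"A" * 48)))
```

Run against any captured ciphertext, `repeated_block_count` returning more than zero on data with repeating structure is a strong indicator that ECB (or a fixed-IV mode) is in use and should be treated as a finding.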