Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Friends don't let friends reuse nonces - 1503

Joe Doyle - Trail of Bits. Posted 1 year ago
  • In cryptography, a nonce (number used only once) is an important part of most encryption and signature algorithms. Nonces must never be reused, but they are usually allowed to be public. When a nonce is reused, it can reveal secrets in encrypted messages or even let an attacker recover the private key in the case of DSA. The article explains why nonce reuse is so damaging.
  • Encrypted channels work by transforming the content of a message into what looks like random noise, which is decoded again on the other end. Old ciphers from the 1500s did this by substituting each symbol with another symbol from a fixed mapping; applying the mapping in reverse decrypts the message. The security of this relies on third parties (Evil Eve) not being able to infer anything about the symbol-substitution procedure from the encrypted data.
  • Many ciphers were broken by observing patterns within the individual encrypted messages, such as the Banburismus technique used to break the Enigma machine. To prevent this, instead of mapping one symbol at a time, modern ciphers operate on 128- or 256-bit blocks. Additionally, there are rules for constructing a good substitution table for every symbol, or block in this case.
  • The first part shows the classic Linux tux penguin being encrypted using ECB mode. Even though it's encrypted, you can still see Tux in the image! This is because blocks with the same data will produce the same output. To prevent this from happening, we introduce a nonce.
  • AES-CTR and ChaCha20 are both encryption modes that use a nonce combined with an incrementing counter value. When the same nonce is used to encrypt two images, XORing the two ciphertexts together cancels the keystream and leaves the XOR of the two plaintexts. If you ever reuse a nonce, an attacker who sees two encrypted messages can learn the XOR of the plaintexts. If nonces aren't reused between different messages, then it's impossible to recover the original data. AES-CTR mode is unusual in that it encrypts the nonce and counter to produce a keystream and then XORs that with the plaintext, which is why this is possible.
  • Recently, when auditing a protocol, they found an issue relating to this where Alice, Bob and Carol were the actors in a peer-to-peer communication model. After running a secret-sharing algorithm built on asymmetric cryptography, they generate a key for ChaCha20 to use. When the algorithm is initialized, all of them start with a nonce of zero.
  • As a result, if an attacker can sniff a message going from Alice to Bob and another from Bob to Alice encrypted with the same key and nonce, they can XOR the encrypted data together to recover the original! The important fields that are XORed are pseudorandom, so it's not possible to learn all of their contents. The nonce reuse did, however, allow them to leak the MAC key, and a MitM could then have modified messages in transit.
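The two bullets above describe the same failure twice: a stream cipher reusing a (key, nonce) pair, and the Alice/Bob protocol where both directions start from nonce zero. The following example is my own addition, not code from the Trail of Bits post. It uses a SHA-256-based keystream as a constructed stand-in for the AES-CTR/ChaCha20 block function (the structure, not the primitive, is what matters), shows that XORing two ciphertexts produced under the same nonce cancels the keystream, and then shows the mitigation: per-direction nonce spaces plus a session object that refuses to ever emit a nonce twice. The direction-byte convention and the session class are assumptions for illustration.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR keystream: PRF(key, nonce, counter) per 32-byte block.
    # SHA-256 is a constructed stand-in for the AES/ChaCha20 block function;
    # what matters is that the same (key, nonce) always yields the same bytes.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Stream-cipher encryption: ciphertext = plaintext XOR keystream.
    # Decryption is the same operation.
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# Constructed sample traffic: one shared session key and one message per direction,
# mirroring the Alice/Bob exchange described in the notes.
KEY = hashlib.sha256(b"constructed demo session key").digest()
ALICE_TO_BOB = b"alice->bob: session mac key follows 00000000"
BOB_TO_ALICE = b"bob->alice: ack, mac key received, thanks!!!"


def keystream_cancels(nonce_a: bytes, nonce_b: bytes) -> bool:
    # True when ciphertext_a XOR ciphertext_b equals plaintext_a XOR plaintext_b,
    # i.e. the keystream cancelled out because both sides used the same (key, nonce).
    # Any bytes an observer already knows in one message then reveal the
    # corresponding bytes of the other, which is how the MAC key leaked.
    c_a = ctr_encrypt(KEY, nonce_a, ALICE_TO_BOB)
    c_b = ctr_encrypt(KEY, nonce_b, BOB_TO_ALICE)
    return xor_bytes(c_a, c_b) == xor_bytes(ALICE_TO_BOB, BOB_TO_ALICE)


class DirectionalSession:
    # Mitigation (assumed design): each direction owns a disjoint nonce space
    # (a direction byte followed by an 11-byte per-message counter), and the
    # session refuses to encrypt under any nonce it has already used.
    def __init__(self, key: bytes, direction: int):
        self.key = key
        self.direction = direction  # 0 = Alice->Bob, 1 = Bob->Alice (assumed convention)
        self.counter = 0
        self.used = set()

    def next_nonce(self) -> bytes:
        nonce = bytes([self.direction]) + self.counter.to_bytes(11, "big")
        self.counter += 1
        return nonce

    def seal(self, plaintext: bytes, nonce: bytes = None):
        nonce = self.next_nonce() if nonce is None else nonce
        if nonce in self.used:
            raise RuntimeError("nonce reuse detected; refusing to encrypt")
        self.used.add(nonce)
        return nonce, ctr_encrypt(self.key, nonce, plaintext)


def directions_separated() -> bool:
    # Both peers start their counters at zero, but the direction byte keeps the
    # nonces distinct, so XORing the ciphertexts no longer yields p_a XOR p_b.
    alice = DirectionalSession(KEY, 0)
    bob = DirectionalSession(KEY, 1)
    nonce_a, c_a = alice.seal(ALICE_TO_BOB)
    nonce_b, c_b = bob.seal(BOB_TO_ALICE)
    leaked = xor_bytes(c_a, c_b) == xor_bytes(ALICE_TO_BOB, BOB_TO_ALICE)
    return nonce_a != nonce_b and not leaked


def refuses_reuse() -> bool:
    # The first auto-generated nonce for direction 0 is twelve zero bytes;
    # handing that same nonce back in must be rejected.
    session = DirectionalSession(KEY, 0)
    session.seal(b"first message")
    try:
        session.seal(b"second message", nonce=b"\x00" * 12)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    zero = b"\x00" * 12
    print("same nonce both ways leaks p_a XOR p_b:", keystream_cancels(zero, zero))
    print("distinct nonces leak nothing:", keystream_cancels(zero, b"\x00" * 11 + b"\x01"))
    print("direction-separated nonces safe:", directions_separated())
    print("session rejects a repeated nonce:", refuses_reuse())
```

The session object is the part worth copying into real code: the direction byte removes the shared starting point that bit the audited protocol, and the refusal-to-reuse check turns a silent confidentiality break into a loud failure you can alert on.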
  • The major difference can be seen in the Tux and Betsy images and in why the message could not be fully recovered: notice that the image was not perfectly recovered. These images worked well because of the large amounts of solid white and black, which make the overlaps easy to see. In the real world, if the data is random, you won't be able to see anything because the XOR will itself appear random.
  • Overall, I enjoyed the post and the visuals from it!