AES-CTR Cryptography: Reused Key Weakness - HackTheBox Cyber Apocalypse CTF 

I would like to point out that unlike you make it out to be in this video, reusing keys with CTR mode isn't insecure by design. The actual problem lies in reusing the same initialization vector value (IV) with multiple encryptions with the same key. The IV values should be nonces (or 'number used only once') to protect against this attack. Usually these nonce values are achieved by using a running counter value added to the original IV value (IV || CTR[i]), hence the name counter mode. Let me demonstrate the attack and how to prevent it: Ciphertext1 = Plaintext1 ⊕ AES(key, IV) Ciphertext2 = Plaintext2 ⊕ AES(key, IV) Which leads to the following ciphertext pair: Ciphertext1 ⊕ Ciphertext2 = Plaintext1 ⊕ AES(key, IV) ⊕ Plaintext2 ⊕ AES(key, IV) Now, because the (key, IV) pair is reused, the AES(key, IV) will yield the same result for both ciphertexts. This means that an attacker can now compute Ciphertext pairs easily by cancelling the AES encryption out of the equation (XORing anything by itself will always yield to 0): Ciphertext1 ⊕ Ciphertext2 = Plaintext1 ⊕ Plaintext2 Therefore an attacker can easily get the Plaintext2 value by computing the following operation: Plaintext2 = Plaintext1 ⊕ Ciphertext1 ⊕ Ciphertext2 As was demonstrated in this video. When using the counter mode properly, we get the ciphertexts in the following way: Ciphertext1 = Plaintext1 ⊕ AES(key, (IV || CTR[0])) Ciphertext2 = Plaintext2 ⊕ AES(key, (IV || CTR[1])) Which leads to the following ciphertext pair: Ciphertext1 ⊕ Ciphertext2 = Plaintext1 ⊕ AES(key, (IV || CTR[0])) ⊕ Plaintext2 ⊕ AES(key, (IV || CTR[1])) Now, because the AES encryption operations yield different results, an attacker can no longer just cancel the AES encryptions out and would actually need to compute the values themselves. Even if the attacker knows the original IV value, they have no way of actually computing these without obtaining the key! Therefore, the attack is rendered useless whenever unique (key, IV) pairs are used. The code in question should be fixed by making the following change to the counter: iv = os.urandom(16) ctr = Counter.new(128, int.from_bytes(iv, byteorder='big')) cipher = AES.new(KEY, AES.MODE_CTR, counter=ctr)

you + sleep deprivation = hilarious

I did not have the right understanding for this challenge and did not give the right explanation in the video, and I'm sorry for that. You can find a solid explanation in Arttu Paju's comment pinned below and the other comments that explain where I went wrong in this one. Sorry!

Hope you know your sleep deprivation hasn’t gone unappreciated, I seriously like camp out everyday after work looking forward to these. Love and appreciate you John!

In this specific scenario, the actual vulnerability is the non-unique (nonce, key) pair between 2 distinct encryptions. As during the creation of the AES object no value for nonce(=IV) is specified, a default one is used and thus, 2 ciphertext will share the same default IV and key which makes it vulnerable

"Your life should be in Dark Mode...." John Hammond That should be a famous quote!

your videos are so fun to watch and so educating

Dark mode John isn't bad at all

I really learn a lot through your videos, best part I also enjoy watching them again and again ❤️

nice video, I enjoyed the end credit bonus scene of crazy john with the lights. Keep it up, buddy.

learned something new again. Thanks John

Thanks for the video John!

bro , the dark mode in the end was super duper cool ! test it one in a while :)

Just reusing a key and it breaks one of the most popular encryption algorithms

amazing John

This is my new favorite channel.

DarkMODE for the Win.

Real talk? The room looks great at the end there!

I like dark mode ! Keep it :-)

Its 2 : 11 and im watching your video , i should also have to go to bed now good night John, btw awesome content as always ❗

Awesome!

Nice

Cool video in dark mode ...

Addicted to you sir

why don't u make python series where u gonna teach pentesting python to us. If this would happen gonna appreciate it vro🙏

john sir king🤴🤴🤴🤴

Oh, so all you had to do was Xor? I did not know that worked for AES! I thought you had to brute force the urandom-value against the know string to find the key and then decrypt the flag. :p

how many hours do you actually sleep in a day? appreciate your videos and knowledge sharing

I wonder if they called it PhaseStream3, or PS3, on purpose.. The first PS3 hack involved a bad PRNG .

how would you attempt this if the source string wasn't supplied?

1 dislike is the ip john hammond hacked

Love from india

You explained absolutly nothing in this video..Reusing the key is not the only problem here.

I see that you have Linux but... it’s not kali bro you need to try kali Linux it will change your life. Ps I love your videos keep up the good work 🙂🙂

yeah I just start the video ... (i wr0t3 c0mm3n7 b3f0r3 st4r7ing l0l)

What can you hack is the sky the limit or are their specifics

ok

HTB{ {H)igh (E)ducation (A)ttentional (R)ight (NOW) (T)raffic! } --->Thx!

Heartt

John You really need to sleep