Solutions for Cryptopals Crypto Challenges implemented in Rust.
The final product should be a library of cryptographic primitives (see the documentation), implementing as much of the crypto as possible from scratch instead of relying on external crates. Code should be as generic as possible: using traits and generics instead of concrete types is encouraged.
The challenges serve only as integration test cases; the actual library code is not organized around sets. If you want to review a specific challenge, find it under the `/tests/` folder and explore the functions it uses.
This is not a crypto library (don't roll your own crypto!) but it should serve as a real-world exercise.
Running tests:

```sh
cargo test
```

Some tests are ignored because of their long running time (and are not run in the CI). You can run those separately (you probably want them in release mode):

```sh
cargo test --release -- --ignored
```

You can also run the tests for specific sets/challenges only, e.g. for set 1, challenge 2:

```sh
cargo test set1::challenge2
```

And run the documentation examples as tests:

```sh
cargo test --doc
```

Generate and open the documentation:

```sh
cargo doc --open
```
- ✅ Convert hex to base64
- ✅ Fixed XOR
- ✅ Single-byte XOR cipher
- ✅ Detect single-character XOR
- ✅ Implement repeating-key XOR
- ✅ Break repeating-key XOR
- ✅ AES in ECB mode
- ✅ Detect AES in ECB mode
- ✅ Implement PKCS#7 padding
- ✅ Implement CBC mode
- ✅ An ECB/CBC detection oracle
- 🟨 Byte-at-a-time ECB decryption (Simple)
  - Tests sometimes fail due to randomness.
- ✅ ECB cut-and-paste
- 🟨 Byte-at-a-time ECB decryption (Harder)
  - Tests sometimes fail due to randomness.
- ✅ PKCS#7 padding validation
- ✅ CBC bitflipping attacks
- ✅ The CBC padding oracle
- ✅ Implement CTR, the stream cipher mode
- ⬛ Break fixed-nonce CTR mode using substitutions
- ⬛ Break fixed-nonce CTR statistically
- ✅ Implement the MT19937 Mersenne Twister RNG
- ✅ Crack an MT19937 seed
- ✅ Clone an MT19937 RNG from its output
- ✅ Create the MT19937 stream cipher and break it
- ✅ Break "random access read/write" AES CTR
- ✅ CTR bitflipping
- ✅ Recover the key from CBC with IV=Key
- ✅ Implement a SHA-1 keyed MAC
- ✅ Break a SHA-1 keyed MAC using length extension
- ✅ Break an MD4 keyed MAC using length extension
- ⬛ Implement and break HMAC-SHA1 with an artificial timing leak
- ⬛ Break HMAC-SHA1 with a slightly less artificial timing leak
- ✅ Implement Diffie-Hellman
- ✅ Implement a MITM key-fixing attack on Diffie-Hellman with parameter injection
- 🟨 Implement DH with negotiated groups, and break with malicious "g" parameters
  - See the `HACK` comments in `./tests/set5/challenge35_dh_negotiated_groups.rs`
- ✅ Implement Secure Remote Password (SRP)
- ✅ Break SRP with a zero key
- ✅ Offline dictionary attack on simplified SRP
- ✅ Implement RSA
- ✅ Implement an E=3 RSA Broadcast attack
- ✅ Implement unpadded message recovery oracle
- ✅ Bleichenbacher's e=3 RSA Attack
- 🟨 DSA key recovery from nonce
  - Pending: DSA parameter generation.
- ✅ DSA nonce recovery from repeated nonce
- ✅ DSA parameter tampering
- ✅ RSA parity oracle
- 🟨 Bleichenbacher's PKCS 1.5 Padding Oracle (Simple Case)
  - This required the code for challenge 48 below, i.e., I had more than one interval, but the challenge said otherwise. Did I do something wrong?
- ✅ Bleichenbacher's PKCS 1.5 Padding Oracle (Complete Case)
- ⬛ CBC-MAC Message Forgery
- ⬛ Hashing with CBC-MAC
- ⬛ Compression Ratio Side-Channel Attacks
- ⬛ Iterated Hash Function Multicollisions
- ⬛ Kelsey and Schneier's Expandable Messages
- ⬛ Kelsey and Kohno's Nostradamus Attack
- ⬛ MD4 Collisions
- ⬛ RC4 Single-Byte Biases
Set 8: Abstract Algebra (Not publicly released!)
- ⬛ Diffie-Hellman Revisited: Small Subgroup Confinement
- ⬛ Pollard's Method for Catching Kangaroos
- ⬛ Elliptic Curve Diffie-Hellman and Invalid-Curve Attacks
- ⬛ Single-Coordinate Ladders and Insecure Twists
- ⬛ Duplicate-Signature Key Selection in ECDSA (and RSA)
- ⬛ Key-Recovery Attacks on ECDSA with Biased Nonces
- ⬛ Key-Recovery Attacks on GCM with Repeated Nonces
- ⬛ Key-Recovery Attacks on GCM with a Truncated MAC
To be done (sorry!). Need to review licenses compatible with dependencies.