  1. package isp.integrity;
  2.  
  3. import fri.isp.Agent;
  4. import fri.isp.Environment;
  5.  
  6. import java.lang.reflect.Array;
  7. import java.math.BigInteger;
  8. import java.nio.ByteBuffer;
  9. import java.nio.ByteOrder;
  10. import java.nio.charset.StandardCharsets;
  11. import java.security.MessageDigest;
  12. import java.security.SecureRandom;
  13. import java.util.ArrayList;
  14. import java.util.Arrays;
  15.  
  16. /**
  17.  * As the person in the middle (MITM), intercept a message from Alice,
  18.  * modify the message as instructed, and create a MAC tag that will verify successfully.
  19.  * <p>
  20.  * Useful resources:
  21.  * - SHA-1 RFC https://tools.ietf.org/html/rfc3174 (section on padding in particular)
  22.  * - Wikipedia entry: https://en.wikipedia.org/wiki/Length_extension_attack
  23.  * <p>
  24.  * You can assume to know the length of the plaintext and the length of the secret that is used
  25.  * for MAC-ing.
  26.  * <p>
  27.  * To manually set the internal state of the SHA-1 algorithm, use the {@link ModifiedSHA1} class.
  28.  */
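  public class AgentCommunicationMITM {

      /**
       * Sets up the three agents ("alice", "mitm", "bank") and starts the environment.
       * <p>
       * Alice tags her message with {@code SHA-1(sharedSecret || message)} and the bank
       * recomputes the same digest to verify it. Hashing a secret prefix is the construction
       * this exercise examines; outside an exercise, use a real MAC such as HMAC
       * ({@code javax.crypto.Mac}), which is not open to length extension.
       *
       * @param args ignored
       * @throws Exception nothing is caught here, so any failure propagates to the caller
       */
      public static void main(String[] args) throws Exception {
          // Alice and the bank have a shared secret, and its length is known to the attacker.
          final byte[] sharedSecret = new byte[16];

          // For debugging purposes, I recommend using a static secret (like all zeros).
          // Your solution, however, must work with an arbitrary secret.
          // So for debugging, comment out the following two lines.
          final SecureRandom rnd = new SecureRandom();
          rnd.nextBytes(sharedSecret);

          final Environment env = new Environment();

          env.add(new Agent("alice") {
              @Override
              public void task() throws Exception {
                  final String message = "Wire 10 EUR to MITM.";
                  final byte[] pt = message.getBytes(StandardCharsets.UTF_8);

                  // tag = SHA-1(sharedSecret || pt): secret first, then the plaintext.
                  final MessageDigest d = MessageDigest.getInstance("SHA-1");
                  d.update(sharedSecret);
                  d.update(pt);
                  final byte[] tag = d.digest();

                  print("data  = %s", message);
                  print("pt    = %s", hex(pt));
                  print("tag   = %s", hex(tag));

                  send("bank", pt);
                  send("bank", tag);
              }
          });

          env.add(new Agent("mitm") {
              @Override
              public void task() throws Exception {
                  final byte[] pt = receive("alice");
                  final byte[] tag = receive("alice");
                  final String message = new String(pt, StandardCharsets.UTF_8);
                  print("data    = %s", message);
                  print("pt      = %s", hex(pt));
                  print("tag     = %s", hex(tag));

                  // TODO: Extend the message and produce a valid tag without knowing the shared secret.
                  // (However, you do know the length of the shared secret [and the length of the message].)

                  // Calculate padding block
                  // NOTE(review): paddingBlock and lengthField are computed but never used below.
                  // message.length() counts chars, not bytes; the two coincide only for ASCII text.
                  final byte[] paddingBlock = pb(512 - ((message.length() * 8) % 512) - 64);
                  final byte[] lengthField = ByteBuffer.allocate(8).putInt(message.length()).array();

                  // Data to be added
                  final byte[] addition = "And then, in a separate transaction, wire 1,000,000 EUR more."
                          .getBytes(StandardCharsets.UTF_8);

                  // Hash addition, starting from the intercepted tag as the internal state
                  ModifiedSHA1 sha = new ModifiedSHA1();
                  sha.setState(tag, 1);       // TODO: how to set blockCount
                  sha.update(addition);

                  // Forged message and tag; the plaintext sent on is pt directly followed by addition
                  byte[] forgedPt = concatenate(pt, addition);
                  byte[] forgedTag = sha.digest();

                  send("bank", forgedPt);
                  send("bank", forgedTag);
              }
          });

          env.add(new Agent("bank") {
              @Override
              public void task() throws Exception {
                  final byte[] pt = receive("alice");
                  final byte[] tag = receive("alice");

                  // recompute the tag
                  final MessageDigest d = MessageDigest.getInstance("SHA-1");
                  d.update(sharedSecret);
                  d.update(pt);
                  final byte[] tagComputed = d.digest();

                  print("data = %s", new String(pt, StandardCharsets.UTF_8));
                  print("pt   = %s", hex(pt));

                  // Compare with MessageDigest.isEqual rather than Arrays.equals: a tag check
                  // should not return early at the first differing byte.
                  if (MessageDigest.isEqual(tag, tagComputed)) {
                      print("MAC verification succeeds: %s == %s", hex(tag), hex(tagComputed));
                  } else {
                      print("MAC verification fails: %s != %s", hex(tag), hex(tagComputed));
                  }
              }
          });

          // presumably routes the alice -> bank channel through the "mitm" agent; confirm in Environment
          env.mitm("alice", "bank", "mitm");
          env.start();
      }

      /**
       * Returns {@code length / 8} bytes: {@code 0x80} followed by zeros when {@code length}
       * is a multiple of 8, all zeros otherwise. The caller uses it for the padding block.
       *
       * @param length requested size in bits; must be positive
       * @return the byte run described above
       * @throws IllegalArgumentException if {@code length} is not positive
       */
      private static byte[] pb(int length) {
          if (length <= 0) {
              throw new IllegalArgumentException("length must be positive, got " + length);
          }
          final byte[] block = new byte[length / 8];
          if (length % 8 == 0) {
              // length > 0 and divisible by 8, so the array has at least one byte
              block[0] = (byte) 0x80;
          }
          return block;
      }

      /**
       * Joins two byte arrays into a newly allocated one.
       *
       * @param a bytes placed first
       * @param b bytes placed after {@code a}
       * @return a new array holding {@code a} followed by {@code b}
       */
      private static byte[] concatenate(byte[] a, byte[] b) {
          final byte[] joined = Arrays.copyOf(a, a.length + b.length);
          System.arraycopy(b, 0, joined, a.length, b.length);
          return joined;
      }
  }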