Breaking some homemade crypto

I recently did a code review assessment on an application for one of my client. The best part of the application was their own cryptography algorithm.

Moreover, the application was written in PHP and PHP do some strange things with string, characters and XOR operations. It only needed a few lines of python in order to break it.

TL;DR : please do not write your own crypto!

The cryptography algorithm was a symmetric one, that means there is always a private key shared between the encryption and the decryption. In fact the key was shared for the application.

Encryption algorithm

The encryption algorithm is the following (I rewrote it in python for a better comprehension):

def crypt(clearText):
    privateKey = '123456'
    cipherText = ''

    key= hashlib.md5(str(randint(0, 32000)).encode('ascii')).hexdigest()

    i = 0
    j = 0
    while (i< len(clearText)):
        if (j == len(key)):
            j=0
        cipherText += key[j]+chr(ord(clearText[i])^ord(key[j]))
        i += 1
        j += 1

    key2 = hashlib.md5(privateKey.encode('ascii')).hexdigest()
    i = 0
    j = 0
    result = ''

    while (i< len(cipherText)):
        if (j == len(key2)):
            j=0
        result += chr(ord(cipherText[i]) ^ ord(key2[j]))
        i+=1
        j+=1

    return result

We observe that there is only XOR operations. Quick reminder about XOR operations:

0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0

Moreover, by definition: a XOR b XOR a = b

Breaking things

In our situation we need to find cipherText in order to find the md5 hash of the private key. However cipherText is build using the clear text and a random number included between 0 and 32 000. Therefore by a Known-plaintext attack we can generate the 32 001 values of cipherText, XOR it with the encrypted string, search for the resulting sting which will be repeating every 36 characters and get the md5 hash of the private key. Our only constrain in that the plain text must be longer than 36 characters in order to easily find the md5 hash (an other option might have be to search for ascii characters).

Here is the python code:

def brute():
    clearText='this is a test in order to break some home made crypto'
    codedText=crypt(clearText)
    k=0
    while (k<32001):
        key= hashlib.md5(str(k).encode('ascii')).hexdigest()
        cipherText= ''

        i = 0
        j = 0
        while (i< len(clearText)):
            if (j == len(key)):
                j=0
            cipherText += key[j]+chr(ord(clearText[i])^ord(key[j]))
            i += 1
            j += 1

        i = 0
        j = 0
        result = ''

        while (i< len(codedText)):
            if (j == len(cipherText)):
                j=0
            result += chr(ord(codedText[i]) ^ ord(cipherText[j]))
            i+=1
            j+=1
        l = 0
        s = 0
        while (l<32):
            if (result[l]==result[l+32]):
                s +=1
            l+=1
        if s==32:
            print(k)
            print(result[:32])
            break
        k+=1

I put the two function in a file, added a main and run it:

[maggick@eridani ~]$ time python crypt.py
23467
e10adc3949ba59abbe56e057f20f883e

real    0m2.186s
user    0m2.186s
sys 0m0.000s
[maggick@eridani ~]$ echo -en '123456' | md5sum
e10adc3949ba59abbe56e057f20f883e  -

We got the md5 hash of the private key. The default key used in the application was 8 characters long and was use in other algorithms not home made.

PHP: character XOR character

PHP is doing really funny things, most of you know that. When analysing the original PHP code of the encryption function, I found something very strange:

$tmp .= mb_substr($text, $i, 1) ^ mb_substr($key, $j, 1);

How can you make a xor operation between two characters?!

In fact PHP make a xor operation between the ASCII value of the character and convert the result back to the ASCII character. For instance 'a' xor 'B' will result in 65 xor 98 which give 35 therefore 'a' xor 'B' → '#'

As you may have seen in the above code this is equivalent to the following python code:

tmp += chr(ord(clearText[i])^ord(key[j]))

Full code

The complete code is the following:

import hashlib
import base64
from random import randint

def crypt(clearText):
    privateKey = '123456'
    cipherText = ''

    key= hashlib.md5(str(randint(0, 32000)).encode('ascii')).hexdigest()

    i = 0
    j = 0
    while (i< len(clearText)):
        if (j == len(key)):
            j=0
        cipherText += key[j]+chr(ord(clearText[i])^ord(key[j]))
        i += 1
        j += 1

    key2 = hashlib.md5(privateKey.encode('ascii')).hexdigest()
    i = 0
    j = 0
    result = ''

    while (i< len(cipherText)):
        if (j == len(key2)):
            j=0
        result += chr(ord(cipherText[i]) ^ ord(key2[j]))
        i+=1
        j+=1

    return result

def brute():
    clearText='this is a test in order to break some home made crypto'
    codedText=crypt(clearText)
    k=0
    while (k<32001):
        key= hashlib.md5(str(k).encode('ascii')).hexdigest()
        cipherText= ''

        i = 0
        j = 0
        while (i< len(clearText)):
            if (j == len(key)):
                j=0
            cipherText += key[j]+chr(ord(clearText[i])^ord(key[j]))
            i += 1
            j += 1


        i = 0
        j = 0
        result = ''

        while (i< len(codedText)):
            if (j == len(cipherText)):
                j=0
            result += chr(ord(codedText[i]) ^ ord(cipherText[j]))
            i+=1
            j+=1
        l = 0
        s = 0
        while (l<32):
            if (result[l]==result[l+32]):
                s +=1
            l+=1
        if s==32:
            print(k)
            print(result[:32])
            break
        k+=1


def main():
    brute()

if __name__ == "__main__":
    main()