Let’s talk about Wonky AES. Please do not share any flags or writeups.
Insane challenge. I gotta read lots of stuff about Fault Attack.
It’s all about that function.

    void CipherFault(state_t* state, const uint8_t* RoundKey, bool is_fault, int pos, uint8_t fault)
    {
      uint8_t round = 0;

      // Add the First round key to the state before starting the rounds.
      AddRoundKey(0, state, RoundKey);

      // There will be Nr rounds.
      // The first Nr-1 rounds are identical.
      // These Nr rounds are executed in the loop below.
      // Last one without MixColumns()
      for (round = 1; ; ++round)
      {
        SubBytes(state);
        ShiftRows(state);
        if (round == Nr) {
          break;
        }
        if (is_fault && round == Nr - 1) {
          (*state)[pos % 4][pos / 4] ^= fault;
        }
        MixColumns(state);
        AddRoundKey(round, state, RoundKey);
      }
      // Add round key to last round
      AddRoundKey(Nr, state, RoundKey);
    }

It happens before MixColumns in round 9.
This post discusses an AES fault attack in round nine before MixColumns, and the author provides a script to retrieve the key.
However, the script provided takes one ciphertext and its faulty combinations, which makes it different from our challenge.
In our challenge, we have an unlimited number of ciphertext_n, faultytext_n pairs. I think I need to modify this script.
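
How a one-byte XOR placed before MixColumns in round 9 shows up in the ciphertext can be checked by modelling only the tail of `CipherFault`. This is an added example, not code from the challenge or from any post in this thread; it assumes `state_t` is a `uint8_t[4][4]` indexed `[column][row]` and emitted in memory order (as in tiny-AES-c), and it uses random stand-in values for the state and round keys.

```python
import os

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    # Multiplicative inverse (0 maps to 0) followed by the AES affine transform.
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def shift_rows(s):
    # Flat state: byte (col, row) is at index 4*col + row; row r rotates left by r.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        out += [gmul(col[r], 2) ^ gmul(col[(r + 1) % 4], 3)
                ^ col[(r + 2) % 4] ^ col[(r + 3) % 4] for r in range(4)]
    return out

def finish(state, k9, k10, pos=None, fault=0):
    """Tail of CipherFault, starting just after ShiftRows in round 9."""
    s = list(state)
    if pos is not None:
        s[4 * (pos % 4) + pos // 4] ^= fault  # (*state)[pos % 4][pos / 4] ^= fault
    s = [a ^ b for a, b in zip(mix_columns(s), k9)]   # round 9: MixColumns, AddRoundKey
    s = shift_rows([SBOX[b] for b in s])              # round 10: SubBytes, ShiftRows
    return [a ^ b for a, b in zip(s, k10)]            # final AddRoundKey

def changed_bytes(pos, fault=0x5a):
    """Ciphertext byte indices that differ between the clean and the faulted run."""
    state, k9, k10 = (list(os.urandom(16)) for _ in range(3))  # constructed stand-ins
    good = finish(state, k9, k10)
    bad = finish(state, k9, k10, pos, fault)
    return [i for i in range(16) if good[i] != bad[i]]

if __name__ == "__main__":
    for pos in range(4):
        print(pos, changed_bytes(pos))
```

Whatever the state and keys, a non-zero fault changes exactly four ciphertext bytes, and which four depends only on the column that `pos % 4` selects.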