My solutions to the Cryptopals cryptography challenges 🔒 in well[citation needed]-commented Go.
A lot of things are implemented from scratch for lolz: hex, base64, AES with various modes (plain, ECB, CBC, CTR), SHA-1, SHA-256, MD4, HMAC-SHA1, HMAC-SHA256.
A branch implements bigints from scratch, but it is currently too slow to solve all the challenges.
The references folder contains copies of various whitepapers and RFCs useful for solving these challenges.
I have solved sets 1 through 7. I hope to finish the final set 8 soon 🤞.
- Convert hex to base64
- Fixed XOR
- Single-byte XOR cipher
- Detect single-character XOR
- Implement repeating-key XOR
- Break repeating-key XOR
- AES in ECB mode
- Detect AES in ECB mode
- Implement PKCS#7 padding
- Implement CBC mode
- An ECB/CBC detection oracle
- Byte-at-a-time ECB decryption (Simple)
- ECB cut-and-paste
- Byte-at-a-time ECB decryption (Harder)
- PKCS#7 padding validation
- CBC bitflipping attacks
- The CBC padding oracle
- Implement CTR, the stream cipher mode
- Break fixed-nonce CTR mode using substitutions
- Break fixed-nonce CTR statistically
- Implement the MT19937 Mersenne Twister RNG
- Crack an MT19937 seed
- Clone an MT19937 RNG from its output
- Create the MT19937 stream cipher and break it
- Break "random access read/write" AES CTR
- CTR bitflipping
- Recover the key from CBC with IV=Key
- Implement a SHA-1 keyed MAC
- Break a SHA-1 keyed MAC using length extension
- Break an MD4 keyed MAC using length extension
- Implement and break HMAC-SHA1 with an artificial timing leak
- Break HMAC-SHA1 with a slightly less artificial timing leak
- Implement Diffie-Hellman
- Implement a MITM key-fixing attack on Diffie-Hellman with parameter injection
- Implement DH with negotiated groups, and break with malicious "g" parameters
- Implement Secure Remote Password (SRP)
- Break SRP with a zero key
- Offline dictionary attack on simplified SRP
- Implement RSA
- Implement an E=3 RSA Broadcast attack
- Implement unpadded message recovery oracle
- Bleichenbacher's e=3 RSA Attack
- DSA key recovery from nonce
- DSA nonce recovery from repeated nonce
- DSA parameter tampering
- RSA parity oracle
- Bleichenbacher's PKCS 1.5 Padding Oracle (Simple Case)
- Bleichenbacher's PKCS 1.5 Padding Oracle (Complete Case)
- CBC-MAC Message Forgery
- Hashing with CBC-MAC
- Compression Ratio Side-Channel Attacks
- Iterated Hash Function Multicollisions
- Kelsey and Schneier's Expandable Messages
- Kelsey and Kohno's Nostradamus Attack
- MD4 Collisions
- RC4 Single-Byte Biases
- Diffie-Hellman Revisited: Small Subgroup Confinement
- Pollard's Method for Catching Kangaroos
- Elliptic Curve Diffie-Hellman and Invalid-Curve Attacks
- Single-Coordinate Ladders and Insecure Twists
- Duplicate-Signature Key Selection in ECDSA (and RSA)
- Key-Recovery Attacks on ECDSA with Biased Nonces
- Key-Recovery Attacks on GCM with Repeated Nonces
- Key-Recovery Attacks on GCM with a Truncated MAC
- Truncated-MAC GCM Revisited: Improving the Key-Recovery Attack via Ciphertext Length Extension
- Exploiting Implementation Errors in Diffie-Hellman
I found an unofficial set 9 by Andrei Ilchenko.