stypr / stypr_crypt Goto Github PK

Lol hi again !

While I was writing my SIP protocol fuzzer, I wrote some seed generation code that was very similar to your crypto.go:randInt() implementation:

// https://github.com/stypr/stypr_crypt/blob/master/crypto.go#L11-L14
func randInt(count int) int {
    rand.Seed(time.Now().UTC().UnixNano() + rand.Int63n(65537))
    return 1 + rand.Intn(count)
}

The issue is that adding random Δns (i.e. rand.Int63n(65537)) to the time.Now().UTC().UnixNano() to create a seed object and then creating another seed object in the future can actually create two identical deterministic seed objects if and only if you created the second object Δns + (second Δns) after creating the first object. Once the two time luckily hits the same time result, you get two identical and no-longer random seeds.

Although this is probably impossibly rare case in the wild, I remembered that you had a similar implementation when I read your crypto.go back in 2016. I think you said this repo is not for production but I wanted to let you know since I thought it was pretty cool! 😄

Hello~

I think your implementation looks so cool (especially the C code) that I had to take a closer look~ After some random tests, k (https://github.com/initbar/stypr_crypt/blob/master/crypto.py#L5) might need a different generation (other than random.randint(1, 1024)).

I think the problem is that since the random pool is coded with tight bounds (1024), a collision can occur as little as 38 iterations. However, weird thing is that even with a small tweak (above) to increase the upper bound from 1024 to 2**32, it seems like I can always hit a collision within <2048 iterations (most certainly at 2048 - 1).

Since stypr_encrypt('a') predictably generates a length 10 block (+6 with additional characters), using the relationship between length and additional characters, an assumption can be safely made that length 10 block must contain only 1 character (and 16 == 2 characters, etc.). Which, even if the stypr_decrypt() wasn't available, since exhausting all blocks with length 1 (i.e. [A-Za-z0-9]) is super fast (based on the implementation), I think finding a collision and asserting that the plaintext found without proper decryption is computationally feasible (code below):

from crypto import * # stypr's crypto

def get_collision(k):
  H = []
  a = k
  r = 2048
  for i in xrange(r):
    H.append(stypr_encrypt(a)[4:10][::-1])
    if len(set(H)) < i: break
  return i

print get_collision('a')

Result: