1. Challenge analysis
The challenge can be downloaded here. After downloading and extracting it you get an encryption Python script and an encrypted wav file.
Challenge description
A recent transcript suspected to contain incriminating conversations between the officials in charge of the Mars colonization plan has leaked but is encrypted with the latest top-secret encryption algorithm: RC8! You’ve recovered the source code to their new encryption algorithm, but the key and seed value are missing. Find a weakness in the scheme and recover the transcript.
In short, we are asked to decrypt the file without knowing the key or the seed. To do that, let's first look at the code in RC8_Encrypt.py to understand how the encryption works.
#!/usr/bin/env python3
import sys

def rc8(state, key, n):
    '''
    Top Secret RC8 Stream Cipher
    '''
    while (n > 0):
        yield state & 0xff                   # keystream byte: the low 8 bits of state
        for _ in range(8):                   # advance the 64-bit register by 8 bits
            c, s = key, state
            b = 0
            while c:
                b ^= c & 1 * s & 1           # '*' binds tighter than '&', but this still equals (c & 1) & (s & 1)
                c >>= 1 ; s >>= 1
            state = state >> 1 | b << 63     # shift right; the new bit b enters at the top
        n -= 1

def main():
    seed, key = ?, ? # Missing
    with open(sys.argv[1], 'rb') as fin:
        data = bytearray(fin.read())
    for i,x in enumerate(rc8(seed, key, len(data))):
        data[i] ^= x                         # XOR plaintext with the keystream
    with open(sys.argv[1] + '.enc', 'wb') as fout:
        fout.write(data)

if __name__ == "__main__":
    main()
It is easy to see that this is a stream cipher whose keystream generator is rc8(), and that each keystream byte is the lowest eight bits of state. Let us now analyse how state changes; the code that updates it is:
for _ in range(8):
    c, s = key, state
    b = 0
    while c:
        b ^= c & 1 * s & 1
        c >>= 1 ; s >>= 1
    state = state >> 1 | b << 63
Let $c = c_0 c_1 \cdots c_{n-1}$ and $s = s_0 s_1 \cdots s_{n-1}$ be the binary representations of c and s. From the code above we readily obtain:
$b = (c_0 \mathbin{\&} s_0) \oplus (c_1 \mathbin{\&} s_1) \oplus \cdots \oplus$
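As an added example (not the writeup's own solver; the seed and key values and the helper names recover_seed, recover_key and solve_gf2 are my own), the block below reproduces the generator and works out what the expression for b implies: b is the GF(2) dot product of key and state, so the register is a linear feedback shift register, the first 8 keystream bytes are the seed itself, and the next 8 bytes give 64 linear equations whose solution is the key.

```python
# Added example: RC8 viewed as a 64-bit LFSR; not the writeup's own solver.
def rc8(state, key, n):  # the challenge's generator, reproduced unchanged
    while n > 0:
        yield state & 0xff
        for _ in range(8):
            c, s = key, state
            b = 0
            while c:
                b ^= c & 1 * s & 1
                c >>= 1; s >>= 1
            state = state >> 1 | b << 63
        n -= 1

def feedback_bit(state, key):  # b = (c0&s0) ^ (c1&s1) ^ ... = parity(key & state)
    return bin(key & state).count("1") & 1

def recover_seed(ks):  # bytes 0..7 are the low 8 bits of 8 successive states: the seed
    return int.from_bytes(bytes(ks[:8]), "little")

def solve_gf2(rows, nvars=64):
    """Gaussian elimination over GF(2). rows: [mask_of_unknowns, rhs]; free unknowns -> 0."""
    rows, used = [r[:] for r in rows], []
    for col in range(nvars):
        piv = next((i for i, r in enumerate(rows) if i not in used and r[0] >> col & 1), None)
        if piv is None:
            continue  # free unknown: the equations do not determine this bit
        used.append(piv)
        for i, r in enumerate(rows):
            if i != piv and r[0] >> col & 1:
                r[0] ^= rows[piv][0]; r[1] ^= rows[piv][1]
    x = 0
    for i in used:  # after reduction, a pivot row's lowest set bit is its pivot column
        x |= rows[i][1] << ((rows[i][0] & -rows[i][0]).bit_length() - 1)
    return x

def recover_key(ks):
    """Keystream bit t is LFSR output a_t; state S_j = a_j..a_{j+63} and a_{j+64} = parity(key & S_j)."""
    a = [(ks[t >> 3] >> (t & 7)) & 1 for t in range(8 * len(ks))]
    rows = [[sum(a[j + i] << i for i in range(64)), a[j + 64]] for j in range(64)]
    return solve_gf2(rows)

def demo(seed=0x123456789ABCDEF1, key=0x1B):
    """Constructed values. key 0x1B is x^64 + x^4 + x^3 + x + 1, a primitive polynomial,
    so 16 keystream bytes (e.g. from a known WAV header) determine seed and key uniquely."""
    ks = list(rc8(seed, key, 16))
    return recover_seed(ks), recover_key(ks)

if __name__ == "__main__":
    print(demo())
```

With a different key the 64 equations may be rank-deficient; solve_gf2 then returns one consistent key, which still reproduces the observed 16 bytes but may diverge afterwards.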