Byte Bandits 2020: Crypto - Extra Careful Bank
13 Apr 2020
TL;DR: How to make (fake) money thanks to the insecurity of ECB mode.
Problem statement
The Extra Careful Bank claims to have the greatest encryption for its transactions. It is so sure no one can forge the encrypted transactions that it is going to process any valid encrypted transaction. Can you get the flag?
Let’s start
We can interact with the Extra Careful Bank by using nc crypto.byteband.it 7003. The following message welcomes us:
Extra Careful Bank
We use advanced encryption standard to encrypt our transactions
BALANCE: $10
NUMBER OF TRANSFERS DONE: 0
Max transfers = 10
More choices become available after finishing all transfers.
1. Transfer money.
Enter your choice:
We have only $10 and a single option available. The program says that more choices become available after finishing all transfers. Let's try to transfer money:
1. Transfer money.
Enter your choice:
1
Enter the receiver id(1, 2 or 3):
Only three receivers available…
Enter the receiver id(1, 2 or 3):
1
Enter amount(min = $1, max = $500):
Obviously I tried to input negative numbers, but it didn't work (otherwise it wouldn't have been a crypto challenge…).
If I choose a valid amount (min = $1, max = my current balance) the following message appears:
Transfer made successfully.
and we are back at the main menu, with our balance and the number of transfers done correctly updated:
Extra Careful Bank
We use advanced encryption standard to encrypt our transactions
BALANCE: $9
NUMBER OF TRANSFERS DONE: 1
Now, if we gave all the money to one lucky receiver in a single transfer, we would have completed only one transfer and would never see the other choices the program was talking about. Since the minimum amount for a transfer is $1 and we start with $10, we are forced to make ten $1 transfers. After giving away all our money we can see the other choices:
Extra Careful Bank
We use advanced encryption standard to encrypt our transactions
BALANCE: $0
NUMBER OF TRANSFERS DONE: 10
2. See today's transactions(encrypted)
3. See special transaction(encrypted)
4. Provide encrypted transactions.
5. Get flag.
Enter your choice:
You can easily guess which option I tried first… 5! The bank answers:
You need a balance greater than or equal to $1500 to get the flag.
We have the astronomical sum of ZERO dollars… But we are rich in ideas, so we continue with the other choices. Choosing 2 we get something like:
c9f81b53f1a90abd9b5e55bc668b3194ce6c6535bf090194f5aafa7aa620c47b1d212a4b26acc8f46d9ca4430a9cd3ea
ce6c6535bf090194f5aafa7aa620c47b1719ef14f5e463730f6ca8fe43b516addbaa1ffbb9508635992b02e259100782
c9f81b53f1a90abd9b5e55bc668b3194ce6c6535bf090194f5aafa7aa620c47b1d212a4b26acc8f46d9ca4430a9cd3ea
1719ef14f5e463730f6ca8fe43b516adce6c6535bf090194f5aafa7aa620c47babd45e61293e9ce84894bcdc5f62b277
c9f81b53f1a90abd9b5e55bc668b3194ce6c6535bf090194f5aafa7aa620c47b1d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b31941719ef14f5e463730f6ca8fe43b516ad1d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b3194d625452e53eb1bc9632952a68da57a141d212a4b26acc8f46d9ca4430a9cd3ea
ce6c6535bf090194f5aafa7aa620c47b1719ef14f5e463730f6ca8fe43b516ad089dff22639eb26b4b1a7ffe8ce32a09
c9f81b53f1a90abd9b5e55bc668b3194ce6c6535bf090194f5aafa7aa620c47b1d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b31941719ef14f5e463730f6ca8fe43b516ad1d212a4b26acc8f46d9ca4430a9cd3ea
ce6c6535bf090194f5aafa7aa620c47bd625452e53eb1bc9632952a68da57a14d6f56740032330bb887f4132dd9b55c2
1719ef14f5e463730f6ca8fe43b516adce6c6535bf090194f5aafa7aa620c47bdbaa1ffbb9508635992b02e259100782
c9f81b53f1a90abd9b5e55bc668b3194d625452e53eb1bc9632952a68da57a141d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b3194d625452e53eb1bc9632952a68da57a141d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b31941719ef14f5e463730f6ca8fe43b516ad1d212a4b26acc8f46d9ca4430a9cd3ea
d625452e53eb1bc9632952a68da57a141719ef14f5e463730f6ca8fe43b516ad4e59348eb36fe417e993c2f83c46b1d6
1719ef14f5e463730f6ca8fe43b516adce6c6535bf090194f5aafa7aa620c47bf0254299e08db54bc031c4d33e427a39
ce6c6535bf090194f5aafa7aa620c47b1719ef14f5e463730f6ca8fe43b516ad9533cf64d332c8f4ad415a461e208191
ce6c6535bf090194f5aafa7aa620c47bd625452e53eb1bc9632952a68da57a1455a0c42c30ca5d83e119327f2c0e1a4c
1719ef14f5e463730f6ca8fe43b516add625452e53eb1bc9632952a68da57a146db5b82200a8b447cdfbb9dd87c5ed2b
Hmmm, twenty lines, with many 32-hex-character substrings repeated among them… Let's go on. Choosing 3 we get something like:
This is an encrypted transaction involving a transfer of $500:
ce6c6535bf090194f5aafa7aa620c47b1719ef14f5e463730f6ca8fe43b516adbf958884b8f64ebd4ce1d197911f537a
You can get more of them by choosing 3 again in the menu.
So each of the twenty lines above is an encrypted transaction. We made only ten transfers, so the list must also contain other people's transactions. We will return to them soon; first we have another choice to look at (4):
Since the Extra Careful Bank uses such a secure encryption, we are sure that no one can forge encrypted transactions.
If you think you can, provide me with three valid encrypted transactions and they will be processed.
First encrypted transaction:
We have to provide three valid encrypted transactions. Replaying old ones sometimes works and sometimes fails with a message saying that we don't have enough money. That makes it easy to tell which transactions are ours: our balance is $0, so replaying a transaction that debits our account is rejected for insufficient funds, while replaying somebody else's transaction goes through. Looking carefully, all of our transactions start with the same 16 bytes (32 hex chars) and end with the same 16 bytes…
The biggest hint appears when you type random stuff in place of an encrypted transaction:
First encrypted transaction:
asd
Invalid Length
Transaction Format:
sender account number(16 bytes)+receiver account number(16 bytes)+amount(prepended appropraitely to 16 bytes)
'+' represents concatenation
Wow, now we know how a transaction is made! And we already noticed the similarities among the encrypted transactions: the same first 16 bytes appear on ten lines of today's transactions (our account as sender), and those same ten lines all end with the same 16 bytes (the amount, $1, padded to a block). Identical 16-byte plaintext blocks are encrypted to identical ciphertext blocks… Electronic CodeBook! It is even the acronym of the challenge name: Extra Careful Bank, ECB!
Electronic codebook (ECB)
ECB is a block cipher mode of operation.
From Wikipedia:
The simplest of the encryption modes is the electronic codebook (ECB) mode (named after conventional physical codebooks). The message is divided into blocks, and each block is encrypted separately.

The disadvantage of this method is a lack of diffusion. Because ECB encrypts identical plaintext blocks into identical ciphertext blocks, it does not hide data patterns well. In some senses, it doesn’t provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
Extra Careful, they say…
As Jean-Philippe Aumasson reports in his book Serious Cryptography, Marsh Ray, a cryptographer at Microsoft, once said:
“Everybody knows ECB mode is bad because we can see the penguin.”
He was referring to a famous illustration of ECB's insecurity that uses an image of Tux, the Linux mascot.

Wikipedia again:
A striking example of the degree to which ECB can leave plaintext data patterns in the ciphertext can be seen when ECB mode is used to encrypt a bitmap image which uses large areas of uniform color. While the color of each individual pixel is encrypted, the overall image may still be discerned, as the pattern of identically colored pixels in the original remains in the encrypted version.
Back to the challenge
Let's look again at our transactions. We can get the encryption of the amount $500: it is just the last 16-byte block (32 hex chars) of the special transaction, which in our case (the ciphertexts change at every run of the program) is:
bf958884b8f64ebd4ce1d197911f537a
We can also get the encryption of our own account number: it is the 16-byte block that appears ten times at the beginning of a line in the list of today's transactions:
c9f81b53f1a90abd9b5e55bc668b3194
By looking at the second block of those ten transactions (the receivers we paid), and in general at the sender and receiver blocks of the other transactions in the list, we get the encrypted account numbers of the three receivers with ids 1, 2 and 3. Note that the last block of the special transaction is the amount, not an account, so it does not belong in this list:
ce6c6535bf090194f5aafa7aa620c47b
1719ef14f5e463730f6ca8fe43b516ad
d625452e53eb1bc9632952a68da57a14
We need all three encrypted account numbers because we cannot submit the same transaction twice.
We now have all the elements to forge three transactions! We just concatenate one of the other encrypted account numbers as the sender, our encrypted account number as the receiver and the encryption of $500 as the amount (the bank still checks the sender's balance, so this works only because the other accounts hold enough money):
ce6c6535bf090194f5aafa7aa620c47bc9f81b53f1a90abd9b5e55bc668b3194bf958884b8f64ebd4ce1d197911f537a
1719ef14f5e463730f6ca8fe43b516adc9f81b53f1a90abd9b5e55bc668b3194bf958884b8f64ebd4ce1d197911f537a
d625452e53eb1bc9632952a68da57a14c9f81b53f1a90abd9b5e55bc668b3194bf958884b8f64ebd4ce1d197911f537a
and we get:
Extra Careful Bank
We use advanced encryption standard to encrypt our transactions
BALANCE: $1500
NUMBER OF TRANSFERS DONE: 10
2. See today's transactions(encrypted)
3. See special transaction(encrypted)
4. Provide encrypted transactions.
5. Get flag.
Enter your choice:
We have the money to buy the flag! Here it is: flag{bank$_sh0uld_n07_us3_ECB}.
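The block splicing above, automated as an added example (this is not code from the original write-up or from the challenge server). It runs offline on the ciphertexts copied from the session shown above: it singles out our account as the sender block that appears exactly ten times, recovers the $500 amount block from the special transaction, collects every other account block, and assembles one forged $500 transfer from each of them to us. No key is needed anywhere, which is the whole point of ECB. Function names and the sanity checks are my own.

```python
"""Block-splicing forgery against the Extra Careful Bank's AES-ECB transactions.

Added example for this write-up. The ciphertexts below are copied from the
session shown above; they change on every run of the server.
"""
from collections import Counter

BLOCK_HEX = 32  # one AES block = 16 bytes = 32 hex characters
TX_BLOCKS = 3   # sender(16) + receiver(16) + amount(16)

# Output of "2. See today's transactions(encrypted)" from the session above.
TODAYS_TRANSACTIONS = """
c9f81b53f1a90abd9b5e55bc668b3194ce6c6535bf090194f5aafa7aa620c47b1d212a4b26acc8f46d9ca4430a9cd3ea
ce6c6535bf090194f5aafa7aa620c47b1719ef14f5e463730f6ca8fe43b516addbaa1ffbb9508635992b02e259100782
c9f81b53f1a90abd9b5e55bc668b3194ce6c6535bf090194f5aafa7aa620c47b1d212a4b26acc8f46d9ca4430a9cd3ea
1719ef14f5e463730f6ca8fe43b516adce6c6535bf090194f5aafa7aa620c47babd45e61293e9ce84894bcdc5f62b277
c9f81b53f1a90abd9b5e55bc668b3194ce6c6535bf090194f5aafa7aa620c47b1d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b31941719ef14f5e463730f6ca8fe43b516ad1d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b3194d625452e53eb1bc9632952a68da57a141d212a4b26acc8f46d9ca4430a9cd3ea
ce6c6535bf090194f5aafa7aa620c47b1719ef14f5e463730f6ca8fe43b516ad089dff22639eb26b4b1a7ffe8ce32a09
c9f81b53f1a90abd9b5e55bc668b3194ce6c6535bf090194f5aafa7aa620c47b1d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b31941719ef14f5e463730f6ca8fe43b516ad1d212a4b26acc8f46d9ca4430a9cd3ea
ce6c6535bf090194f5aafa7aa620c47bd625452e53eb1bc9632952a68da57a14d6f56740032330bb887f4132dd9b55c2
1719ef14f5e463730f6ca8fe43b516adce6c6535bf090194f5aafa7aa620c47bdbaa1ffbb9508635992b02e259100782
c9f81b53f1a90abd9b5e55bc668b3194d625452e53eb1bc9632952a68da57a141d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b3194d625452e53eb1bc9632952a68da57a141d212a4b26acc8f46d9ca4430a9cd3ea
c9f81b53f1a90abd9b5e55bc668b31941719ef14f5e463730f6ca8fe43b516ad1d212a4b26acc8f46d9ca4430a9cd3ea
d625452e53eb1bc9632952a68da57a141719ef14f5e463730f6ca8fe43b516ad4e59348eb36fe417e993c2f83c46b1d6
1719ef14f5e463730f6ca8fe43b516adce6c6535bf090194f5aafa7aa620c47bf0254299e08db54bc031c4d33e427a39
ce6c6535bf090194f5aafa7aa620c47b1719ef14f5e463730f6ca8fe43b516ad9533cf64d332c8f4ad415a461e208191
ce6c6535bf090194f5aafa7aa620c47bd625452e53eb1bc9632952a68da57a1455a0c42c30ca5d83e119327f2c0e1a4c
1719ef14f5e463730f6ca8fe43b516add625452e53eb1bc9632952a68da57a146db5b82200a8b447cdfbb9dd87c5ed2b
""".split()

# Output of "3. See special transaction(encrypted)": a $500 transfer.
SPECIAL_TRANSACTION = (
    "ce6c6535bf090194f5aafa7aa620c47b"
    "1719ef14f5e463730f6ca8fe43b516ad"
    "bf958884b8f64ebd4ce1d197911f537a"
)


def split_blocks(tx_hex):
    """Split one encrypted transaction into its (sender, receiver, amount) blocks.

    Mirrors the server's own check: anything but 48 bytes is an invalid length.
    """
    if len(tx_hex) != TX_BLOCKS * BLOCK_HEX:
        raise ValueError("Invalid Length")
    return tuple(tx_hex[i:i + BLOCK_HEX] for i in range(0, len(tx_hex), BLOCK_HEX))


def block_frequencies(txs):
    """Count every 16-byte ciphertext block across all transactions.

    Under ECB equal plaintext blocks give equal ciphertext blocks, so a block
    that repeats is a field value that repeats (our account, the $1 amount).
    """
    return Counter(b for t in txs for b in split_blocks(t))


def our_account(txs, transfers_done):
    """Our account is the sender block of exactly `transfers_done` transactions
    (the ten $1 transfers we were forced to make before the menu opened up)."""
    senders = Counter(split_blocks(t)[0] for t in txs)
    block, count = senders.most_common(1)[0]
    if count != transfers_done:
        raise ValueError("could not single out our account block")
    return block


def other_accounts(txs, ours):
    """Every account block other than ours, in order of first appearance."""
    seen = []
    for t in txs:
        sender, receiver, _ = split_blocks(t)
        for block in (sender, receiver):
            if block != ours and block not in seen:
                seen.append(block)
    return seen


def forge_transactions(txs, special_tx, transfers_done=10):
    """Build one forged $500 transfer from each other account to ours.

    Each field is a ciphertext block lifted from a transaction the bank itself
    produced, so the spliced result decrypts to a well-formed transaction.
    """
    ours = our_account(txs, transfers_done)
    amount_500 = split_blocks(special_tx)[2]  # the encryption of "$500"
    forged = [sender + ours + amount_500 for sender in other_accounts(txs, ours)]
    for f in forged:
        if f in txs:
            raise ValueError("forged transaction is a verbatim replay")
        if split_blocks(f)[0] == ours:
            raise ValueError("forged transaction would debit our own account")
    return forged


if __name__ == "__main__":
    for tx in forge_transactions(TODAYS_TRANSACTIONS, SPECIAL_TRANSACTION):
        print(tx)
```

The three printed lines are exactly the transactions to paste into option 4. The same approach works with any number of other accounts, as long as each forged sender holds at least $500, since the bank still enforces the sender's balance.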