Lab 6: The Need for Integrity

You are a student at EvilSchool, a horrible place full of horrible teachers. You are currently failing, but you want to pass just so you can leave the horrible place. Your task is to change your final grade.

The Grade Service

At the end of the semester, you discover the school’s online grade submission service that teachers use to submit final grades for students. You can find the grade service running on a host and port provided by your instructor in class.

The service is fairly straightforward:

  1. When a teacher connects, the system asks for a student name.
  2. The system retrieves that student’s final grade record, encrypts it, and sends it back.
    • The format for records is: {name}{Comment}{Final Score}
    • Each element (name, comment, final score) is exactly 16 bytes.
    • This means a complete grade record is 48 bytes.
  3. The teacher decrypts the record, makes any changes, and then re-encrypts it.
  4. The teacher submits the updated record to the service.

The Decryption Service

While snooping around on the network, you also discover a decryptor service that will take an encrypted grade record provided by the grading service and decrypt it for you. It is available at the host and port provided by your instructor in class.

Your task

Your goal is to connect to the service, retrieve your record, modify it to change your final grade to 100, and then submit that record to the grade service. You will know when you succeed because the service will respond with “You Win!”

Technical Detail

  1. The encrypted grade records are encrypted using AES in CBC mode with a random IV.
  2. The ciphertext you receive is prepended with the IV (so the first 16 bytes of the ciphertext are the IV).
  3. The ciphertext you receive is encoded in hexadecimal. You will need to convert it to raw bytes prior to working with it.

Hints

  1. Since you don’t know the encryption key used, you won’t be able to encrypt a new record. That means you need to directly modify the ciphertext in order to predictably change the plaintext. Look at the Wikipedia page for CBC and study the decryption picture.
  2. Take a look at the socket API for Python. (The link is for Python 3.6, but you can change the version in the upper left of the page.)
  3. Here is some sample code to help you parse the ciphertext:
    import binascii
    inp = input("Ciphertext: ")          # input() in Python 3 (raw_input() in Python 2); a hex string
    iv = binascii.unhexlify(inp[0:32])   # first 16 bytes (32 hex characters) are the IV
    ct = binascii.unhexlify(inp[32:])    # the remaining bytes are the encrypted record
    
  4. Here is some sample code to convert the raw bytes back into valid hexadecimal:
    # hexlify() returns bytes in Python 3, so decode it to get a printable string
    print((binascii.hexlify(iv) + binascii.hexlify(new_ct)).decode())