Problem E
Key "Hash"
A cryptographic hash function is an algorithm that maps data
of arbitrary size to data of a fixed size. Hashes are one-way
functions which are computationally infeasible to invert or
reverse. In a strong hash, the only way to find the original
message that produced a given hash would be a brute-force
attack. Sometimes attackers keep a hash of the encryption key
along with the data as a method of associating keys stored
elsewhere to the correct files.
Key Hash
A “key_hash” value can be found within the TLV data
structure. This hash is somehow associated to the rest of the
data in that structure. Pseudocode for this hash is listed in
the malware report. It is safe to assume that this is how the
developers look up one of the keys for decrypting the files.
The algorithm is described as follows:
![\includegraphics[width=0.9\textwidth ]{keyhash_alg}](/problems/nsachallenge21.keyhash/file/statement/en/img-0001.jpg)
This is obviously something of the malware developers’ own creation, and definitely not a cryptographically secure hash. It also appears to only work on data that is $16$-bytes long, which according to the report is because the keys that it hashes are always $16$ bytes long.
In the malware report a large list of random $16$-byte objects is found. These actually appear to be randomly generated this time, which makes you wonder just how many developers worked on this ransomware. You also notice a list of "key_hash" outputs that have been found. You connect the dots and realize some of those random objects might be used as keys in the final decryption layer.
|
$16$-byte Random Objects |
|
0x3c3102c78e3a3ed31656d8e3c9ac1f3b |
|
0xc3540552a86a0db0128a3f378f05e83a |
|
0x22858a33d4b403687f28254d3785e09d |
|
0x107aabf691f48debc53e88ca5a4c884d |
|
0x813c893aa5e3c52dc64e3dc5493abb16 |
|
0x7fdd4c7a8fc01a09e0e7c1bdd43b1328 |
|
0x30d8b441f9af30c0734833af36cb74ae |
|
0x05b115935984da0430baf5b9c3ae2b6a |
|
0x3ad8d3e573276aefd1b837946ee694d2 |
|
0xa58126faef3ba174987694c3b6184b20 |
|
0x5d7c57a158e737e587c4c20a8b154e0c |
|
0x0ae45a528a51d725bc7a11b22378a48a |
|
0xe028fc7de6accc28adb69301d827960d |
|
0x82ea7a8ec082d18a489313a5033620b6 |
|
0x222a1c92c80082e22f5ec31c671eaa43 |
|
0xce0ba6bff6263f28ed0c34dd364fe206 |
|
0x689b4d4700ccee9d5d4b706d4ca561ec |
|
0x70763051505a3ec3a1b03ba52a5034e0 |
|
0x5f1e1e731bc174dcc5c22580b5915b4c |
|
0x8d0fdb518e924d1c028430b82c5a0063 |
|
0x7f66ab1948c42b4676d4a1d958b0a5b3 |
|
0x560f62c0d48765f14e43d5fb9d096232 |
|
0xb0f84325c00718c472996358dd0f3b4f |
|
0x557fdc037cbfda3b2b3d0adb916e1db2 |
|
0x999c184e59fe8d1f66f260da14ff6bf0 |
|
0xd3d89edb212c332fdb1d6ce85ec9263f |
|
0x34bec5e9bdc3872e96c9cff3c1a5d59a |
|
0xde999e3b47a3bb6ccd4852bef6a647e0 |
|
0xf9d7e90352956071d4453f6b7d5ca38c |
|
0x91acdb8b283d12cc86f06994db7f2797 |
|
0x8a1358de28b3c8525de63bc488af5214 |
|
0xd9c00ba45e567fadeae00017506667e2 |
|
0xc89632547d5cb8bf7d3dea561b001ad0 |
|
0xc7dccf991e019a69aa6e6f019b00e9c5 |
|
0x547e72961be9908c2b466d21ceb968b2 |
|
Key_Hash outputs |
|
540541445:2428518688:33628526:2356318865:4070121552:1352772538 |
|
1275659304:2181210775:2416013469:202113024:4149014589:2464322186 |
|
886310936:1258898530:67593217:4200071938:4029137660:598092508 |
|
270864:3365015620:874776608:5242890:505212503:1761639401 |
|
441995429:545293120:2303721669:67592:1570535065:1977017073 |
|
2050:2196402828:1078399330:2459976341:1217616773:937216646 |
Implement the algorithm above to take random $16$-byte inputs and produce a key_hash.
Once you have a working algorithm, test all the random keys from the list above to see which ones match the list of key_hash outputs you have. Make sure you keep the key - key_hash relationships stored somewhere as it will make future work much easier!
Input
Multiple random $16$-byte objects encoded in HEX separated by newlines.
Output
The RAW output of the key_hash algorithm for each input separated by newlines.
| Sample Input 1 | Sample Output 1 |
|---|---|
8ea859d168c64f1f754e7c7032f1f85d c88d4022dcdc435635f5fa4a0d33414a cdc41d2126ed8f737d987a390a8d75bd 1a169ae91a343fb891995d37a9f9046e 46ea9d8afe42595e2bed2a9102eb20d8 8799479a631ecf7375080608bc7b5f28 |
67110992:2326286721:2566916433:34471970:4032197778:3991754888 1216692258:2148007936:54525970:948605472:3858231874:3475190104 2172919073:1279262720:17318272:637570065:1028156149:2643705843 402784488:34904577:604258884:2550152216:2426395798:2145289581 1189124362:656512:1210580995:2453803032:2720344763:1473927746 93848466:2181121032:319308164:34890:1902743136:1926498450 |
