# ECB Oracle
An oracle is a type of tool or service that can provide information about a cryptographic algorithm, often with the goal of breaking it.
Most of the time, an attacker might use a chosen plaintext attack to submit carefully-crafted plaintexts to the encryption function and observe the resulting ciphertexts in order to build a dictionary of plaintext/ciphertext pairs that can be used to decrypt other blocks.
Some elements are required to exploit an oracle :
* Ability to submit plaintext messages
* Ability to observe ciphertexts
* Ability to repeat these actions
## Exploitation
As explained [here](/cryptography/symmetric-cryptography/aes/mode-of-operation/ecb.md), AES using ECB mode will always produce the same ciphertext for the exact same plaintext input.
So the attacker can list every single possibility for each block and then break the cipher.
{% hint style="danger" %}
As AES cipher block of size 16 bytes. there is 340282366920938463463374607431768211456 ( $$256^{16}$$) possibilities.
{% endhint %}
What if the attacker can inject some data directly into the targeted cipher message such as :
```python
data = user_input + secret
ciphertext = cipher.encrypt(data)
```
The user can inject as many byte as he want.
Furthermore, AES will always encrypt blocks of size 16. If the input block is shorter than 16 bytes, then it will be padded, typically using [PKCS#7](/cryptography/general-knowledge/padding/pkcs-7.md).
### Retrieve the last block
By injecting enough data, the last block can be known :
```python
b'\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10'
```
{% hint style="info" %}
This block correspond to the padding when the cipher data match match exactly with the block size ( $$plaintext \mod 16 = 0$$)
{% endhint %}
The attacker can inject this block as plaintext input + enough padding to make the plaintext match the block size and then compare his injected block and the last one.
```python
i = 16
cipher_size = len(encrypt(b'\x10' * i))
cur_size = cipher_size
while cipher_size == cur_size:
i += 1
data = encrypt(b'\x10' * i)
cur_size = len(data)
if cur_size > cipher_size :
print("injected block :", data[0:32])
print("last block :", data[-32::])
assert(data[0:32] == data[-32::])
```
Using this behavior, if the user add 1 byte to the input, the last block will be :
```python
b'X\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f'
```
{% hint style="info" %}
`X` is here the last char of the unknown part of the ciphered data : "`secret`"
As it is the only unknown char of the block, there is only 256 possibilities.
{% endhint %}
```python
i = 16
cipher_size = len(encrypt(b'\x10' * i))
cur_size = cipher_size
while cipher_size == cur_size:
i += 1
data = encrypt(b'\x10' * i)
cur_size = len(data)
if cur_size > cipher_size :
print("injected block :", data[0:32])
print("last block :", data[-32::])
assert(data[0:32] == data[-32::])
for c in range(256):
data = encrypt(c.to_bytes(1,'big') + b'\x0f' * i)
if data[0:32] == data[-32::]:
print("Last secret char is : ", c.to_bytes(1,'big'))
break
```
{% hint style="info" %}
Then the user can go on. If he add again one byte to the input he will have :
b'YX\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
Where `X` is the previously retrieve char.
He can continue until he retrieve the enire block.
{% endhint %}
### Retrieve the first block
Just has the last block, the user can manipulate him input in order to know exactly what there is as second block :
```python
i = 16
cipher_size = len(encrypt(b'\x10' * i * 2))
print("first block :", data[0:32])
print("second block :", data[32:64])
assert(data[0:32] == data[32:64])
```
{% hint style="info" %}
Here, the user has injected two block with the exact same value. If he inject just 1 less byte he will have :
```python
b'\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10X'
```
as second block, where `X` is the first char of the `secret` value.
The method here is the same as for retrieve the last block.
The only difference is instead of adding byte and brute-forcing the first char of the last block, the user will remove one char from him input and brute-force the last char of the second block.
{% endhint %}
```python
for c in range(256):
data = encrypt(b'\x10' * 15 + c.to_bytes(1,'big') + b'\x10' * 15)
if data[0:32] == data[32:64]:
print("First secret char is : ", c.to_bytes(1,'big'))
break
```
### What for secret longer than 2 block ?
Once the first or the last block is fully decrypted, it's possible to start again with the direct next block such as sending enough data to obtain the following block :
```
b'ECRETDATABLOCK1X'
```
Where `SECRETDATABLOCK1` is the first decrypted block so `ECRETDATABLOCK1` are the last 15 bytes of the first block and `X` is the first byte of the next block.
To obtain this block the user may send 16 bytes ( block used to bruteforce the targeted byte ) + 15 bytes to have :
```
Injection block Padding Targeted block Rest...
+----------------+----------------+---------------+----------------+
|ECRETDATABLOCK1X|VVVVVVVVVVVVVVVS|ECRETDATABLOCKX|................|
+----------------+----------------+---------------+----------------+
```
{% hint style="success" %}
Then, when the second block is obtain, it's possible to continue till the obtention of the entire secret value.
{% endhint %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.ctfrecipes.com/cryptography/symmetric-cryptography/aes/mode-of-operation/ecb/ecb-oracle.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.