I would like to point out that unlike you make it out to be in this video, reusing keys with CTR mode isn't insecure by design. The actual problem lies in reusing the same initialization vector value (IV) with multiple encryptions with the same key. The IV values should be nonces (or 'number used only once') to protect against this attack. Usually these nonce values are achieved by using a running counter value added to the original IV value (IV || CTR[i]), hence the name counter mode. Let me demonstrate the attack and how to prevent it: Ciphertext1 = Plaintext1 ⊕ AES(key, IV) Ciphertext2 = Plaintext2 ⊕ AES(key, IV) Which leads to the following ciphertext pair: Ciphertext1 ⊕ Ciphertext2 = Plaintext1 ⊕ AES(key, IV) ⊕ Plaintext2 ⊕ AES(key, IV) Now, because the (key, IV) pair is reused, the AES(key, IV) will yield the same result for both ciphertexts. This means that an attacker can now compute Ciphertext pairs easily by cancelling the AES encryption out of the equation (XORing anything by itself will always yield to 0): Ciphertext1 ⊕ Ciphertext2 = Plaintext1 ⊕ Plaintext2 Therefore an attacker can easily get the Plaintext2 value by computing the following operation: Plaintext2 = Plaintext1 ⊕ Ciphertext1 ⊕ Ciphertext2 As was demonstrated in this video. When using the counter mode properly, we get the ciphertexts in the following way: Ciphertext1 = Plaintext1 ⊕ AES(key, (IV || CTR[0])) Ciphertext2 = Plaintext2 ⊕ AES(key, (IV || CTR[1])) Which leads to the following ciphertext pair: Ciphertext1 ⊕ Ciphertext2 = Plaintext1 ⊕ AES(key, (IV || CTR[0])) ⊕ Plaintext2 ⊕ AES(key, (IV || CTR[1])) Now, because the AES encryption operations yield different results, an attacker can no longer just cancel the AES encryptions out and would actually need to compute the values themselves. Even if the attacker knows the original IV value, they have no way of actually computing these without obtaining the key! Therefore, the attack is rendered useless whenever unique (key, IV) pairs are used. The code in question should be fixed by making the following change to the counter: iv = os.urandom(16) ctr = Counter.new(128, int.from_bytes(iv, byteorder='big')) cipher = AES.new(KEY, AES.MODE_CTR, counter=ctr)

I did not have the right understanding for this challenge and did not give the right explanation in the video, and I'm sorry for that. You can find a solid explanation in Arttu Paju's comment pinned below and the other comments that explain where I went wrong in this one. Sorry!

you + sleep deprivation = hilarious

Hope you know your sleep deprivation hasn’t gone unappreciated, I seriously like camp out everyday after work looking forward to these. Love and appreciate you John!

I really learn a lot through your videos, best part I also enjoy watching them again and again ❤️

In this specific scenario, the actual vulnerability is the non-unique (nonce, key) pair between 2 distinct encryptions. As during the creation of the AES object no value for nonce(=IV) is specified, a default one is used and thus, 2 ciphertext will share the same default IV and key which makes it vulnerable

nice video, I enjoyed the end credit bonus scene of crazy john with the lights. Keep it up, buddy.

your videos are so fun to watch and so educating

"Your life should be in Dark Mode...." John Hammond That should be a famous quote!

Thanks for the video John!

learned something new again. Thanks John

This is my new favorite channel.

Dark mode John isn't bad at all

amazing John

bro , the dark mode in the end was super duper cool ! test it one in a while :)

Its 2 : 11 and im watching your video , i should also have to go to bed now good night John, btw awesome content as always ❗

Real talk? The room looks great at the end there!

Awesome!

Addicted to you sir

Nice

I like dark mode ! Keep it :-)

Just reusing a key and it breaks one of the most popular encryption algorithms

how many hours do you actually sleep in a day? appreciate your videos and knowledge sharing

DarkMODE for the Win.

Cool video in dark mode ...

Oh, so all you had to do was Xor? I did not know that worked for AES! I thought you had to brute force the urandom-value against the know string to find the key and then decrypt the flag. :p

john sir king🤴🤴🤴🤴

I wonder if they called it PhaseStream3, or PS3, on purpose.. The first PS3 hack involved a bad PRNG .

how would you attempt this if the source string wasn't supplied?

Love from india

why don't u make python series where u gonna teach pentesting python to us. If this would happen gonna appreciate it vro🙏

1 dislike is the ip john hammond hacked

What can you hack is the sky the limit or are their specifics

ok

HTB{ {H)igh (E)ducation (A)ttentional (R)ight (NOW) (T)raffic! } --->Thx!

yeah I just start the video ... (i wr0t3 c0mm3n7 b3f0r3 st4r7ing l0l)

I see that you have Linux but... it’s not kali bro you need to try kali Linux it will change your life. Ps I love your videos keep up the good work 🙂🙂

You explained absolutly nothing in this video..Reusing the key is not the only problem here.

Heartt

John You really need to sleep