add cpa-suffix

cryptography/cpa-suffix/DESCRIPTION.md

@@ -0,0 +1,10 @@
+Okay, now let's complicate things slightly to increase the realism.
+It's rare that you can just craft queries for the plaintext that you want.
+However, it's less rare that you can isolate the _tail end_ of some data into its own block, and in ECB, this is bad news.
+We'll explore this concept in this challenge, replacing your ability to query substrings of the flag with just an ability to encrypt some bytes off the end.
+
+Show us that you can still solve this!
+
+----
+**HINT:**
+Keep in mind that, once you recover some part of the end of the flag, you can build a new codebook with additional prefixes of the known parts, and repeat the attack on the previous byte!

cryptography/cpa-suffix/run

@@ -0,0 +1,26 @@
+#!/opt/pwn.college/python
+
+from base64 import b64encode, b64decode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+
+flag = open("/flag", "rb").read().strip()
+
+key = get_random_bytes(16)
+cipher = AES.new(key=key, mode=AES.MODE_ECB)
+
+while True:
+    print("Choose an action?")
+    print("1. Encrypt chosen plaintext.")
+    print("2. Encrypt the tail end of the flag.")
+    if (choice := int(input("Choice? "))) == 1:
+        pt = input("Data? ").strip().encode()
+    elif choice == 2:
+        length = int(input("Length? "))
+        pt = flag[-length:]
+    else:
+        break
+
+    ct = cipher.encrypt(pad(pt, cipher.block_size))
+    print(f"Result: {b64encode(ct).decode()}")

cryptography/module.yml

@@ -18,9 +18,11 @@ challenges:
 - id: level-4
   name: AES
 - id: cpa
-  name: Chosen-plaintext Attack
+  name: AES-ECB-CPA
 - id: cpa-http
-  name: CPA-over-HTTP
+  name: AES-ECB-CPA-HTTP
+- id: cpa-suffix
+  name: AES-ECB-CPA-Suffix
 - id: level-5
   name: level5
 - id: level-6