Ad
  • Custom User Avatar

    however, this doesn't mean that CBC is, by definition, stateful. Isn't CBC just a method of encryption/decryption?

    No. There are two parts of an encryption/decryption method: the block cipher used (e.g AES, DES), and the mode of operation which specifically refers how a block cipher is composed across different blocks (it has no meaning if you only have 1 block). When you say the encrytpion algorithm is AES-CBC it means AES cipher operating in CBC mode. CBC alone doesn't specify how to encrypt each block.

    So there is the first, biggest problem with the kata: it inflates the notion of CBC into the entire encryption process (cipher, mode of operation, input/output processing). It claims it teaches CBC, but in reality we have to process the input into blocks of bits (padding is ignored), encrypt the blocks, chain the blocks with CBC, then processes the blocks again. This is like 70% other unrelated things outside CBC. This is already a sign you should revisit the concepts again before creating the kata about educating others about this specific concept.

    Also, I don't see why you're proposing to prematurely delete the kata, since there's nothing about the kata that you've addressed with your responses. What's happening with decrypt being calling in the same instance encrypt is called? Why are the random tests reusing the same instance, calling encrypt many times, and expect both the key and IV stays the same each call? These are definitely anti-conventional designs (no established crypto library does this, because misuse of crypto is worse than no crypto), and if you insist on maintaining this design that go against all common best practices, you better have a convincing reason, which you haven't provided any.

    If the kata is to be improved, at least you need to address these two things:

    • Separate CBC with input/output processing and the cipher itself. We shouldn't even need to implement the cipher or processing the inputs/outputs. Just give us the blocks with each block as array of bits, and the cipher as a function.
    • Re-design the API we have to implement to follow industry best practices. Again, if you're trying to teach people, and you're teaching them anti-industry practices, everyone who knows better will roll their eyes.
  • Default User Avatar

    My understanding is that all applications of CBC within cybersecurity are stateful- however, this doesn't mean that CBC is, by definition, stateful. Isn't CBC just a method of encryption/decryption? If you could lead me to a source that CBC by nature (rather than the applications of) is stateful I will delete this kata. I still maintain that it's useful to know how CBC works. No need to be harsh by calling it a scam! Lmk if you think of a way to do random testing with it.

  • Custom User Avatar

    it's a simplification of how CBC works, and it's more of an introduction to the concept of CBC encryption

    So this is not actually CBC, and whatever being introduced in the kata does not resemble actual CBC, or capture the core idea of it (there is an internal state that updates as input is processed).

    Please don't pretend misinformation to be "beginner-friendly material", this would be a scam: whoever trying to learn from the kata will be mislead (to outright harmed) by the wrong information perpetuated by the kata. Note that good introduction materials will make sure the core ideas are intact.

  • Default User Avatar

    I see, thanks for that information, I appreciate it. I just entered tech/security center so this is all good stuff to know. I'll fix this eventually, but I don't see how this is relevant as a design flaw- it's a simplification of how CBC works, and it's more of an introduction to the concept of CBC encryption. Thoughts?

  • Default User Avatar

    Right, that's true. Do you have any suggestions for how I implement random tests?

  • Default User Avatar

    This comment is hidden because it contains spoiler information about the solution

  • Custom User Avatar

    Critical kata design/testing flaw: since CBC is stateful, the same instance should not be used again for decryption after performing an encryption operation. Even pycryptodome is designed this way: if you try to call decrypt after encrypt it throws an error decrypt() cannot be called after encrypt(). A new instance is required to decrypt the message.

    It's also invalid to encrypt/decrypt multiple times, because the internal state will be changed after an operation. You're only allowed to encrypt/decrypt multiple times on continuous segments of data because encrypt(a) + encrypt(b) = encrypt(a+b) for CBC, and CBC is not an AEAD mode.

    In general, stream ciphers are almost always stateful and each encryption/decryption should be done fresh. So the kata should probably have two function encrypt_cbc(plaintext, key, iv) and decrypt_cbc(ciphertext, key, iv) instead. Or at least, the kata should specify (and revise) how the testing shall be done.

  • Custom User Avatar

    This comment is hidden because it contains spoiler information about the solution

  • Default User Avatar

    (hopefully) made it much clearer now. Also, I did implement a series of random tests so that people cannot cheat anymore. Thank you for your input!

  • Default User Avatar

    Fixed all of those things. Thank you for your input!

  • Default User Avatar

    Not enough information in the description to solve it (no idea how to use the IV for example) and I didn't feel like reading the whole wikipedia page.

    So here's something you might want to fix.

  • Custom User Avatar

    all input and output will be in base64

    This sentence is ambiguous: it can either mean base64 encoding (which is 3 bytes -> 4 base64 alphabets), or base64 alphabet.

    Also, the example section is jumbled up as a single line. If you want formatted text block you should put it in a code block (with 3 backticks).

  • Default User Avatar

    Added random tests/fixed suggestions, thank you for your help!

  • Default User Avatar

    Thank you! Will work on it now.

  • Custom User Avatar
    1. Actual testcases: Need random tests (Otherwise people can just hardcode all the answers without actually solving the task). Reference material listed below:-

    2. Sample / actual testcases: Missing testcase/solution import:

    import codewars_test as test
    from solution import CBC
    
    1. Sample / actual testcases: Missing it blocks, It's usually like this:
    @test.describe('Test Cases')
    def test_cases():
    
        @test.it('Fixed tests'):
        def _():
            ...some assertions...
    
        @test.it('Random Tests'):   # Only needed for actual testcases
        def _():
            ...some assertions...
    

    Happy authoring ^^

  • Loading more items...