Cryptanalysis Lecture

Cryptanalysis

Jonathan Rajewski

© 2012 Jonathan T Rajewski 1

Overview
• Thirty Five Slides of Lecture
• Review Cryptology
• Attacking Applications
• Attacking the cyphers we discussed
• FOR270 Crypto Challenge
– Until we have a winner!


The 3 Siezs


The Three C’s
• Cryptography
• Cryptanalysis
• Cryptology
3 C’s

Crypto

Basic Cryptanalysis


Quick Case Study


Case Study
When you enter your username and password
what happens?


Case Study
Authentication

Username + Password = Success


Attacking Applications

Learn how the application creates passwords!


FTP
Filezilla Graphical User
Interface

*Hypothetical Situation © 2012 Jonathan T Rajewski 12

FTP
In our FTP client, user credentials are stored in an INI file.

Boris is the target of the investigation. We currently have no
idea how the application stores user credentials.

We create a new profile named dummy with a password 1111.
The PWD value appears similar to one byte per character in
the password and, further, appears to look like the ASCII
representation. What we find:

Password: 1 1 1 1
ASCII: 0x31 0x31 0x31 0x31
PWD value: 0x31 0x32 0x33 0x34

There is an obvious pattern!!!!

Let's derive the other password....

PWD value: 0x42 0x70 0x74 0x6C 0x77 0x4E
ASCII: 0x42 0x6F 0x72 0x69 0x73 0x49
Password: B o r i s I

Let’s try it!
Password.ini file contains the following data.
Decrypt the password

PWD value: 0x70 0x62 0x75 0x76 0x7B 0x75 0x79 0x45
ASCII: 0x 0x 0x 0x 0x 0x 0x 0x
Password:


Let’s try it!
Password.ini file contains the following data.
Decrypt the password

PWD value: 0x70 0x62 0x75 0x76 0x7B 0x75 0x79 0x45
ASCII: 0x70 0x61 0x73 0x73 0x77 0x70 0x73 0x4C
Password: P A S S W O R D


Basic Cryptosystems
• Basic Ciphers
– Substitution
• Replacing one character with another “X”
– Transposition
• Rearranging the message


Substitution Ciphers
• Most famous: Caesar's Cipher
– Shift each letter to the right by 3
• ROT 13
1 2 3 4 5 6 7 8 9 10 11 12 13 1 2 3 4 5 6 7 8 9 10 11 12 13
Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher n o p q r s t u v w x y z a b c d e f g h i j k l m

• Substitute letters for others
– A is T
– B is R
– C is B


Where are we seeing ROT13?

NTUSER.datSoftwareMicrosoftWindows
CurrentVersionExplorerUserAssist


Where are we seeing ROT13?

http://www.csoonline.com/article/570813/data-exfiltration-how-data-gets-out


Tools to parse ROT13
• Volatility Plugin (Levy)
– http://gleeda.blogspot.com/2011/04/volatility-14-
userassist-plugin.html
• RegRipper (Carvy)
– http://regripper.wordpress.com/
• ROT13.com


How to parse ROT13 by hand
1 2 3 4 5 6 7 8 9 10 11 12 13 1 2 3 4 5 6 7 8 9 10 11 12 13

CipherText PlainText

N A
C P
C P
Y L
R E

Breaking Basic Ciphers
• Simple (monoalphabetic) substitution ciphers
easily broken with Frequency Analysis
Letters: E T O A N I R S H D L C W U M F Y G P B V K X Q J Z

Digraphs: TH HE IN ER ED AN ND AR RE EN ED TO NT EA OU NG ST AS

Trigraphs: THE AND ING HER NTH ENT THA INT ERE DTH EAR HAT OFT

• More complex (polyalphabetic) substitution
ciphers use multiple alphabets!


Columnar Transposition Cipher
• Disguising the message by rearranging the letters

– Plaintext:
• FOR270 IS SO MUCH FUN DONTCA THINK
FOR270ISSOMU
CHFUNDONTCHA
THINKQWERTYU
• cipher: fct ohh rfi 2un 7nk 0dq iow snr str oct mhy uau
• cipher enhanced: fctohhrfi2un7nk0dqiowsnrstroctmhyuau


Breaking the Columnar Transposition
Cipher
For all intensive purposes for this “cryptanalysis by hand in a
quick timeframe” we are going to attempt to guess the rows
and columns

cipher: dygi ioet dutx
cipher enhanced: dygiioetdutx

didyougetit


Vigenère Square

Ciphertext is intersection of key column and plaintext row.

Plaintext: DFIRISGREAT (Side)
Key: NTFSNTFSNTF (Top)
Ct: QYNJVLLYRTY (Intersect)


Vigenère Square Decryption

Ct: STYXMYYEGYRR (Intersect)
Key: FATFATFATFAT (Side)
Plaintext: NTFSMFTENTRY (Top)


Crypto Challenge
• Scenario
– You work for the “SUPER SECRET 5 LETTER
AGENCY”
– An ultra sophisticated ciphertext was located on
an internal server
– Our team of cryptographers are actively working
on breaking the code but we need your help!!!


Phase 1
The following ciphertext was found by the
cryptographers. They believe it could have
something to do with the userassist key.

ovg_qbg_yl_fynfu_m7mKvx

1 2 3 4 5 6 7 8 9 10 11 12 13 1 2 3 4 5 6 7 8 9 10 11 12 13


Phase 1 Review
Did you get it?
– ROT13 encryption.

CT: ovg_qbg_yl_fynfu_m7mKvx
PT: bit_dot_ly_slash_z7zXik
PT Decoded: bit.ly/z7zXik


Phase 2
We just learned from the cryptographers that
more this code may indicated a hidden key for
the next aspect of the cryptanalysis….

Visit this link and try to decode the data
http://bit.ly/x2qppi


Phase 2 Review

F O R E N S I C

A T O R

Forensicator


Phase 3
We identified the final encrypted string of
ciphertext by analyzing ram using Volatility.
Yay for open source tools!
Agency cryptologists believe that you will “crack
the case” and reveal the cyber villain.

Please analyze:
CT: ICLKGZMRUZ
Key: FORENSICATOR (you wont need the entire key)

Phase 3
Please analyze:
CT: ICLKGZMRUZ (Intersect)
Key: FORENSICATOR (Side)
PT: (Top)

Hint – you wont need the entire Key


Phase 3 Review
Ct: ICLKGZMRUZ(Intersect)
Key: FORENSICAT(Side)
Plaintext: DOUGTHEPUG(Top)


Phase 4
The end is here. This is the most complicated
ciphertext yet. Doug the Pug “cracked” during
interrogation and revealed his secret partner in
crime.

Next class we will look at the ADFGVX


Cryptanalysis Lecture

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (11)

Similaire à Cryptanalysis Lecture

Similaire à Cryptanalysis Lecture (20)

Dernier

Dernier (20)

Cryptanalysis Lecture