This presentation gives an overview of many different encryption and encoding schemes. The content ranges from simple encodings, such as ASCII text represented as decimals to classical ciphers, such as Caesar and Vigenere ciphers to modern encryption standards, such as the Data Encryption Standard (DES) and Advanced Encryption Standard (AES). For modern encryption, there are many different implementation flaws that are discussed in the presentation as well as a few ideas for how to correct those flaws. At the end of the presentation, some thought questions are provided.
3. The enciphering and deciphering of
messages in secret code or
cipher; also : the computerized encoding
and decoding of information – Merriam
Webster
What is Cryptography?
4. Plaintext – the original message to encrypt
Ciphertext – an encrypted message
Cipher – an algorithm to convert plaintext
to ciphertext and vice versa
Key – A word/phrase or string of bits that
modifies the enciphering/deciphering
process
Basic Terminology
6. Substitution Ciphers
◦ Characters or groups of characters are replaced
by other characters
Transposition Ciphers
◦ Position of plaintext characters is shifted
◦ Ciphertext is simply a permutation of plaintext
Classical Ciphers
7. Replace each letter with a fixed different
letter
Plaintext – send reinforcements
Ciphertext – ktdp jtfdoejytbtdlk
Key – CRYPTOISFUN
Simple Substitution Cipher
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
C R Y P T O I S F U N A B D E G H J K L M Q V W X Z
8. Shift/Caesar Cipher – Rotate the letters by a
fixed amount
ROT13 – Special case (rotate by 13)
Plaintext – send reinforcements
Ciphertext – fraq ervasbeprzragf
Shift/Caesar/ROT13 Cipher
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
9. Uses a set of Caesar ciphers based on a
keyword
Plaintext – send reinforcements
Key – somesecret
Ciphertext - kszh jikejhjqqqwrvj
Vigenère Cipher
S E N D R E I N F O R C E M E N T S
S O M E S E C R E T S O M E S E C R
10.
11. Opk jvvjx rmrp qstyhmtxrh uinkxmcxzsi wl e csccvtvlnfvxdk imclvv riy jbvdygiziq fp Pzwt Fnxkmnbg Eyfvvoq
gvbyeh 1467 vvj yfiu e hmzey gztcmx hvwt xj acmggy fzbcirr tmkpkv npglvjkxf. Ecfzzzm'f wpwoms sapp
wrqzguiu egxneoikw vnzie wvzzzgp jsihn, ith fazxxpkw jiii dvjmpekiy je aemkmio zlr pvxomx ss xyi xwxvrwgsilort
ectcihig me xcm imclvvomdx. Yekim, qt 1508, Nblrrimy Xemklzuoyf, me lda cseo Gsgqmvntymv, qtzrrkiy bni
gesygi xipxr, e xzoxvgrp xwstbrvro wl xui Mmbmtèvr gztcmx. Xui Kvdbnizmlw xqvlrv, ysrmbie, sept xxsimuiy i
vvbkiinaozr, vzkdl grq tiiyqixnfci ngyxrq wsm acmggymio higavii kotuii egxneoikw.[xqzegmfr imkhrh]
Nlvb ow asn oiwcr nw klz Dokrrèii xqvlrv nen wxmtmeegte hrwtvdjkh oc Xmjdgr Oekxdaze Oicpvau ma lzw 1553
wwuo Ye tmazg hrp. Jmb. Oosiee Fvbzmfxr Fztrefs. Yi wcopg ygsi bni gesygi xipxr sa Bxmglvqdcy, fhx rhymj e
eigivbort "gfyibkvfmxr" (v skc) gs jadbil pmglzz gpclrfzby iiiic gmzxrv. Nlzzkef Ecfzzzm nru Xmqzlrqzyn cyiq e
wmsmj tnxkimv uj fyswoqzygmfrn, Jkpyejs'n ailrqv qzitx glv tvbzier fj nchwgmkyoqurf gfygl hi rejc xpgrtiu wduvpl
fp wztkggmek v vka xip. Ozgy arvv xtxognpcc nqtkyi nsmly se wysmb vleejin, stsjr ks wwzl ceixdmy ma euzvvii,
bv kvvvyqvxkiy "wax bj seil" gpbrx adbn xui dinagkr. Fvpgiys'f qvxcwj xuyj vzyameiu wozurt wvgpzoxl jfv jvrc glv
ozg. Gw vx zw mmregmmigg kefc ks nmiyei r wcwxx xip tczgwr, wrc wg g teimmjcy temmeom isazvvnizmbr,
Sigtgwb'w jcnbkq jej gjvymqiiewte qbvv wzkavr.[gzxvbosa rviymj]
Fyezwz lk Zvkvrèmm vyopzwcmj lvw uinkxmcxzsi wl e fmdmgix fhx jxmwtkrv ryowqil gztcmx frjfvz bni pslvo wl
Lrric DQO ss Jieikk, ma 1586. Prxzz, or glv 19xc kkrgyic, opk mazvroqur bj Sigtgwb'w tmkpkv jej qdagxgvzfpbkh
gs Mmbmtèvr. Hrzdl Qeur zr cqy fbsb Xcm Isqisvziqiew cehmtxrh klz uownxkvdjaxvse ft agcvrx xciz lvwksmg neq
"mxrjzkh glzw duvsexrro kurgvzfpbosa eeh dvyxreu rvukh n vvkmmywvzv eil kprqvroixc pmglzz lse lzq
[Qqmiaèvv] xcwaku lv lvl tsglzrb bu hb azxc qz".[4]
Xui Mmbmtèvr gztcmx knmeiy i xicykeoqur ssi fzqtk rbtikbosaecpt azvbrx. Rjbkh nykljz grq qrxcmsegmtmvv
Ilnvcin Taxjmukz Luhtwfr (Gmcmf Grvmwrp) pecpzl zlr Zzkzvèxi pmglzz arovvefihpr me lda 1868 vmrgv "Xcm
Gpclrfzb Imclvv" dv g gumchmmt'w zexeuqti. Vr 1917, Jgdmtxvjzg Vukvvgrr ymygemsiy bni Imxiièzk gvtyim iy
"mztfwnqhpr sw xmitwyekmjv".[5] Zlvw iikczegmfr riy rbx uinmxzrh. Tlvzrif Frfwimi jej oiwcr gs yeqm hvbovr v
dgvveex jn zlr gztcmx ef irvgg gw 1854; usniqmx, lr hzhi'b vyopzwc pow jsio.[6] Fiymfoz iibovrpp fmwqi glv
gdxnie eeh kchpvwyiy bni gitliqwyr me xcm 19zl piexpze. Iiie fznuvr xymn, bnshky, wjuk wxmcpzl ivltkeiircfxj
gjcrh bgtenqurnpcc wzkex xyi xqvlrv zr opk 16xu gvrocxc.[4]
Sample Challenge
12. Copy paste the text into CrypTool
Choose Analysis > Classic > Ciphertext
Only > Vigenere Cipher
The text is decrypted with the key
“vigenere”
Solution
14. Plaintext written downwards on “rails” of an
imaginary fence, then moving up when the
bottom is reached
Plaintext: we are discovered flee at once
Ciphertext:
WECRLTEERDSOEEFEAOCAIVDEN
Rail Fence Cipher
*Example from Wikipedia
15. Plaintext written on a grid of given
dimensions and read off in a patter given in
the key
“Spiral inwards, clockwise, starting from the
top right”
Ciphertext:
EJXCTEDECDAEWRIORFEONALEVSE
Route Cipher
*Example from Wikipedia
16. Symmetric Key Encryption
◦ Uses the same key to encrypt and decrypt
Asymmetric Key Encryption
◦ Also known as public key encryption
◦ Uses two keys: one to encrypt and one to decrypt
Modern Ciphers
17. Share a secret key among two or more
parties
DES – Data Encryption Standard
◦ Uses a 56-bit key
◦ Standard from 1979 to 1990s
AES – Advanced Encryption Standard
◦ Uses 128, 192, or 256-bit key
◦ Standard from early 2000s to present
◦ Must use correct block cipher mode
Symmetric Key Encryption
19. Given a sequence x1x2
…
xn of plaintext blocks
Ciphertext: yi = ℯk(xi)
Advantage: computation done in parallel
Disadvantage: same plaintext block yields
same ciphertext blocks
ECB Mode
21. CTF Problem – CSAW 2010, Crypto Bonus
Users allowed to log into system with only their
username
◦ Root and Admin are not allowed!
Upon authentication, they are presented with an
authentication token (an encryption of the timestamp,
username, and puzzle name)
Each auth-token only lasts 5 minutes!
Goal: Construct a correct authentication token for root
Why Not to Use ECB Mode
cont.
22. Submit “AAAAAAAA”
Submit “AAAAAAAA” again
Only difference is the highlighed portion (perhaps a [part
of] the timestamp)
Why Not to Use ECB Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf
23. Submit “AAAAAAAAAAAAAAAAAA”
The 3rd cipher block is repeated
Submit “AAAAAAAAAAAAAAAAAAAAAAAAadmin”
The correct token for “admin”
The above decrypts to “ 1285874686664|admin|
CSAW_CHALLENGE#4x02x02”
Why Not to Use ECB Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf
24. Given a sequence x1x2
…
xn of plaintext blocks
Each ciphertext block yi is XOR’d with the
next plaintext block xi+1 before encryption
Define y0 = IV (initialization vector)
Ciphertext: yi = ℯk(yi-1 ⊕ xi), i ≥ 1
CBC Mode
25. CTF Problem – CSAW 2010, Crypto 2
Users are presented with an auth token
Token is AES encryption of (Username, Team name, Puzzle
name, Access level)
The access level is set to 5 and teams need to access level
0
Bit Flipping in CBC Mode
26. Bit-flipping propagation
A change in a ciphertext block leads to a change in each
succeeding plaintext block
Bit flipping in CBC Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf
27. Hex dump of the URL-base64 decoded information
Decrypted to
Need to manipulate a byte in the 3rd ciphertext block that,
when decrypted, lines up with the 5 in “role=5”
Bit Flipping in CBC Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf
28. XOR 0x05 with 0xa8 and get 0xad
Replace 0xa8 with 0xad
Decrypted to
Success!
Bit Flipping in CBC Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf
29. Initialization vector: y0 = IV
Keystream element: zi = ℯk(yi-1), i ≥ 1
Ciphertext: yi = xi ⊕ zi, i ≥ 1
CFB Mode
30. Initialization vector: z0 = IV
Keystream: z1z2
…
zn
Keystream element: zi = ℯk(zi-1), i ≥ 1
Ciphertext: yi = xi ⊕ zi, i ≥ 1
OFB Mode
31. Similar to OFB but with a different
keystream
Plaintext block size = m bits
Counter, denoted ctr, bitstring of length m
Construct a sequence of bitstrings of length
m, denoted T1,T2,…
,Tn as follows:
Ti = ctr + i - 1 mod 2m
, i ≥ 1
Ciphertext: yi = xi ⊕ ℯk(Ti), i ≥ 1
CTR Mode
33. Based on mathematical relationships
(integer factorization and discrete
logarithm) that have no efficient solution
Public key, K, is published for everyone to
see
Private key, K-1
, is held by an individual
Two main uses:
◦ Public key encryption – anyone can send a
message to a particular individual –
enck(message)
◦ Digital signatures – anyone can verify a message
is sent by a particular individual – enck-1(message)
Asymmetric Key
Encryption
36. Attacks on cryptographic algorithms
Known plaintext – attacker has access to a
plaintext and the corresponding ciphertext
Ciphertext-only – attack has access to only a
ciphertext and not the plaintext
Chosen Plaintext/Ciphertext – attacker gets to
pick (encrypt/decrypt) a text of his choosing
Adaptive Chosen Plaintext/Ciphertext –
attacker chooses text based on prior results
Cryptographic Attack
Methods
37. Attacks on physical implementation of a
cryptosystem
Timing attack
Power monitoring attack
Acoustic cryptanalysis
Differential fault analysis
Data remanence
Padding oracle attack
Side Channel Attacks
39. Timing attack
◦ Add random delays in processing
Data remanence
◦ Overwrite locations where sensitive data is stored
Padding Oracle attack
◦ Don’t let the user know there was a padding error
◦ Use Message Authentication Code (MAC) to
protect integrity of the ciphertext
How to Avoid Certain
Attacks
41. Used to provide assurance of data integrity
Given a bitstring of any length, produce a
bitstring of length n (n depends on
algorithm)
Desired properties of a hash function:
◦ Easy to compute a hash given a message
◦ Hard to reverse a hash to a message
◦ Hard to modify a message and not the hash
◦ Hard to find to messages with the same hash
Hash Functions
43. Used to discover collisions in hashing
algorithms
There is more than a 50% chance that 2
people in a room of 23 will share a birthday
P[No common birthday] =
◦ n = number of people
Birthday Attack
1
0
365
365
n
i
i
44. CodeGate 2010 Challenge 15
A web based challenge vulnerable to padding/length
extension attack in its SHA1 based authentication scheme
The page asks for a username and then sets a cookie
Username “aaaa”
Cookie “web1_auth = YWFhYXwx|
8f5c14cc7c1cd461f35b190af57927d1c377997e”
The first part “YWFhYXwx” is the base64 encoded string of
“aaaa|1” (username|role)
The second part “8f5c14cc7c1cd461f35b190af57927d1c377997e” is the
sha1(secret_key + username + role)
Length Extension Attack
Write up from http://www.vnsecurity.net/t/length-extension-attack/
45. The cookie is checked at the next visit
Displays “Welcome back, aaaa! You are not the administrator.”
We guess that 1 is the role for normal and 0 for administrator
Modify the first part to base64_encode(“aaaa|0”), the script
will return an error that the data has the wrong signature
The new cookie is “YWFhYXwxgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fDA=|
70f8bf57aa6d7faaa70ef17e763ef2578cb8d839”
“Welcome back, aaaa! Congratulations! You did it! Here is your
flag: CryptoNinjaCertified!!!!!”
Length Extension Attack
cont.
Write up from http://www.vnsecurity.net/t/length-extension-attack/
50. Hide messages in such a way that no one
suspects the existence of such a message
Usually hidden in images (but not
necessarily)
◦ Least significant bit
◦ Alpha byte in RGBA
Steganography
52. Google - everything
Foremost – recover files from other files
Cryptool - cryptanalysis
Useful Tools
53. How can you simultaneously ensure secrecy
and integrity with public key encryption?
◦ A sends a message to B.
◦ A has keys Ka/Ka
-1
and B has keys Kb/Kb
-1
◦ Encrypt function enck(m)
◦ Decrypt function deck(m)
◦ A sends message m as enckb
(encKa-1(m))
What if we reverse the encryption
functions?
◦ A sends message as encKa-1(enckb
(m))
◦ Anyone can switch A’s integrity check with theirs
Question #1
54. One Time Pad – proven to be impossible to crack
Plaintext of length n (bitstring or character string)
Key is also of length n
Plaintext: hello
Key: abcde
Ciphertext ((Plaintext + Key) mod 26):
(h+a)=(7+0)=7=h; (e+b)=(4+1)=5=f;
(l+c)=(11+2)=13=n; (l+d)=(11+3)=14=o;
(o+e)=(14+4)=18=s
Ciphertext: = hfnos
Question #2
55. If it’s been proven to be impossible to crack, why
doesn’t everyone use it?
◦ Only reveals maximum possible length (possibly padded)
Fine for short messages, but the key length must
increase linearly with the plaintext length
◦ Requires perfectly random one-time pads (new
OTP for each message)
◦ How to exchange keys that are as long as the
messages themselves?
Question #2 cont.
56. Plaintexts P1 and P2 were encrypted with the same
one-time pad key. We know P1, how do we find P2?
P1 = x64x69x73x63x6fx76x65x72x79 (discovery)
P2 = ?
C1 = x17x0cx10x11x0ax02x0ex17x00
C2 = x03x09x02x1bx0bx00x0ex1dx0d
Question #3
59. Cryptography: Theory and Practice, 3rd
Edition by Douglas R. Stinson
Wikipedia.org for many images
Cryptography 101, Parts 1-3: utdcsg.org
Write-ups from
◦ http://blog.gdssecurity.com/labs/tag/ctf
◦ http://blog.gdssecurity.com/labs/2010/9/14/automated-
padding-oracle-attacks-with-padbuster.html
◦ http://www.vnsecurity.net/t/length-extension-attack/
References