- By
**truda** - Follow User

- 203 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Cryptography Crash Course' - truda

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Outline

- Overview
- Encryption
- Classical Ciphers
- Modern Ciphers
- Hash Functions
- Encodings
- Steganography
- Questions and Sample Challenges
- CTF

What is Cryptography?

- The enciphering and deciphering of messages in secret code or cipher; also: the computerized encoding and decoding of information – Merriam Webster

Basic Terminology

- Plaintext – the original message to encrypt
- Ciphertext – an encrypted message
- Cipher – an algorithm to convert plaintext to ciphertext and vice versa
- Key – A word/phrase or string of bits that modifies the enciphering/deciphering process

Classical Ciphers

- Substitution Ciphers
- Characters or groups of characters are replaced by other characters
- Transposition Ciphers
- Position of plaintext characters is shifted
- Ciphertext is simply a permutation of plaintext

Simple Substitution Cipher

- Replace each letter with a fixed different letter
- Plaintext – send reinforcements
- Ciphertext – ktdpjtfdoejytbtdlk
- Key – CRYPTOISFUN

Shift/Caesar/ROT13 Cipher

- Shift/Caesar Cipher – Rotate the letters by a fixed amount
- ROT13 – Special case (rotate by 13)
- Plaintext – send reinforcements
- Ciphertext – fraqervasbeprzragf

Vigenère Cipher

- Uses a set of Caesar ciphers based on a keyword
- Plaintext – send reinforcements
- Key – somesecret
- Ciphertext - kszhjikejhjqqqwrvj

Sample Challenge

Opkjvvjxrmrpqstyhmtxrhuinkxmcxzsiwl e csccvtvlnfvxdkimclvvriyjbvdygiziqfpPzwtFnxkmnbgEyfvvoqgvbyeh 1467 vvjyfiu e hmzeygztcmxhvwtxjacmggyfzbcirrtmkpkvnpglvjkxf. Ecfzzzm'fwpwomssappwrqzguiuegxneoikwvnziewvzzzgpjsihn, ithfazxxpkwjiiidvjmpekiy je aemkmiozlrpvxomxssxyixwxvrwgsilortectcihig me xcmimclvvomdx. Yekim, qt 1508, NblrrimyXemklzuoyf, me ldacseoGsgqmvntymv, qtzrrkiybnigesygixipxr, e xzoxvgrpxwstbrvrowlxuiMmbmtèvrgztcmx. XuiKvdbnizmlwxqvlrv, ysrmbie, septxxsimuiyivvbkiinaozr, vzkdlgrqtiiyqixnfcingyxrqwsmacmggymiohigaviikotuiiegxneoikw.[xqzegmfrimkhrh]

NlvbowasnoiwcrnwklzDokrrèiixqvlrvnenwxmtmeegtehrwtvdjkhocXmjdgrOekxdazeOicpvau ma lzw 1553 wwuo Ye tmazghrp. Jmb. OosieeFvbzmfxrFztrefs. Yi wcopgygsibnigesygixipxrsaBxmglvqdcy, fhxrhymj e eigivbort "gfyibkvfmxr" (v skc) gsjadbilpmglzzgpclrfzbyiiiicgmzxrv. NlzzkefEcfzzzmnruXmqzlrqzyncyiq e wmsmjtnxkimvujfyswoqzygmfrn, Jkpyejs'nailrqvqzitxglvtvbzierfjnchwgmkyoqurfgfygl hi rejcxpgrtiuwduvplfpwztkggmek v vkaxip. Ozgyarvvxtxognpccnqtkyinsmly se wysmbvleejin, stsjrkswwzlceixdmy ma euzvvii, bvkvvvyqvxkiy "wax bjseil" gpbrxadbnxuidinagkr. Fvpgiys'fqvxcwjxuyjvzyameiuwozurtwvgpzoxljfvjvrcglvozg. Gwvxzwmmregmmiggkefcksnmiyei r wcwxxxiptczgwr, wrcwg g teimmjcytemmeomisazvvnizmbr, Sigtgwb'wjcnbkqjejgjvymqiiewteqbvvwzkavr.[gzxvbosarviymj]

FyezwzlkZvkvrèmmvyopzwcmjlvwuinkxmcxzsiwl e fmdmgixfhxjxmwtkrvryowqilgztcmxfrjfvzbnipslvowlLrric DQO ssJieikk, ma 1586. Prxzz, or glv 19xc kkrgyic, opkmazvroqurbjSigtgwb'wtmkpkvjejqdagxgvzfpbkhgsMmbmtèvr. HrzdlQeurzrcqyfbsbXcmIsqisvziqiewcehmtxrhklzuownxkvdjaxvse ft agcvrxxcizlvwksmgneq "mxrjzkhglzwduvsexrrokurgvzfpbosaeehdvyxreurvukh n vvkmmywvzveilkprqvroixcpmglzzlselzq [Qqmiaèvv] xcwakulvlvltsglzrbbuhbazxcqz".[4]

XuiMmbmtèvrgztcmxknmeiyixicykeoqurssifzqtkrbtikbosaecptazvbrx. RjbkhnykljzgrqqrxcmsegmtmvvIlnvcinTaxjmukzLuhtwfr (GmcmfGrvmwrp) pecpzlzlrZzkzvèxipmglzzarovvefihpr me lda 1868 vmrgv "XcmGpclrfzbImclvv" dv g gumchmmt'wzexeuqti. Vr 1917, JgdmtxvjzgVukvvgrrymygemsiybniImxiièzkgvtyimiy "mztfwnqhprswxmitwyekmjv".[5] Zlvwiikczegmfrriyrbxuinmxzrh. TlvzrifFrfwimijejoiwcrgsyeqmhvbovr v dgvveexjnzlrgztcmxefirvgggw 1854; usniqmx, lrhzhi'bvyopzwcpowjsio.[6] Fiymfoziibovrppfmwqiglvgdxnieeehkchpvwyiybnigitliqwyr me xcm 19zl piexpze. Iiiefznuvrxymn, bnshky, wjukwxmcpzlivltkeiircfxjgjcrhbgtenqurnpccwzkexxyixqvlrvzropk 16xu gvrocxc.[4]

Solution

- Copy paste the text into CrypTool
- Choose Analysis > Classic > Ciphertext Only > Vigenere Cipher
- The text is decrypted with the key “vigenere”

Rail Fence Cipher

- Plaintext written downwards on “rails” of an imaginary fence, then moving up when the bottom is reached
- Plaintext: we are discovered flee at once
- Ciphertext: WECRLTEERDSOEEFEAOCAIVDEN

*Example from Wikipedia

Route Cipher

- Plaintext written on a grid of given dimensions and read off in a patter given in the key
- “Spiral inwards, clockwise, starting from the top right”
- Ciphertext: EJXCTEDECDAEWRIORFEONALEVSE

*Example from Wikipedia

Modern Ciphers

- Symmetric Key Encryption
- Uses the same key to encrypt and decrypt
- Asymmetric Key Encryption
- Also known as public key encryption
- Uses two keys: one to encrypt and one to decrypt

Symmetric Key Encryption

- Share a secret key among two or more parties
- DES – Data Encryption Standard
- Uses a 56-bit key
- Standard from 1979 to 1990s
- AES – Advanced Encryption Standard
- Uses 128, 192, or 256-bit key
- Standard from early 2000s to present
- Must use correct block cipher mode

Block Cipher Modes

- ECB – Electronic Codebook
- CBC – Cipher Block Chaining
- CFB – Cipher Feedback
- OFB – Output Feedback
- CTR – Counter
- CCM – Counter with Cipher-block Chaining

ECB Mode

- Given a sequence x1x2…xn of plaintext blocks
- Ciphertext: yi = ℯk(xi)
- Advantage: computation done in parallel
- Disadvantage: same plaintext block yields same ciphertext blocks

Why Not to Use ECB Mode

*From Wikipedia

Why Not to Use ECB Mode cont.

- CTF Problem – CSAW 2010, Crypto Bonus
- Users allowed to log into system with only their username
- Root and Admin are not allowed!
- Upon authentication, they are presented with an authentication token (an encryption of the timestamp, username, and puzzle name)
- Each auth-token only lasts 5 minutes!
- Goal: Construct a correct authentication token for root

Why Not to Use ECB Mode cont.

- Submit “AAAAAAAA”
- Submit “AAAAAAAA” again
- Only difference is the highlighed portion (perhaps a [part of] the timestamp)

Write up from http://blog.gdssecurity.com/labs/tag/ctf

Why Not to Use ECB Mode cont.

- Submit “AAAAAAAAAAAAAAAAAA”
- The 3rd cipher block is repeated
- Submit “AAAAAAAAAAAAAAAAAAAAAAAAadmin”
- The correct token for “admin”
- The above decrypts to “ 1285874686664|admin|CSAW_CHALLENGE#4\x02\x02”

Write up from http://blog.gdssecurity.com/labs/tag/ctf

CBC Mode

- Given a sequence x1x2…xn of plaintext blocks
- Each ciphertext block yi is XOR’d with the next plaintext block xi+1 before encryption
- Define y0 = IV (initialization vector)
- Ciphertext: yi = ℯk(yi-1 ⊕ xi), i ≥ 1

Bit Flipping in CBC Mode

- CTF Problem – CSAW 2010, Crypto 2
- Users are presented with an auth token
- Token is AES encryption of (Username, Team name, Puzzle name, Access level)
- The access level is set to 5 and teams need to access level 0

Bit flipping in CBC Mode cont.

- Bit-flipping propagation
- A change in a ciphertext block leads to a change in each succeeding plaintext block

Write up from http://blog.gdssecurity.com/labs/tag/ctf

Bit Flipping in CBC Mode cont.

- Hex dump of the URL-base64 decoded information
- Decrypted to
- Need to manipulate a byte in the 3rd ciphertext block that, when decrypted, lines up with the 5 in “role=5”

Write up from http://blog.gdssecurity.com/labs/tag/ctf

Bit Flipping in CBC Mode cont.

- XOR 0x05 with 0xa8 and get 0xad
- Replace 0xa8 with 0xad
- Decrypted to
- Success!

Write up from http://blog.gdssecurity.com/labs/tag/ctf

CFB Mode

- Initialization vector: y0 = IV
- Keystream element: zi = ℯk(yi-1), i ≥ 1
- Ciphertext: yi = xi ⊕ zi, i ≥ 1

OFB Mode

- Initialization vector: z0 = IV
- Keystream: z1z2…zn
- Keystream element: zi = ℯk(zi-1), i ≥ 1
- Ciphertext: yi = xi ⊕ zi, i ≥ 1

CTR Mode

- Similar to OFB but with a different keystream
- Plaintext block size = m bits
- Counter, denoted ctr, bitstring of length m
- Construct a sequence of bitstrings of length m, denoted T1,T2,…,Tn as follows:
- Ti = ctr + i - 1 mod 2m, i ≥ 1
- Ciphertext: yi = xi ⊕ ℯk(Ti), i ≥ 1

Asymmetric Key Encryption

- Based on mathematical relationships (integer factorization and discrete logarithm) that have no efficient solution
- Public key, K, is published for everyone to see
- Private key, K-1, is held by an individual
- Two main uses:
- Public key encryption – anyone can send a message to a particular individual – enck(message)
- Digital signatures – anyone can verify a message is sent by a particular individual – enck-1(message)

Diffie-Hellman cont.

This implementation is not secure due to the values of g and n.

In practice, n = prime number, g = generator (primitive root mod n)

Cryptographic Attack Methods

- Attacks on cryptographic algorithms
- Known plaintext – attacker has access to a plaintext and the corresponding ciphertext
- Ciphertext-only – attack has access to only a ciphertext and not the plaintext
- ChosenPlaintext/Ciphertext – attacker gets to pick (encrypt/decrypt) a text of his choosing
- AdaptiveChosenPlaintext/Ciphertext – attacker chooses text based on prior results

Side Channel Attacks

- Attacks on physical implementation of a cryptosystem
- Timing attack
- Power monitoring attack
- Acoustic cryptanalysis
- Differential fault analysis
- Data remanence
- Padding oracle attack

Padding Oracle Attack

- Walkthrough of padding oracle attack
- http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html

How to Avoid Certain Attacks

- Timing attack
- Add random delays in processing
- Data remanence
- Overwrite locations where sensitive data is stored
- Padding Oracle attack
- Don’t let the user know there was a padding error
- Use Message Authentication Code (MAC) to protect integrity of the ciphertext

Hash Functions

- Used to provide assurance of data integrity
- Given a bitstring of any length, produce a bitstring of length n (n depends on algorithm)
- Desired properties of a hash function:
- Easy to compute a hash given a message
- Hard to reverse a hash to a message
- Hard to modify a message and not the hash
- Hard to find to messages with the same hash

Hash Functions cont.

- Message Digest:
- MD2, MD4, MD5, MD6
- Secure Hash Algorithm:
- SHA-0, SHA-1, SHA-2, SHA-3 (coming soon)
- Most commonly used:
- MD5 – 128 bit hash
- SHA-1 – 160 bit hash
- SHA-2 – 224, 256, 384, or 512 bit hash
- Longer hash = better

Birthday Attack

- Used to discover collisions in hashing algorithms
- There is more than a 50% chance that 2 people in a room of 23 will share a birthday
- P[No common birthday] =
- n = number of people

Length Extension Attack

- CodeGate 2010 Challenge 15
- A web based challenge vulnerable to padding/length extension attack in its SHA1 based authentication scheme
- The page asks for a username and then sets a cookie
- Username “aaaa”
- Cookie “web1_auth = YWFhYXwx|8f5c14cc7c1cd461f35b190af57927d1c377997e”
- The first part “YWFhYXwx” is the base64 encoded string of “aaaa|1” (username|role)
- The second part “8f5c14cc7c1cd461f35b190af57927d1c377997e” is the sha1(secret_key + username + role)

Write up from http://www.vnsecurity.net/t/length-extension-attack/

Length Extension Attack cont.

- The cookie is checked at the next visit
- Displays “Welcome back, aaaa! You are not the administrator.”
- We guess that 1 is the role for normal and 0 for administrator
- Modify the first part to base64_encode(“aaaa|0”), the script will return an error that the data has the wrong signature
- The new cookie is “YWFhYXwxgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fDA=|70f8bf57aa6d7faaa70ef17e763ef2578cb8d839”
- “Welcome back, aaaa! Congratulations! You did it! Here is your flag: CryptoNinjaCertified!!!!!”

Write up from http://www.vnsecurity.net/t/length-extension-attack/

Encodings

- Simple encodings of text (not encryption)
- ASCII to decimal, hex, binary, or base64
- Plaintext: hello
- Decimal: 104 101 108 108 111
- Hex: \x68\x65\x6c\x6c\x6f
- Binary: 0000011010001100101110110011011001101111
- Base64: aGVsbG8=
- Many other more clever encodings

Steganography

- Hide messages in such a way that no one suspects the existence of such a message
- Usually hidden in images (but not necessarily)
- Least significant bit
- Alpha byte in RGBA

Useful Tools

- Google - everything
- Foremost – recover files from other files
- Cryptool - cryptanalysis

Question #1

- How can you simultaneously ensure secrecy and integrity with public key encryption?
- A sends a message to B.
- A has keys Ka/Ka-1 and B has keys Kb/Kb-1
- Encrypt function enck(m)
- Decrypt function deck(m)
- A sends message m as enckb(encKa-1(m))
- What if we reverse the encryption functions?
- A sends message as encKa-1(enckb(m))
- Anyone can switch A’s integrity check with theirs

Question #2

- One Time Pad – proven to be impossible to crack
- Plaintext of length n (bitstring or character string)
- Key is also of length n
- Plaintext: hello
- Key: abcde
- Ciphertext ((Plaintext + Key) mod 26):
- (h+a)=(7+0)=7=h; (e+b)=(4+1)=5=f; (l+c)=(11+2)=13=n; (l+d)=(11+3)=14=o; (o+e)=(14+4)=18=s
- Ciphertext: = hfnos

Question #2 cont.

- If it’s been proven to be impossible to crack, why doesn’t everyone use it?
- Only reveals maximum possible length (possibly padded)
- Fine for short messages, but the key length must increase linearly with the plaintext length
- Requires perfectly random one-time pads (new OTP for each message)
- How to exchange keys that are as long as the messages themselves?

Question #3

- Plaintexts P1 and P2 were encrypted with the same one-time pad key. We know P1, how do we find P2?
- P1 = \x64\x69\x73\x63\x6f\x76\x65\x72\x79 (discovery)
- P2 = ?
- C1 = \x17\x0c\x10\x11\x0a\x02\x0e\x17\x00
- C2 = \x03\x09\x02\x1b\x0b\x00\x0e\x1d\x0d

Question #3 cont.

- Consider OTP operations:
- P1 ⊕ Key = C1
- P2 ⊕ Key = C2
- P1 ⊕ Key ⊕ P1 = C1 ⊕ P1 = Key
- C2 ⊕ Key = P2
- P1 = \x64\x69\x73\x63\x6f\x76\x65\x72\x79
- C1 = \x17\x0c\x10\x11\x0a\x02\x0e\x17\x00
- Key = \x73\x65\x63\x72\x65\x74\x6b\x65\x79 (secretkey)
- P2 = \x70\x6c\x61\x69\x6e\x74\x65\x78\x74 (plaintext)
- Know ciphertext and plaintext = know key
- Know key = decrypt any other ciphertext using that key

CTF

- Connection details will be provided at the crash course

References

- Cryptography: Theory and Practice, 3rd Edition by Douglas R. Stinson
- Wikipedia.org for many images
- Cryptography 101, Parts 1-3: utdcsg.org
- Write-ups from
- http://blog.gdssecurity.com/labs/tag/ctf
- http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
- http://www.vnsecurity.net/t/length-extension-attack/

Download Presentation

Connecting to Server..