Cryptography Crash Course

Matthew Stephen

www.utdcsg.org

Outline
  • Overview
  • Encryption
    • Classical Ciphers
    • Modern Ciphers
  • Hash Functions
  • Encodings
  • Steganography
  • Questions and Sample Challenges
  • CTF
What is Cryptography?
  • The enciphering and deciphering of messages in secret code or cipher; also: the computerized encoding and decoding of information – Merriam Webster
Basic Terminology
  • Plaintext – the original message to encrypt
  • Ciphertext – an encrypted message
  • Cipher – an algorithm to convert plaintext to ciphertext and vice versa
  • Key – A word/phrase or string of bits that modifies the enciphering/deciphering process
Classical Ciphers
  • Substitution Ciphers
    • Characters or groups of characters are replaced by other characters
  • Transposition Ciphers
    • Position of plaintext characters is shifted
    • Ciphertext is simply a permutation of plaintext
Simple Substitution Cipher
  • Replace each letter with a fixed different letter
  • Plaintext – send reinforcements
  • Ciphertext – ktdpjtfdoejytbtdlk
  • Key – CRYPTOISFUN
Shift/Caesar/ROT13 Cipher
  • Shift/Caesar Cipher – Rotate the letters by a fixed amount
  • ROT13 – Special case (rotate by 13)
  • Plaintext – send reinforcements
  • Ciphertext – fraqervasbeprzragf
Vigenère Cipher
  • Uses a set of Caesar ciphers based on a keyword
  • Plaintext – send reinforcements
  • Key – somesecret
  • Ciphertext - kszhjikejhjqqqwrvj
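
The shift and Vigenère slides above, as an added example (not part of the original slides): one routine covers Caesar, ROT13 and Vigenère, and a known plaintext/ciphertext pair is enough to recover the keyword. The function names are illustrative; the vectors are the ones on the slides with spaces removed.

```python
import string

A = string.ascii_lowercase

def vigenere(text, key, decrypt=False):
    """Shift each letter of text by the matching key letter (the key repeats)."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text):
        shift = A.index(key[i % len(key)])
        out.append(A[(A.index(ch) + sign * shift) % 26])
    return "".join(out)

def caesar(text, shift):
    """A Caesar shift is Vigenere with a one-letter key; ROT13 is shift 13."""
    return vigenere(text, A[shift % 26])

def recover_key(plaintext, ciphertext):
    """Known plaintext: ciphertext minus plaintext gives the running key;
    its shortest repeating period is the keyword."""
    stream = vigenere(ciphertext, plaintext, decrypt=True)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]

# Plaintext from the slides above, lower case, no spaces.
PLAINTEXT = "sendreinforcements"

if __name__ == "__main__":
    print(caesar(PLAINTEXT, 13))
    print(vigenere(PLAINTEXT, "somesecret"))
    print(recover_key(PLAINTEXT, "kszhjikejhjqqqwrvj"))
```
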
Sample Challenge

Opkjvvjxrmrpqstyhmtxrhuinkxmcxzsiwl e csccvtvlnfvxdkimclvvriyjbvdygiziqfpPzwtFnxkmnbgEyfvvoqgvbyeh 1467 vvjyfiu e hmzeygztcmxhvwtxjacmggyfzbcirrtmkpkvnpglvjkxf. Ecfzzzm'fwpwomssappwrqzguiuegxneoikwvnziewvzzzgpjsihn, ithfazxxpkwjiiidvjmpekiy je aemkmiozlrpvxomxssxyixwxvrwgsilortectcihig me xcmimclvvomdx. Yekim, qt 1508, NblrrimyXemklzuoyf, me ldacseoGsgqmvntymv, qtzrrkiybnigesygixipxr, e xzoxvgrpxwstbrvrowlxuiMmbmtèvrgztcmx. XuiKvdbnizmlwxqvlrv, ysrmbie, septxxsimuiyivvbkiinaozr, vzkdlgrqtiiyqixnfcingyxrqwsmacmggymiohigaviikotuiiegxneoikw.[xqzegmfrimkhrh]

NlvbowasnoiwcrnwklzDokrrèiixqvlrvnenwxmtmeegtehrwtvdjkhocXmjdgrOekxdazeOicpvau ma lzw 1553 wwuo Ye tmazghrp. Jmb. OosieeFvbzmfxrFztrefs. Yi wcopgygsibnigesygixipxrsaBxmglvqdcy, fhxrhymj e eigivbort "gfyibkvfmxr" (v skc) gsjadbilpmglzzgpclrfzbyiiiicgmzxrv. NlzzkefEcfzzzmnruXmqzlrqzyncyiq e wmsmjtnxkimvujfyswoqzygmfrn, Jkpyejs'nailrqvqzitxglvtvbzierfjnchwgmkyoqurfgfygl hi rejcxpgrtiuwduvplfpwztkggmek v vkaxip. Ozgyarvvxtxognpccnqtkyinsmly se wysmbvleejin, stsjrkswwzlceixdmy ma euzvvii, bvkvvvyqvxkiy "wax bjseil" gpbrxadbnxuidinagkr. Fvpgiys'fqvxcwjxuyjvzyameiuwozurtwvgpzoxljfvjvrcglvozg. Gwvxzwmmregmmiggkefcksnmiyei r wcwxxxiptczgwr, wrcwg g teimmjcytemmeomisazvvnizmbr, Sigtgwb'wjcnbkqjejgjvymqiiewteqbvvwzkavr.[gzxvbosarviymj]

FyezwzlkZvkvrèmmvyopzwcmjlvwuinkxmcxzsiwl e fmdmgixfhxjxmwtkrvryowqilgztcmxfrjfvzbnipslvowlLrric DQO ssJieikk, ma 1586. Prxzz, or glv 19xc kkrgyic, opkmazvroqurbjSigtgwb'wtmkpkvjejqdagxgvzfpbkhgsMmbmtèvr. HrzdlQeurzrcqyfbsbXcmIsqisvziqiewcehmtxrhklzuownxkvdjaxvse ft agcvrxxcizlvwksmgneq "mxrjzkhglzwduvsexrrokurgvzfpbosaeehdvyxreurvukh n vvkmmywvzveilkprqvroixcpmglzzlselzq [Qqmiaèvv] xcwakulvlvltsglzrbbuhbazxcqz".[4]

XuiMmbmtèvrgztcmxknmeiyixicykeoqurssifzqtkrbtikbosaecptazvbrx. RjbkhnykljzgrqqrxcmsegmtmvvIlnvcinTaxjmukzLuhtwfr (GmcmfGrvmwrp) pecpzlzlrZzkzvèxipmglzzarovvefihpr me lda 1868 vmrgv "XcmGpclrfzbImclvv" dv g gumchmmt'wzexeuqti. Vr 1917, JgdmtxvjzgVukvvgrrymygemsiybniImxiièzkgvtyimiy "mztfwnqhprswxmitwyekmjv".[5] Zlvwiikczegmfrriyrbxuinmxzrh. TlvzrifFrfwimijejoiwcrgsyeqmhvbovr v dgvveexjnzlrgztcmxefirvgggw 1854; usniqmx, lrhzhi'bvyopzwcpowjsio.[6] Fiymfoziibovrppfmwqiglvgdxnieeehkchpvwyiybnigitliqwyr me xcm 19zl piexpze. Iiiefznuvrxymn, bnshky, wjukwxmcpzlivltkeiircfxjgjcrhbgtenqurnpccwzkexxyixqvlrvzropk 16xu gvrocxc.[4]

Solution
  • Copy and paste the text into CrypTool
  • Choose Analysis > Classic > Ciphertext Only > Vigenere Cipher
  • The text is decrypted with the key “vigenere”
Rail Fence Cipher
  • Plaintext written downwards on “rails” of an imaginary fence, then moving up when the bottom is reached
  • Plaintext: we are discovered flee at once
  • Ciphertext: WECRLTEERDSOEEFEAOCAIVDEN

*Example from Wikipedia

Route Cipher
  • Plaintext written on a grid of given dimensions and read off in a pattern given in the key
  • “Spiral inwards, clockwise, starting from the top right”
  • Ciphertext: EJXCTEDECDAEWRIORFEONALEVSE

*Example from Wikipedia

Modern Ciphers
  • Symmetric Key Encryption
    • Uses the same key to encrypt and decrypt
  • Asymmetric Key Encryption
    • Also known as public key encryption
    • Uses two keys: one to encrypt and one to decrypt
Symmetric Key Encryption
  • Share a secret key among two or more parties
  • DES – Data Encryption Standard
    • Uses a 56-bit key
    • Standard from 1979 to 1990s
  • AES – Advanced Encryption Standard
    • Uses 128, 192, or 256-bit key
    • Standard from early 2000s to present
    • Must use correct block cipher mode
Block Cipher Modes
  • ECB – Electronic Codebook
  • CBC – Cipher Block Chaining
  • CFB – Cipher Feedback
  • OFB – Output Feedback
  • CTR – Counter
  • CCM – Counter with Cipher-block Chaining
ECB Mode
  • Given a sequence $x_1 x_2 \ldots x_n$ of plaintext blocks
  • Ciphertext: $y_i = e_k(x_i)$
  • Advantage: computation can be done in parallel
  • Disadvantage: identical plaintext blocks yield identical ciphertext blocks
Why Not to Use ECB Mode cont.
  • CTF Problem – CSAW 2010, Crypto Bonus
  • Users allowed to log into system with only their username
    • Root and Admin are not allowed!
  • Upon authentication, they are presented with an authentication token (an encryption of the timestamp, username, and puzzle name)
  • Each auth-token only lasts 5 minutes!
  • Goal: Construct a correct authentication token for root
Why Not to Use ECB Mode cont.
  • Submit “AAAAAAAA”
  • Submit “AAAAAAAA” again
  • The only difference is the highlighted portion (perhaps [part of] the timestamp)

Write up from http://blog.gdssecurity.com/labs/tag/ctf

Why Not to Use ECB Mode cont.
  • Submit “AAAAAAAAAAAAAAAAAA”
  • The 3rd cipher block is repeated
  • Submit “AAAAAAAAAAAAAAAAAAAAAAAAadmin”
  • The correct token for “admin”
  • The above decrypts to “  1285874686664|admin|CSAW_CHALLENGE#4\x02\x02”

Write up from http://blog.gdssecurity.com/labs/tag/ctf

CBC Mode
  • Given a sequence $x_1 x_2 \ldots x_n$ of plaintext blocks
  • Each ciphertext block $y_i$ is XOR’d with the next plaintext block $x_{i+1}$ before encryption
  • Define $y_0 = IV$ (initialization vector)
  • Ciphertext: $y_i = e_k(y_{i-1} \oplus x_i)$, $i \ge 1$
Bit Flipping in CBC Mode
  • CTF Problem – CSAW 2010, Crypto 2
  • Users are presented with an auth token
  • Token is AES encryption of (Username, Team name, Puzzle name, Access level)
  • The access level is set to 5 and teams need access level 0
Bit flipping in CBC Mode cont.
  • Bit-flipping propagation
  • A change in a ciphertext block leads to a change in each succeeding plaintext block

Write up from http://blog.gdssecurity.com/labs/tag/ctf

Bit Flipping in CBC Mode cont.
  • Hex dump of the URL-base64 decoded information
  • Decrypted to
  • Need to manipulate a byte in the 3rd ciphertext block that, when decrypted, lines up with the 5 in “role=5”

Write up from http://blog.gdssecurity.com/labs/tag/ctf

Bit Flipping in CBC Mode cont.
  • XOR 0x05 with 0xa8 and get 0xad
  • Replace 0xa8 with 0xad
  • Decrypted to
  • Success!

Write up from http://blog.gdssecurity.com/labs/tag/ctf
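
The bit-flipping slides above, as an added example (not part of the original slides or the write-up): XORing 0x05 into one ciphertext byte turns “role=5” into “role=0” in the next block while the block that held the modified byte decrypts to garbage, and an encrypt-then-MAC check rejects the altered token before decryption. A toy Feistel cipher stands in for AES so the code runs with the standard library only; the token, keys and function names are constructed for illustration.

```python
import hashlib, hmac, os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(key, rnd, half):  # round function of a toy Feistel cipher (stand-in for AES)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, F(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, F(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # y_i = e_k(y_{i-1} XOR x_i), y_0 = IV
    out = [iv]
    for i in range(0, len(pt), 16):
        out.append(enc_block(key, xor(out[-1], pt[i:i + 16])))
    return b"".join(out)  # IV || ciphertext

def cbc_decrypt(key, ct):  # x_i = d_k(y_i) XOR y_{i-1}
    return b"".join(xor(dec_block(key, ct[i:i + 16]), ct[i - 16:i])
                    for i in range(16, len(ct), 16))

def flip(data, index, mask):  # XOR one byte, as in the 0xa8 -> 0xad step
    return data[:index] + bytes([data[index] ^ mask]) + data[index + 1:]

def seal(enc_key, mac_key, pt):  # encrypt-then-MAC over IV || ciphertext
    ct = cbc_encrypt(enc_key, os.urandom(16), pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_token(enc_key, mac_key, token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None  # reject before decrypting anything
    return cbc_decrypt(enc_key, ct)

TOKEN = b"user=alice;team=blue;puzzle=cbc;expiry=99;role=5"  # constructed, 3 full blocks
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"

if __name__ == "__main__":
    ct = cbc_encrypt(ENC_KEY, os.urandom(16), TOKEN)
    print(cbc_decrypt(ENC_KEY, flip(ct, 47, 0x05)))  # '5' at plaintext offset 47
```
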

CFB Mode
  • Initialization vector: $y_0 = IV$
  • Keystream element: $z_i = e_k(y_{i-1})$, $i \ge 1$
  • Ciphertext: $y_i = x_i \oplus z_i$, $i \ge 1$
OFB Mode
  • Initialization vector: $z_0 = IV$
  • Keystream: $z_1 z_2 \ldots z_n$
  • Keystream element: $z_i = e_k(z_{i-1})$, $i \ge 1$
  • Ciphertext: $y_i = x_i \oplus z_i$, $i \ge 1$
CTR Mode
  • Similar to OFB but with a different keystream
  • Plaintext block size = $m$ bits
  • Counter, denoted $ctr$, bitstring of length $m$
  • Construct a sequence of bitstrings of length $m$, denoted $T_1, T_2, \ldots, T_n$, as follows:
  • $T_i = ctr + i - 1 \bmod 2^m$, $i \ge 1$
  • Ciphertext: $y_i = x_i \oplus e_k(T_i)$, $i \ge 1$
Asymmetric Key Encryption
  • Based on mathematical relationships (integer factorization and discrete logarithm) that have no efficient solution
  • Public key, K, is published for everyone to see
  • Private key, $K^{-1}$, is held by an individual
  • Two main uses:
    • Public key encryption – anyone can send a message to a particular individual – $enc_K(message)$
    • Digital signatures – anyone can verify a message is sent by a particular individual – $enc_{K^{-1}}(message)$
Diffie-Hellman cont.

This implementation is not secure due to the values of g and n.

In practice, n = prime number, g = generator (primitive root mod n)

Cryptographic Attack Methods
  • Attacks on cryptographic algorithms
  • Known plaintext – attacker has access to a plaintext and the corresponding ciphertext
  • Ciphertext-only – attacker has access to only a ciphertext and not the plaintext
  • Chosen Plaintext/Ciphertext – attacker gets to pick (encrypt/decrypt) a text of his choosing
  • Adaptive Chosen Plaintext/Ciphertext – attacker chooses text based on prior results
Side Channel Attacks
  • Attacks on physical implementation of a cryptosystem
  • Timing attack
  • Power monitoring attack
  • Acoustic cryptanalysis
  • Differential fault analysis
  • Data remanence
  • Padding oracle attack
Padding Oracle Attack
  • Walkthrough of padding oracle attack
    • http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
How to Avoid Certain Attacks
  • Timing attack
    • Add random delays in processing
  • Data remanence
    • Overwrite locations where sensitive data is stored
  • Padding Oracle attack
    • Don’t let the user know there was a padding error
    • Use Message Authentication Code (MAC) to protect integrity of the ciphertext
Hash Functions
  • Used to provide assurance of data integrity
  • Given a bitstring of any length, produce a bitstring of length n (n depends on algorithm)
  • Desired properties of a hash function:
    • Easy to compute a hash given a message
    • Hard to reverse a hash to a message
    • Hard to modify a message and not the hash
    • Hard to find two messages with the same hash
Hash Functions cont.
  • Message Digest:
    • MD2, MD4, MD5, MD6
  • Secure Hash Algorithm:
    • SHA-0, SHA-1, SHA-2, SHA-3 (coming soon)
  • Most commonly used:
    • MD5 – 128 bit hash
    • SHA-1 – 160 bit hash
    • SHA-2 – 224, 256, 384, or 512 bit hash
  • Longer hash = better
Birthday Attack
  • Used to discover collisions in hashing algorithms
  • There is more than a 50% chance that 2 people in a room of 23 will share a birthday
  • P[No common birthday] =
    • n = number of people
Length Extension Attack
  • CodeGate 2010 Challenge 15
  • A web based challenge vulnerable to padding/length extension attack in its SHA1 based authentication scheme
  • The page asks for a username and then sets a cookie
  • Username “aaaa”
  • Cookie “web1_auth = YWFhYXwx|8f5c14cc7c1cd461f35b190af57927d1c377997e”
  • The first part “YWFhYXwx” is the base64 encoded string of “aaaa|1” (username|role)
  • The second part “8f5c14cc7c1cd461f35b190af57927d1c377997e” is the sha1(secret_key + username + role)

Write up from http://www.vnsecurity.net/t/length-extension-attack/

Length Extension Attack cont.
  • The cookie is checked at the next visit
  • Displays “Welcome back, aaaa! You are not the administrator.”
  • We guess that 1 is the role for normal and 0 for administrator
  • If we modify the first part to base64_encode(“aaaa|0”), the script returns an error saying that the data has the wrong signature
  • The new cookie is “YWFhYXwxgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fDA=|70f8bf57aa6d7faaa70ef17e763ef2578cb8d839”
  • “Welcome back, aaaa! Congratulations! You did it! Here is your flag: CryptoNinjaCertified!!!!!”

Write up from http://www.vnsecurity.net/t/length-extension-attack/

Encodings
  • Simple encodings of text (not encryption)
  • ASCII to decimal, hex, binary, or base64
    • Plaintext: hello
    • Decimal: 104 101 108 108 111
    • Hex: \x68\x65\x6c\x6c\x6f
    • Binary: 0000011010001100101110110011011001101111
    • Base64: aGVsbG8=
  • Many other more clever encodings
Steganography
  • Hide messages in such a way that no one suspects the existence of such a message
  • Usually hidden in images (but not necessarily)
    • Least significant bit
    • Alpha byte in RGBA
Useful Tools
  • Google - everything
  • Foremost – recover files from other files
  • CrypTool - cryptanalysis
Question #1
  • How can you simultaneously ensure secrecy and integrity with public key encryption?
    • A sends a message to B.
    • A has keys $K_a$/$K_a^{-1}$ and B has keys $K_b$/$K_b^{-1}$
    • Encrypt function $enc_k(m)$
    • Decrypt function $dec_k(m)$
    • A sends message m as $enc_{K_b}(enc_{K_a^{-1}}(m))$
  • What if we reverse the encryption functions?
    • A sends message as $enc_{K_a^{-1}}(enc_{K_b}(m))$
    • Anyone can switch A’s integrity check with theirs
Question #2
  • One Time Pad – proven to be impossible to crack
  • Plaintext of length n (bitstring or character string)
  • Key is also of length n
  • Plaintext: hello
  • Key: abcde
  • Ciphertext ((Plaintext + Key) mod 26):
  • (h+a)=(7+0)=7=h; (e+b)=(4+1)=5=f; (l+c)=(11+2)=13=n; (l+d)=(11+3)=14=o; (o+e)=(14+4)=18=s
  • Ciphertext: hfnos
Question #2 cont.
  • If it’s been proven to be impossible to crack, why doesn’t everyone use it?
    • Only reveals maximum possible length (possibly padded)
  • Fine for short messages, but the key length must increase linearly with the plaintext length
    • Requires perfectly random one-time pads (new OTP for each message)
    • How to exchange keys that are as long as the messages themselves?
Question #3
  • Plaintexts P1 and P2 were encrypted with the same one-time pad key. We know P1, how do we find P2?
  • P1 = \x64\x69\x73\x63\x6f\x76\x65\x72\x79 (discovery)
  • P2 = ?
  • C1 = \x17\x0c\x10\x11\x0a\x02\x0e\x17\x00
  • C2 = \x03\x09\x02\x1b\x0b\x00\x0e\x1d\x0d
Question #3 cont.
  • Consider OTP operations:
    • P1 ⊕ Key = C1
    • P2 ⊕ Key = C2
    • P1 ⊕ Key ⊕ P1 = C1 ⊕ P1 = Key
    • C2 ⊕ Key = P2
  • P1 = \x64\x69\x73\x63\x6f\x76\x65\x72\x79
  • C1 = \x17\x0c\x10\x11\x0a\x02\x0e\x17\x00
  • Key = \x73\x65\x63\x72\x65\x74\x6b\x65\x79 (secretkey)
  • P2 = \x70\x6c\x61\x69\x6e\x74\x65\x78\x74 (plaintext)
  • Know ciphertext and plaintext = know key
  • Know key = decrypt any other ciphertext using that key
CTF
  • Connection details will be provided at the crash course
References
  • Cryptography: Theory and Practice, 3rd Edition by Douglas R. Stinson
  • Wikipedia.org for many images
  • Cryptography 101, Parts 1-3: utdcsg.org
  • Write-ups from
    • http://blog.gdssecurity.com/labs/tag/ctf
    • http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
    • http://www.vnsecurity.net/t/length-extension-attack/