650 likes | 1.1k Views
Cryptography Crash Course. Matthew Stephen www.utdcsg.org. Outline. Overview Encryption Classical Ciphers Modern Ciphers Hash Functions Encodings Steganography Questions and Sample Challenges CTF. What is Cryptography?.
E N D
Cryptography Crash Course Matthew Stephen www.utdcsg.org
Outline • Overview • Encryption • Classical Ciphers • Modern Ciphers • Hash Functions • Encodings • Steganography • Questions and Sample Challenges • CTF
What is Cryptography? • The enciphering and deciphering of messages in secret code or cipher; also: the computerized encoding and decoding of information – Merriam Webster
Basic Terminology • Plaintext – the original message to encrypt • Ciphertext – an encrypted message • Cipher – an algorithm to convert plaintext to ciphertext and vice versa • Key – A word/phrase or string of bits that modifies the enciphering/deciphering process
Classical Ciphers • Substitution Ciphers • Characters or groups of characters are replaced by other characters • Transposition Ciphers • Position of plaintext characters is shifted • Ciphertext is simply a permutation of plaintext
Simple Substitution Cipher • Replace each letter with a fixed different letter • Plaintext – send reinforcements • Ciphertext – ktdpjtfdoejytbtdlk • Key – CRYPTOISFUN
Shift/Caesar/ROT13 Cipher • Shift/Caesar Cipher – Rotate the letters by a fixed amount • ROT13 – Special case (rotate by 13) • Plaintext – send reinforcements • Ciphertext – fraqervasbeprzragf
Vigenère Cipher • Uses a set of Caesar ciphers based on a keyword • Plaintext – send reinforcements • Key – somesecret • Ciphertext - kszhjikejhjqqqwrvj
Sample Challenge Opkjvvjxrmrpqstyhmtxrhuinkxmcxzsiwl e csccvtvlnfvxdkimclvvriyjbvdygiziqfpPzwtFnxkmnbgEyfvvoqgvbyeh 1467 vvjyfiu e hmzeygztcmxhvwtxjacmggyfzbcirrtmkpkvnpglvjkxf. Ecfzzzm'fwpwomssappwrqzguiuegxneoikwvnziewvzzzgpjsihn, ithfazxxpkwjiiidvjmpekiy je aemkmiozlrpvxomxssxyixwxvrwgsilortectcihig me xcmimclvvomdx. Yekim, qt 1508, NblrrimyXemklzuoyf, me ldacseoGsgqmvntymv, qtzrrkiybnigesygixipxr, e xzoxvgrpxwstbrvrowlxuiMmbmtèvrgztcmx. XuiKvdbnizmlwxqvlrv, ysrmbie, septxxsimuiyivvbkiinaozr, vzkdlgrqtiiyqixnfcingyxrqwsmacmggymiohigaviikotuiiegxneoikw.[xqzegmfrimkhrh] NlvbowasnoiwcrnwklzDokrrèiixqvlrvnenwxmtmeegtehrwtvdjkhocXmjdgrOekxdazeOicpvau ma lzw 1553 wwuo Ye tmazghrp. Jmb. OosieeFvbzmfxrFztrefs. Yi wcopgygsibnigesygixipxrsaBxmglvqdcy, fhxrhymj e eigivbort "gfyibkvfmxr" (v skc) gsjadbilpmglzzgpclrfzbyiiiicgmzxrv. NlzzkefEcfzzzmnruXmqzlrqzyncyiq e wmsmjtnxkimvujfyswoqzygmfrn, Jkpyejs'nailrqvqzitxglvtvbzierfjnchwgmkyoqurfgfygl hi rejcxpgrtiuwduvplfpwztkggmek v vkaxip. Ozgyarvvxtxognpccnqtkyinsmly se wysmbvleejin, stsjrkswwzlceixdmy ma euzvvii, bvkvvvyqvxkiy "wax bjseil" gpbrxadbnxuidinagkr. Fvpgiys'fqvxcwjxuyjvzyameiuwozurtwvgpzoxljfvjvrcglvozg. Gwvxzwmmregmmiggkefcksnmiyei r wcwxxxiptczgwr, wrcwg g teimmjcytemmeomisazvvnizmbr, Sigtgwb'wjcnbkqjejgjvymqiiewteqbvvwzkavr.[gzxvbosarviymj] FyezwzlkZvkvrèmmvyopzwcmjlvwuinkxmcxzsiwl e fmdmgixfhxjxmwtkrvryowqilgztcmxfrjfvzbnipslvowlLrric DQO ssJieikk, ma 1586. Prxzz, or glv 19xc kkrgyic, opkmazvroqurbjSigtgwb'wtmkpkvjejqdagxgvzfpbkhgsMmbmtèvr. HrzdlQeurzrcqyfbsbXcmIsqisvziqiewcehmtxrhklzuownxkvdjaxvse ft agcvrxxcizlvwksmgneq "mxrjzkhglzwduvsexrrokurgvzfpbosaeehdvyxreurvukh n vvkmmywvzveilkprqvroixcpmglzzlselzq [Qqmiaèvv] xcwakulvlvltsglzrbbuhbazxcqz".[4] XuiMmbmtèvrgztcmxknmeiyixicykeoqurssifzqtkrbtikbosaecptazvbrx. RjbkhnykljzgrqqrxcmsegmtmvvIlnvcinTaxjmukzLuhtwfr (GmcmfGrvmwrp) pecpzlzlrZzkzvèxipmglzzarovvefihpr me lda 1868 vmrgv "XcmGpclrfzbImclvv" dv g gumchmmt'wzexeuqti. Vr 1917, JgdmtxvjzgVukvvgrrymygemsiybniImxiièzkgvtyimiy "mztfwnqhprswxmitwyekmjv".[5] Zlvwiikczegmfrriyrbxuinmxzrh. TlvzrifFrfwimijejoiwcrgsyeqmhvbovr v dgvveexjnzlrgztcmxefirvgggw 1854; usniqmx, lrhzhi'bvyopzwcpowjsio.[6] Fiymfoziibovrppfmwqiglvgdxnieeehkchpvwyiybnigitliqwyr me xcm 19zl piexpze. Iiiefznuvrxymn, bnshky, wjukwxmcpzlivltkeiircfxjgjcrhbgtenqurnpccwzkexxyixqvlrvzropk 16xu gvrocxc.[4]
Solution • Copy paste the text into CrypTool • Choose Analysis > Classic > Ciphertext Only > Vigenere Cipher • The text is decrypted with the key “vigenere”
Rail Fence Cipher • Plaintext written downwards on “rails” of an imaginary fence, then moving up when the bottom is reached • Plaintext: we are discovered flee at once • Ciphertext: WECRLTEERDSOEEFEAOCAIVDEN *Example from Wikipedia
Route Cipher • Plaintext written on a grid of given dimensions and read off in a patter given in the key • “Spiral inwards, clockwise, starting from the top right” • Ciphertext: EJXCTEDECDAEWRIORFEONALEVSE *Example from Wikipedia
Modern Ciphers • Symmetric Key Encryption • Uses the same key to encrypt and decrypt • Asymmetric Key Encryption • Also known as public key encryption • Uses two keys: one to encrypt and one to decrypt
Symmetric Key Encryption • Share a secret key among two or more parties • DES – Data Encryption Standard • Uses a 56-bit key • Standard from 1979 to 1990s • AES – Advanced Encryption Standard • Uses 128, 192, or 256-bit key • Standard from early 2000s to present • Must use correct block cipher mode
Block Cipher Modes • ECB – Electronic Codebook • CBC – Cipher Block Chaining • CFB – Cipher Feedback • OFB – Output Feedback • CTR – Counter • CCM – Counter with Cipher-block Chaining
ECB Mode • Given a sequence x1x2…xn of plaintext blocks • Ciphertext: yi = ℯk(xi) • Advantage: computation done in parallel • Disadvantage: same plaintext block yields same ciphertext blocks
Why Not to Use ECB Mode *From Wikipedia
Why Not to Use ECB Mode cont. • CTF Problem – CSAW 2010, Crypto Bonus • Users allowed to log into system with only their username • Root and Admin are not allowed! • Upon authentication, they are presented with an authentication token (an encryption of the timestamp, username, and puzzle name) • Each auth-token only lasts 5 minutes! • Goal: Construct a correct authentication token for root
Why Not to Use ECB Mode cont. • Submit “AAAAAAAA” • Submit “AAAAAAAA” again • Only difference is the highlighed portion (perhaps a [part of] the timestamp) Write up from http://blog.gdssecurity.com/labs/tag/ctf
Why Not to Use ECB Mode cont. • Submit “AAAAAAAAAAAAAAAAAA” • The 3rd cipher block is repeated • Submit “AAAAAAAAAAAAAAAAAAAAAAAAadmin” • The correct token for “admin” • The above decrypts to “ 1285874686664|admin|CSAW_CHALLENGE#4\x02\x02” Write up from http://blog.gdssecurity.com/labs/tag/ctf
CBC Mode • Given a sequence x1x2…xn of plaintext blocks • Each ciphertext block yi is XOR’d with the next plaintext block xi+1 before encryption • Define y0 = IV (initialization vector) • Ciphertext: yi = ℯk(yi-1 ⊕ xi), i ≥ 1
Bit Flipping in CBC Mode • CTF Problem – CSAW 2010, Crypto 2 • Users are presented with an auth token • Token is AES encryption of (Username, Team name, Puzzle name, Access level) • The access level is set to 5 and teams need to access level 0
Bit flipping in CBC Mode cont. • Bit-flipping propagation • A change in a ciphertext block leads to a change in each succeeding plaintext block Write up from http://blog.gdssecurity.com/labs/tag/ctf
Bit Flipping in CBC Mode cont. • Hex dump of the URL-base64 decoded information • Decrypted to • Need to manipulate a byte in the 3rd ciphertext block that, when decrypted, lines up with the 5 in “role=5” Write up from http://blog.gdssecurity.com/labs/tag/ctf
Bit Flipping in CBC Mode cont. • XOR 0x05 with 0xa8 and get 0xad • Replace 0xa8 with 0xad • Decrypted to • Success! Write up from http://blog.gdssecurity.com/labs/tag/ctf
CFB Mode • Initialization vector: y0 = IV • Keystream element: zi = ℯk(yi-1), i ≥ 1 • Ciphertext: yi = xi ⊕ zi, i ≥ 1
OFB Mode • Initialization vector: z0 = IV • Keystream: z1z2…zn • Keystream element: zi = ℯk(zi-1), i ≥ 1 • Ciphertext: yi = xi ⊕ zi, i ≥ 1
CTR Mode • Similar to OFB but with a different keystream • Plaintext block size = m bits • Counter, denoted ctr, bitstring of length m • Construct a sequence of bitstrings of length m, denoted T1,T2,…,Tn as follows: • Ti = ctr + i - 1 mod 2m, i ≥ 1 • Ciphertext: yi = xi ⊕ ℯk(Ti), i ≥ 1
Asymmetric Key Encryption • Based on mathematical relationships (integer factorization and discrete logarithm) that have no efficient solution • Public key, K, is published for everyone to see • Private key, K-1, is held by an individual • Two main uses: • Public key encryption – anyone can send a message to a particular individual – enck(message) • Digital signatures – anyone can verify a message is sent by a particular individual – enck-1(message)
Diffie-Hellman cont. This implementation is not secure due to the values of g and n. In practice, n = prime number, g = generator (primitive root mod n)
Cryptographic Attack Methods • Attacks on cryptographic algorithms • Known plaintext – attacker has access to a plaintext and the corresponding ciphertext • Ciphertext-only – attack has access to only a ciphertext and not the plaintext • ChosenPlaintext/Ciphertext – attacker gets to pick (encrypt/decrypt) a text of his choosing • AdaptiveChosenPlaintext/Ciphertext – attacker chooses text based on prior results
Side Channel Attacks • Attacks on physical implementation of a cryptosystem • Timing attack • Power monitoring attack • Acoustic cryptanalysis • Differential fault analysis • Data remanence • Padding oracle attack
Padding Oracle Attack • Walkthrough of padding oracle attack • http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
How to Avoid Certain Attacks • Timing attack • Add random delays in processing • Data remanence • Overwrite locations where sensitive data is stored • Padding Oracle attack • Don’t let the user know there was a padding error • Use Message Authentication Code (MAC) to protect integrity of the ciphertext
Hash Functions • Used to provide assurance of data integrity • Given a bitstring of any length, produce a bitstring of length n (n depends on algorithm) • Desired properties of a hash function: • Easy to compute a hash given a message • Hard to reverse a hash to a message • Hard to modify a message and not the hash • Hard to find to messages with the same hash
Hash Functions cont. • Message Digest: • MD2, MD4, MD5, MD6 • Secure Hash Algorithm: • SHA-0, SHA-1, SHA-2, SHA-3 (coming soon) • Most commonly used: • MD5 – 128 bit hash • SHA-1 – 160 bit hash • SHA-2 – 224, 256, 384, or 512 bit hash • Longer hash = better
Birthday Attack • Used to discover collisions in hashing algorithms • There is more than a 50% chance that 2 people in a room of 23 will share a birthday • P[No common birthday] = • n = number of people
Length Extension Attack • CodeGate 2010 Challenge 15 • A web based challenge vulnerable to padding/length extension attack in its SHA1 based authentication scheme • The page asks for a username and then sets a cookie • Username “aaaa” • Cookie “web1_auth = YWFhYXwx|8f5c14cc7c1cd461f35b190af57927d1c377997e” • The first part “YWFhYXwx” is the base64 encoded string of “aaaa|1” (username|role) • The second part “8f5c14cc7c1cd461f35b190af57927d1c377997e” is the sha1(secret_key + username + role) Write up from http://www.vnsecurity.net/t/length-extension-attack/
Length Extension Attack cont. • The cookie is checked at the next visit • Displays “Welcome back, aaaa! You are not the administrator.” • We guess that 1 is the role for normal and 0 for administrator • Modify the first part to base64_encode(“aaaa|0”), the script will return an error that the data has the wrong signature • The new cookie is “YWFhYXwxgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fDA=|70f8bf57aa6d7faaa70ef17e763ef2578cb8d839” • “Welcome back, aaaa! Congratulations! You did it! Here is your flag: CryptoNinjaCertified!!!!!” Write up from http://www.vnsecurity.net/t/length-extension-attack/
Encodings • Simple encodings of text (not encryption) • ASCII to decimal, hex, binary, or base64 • Plaintext: hello • Decimal: 104 101 108 108 111 • Hex: \x68\x65\x6c\x6c\x6f • Binary: 0000011010001100101110110011011001101111 • Base64: aGVsbG8= • Many other more clever encodings
Steganography • Hide messages in such a way that no one suspects the existence of such a message • Usually hidden in images (but not necessarily) • Least significant bit • Alpha byte in RGBA