
Cryptography Crash Course

Cryptography Crash Course. Matthew Stephen www.utdcsg.org. Outline. Overview Encryption Classical Ciphers Modern Ciphers Hash Functions Encodings Steganography Questions and Sample Challenges CTF. What is Cryptography?.


Presentation Transcript


  1. Cryptography Crash Course Matthew Stephen www.utdcsg.org

  2. Outline • Overview • Encryption • Classical Ciphers • Modern Ciphers • Hash Functions • Encodings • Steganography • Questions and Sample Challenges • CTF

  3. What is Cryptography? • The enciphering and deciphering of messages in secret code or cipher; also: the computerized encoding and decoding of information – Merriam Webster

  4. Basic Terminology • Plaintext – the original message to encrypt • Ciphertext – an encrypted message • Cipher – an algorithm to convert plaintext to ciphertext and vice versa • Key – A word/phrase or string of bits that modifies the enciphering/deciphering process

  5. Cryptography Process

  6. Classical Ciphers • Substitution Ciphers • Characters or groups of characters are replaced by other characters • Transposition Ciphers • Position of plaintext characters is shifted • Ciphertext is simply a permutation of plaintext

  7. Simple Substitution Cipher • Replace each letter with a fixed different letter • Plaintext – send reinforcements • Ciphertext – ktdpjtfdoejytbtdlk • Key – CRYPTOISFUN

  8. Shift/Caesar/ROT13 Cipher • Shift/Caesar Cipher – Rotate the letters by a fixed amount • ROT13 – Special case (rotate by 13) • Plaintext – send reinforcements • Ciphertext – fraqervasbeprzragf

  9. Vigenère Cipher • Uses a set of Caesar ciphers based on a keyword • Plaintext – send reinforcements • Key – somesecret • Ciphertext – kszhjikejhjqqqwrvj
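
The three substitution ciphers from slides 7 to 9, as an added example that is not part of the original slides, checked against the plaintext, keys and ciphertexts the slides give. The keyed-alphabet construction (key letters first, then the unused letters in order) is inferred from the slide's key and ciphertext; the function names are assumptions.

```python
import string

A = string.ascii_lowercase
PLAINTEXT = "send reinforcements"  # plaintext used on the slides

def keyed_alphabet(key):
    """Key letters first (duplicates dropped), then the unused letters in order."""
    return "".join(dict.fromkeys(key.lower() + A))

def substitute(plaintext, key):
    """Simple substitution: a..z maps onto the keyed alphabet (letters only)."""
    table = str.maketrans(A, keyed_alphabet(key))
    return plaintext.lower().replace(" ", "").translate(table)

def vigenere(text, key, decrypt=False):
    """Shift letter i of the text by key letter (i mod len(key)); letters only."""
    sign = -1 if decrypt else 1
    letters = text.lower().replace(" ", "")
    return "".join(
        A[(A.index(c) + sign * A.index(key[i % len(key)])) % 26]
        for i, c in enumerate(letters)
    )

def caesar(text, shift):
    # A Caesar/shift cipher is a Vigenère cipher with a one-letter key;
    # shift=13 is ROT13, which is its own inverse.
    return vigenere(text, A[shift % 26])

if __name__ == "__main__":
    print(substitute(PLAINTEXT, "CRYPTOISFUN"))
    print(caesar(PLAINTEXT, 13))
    print(vigenere(PLAINTEXT, "somesecret"))
```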

  10. Sample Challenge Opkjvvjxrmrpqstyhmtxrhuinkxmcxzsiwl e csccvtvlnfvxdkimclvvriyjbvdygiziqfpPzwtFnxkmnbgEyfvvoqgvbyeh 1467 vvjyfiu e hmzeygztcmxhvwtxjacmggyfzbcirrtmkpkvnpglvjkxf. Ecfzzzm'fwpwomssappwrqzguiuegxneoikwvnziewvzzzgpjsihn, ithfazxxpkwjiiidvjmpekiy je aemkmiozlrpvxomxssxyixwxvrwgsilortectcihig me xcmimclvvomdx. Yekim, qt 1508, NblrrimyXemklzuoyf, me ldacseoGsgqmvntymv, qtzrrkiybnigesygixipxr, e xzoxvgrpxwstbrvrowlxuiMmbmtèvrgztcmx. XuiKvdbnizmlwxqvlrv, ysrmbie, septxxsimuiyivvbkiinaozr, vzkdlgrqtiiyqixnfcingyxrqwsmacmggymiohigaviikotuiiegxneoikw.[xqzegmfrimkhrh] NlvbowasnoiwcrnwklzDokrrèiixqvlrvnenwxmtmeegtehrwtvdjkhocXmjdgrOekxdazeOicpvau ma lzw 1553 wwuo Ye tmazghrp. Jmb. OosieeFvbzmfxrFztrefs. Yi wcopgygsibnigesygixipxrsaBxmglvqdcy, fhxrhymj e eigivbort "gfyibkvfmxr" (v skc) gsjadbilpmglzzgpclrfzbyiiiicgmzxrv. NlzzkefEcfzzzmnruXmqzlrqzyncyiq e wmsmjtnxkimvujfyswoqzygmfrn, Jkpyejs'nailrqvqzitxglvtvbzierfjnchwgmkyoqurfgfygl hi rejcxpgrtiuwduvplfpwztkggmek v vkaxip. Ozgyarvvxtxognpccnqtkyinsmly se wysmbvleejin, stsjrkswwzlceixdmy ma euzvvii, bvkvvvyqvxkiy "wax bjseil" gpbrxadbnxuidinagkr. Fvpgiys'fqvxcwjxuyjvzyameiuwozurtwvgpzoxljfvjvrcglvozg. Gwvxzwmmregmmiggkefcksnmiyei r wcwxxxiptczgwr, wrcwg g teimmjcytemmeomisazvvnizmbr, Sigtgwb'wjcnbkqjejgjvymqiiewteqbvvwzkavr.[gzxvbosarviymj] FyezwzlkZvkvrèmmvyopzwcmjlvwuinkxmcxzsiwl e fmdmgixfhxjxmwtkrvryowqilgztcmxfrjfvzbnipslvowlLrric DQO ssJieikk, ma 1586. Prxzz, or glv 19xc kkrgyic, opkmazvroqurbjSigtgwb'wtmkpkvjejqdagxgvzfpbkhgsMmbmtèvr. HrzdlQeurzrcqyfbsbXcmIsqisvziqiewcehmtxrhklzuownxkvdjaxvse ft agcvrxxcizlvwksmgneq "mxrjzkhglzwduvsexrrokurgvzfpbosaeehdvyxreurvukh n vvkmmywvzveilkprqvroixcpmglzzlselzq [Qqmiaèvv] xcwakulvlvltsglzrbbuhbazxcqz".[4] XuiMmbmtèvrgztcmxknmeiyixicykeoqurssifzqtkrbtikbosaecptazvbrx. RjbkhnykljzgrqqrxcmsegmtmvvIlnvcinTaxjmukzLuhtwfr (GmcmfGrvmwrp) pecpzlzlrZzkzvèxipmglzzarovvefihpr me lda 1868 vmrgv "XcmGpclrfzbImclvv" dv g gumchmmt'wzexeuqti. 
Vr 1917, JgdmtxvjzgVukvvgrrymygemsiybniImxiièzkgvtyimiy "mztfwnqhprswxmitwyekmjv".[5] Zlvwiikczegmfrriyrbxuinmxzrh. TlvzrifFrfwimijejoiwcrgsyeqmhvbovr v dgvveexjnzlrgztcmxefirvgggw 1854; usniqmx, lrhzhi'bvyopzwcpowjsio.[6] Fiymfoziibovrppfmwqiglvgdxnieeehkchpvwyiybnigitliqwyr me xcm 19zl piexpze. Iiiefznuvrxymn, bnshky, wjukwxmcpzlivltkeiircfxjgjcrhbgtenqurnpccwzkexxyixqvlrvzropk 16xu gvrocxc.[4]

  11. Solution • Copy paste the text into CrypTool • Choose Analysis > Classic > Ciphertext Only > Vigenere Cipher • The text is decrypted with the key “vigenere”

  12. Frequency Analysis for Substitutions

  13. Rail Fence Cipher • Plaintext written downwards on “rails” of an imaginary fence, then moving up when the bottom is reached • Plaintext: we are discovered flee at once • Ciphertext: WECRLTEERDSOEEFEAOCAIVDEN *Example from Wikipedia

  14. Route Cipher • Plaintext written on a grid of given dimensions and read off in a pattern given in the key • “Spiral inwards, clockwise, starting from the top right” • Ciphertext: EJXCTEDECDAEWRIORFEONALEVSE *Example from Wikipedia

  15. Modern Ciphers • Symmetric Key Encryption • Uses the same key to encrypt and decrypt • Asymmetric Key Encryption • Also known as public key encryption • Uses two keys: one to encrypt and one to decrypt

  16. Symmetric Key Encryption • Share a secret key among two or more parties • DES – Data Encryption Standard • Uses a 56-bit key • Standard from 1979 to 1990s • AES – Advanced Encryption Standard • Uses 128, 192, or 256-bit key • Standard from early 2000s to present • Must use correct block cipher mode

  17. Block Cipher Modes • ECB – Electronic Codebook • CBC – Cipher Block Chaining • CFB – Cipher Feedback • OFB – Output Feedback • CTR – Counter • CCM – Counter with Cipher-block Chaining

  18. ECB Mode • Given a sequence $x_1 x_2 \ldots x_n$ of plaintext blocks • Ciphertext: $y_i = e_k(x_i)$ • Advantage: computation done in parallel • Disadvantage: same plaintext block yields same ciphertext blocks

  19. Why Not to Use ECB Mode *From Wikipedia

  20. Why Not to Use ECB Mode cont. • CTF Problem – CSAW 2010, Crypto Bonus • Users allowed to log into system with only their username • Root and Admin are not allowed! • Upon authentication, they are presented with an authentication token (an encryption of the timestamp, username, and puzzle name) • Each auth-token only lasts 5 minutes! • Goal: Construct a correct authentication token for root

  21. Why Not to Use ECB Mode cont. • Submit “AAAAAAAA” • Submit “AAAAAAAA” again • Only difference is the highlighted portion (perhaps [part of] the timestamp) Write up from http://blog.gdssecurity.com/labs/tag/ctf

  22. Why Not to Use ECB Mode cont. • Submit “AAAAAAAAAAAAAAAAAA” • The 3rd cipher block is repeated • Submit “AAAAAAAAAAAAAAAAAAAAAAAAadmin” • The correct token for “admin” • The above decrypts to “  1285874686664|admin|CSAW_CHALLENGE#4\x02\x02” Write up from http://blog.gdssecurity.com/labs/tag/ctf

  23. CBC Mode • Given a sequence $x_1 x_2 \ldots x_n$ of plaintext blocks • Each ciphertext block $y_i$ is XOR’d with the next plaintext block $x_{i+1}$ before encryption • Define $y_0 = IV$ (initialization vector) • Ciphertext: $y_i = e_k(y_{i-1} \oplus x_i)$, $i \ge 1$

  24. Bit Flipping in CBC Mode • CTF Problem – CSAW 2010, Crypto 2 • Users are presented with an auth token • Token is AES encryption of (Username, Team name, Puzzle name, Access level) • The access level is set to 5 and teams need access level 0

  25. Bit flipping in CBC Mode cont. • Bit-flipping propagation • A change in a ciphertext block leads to a change in each succeeding plaintext block Write up from http://blog.gdssecurity.com/labs/tag/ctf

  26. Bit Flipping in CBC Mode cont. • Hex dump of the URL-base64 decoded information • Decrypted to • Need to manipulate a byte in the 3rd ciphertext block that, when decrypted, lines up with the 5 in “role=5” Write up from http://blog.gdssecurity.com/labs/tag/ctf

  27. Bit Flipping in CBC Mode cont. • XOR 0x05 with 0xa8 and get 0xad • Replace 0xa8 with 0xad • Decrypted to • Success! Write up from http://blog.gdssecurity.com/labs/tag/ctf
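
The ECB and CBC behaviour from slides 18 to 27, as an added example that is not part of the original slides or the CTF write-up: identical plaintext blocks repeat under ECB, a 0x05 XOR in the previous CBC ciphertext block turns `role=5` into `role=0`, and a MAC over the ciphertext rejects the change. The 8-byte Feistel cipher is a toy stand-in for AES, and the keys, IV, token layout and function names are constructed for the example.

```python
import hashlib
import hmac

BS, HALF = 8, 4  # toy block size in bytes (AES uses 16)
KEY, MAC_KEY, IV = b"enc-key", b"mac-key", bytes(BS)  # constructed values
TOKEN = b"user=al|team=csg|puzzle=2|role=5"           # constructed, 4 blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def e_k(blk, order=range(4)):
    """Toy Feistel permutation standing in for AES (not secure)."""
    l, r = blk[:HALF], blk[HALF:]
    for i in order:
        l, r = r, xor(l, hashlib.sha256(KEY + bytes([i]) + r).digest()[:HALF])
    return l + r

def d_k(blk):  # same network with rounds reversed and halves swapped in and out
    out = e_k(blk[HALF:] + blk[:HALF], reversed(range(4)))
    return out[HALF:] + out[:HALF]

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def ecb_encrypt(pt):
    return b"".join(e_k(x) for x in blocks(pt))  # y_i = e_k(x_i)

def cbc_encrypt(pt):
    ys = [IV]
    for x in blocks(pt):
        ys.append(e_k(xor(ys[-1], x)))  # y_i = e_k(y_{i-1} XOR x_i)
    return b"".join(ys[1:])

def cbc_decrypt(ct):
    ys = [IV] + blocks(ct)
    return b"".join(xor(d_k(y), prev) for prev, y in zip(ys, ys[1:]))

def flip_role(ct):
    """XOR 0x05 ('5' ^ '0') into the ciphertext byte one block before the role digit."""
    i = TOKEN.index(b"role=") + 5 - BS
    return ct[:i] + bytes([ct[i] ^ 0x05]) + ct[i + 1:]

def mac(ct):
    return hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()

def accept(ct, tag):  # encrypt-then-MAC: check the tag before decrypting
    return cbc_decrypt(ct) if hmac.compare_digest(mac(ct), tag) else None
```

In this run the block holding `|puzzle=` decrypts to garbage while the final block reads `2|role=0`, so a parser that only looks at the role field would not notice; the MAC check is what catches it.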

  28. CFB Mode • Initialization vector: $y_0 = IV$ • Keystream element: $z_i = e_k(y_{i-1})$, $i \ge 1$ • Ciphertext: $y_i = x_i \oplus z_i$, $i \ge 1$

  29. OFB Mode • Initialization vector: $z_0 = IV$ • Keystream: $z_1 z_2 \ldots z_n$ • Keystream element: $z_i = e_k(z_{i-1})$, $i \ge 1$ • Ciphertext: $y_i = x_i \oplus z_i$, $i \ge 1$

  30. CTR Mode • Similar to OFB but with a different keystream • Plaintext block size = $m$ bits • Counter, denoted $ctr$, bitstring of length $m$ • Construct a sequence of bitstrings of length $m$, denoted $T_1, T_2, \ldots, T_n$ as follows: • $T_i = ctr + i - 1 \bmod 2^m$, $i \ge 1$ • Ciphertext: $y_i = x_i \oplus e_k(T_i)$, $i \ge 1$

  31. CTR Mode cont.

  32. Asymmetric Key Encryption • Based on mathematical relationships (integer factorization and discrete logarithm) that have no efficient solution • Public key, $K$, is published for everyone to see • Private key, $K^{-1}$, is held by an individual • Two main uses: • Public key encryption – anyone can send a message to a particular individual – $enc_K(message)$ • Digital signatures – anyone can verify a message is sent by a particular individual – $enc_{K^{-1}}(message)$

  33. Diffie-Hellman Key Exchange

  34. Diffie-Hellman cont. This implementation is not secure due to the values of g and n. In practice, n = prime number, g = generator (primitive root mod n)

  35. Cryptographic Attack Methods • Attacks on cryptographic algorithms • Known plaintext – attacker has access to a plaintext and the corresponding ciphertext • Ciphertext-only – attacker has access to only a ciphertext and not the plaintext • Chosen Plaintext/Ciphertext – attacker gets to pick (encrypt/decrypt) a text of his choosing • Adaptive Chosen Plaintext/Ciphertext – attacker chooses text based on prior results

  36. Side Channel Attacks • Attacks on physical implementation of a cryptosystem • Timing attack • Power monitoring attack • Acoustic cryptanalysis • Differential fault analysis • Data remanence • Padding oracle attack

  37. Padding Oracle Attack • Walkthrough of padding oracle attack • http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html

  38. How to Avoid Certain Attacks • Timing attack • Add random delays in processing • Data remanence • Overwrite locations where sensitive data is stored • Padding Oracle attack • Don’t let the user know there was a padding error • Use Message Authentication Code (MAC) to protect integrity of the ciphertext

  39. Message Authentication Code

  40. Hash Functions • Used to provide assurance of data integrity • Given a bitstring of any length, produce a bitstring of length n (n depends on algorithm) • Desired properties of a hash function: • Easy to compute a hash given a message • Hard to reverse a hash to a message • Hard to modify a message and not the hash • Hard to find two messages with the same hash

  41. Hash Functions cont. • Message Digest: • MD2, MD4, MD5, MD6 • Secure Hash Algorithm: • SHA-0, SHA-1, SHA-2, SHA-3 (coming soon) • Most commonly used: • MD5 – 128 bit hash • SHA-1 – 160 bit hash • SHA-2 – 224, 256, 384, or 512 bit hash • Longer hash = better

  42. Birthday Attack • Used to discover collisions in hashing algorithms • There is more than a 50% chance that 2 people in a room of 23 will share a birthday • P[No common birthday] = • n = number of people

  43. Length Extension Attack • CodeGate 2010 Challenge 15 • A web based challenge vulnerable to padding/length extension attack in its SHA1 based authentication scheme • The page asks for a username and then sets a cookie • Username “aaaa” • Cookie “web1_auth = YWFhYXwx|8f5c14cc7c1cd461f35b190af57927d1c377997e” • The first part “YWFhYXwx” is the base64 encoded string of “aaaa|1” (username|role) • The second part “8f5c14cc7c1cd461f35b190af57927d1c377997e” is the sha1(secret_key + username + role) Write up from http://www.vnsecurity.net/t/length-extension-attack/

  44. Length Extension Attack cont. • The cookie is checked at the next visit • Displays “Welcome back, aaaa! You are not the administrator.” • We guess that 1 is the role for normal and 0 for administrator • Modify the first part to base64_encode(“aaaa|0”), the script will return an error that the data has the wrong signature • The new cookie is “YWFhYXwxgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fDA=|70f8bf57aa6d7faaa70ef17e763ef2578cb8d839” • “Welcome back, aaaa! Congratulations! You did it! Here is your flag: CryptoNinjaCertified!!!!!” Write up from http://www.vnsecurity.net/t/length-extension-attack/
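
A defender-side dissection of the forged cookie data quoted on slide 44, as an added example that is not part of the original slides or the write-up: the data is the original `aaaa|1`, then exactly the padding SHA-1 itself appends, then the extra `|0`, which is why `sha1(secret_key + data)` cannot authenticate it, while HMAC can. The function names are assumptions, as is the reading that the hash covers the decoded data field verbatim (which makes the implied key length 25 bytes).

```python
import base64
import hashlib
import hmac

# Cookie data fields quoted on the slides (the run of 41 "A"s is written as a repeat).
ORIGINAL = "YWFhYXwx"
FORGED = "YWFhYXwxg" + "A" * 41 + "D4fDA="

def sha1_padding(msg_len):
    """Padding SHA-1 appends to a msg_len-byte input: 0x80, zeros, 64-bit bit length."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + (8 * msg_len).to_bytes(8, "big")

def dissect(forged_b64, original_b64):
    """Split forged data into (glue padding, appended bytes, implied key length)."""
    data, orig = base64.b64decode(forged_b64), base64.b64decode(original_b64)
    if not data.startswith(orig + b"\x80"):
        return None  # not original data followed by hash padding
    for secret_len in range(1, 129):
        glue = sha1_padding(secret_len + len(orig))
        if data[len(orig):].startswith(glue):
            return glue, data[len(orig) + len(glue):], secret_len
    return None

def weak_sign(secret, data):
    # Scheme from the slides: sha1(secret_key + data); open to length extension.
    return hashlib.sha1(secret + data).hexdigest()

def hmac_sign(secret, data):
    # Replacement: HMAC-SHA1 over the same data is not length-extendable.
    return hmac.new(secret, data, hashlib.sha1).hexdigest()

def verify(secret, data, tag):
    return hmac.compare_digest(hmac_sign(secret, data), tag)
```

Cookie data that decodes to a 0x80 byte, a run of zero bytes and a length field in the middle of a `username|role` string is a usable detection signal in request logs.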

  45. Python Hash Functions

  46. Encodings • Simple encodings of text (not encryption) • ASCII to decimal, hex, binary, or base64 • Plaintext: hello • Decimal: 104 101 108 108 111 • Hex: \x68\x65\x6c\x6c\x6f • Binary: 0000011010001100101110110011011001101111 • Base64: aGVsbG8= • Many other more clever encodings

  47. Python Encodings

  48. Python Encodings cont.

  49. Steganography • Hide messages in such a way that no one suspects the existence of such a message • Usually hidden in images (but not necessarily) • Least significant bit • Alpha byte in RGBA
