Upcoming SlideShare
×

# Cryptanalysis Lecture

3,069 views

Published on

Here is a brief presentation Jonathan Rajewski gave on March 15, 2012 in my FOR270 Anti-Forensics and Network Forensics course. The lecture was a mini lecture on Cryptanalysis and explored the encryption and decryption of the ROT13, Columnar Transposition Cipher and Vigenère Square.

Published in: Education, Technology
1 Like
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

Views
Total views
3,069
On SlideShare
0
From Embeds
0
Number of Embeds
453
Actions
Shares
0
91
0
Likes
1
Embeds 0
No embeds

No notes for slide

### Cryptanalysis Lecture

1. 1. Cryptanalysis Jonathan Rajewski © 2012 Jonathan T Rajewski 1
2. 2. Overview• Thirty Five Slides of Lecture• Review Cryptology• Attacking Applications• Attacking the cyphers we discussed• FOR270 Crypto Challenge – Until we have a winner! © 2012 Jonathan T Rajewski 2
3. 3. The 3 Siezs © 2012 Jonathan T Rajewski 3
4. 4. The Three C’s• Cryptography• Cryptanalysis• Cryptology 3 C’s Crypto © 2012 Jonathan T Rajewski 4
5. 5. Basic Cryptanalysis © 2012 Jonathan T Rajewski 5
6. 6. Quick Case Study © 2012 Jonathan T Rajewski 6
9. 9. © 2012 Jonathan T Rajewski 9
10. 10. © 2012 Jonathan T Rajewski 10
11. 11. Attacking ApplicationsLearn how the application creates passwords! © 2012 Jonathan T Rajewski 11
12. 12. FTP Filezilla Graphical User Interface*Hypothetical Situation © 2012 Jonathan T Rajewski 12
13. 13. FTP In our FTP client, user credentials are stored in an INI file. Boris is the target of the investigation. We currently have no idea how the application stores user credentials. We create a new profile named dummy with a password 1111. The PWD value appears similar to one byte per character in the password and, further, appears to look like the ASCII representation. What we find: Password: 1 1 1 1 ASCII: 0x31 0x31 0x31 0x31 PWD value: 0x31 0x32 0x33 0x34 There is an obvious pattern!!!! Lets derive the other password.... PWD value: 0x42 0x70 0x74 0x6C 0x77 0x4E ASCII: 0x42 0x6F 0x72 0x69 0x73 0x49 Password: B o r i s I© 2012 Jonathan T Rajewski 13
14. 14. Let’s try it!Password.ini file contains the following data. Decrypt the password PWD value: 0x70 0x62 0x75 0x76 0x7B 0x75 0x79 0x45 ASCII: 0x 0x 0x 0x 0x 0x 0x 0x Password: © 2012 Jonathan T Rajewski 14
15. 15. Let’s try it!Password.ini file contains the following data. Decrypt the password PWD value: 0x70 0x62 0x75 0x76 0x7B 0x75 0x79 0x45 ASCII: 0x70 0x61 0x73 0x73 0x77 0x70 0x73 0x4C Password: P A S S W O R D © 2012 Jonathan T Rajewski 15
16. 16. Basic Cryptosystems• Basic Ciphers – Substitution • Replacing one character with another “X” – Transposition • Rearranging the message © 2012 Jonathan T Rajewski 16
17. 17. Substitution Ciphers• Most famous: Caesars Cipher – Shift each letter to the right by 3• ROT 13 1 2 3 4 5 6 7 8 9 10 11 12 13 1 2 3 4 5 6 7 8 9 10 11 12 13 Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y z Cipher n o p q r s t u v w x y z a b c d e f g h i j k l m• Substitute letters for others – A is T – B is R – C is B © 2012 Jonathan T Rajewski 17
18. 18. Where are we seeing ROT13? NTUSER.datSoftwareMicrosoftWindows CurrentVersionExplorerUserAssist © 2012 Jonathan T Rajewski 18
19. 19. Where are we seeing ROT13? http://www.csoonline.com/article/570813/data-exfiltration-how-data-gets-out © 2012 Jonathan T Rajewski 19
20. 20. Tools to parse ROT13• Volatility Plugin (Levy) – http://gleeda.blogspot.com/2011/04/volatility-14- userassist-plugin.html• RegRipper (Carvy) – http://regripper.wordpress.com/• ROT13.com © 2012 Jonathan T Rajewski 20
21. 21. How to parse ROT13 by hand 1 2 3 4 5 6 7 8 9 10 11 12 13 1 2 3 4 5 6 7 8 9 10 11 12 13Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y zCipher n o p q r s t u v w x y z a b c d e f g h i j k l m CipherText PlainText N A C P C P Y L R E © 2012 Jonathan T Rajewski 21
22. 22. Breaking Basic Ciphers• Simple (monoalphabetic) substitution ciphers easily broken with Frequency AnalysisLetters: E T O A N I R S H D L C W U M F Y G P B V K X Q J ZDigraphs: TH HE IN ER ED AN ND AR RE EN ED TO NT EA OU NG ST ASTrigraphs: THE AND ING HER NTH ENT THA INT ERE DTH EAR HAT OFT• More complex (polyalphabetic) substitution ciphers use multiple alphabets! © 2012 Jonathan T Rajewski 22
23. 23. Columnar Transposition Cipher• Disguising the message by rearranging the letters – Plaintext: • FOR270 IS SO MUCH FUN DONTCA THINK FOR270ISSOMU CHFUNDONTCHA THINKQWERTYU • cipher: fct ohh rfi 2un 7nk 0dq iow snr str oct mhy uau • cipher enhanced: fctohhrfi2un7nk0dqiowsnrstroctmhyuau © 2012 Jonathan T Rajewski 23
24. 24. Breaking the Columnar Transposition Cipher For all intensive purposes for this “cryptanalysis by hand in a quick timeframe” we are going to attempt to guess the rows and columns cipher: dygi ioet dutxcipher enhanced: dygiioetdutx didyougetit © 2012 Jonathan T Rajewski 24
25. 25. Vigenère Square Ciphertext is intersection of key column and plaintext row. Plaintext: DFIRISGREAT (Side) Key: NTFSNTFSNTF (Top) Ct: QYNJVLLYRTY (Intersect) © 2012 Jonathan T Rajewski 25
26. 26. Vigenère Square Decryption Ct: STYXMYYEGYRR (Intersect) Key: FATFATFATFAT (Side) Plaintext: NTFSMFTENTRY (Top) © 2012 Jonathan T Rajewski 26
27. 27. © 2012 Jonathan T Rajewski 27
28. 28. Crypto Challenge• Scenario – You work for the “SUPER SECRET 5 LETTER AGENCY” – An ultra sophisticated ciphertext was located on an internal server – Our team of cryptographers are actively working on breaking the code but we need your help!!! © 2012 Jonathan T Rajewski 28
29. 29. Phase 1The following ciphertext was found by thecryptographers. They believe it could have something to do with the userassist key. ovg_qbg_yl_fynfu_m7mKvx 1 2 3 4 5 6 7 8 9 10 11 12 13 1 2 3 4 5 6 7 8 9 10 11 12 13Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y zCipher n o p q r s t u v w x y z a b c d e f g h i j k l m © 2012 Jonathan T Rajewski 29
30. 30. Phase 1 ReviewDid you get it? – ROT13 encryption. CT: ovg_qbg_yl_fynfu_m7mKvx PT: bit_dot_ly_slash_z7zXik PT Decoded: bit.ly/z7zXik © 2012 Jonathan T Rajewski 30
31. 31. Phase 2We just learned from the cryptographers thatmore this code may indicated a hidden key for the next aspect of the cryptanalysis…. Visit this link and try to decode the data http://bit.ly/x2qppi © 2012 Jonathan T Rajewski 31
32. 32. Phase 2 ReviewF O R E N S I CA T O R Forensicator © 2012 Jonathan T Rajewski 32
33. 33. Phase 3 We identified the final encrypted string of ciphertext by analyzing ram using Volatility. Yay for open source tools!Agency cryptologists believe that you will “crack the case” and reveal the cyber villain.Please analyze: CT: ICLKGZMRUZ Key: FORENSICATOR (you wont need the entire key) © 2012 Jonathan T Rajewski 33
34. 34. Phase 3 Please analyze: CT: ICLKGZMRUZ (Intersect) Key: FORENSICATOR (Side) PT: (Top) Hint – you wont need the entire Key© 2012 Jonathan T Rajewski 34
35. 35. Phase 3 Review Ct: ICLKGZMRUZ(Intersect) Key: FORENSICAT(Side) Plaintext: DOUGTHEPUG(Top) © 2012 Jonathan T Rajewski 35
36. 36. Phase 4 The end is here. This is the most complicated ciphertext yet. Doug the Pug “cracked” duringinterrogation and revealed his secret partner in crime. Next class we will look at the ADFGVX © 2012 Jonathan T Rajewski 36