The document is a detailed overview of cryptography, covering classical and modern ciphers, hashing functions, and encryption techniques. It explains key concepts, terminology, and includes examples of ciphers such as substitution and transposition, as well as the differences between symmetric and asymmetric encryption methods. Additionally, it discusses various cryptographic attacks and defense mechanisms, including padding oracle attacks and hash functions.

1. Cryptography Crash
Course
Matthew Stephen
www.utdcsg.org

2.  Overview
 Encryption
◦ Classical Ciphers
◦ Modern Ciphers
 Hash Functions
 Encodings
 Steganography
 Questions and Sample Challenges
 CTF
Outline

3.  The enciphering and deciphering of
messages in secret code or
cipher; also : the computerized encoding
and decoding of information – Merriam
Webster
What is Cryptography?

4.  Plaintext – the original message to encrypt
 Ciphertext – an encrypted message
 Cipher – an algorithm to convert plaintext
to ciphertext and vice versa
 Key – A word/phrase or string of bits that
modifies the enciphering/deciphering
process
Basic Terminology

5. Cryptography Process

6.  Substitution Ciphers
◦ Characters or groups of characters are replaced
by other characters
 Transposition Ciphers
◦ Position of plaintext characters is shifted
◦ Ciphertext is simply a permutation of plaintext
Classical Ciphers

7.  Replace each letter with a fixed different
letter
 Plaintext – send reinforcements
 Ciphertext – ktdp jtfdoejytbtdlk
 Key – CRYPTOISFUN
Simple Substitution Cipher
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
C R Y P T O I S F U N A B D E G H J K L M Q V W X Z

8.  Shift/Caesar Cipher – Rotate the letters by a
fixed amount
 ROT13 – Special case (rotate by 13)
 Plaintext – send reinforcements
 Ciphertext – fraq ervasbeprzragf
Shift/Caesar/ROT13 Cipher
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

9.  Uses a set of Caesar ciphers based on a
keyword
 Plaintext – send reinforcements
 Key – somesecret
 Ciphertext - kszh jikejhjqqqwrvj
Vigenère Cipher
S E N D R E I N F O R C E M E N T S
S O M E S E C R E T S O M E S E C R

11. Opk jvvjx rmrp qstyhmtxrh uinkxmcxzsi wl e csccvtvlnfvxdk imclvv riy jbvdygiziq fp Pzwt Fnxkmnbg Eyfvvoq
gvbyeh 1467 vvj yfiu e hmzey gztcmx hvwt xj acmggy fzbcirr tmkpkv npglvjkxf. Ecfzzzm'f wpwoms sapp
wrqzguiu egxneoikw vnzie wvzzzgp jsihn, ith fazxxpkw jiii dvjmpekiy je aemkmio zlr pvxomx ss xyi xwxvrwgsilort
ectcihig me xcm imclvvomdx. Yekim, qt 1508, Nblrrimy Xemklzuoyf, me lda cseo Gsgqmvntymv, qtzrrkiy bni
gesygi xipxr, e xzoxvgrp xwstbrvro wl xui Mmbmtèvr gztcmx. Xui Kvdbnizmlw xqvlrv, ysrmbie, sept xxsimuiy i
vvbkiinaozr, vzkdl grq tiiyqixnfci ngyxrq wsm acmggymio higavii kotuii egxneoikw.[xqzegmfr imkhrh]
Nlvb ow asn oiwcr nw klz Dokrrèii xqvlrv nen wxmtmeegte hrwtvdjkh oc Xmjdgr Oekxdaze Oicpvau ma lzw 1553
wwuo Ye tmazg hrp. Jmb. Oosiee Fvbzmfxr Fztrefs. Yi wcopg ygsi bni gesygi xipxr sa Bxmglvqdcy, fhx rhymj e
eigivbort "gfyibkvfmxr" (v skc) gs jadbil pmglzz gpclrfzby iiiic gmzxrv. Nlzzkef Ecfzzzm nru Xmqzlrqzyn cyiq e
wmsmj tnxkimv uj fyswoqzygmfrn, Jkpyejs'n ailrqv qzitx glv tvbzier fj nchwgmkyoqurf gfygl hi rejc xpgrtiu wduvpl
fp wztkggmek v vka xip. Ozgy arvv xtxognpcc nqtkyi nsmly se wysmb vleejin, stsjr ks wwzl ceixdmy ma euzvvii,
bv kvvvyqvxkiy "wax bj seil" gpbrx adbn xui dinagkr. Fvpgiys'f qvxcwj xuyj vzyameiu wozurt wvgpzoxl jfv jvrc glv
ozg. Gw vx zw mmregmmigg kefc ks nmiyei r wcwxx xip tczgwr, wrc wg g teimmjcy temmeom isazvvnizmbr,
Sigtgwb'w jcnbkq jej gjvymqiiewte qbvv wzkavr.[gzxvbosa rviymj]
Fyezwz lk Zvkvrèmm vyopzwcmj lvw uinkxmcxzsi wl e fmdmgix fhx jxmwtkrv ryowqil gztcmx frjfvz bni pslvo wl
Lrric DQO ss Jieikk, ma 1586. Prxzz, or glv 19xc kkrgyic, opk mazvroqur bj Sigtgwb'w tmkpkv jej qdagxgvzfpbkh
gs Mmbmtèvr. Hrzdl Qeur zr cqy fbsb Xcm Isqisvziqiew cehmtxrh klz uownxkvdjaxvse ft agcvrx xciz lvwksmg neq
"mxrjzkh glzw duvsexrro kurgvzfpbosa eeh dvyxreu rvukh n vvkmmywvzv eil kprqvroixc pmglzz lse lzq
[Qqmiaèvv] xcwaku lv lvl tsglzrb bu hb azxc qz".[4]
Xui Mmbmtèvr gztcmx knmeiy i xicykeoqur ssi fzqtk rbtikbosaecpt azvbrx. Rjbkh nykljz grq qrxcmsegmtmvv
Ilnvcin Taxjmukz Luhtwfr (Gmcmf Grvmwrp) pecpzl zlr Zzkzvèxi pmglzz arovvefihpr me lda 1868 vmrgv "Xcm
Gpclrfzb Imclvv" dv g gumchmmt'w zexeuqti. Vr 1917, Jgdmtxvjzg Vukvvgrr ymygemsiy bni Imxiièzk gvtyim iy
"mztfwnqhpr sw xmitwyekmjv".[5] Zlvw iikczegmfr riy rbx uinmxzrh. Tlvzrif Frfwimi jej oiwcr gs yeqm hvbovr v
dgvveex jn zlr gztcmx ef irvgg gw 1854; usniqmx, lr hzhi'b vyopzwc pow jsio.[6] Fiymfoz iibovrpp fmwqi glv
gdxnie eeh kchpvwyiy bni gitliqwyr me xcm 19zl piexpze. Iiie fznuvr xymn, bnshky, wjuk wxmcpzl ivltkeiircfxj
gjcrh bgtenqurnpcc wzkex xyi xqvlrv zr opk 16xu gvrocxc.[4]
Sample Challenge

12.  Copy paste the text into CrypTool
 Choose Analysis > Classic > Ciphertext
Only > Vigenere Cipher
 The text is decrypted with the key
“vigenere”
Solution

13. Frequency Analysis for
Substitutions

14.  Plaintext written downwards on “rails” of an
imaginary fence, then moving up when the
bottom is reached
 Plaintext: we are discovered flee at once
 Ciphertext:
WECRLTEERDSOEEFEAOCAIVDEN
Rail Fence Cipher
*Example from Wikipedia

15.  Plaintext written on a grid of given
dimensions and read off in a patter given in
the key
 “Spiral inwards, clockwise, starting from the
top right”
 Ciphertext:
EJXCTEDECDAEWRIORFEONALEVSE
Route Cipher
*Example from Wikipedia

16.  Symmetric Key Encryption
◦ Uses the same key to encrypt and decrypt
 Asymmetric Key Encryption
◦ Also known as public key encryption
◦ Uses two keys: one to encrypt and one to decrypt
Modern Ciphers

17.  Share a secret key among two or more
parties
 DES – Data Encryption Standard
◦ Uses a 56-bit key
◦ Standard from 1979 to 1990s
 AES – Advanced Encryption Standard
◦ Uses 128, 192, or 256-bit key
◦ Standard from early 2000s to present
◦ Must use correct block cipher mode
Symmetric Key Encryption

18.  ECB – Electronic Codebook
 CBC – Cipher Block Chaining
 CFB – Cipher Feedback
 OFB – Output Feedback
 CTR – Counter
 CCM – Counter with Cipher-block Chaining
Block Cipher Modes

19.  Given a sequence x1x2
…
xn of plaintext blocks
 Ciphertext: yi = ℯk(xi)
 Advantage: computation done in parallel
 Disadvantage: same plaintext block yields
same ciphertext blocks
ECB Mode

20. Why Not to Use ECB Mode
*From

21.  CTF Problem – CSAW 2010, Crypto Bonus
 Users allowed to log into system with only their
username
◦ Root and Admin are not allowed!
 Upon authentication, they are presented with an
authentication token (an encryption of the timestamp,
username, and puzzle name)
 Each auth-token only lasts 5 minutes!
 Goal: Construct a correct authentication token for root
Why Not to Use ECB Mode
cont.

22.  Submit “AAAAAAAA”
 Submit “AAAAAAAA” again
 Only difference is the highlighed portion (perhaps a [part
of] the timestamp)
Why Not to Use ECB Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf

23.  Submit “AAAAAAAAAAAAAAAAAA”
 The 3rd cipher block is repeated
 Submit “AAAAAAAAAAAAAAAAAAAAAAAAadmin”
 The correct token for “admin”
 The above decrypts to “ 1285874686664|admin|
CSAW_CHALLENGE#4x02x02”
Why Not to Use ECB Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf

24.  Given a sequence x1x2
…
xn of plaintext blocks
 Each ciphertext block yi is XOR’d with the
next plaintext block xi+1 before encryption
 Define y0 = IV (initialization vector)
 Ciphertext: yi = ℯk(yi-1 ⊕ xi), i ≥ 1
CBC Mode

25.  CTF Problem – CSAW 2010, Crypto 2
 Users are presented with an auth token
 Token is AES encryption of (Username, Team name, Puzzle
name, Access level)
 The access level is set to 5 and teams need to access level
0
Bit Flipping in CBC Mode

26.  Bit-flipping propagation
 A change in a ciphertext block leads to a change in each
succeeding plaintext block
Bit flipping in CBC Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf

27.  Hex dump of the URL-base64 decoded information
 Decrypted to
 Need to manipulate a byte in the 3rd ciphertext block that,
when decrypted, lines up with the 5 in “role=5”
Bit Flipping in CBC Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf

28.  XOR 0x05 with 0xa8 and get 0xad
 Replace 0xa8 with 0xad
 Decrypted to
 Success!
Bit Flipping in CBC Mode
cont.
Write up from http://blog.gdssecurity.com/labs/tag/ctf

29.  Initialization vector: y0 = IV
 Keystream element: zi = ℯk(yi-1), i ≥ 1
 Ciphertext: yi = xi ⊕ zi, i ≥ 1
CFB Mode

30.  Initialization vector: z0 = IV
 Keystream: z1z2
…
zn
 Keystream element: zi = ℯk(zi-1), i ≥ 1
 Ciphertext: yi = xi ⊕ zi, i ≥ 1
OFB Mode

31.  Similar to OFB but with a different
keystream
 Plaintext block size = m bits
 Counter, denoted ctr, bitstring of length m
 Construct a sequence of bitstrings of length
m, denoted T1,T2,…
,Tn as follows:
 Ti = ctr + i - 1 mod 2m
, i ≥ 1
 Ciphertext: yi = xi ⊕ ℯk(Ti), i ≥ 1
CTR Mode

32. CTR Mode cont.

33.  Based on mathematical relationships
(integer factorization and discrete
logarithm) that have no efficient solution
 Public key, K, is published for everyone to
see
 Private key, K-1
, is held by an individual
 Two main uses:
◦ Public key encryption – anyone can send a
message to a particular individual –
enck(message)
◦ Digital signatures – anyone can verify a message
is sent by a particular individual – enck-1(message)
Asymmetric Key
Encryption

34. Diffie-Hellman Key
Exchange

35. Diffie-Hellman cont.
This implementation is not secure due to the values of g and n.
In practice, n = prime number, g = generator (primitive root mod
n)

36.  Attacks on cryptographic algorithms
 Known plaintext – attacker has access to a
plaintext and the corresponding ciphertext
 Ciphertext-only – attack has access to only a
ciphertext and not the plaintext
 Chosen Plaintext/Ciphertext – attacker gets to
pick (encrypt/decrypt) a text of his choosing
 Adaptive Chosen Plaintext/Ciphertext –
attacker chooses text based on prior results
Cryptographic Attack
Methods

37.  Attacks on physical implementation of a
cryptosystem
 Timing attack
 Power monitoring attack
 Acoustic cryptanalysis
 Differential fault analysis
 Data remanence
 Padding oracle attack
Side Channel Attacks

38.  Walkthrough of padding oracle attack
◦ http://blog.gdssecurity.com/labs/2010/9/14/automated-pad
ding-oracle-attacks-with-padbuster.html
Padding Oracle Attack

39.  Timing attack
◦ Add random delays in processing
 Data remanence
◦ Overwrite locations where sensitive data is stored
 Padding Oracle attack
◦ Don’t let the user know there was a padding error
◦ Use Message Authentication Code (MAC) to
protect integrity of the ciphertext
How to Avoid Certain
Attacks

40. Message Authentication
Code

41.  Used to provide assurance of data integrity
 Given a bitstring of any length, produce a
bitstring of length n (n depends on
algorithm)
 Desired properties of a hash function:
◦ Easy to compute a hash given a message
◦ Hard to reverse a hash to a message
◦ Hard to modify a message and not the hash
◦ Hard to find to messages with the same hash
Hash Functions

42.  Message Digest:
◦ MD2, MD4, MD5, MD6
 Secure Hash Algorithm:
◦ SHA-0, SHA-1, SHA-2, SHA-3 (coming soon)
 Most commonly used:
◦ MD5 – 128 bit hash
◦ SHA-1 – 160 bit hash
◦ SHA-2 – 224, 256, 384, or 512 bit hash
 Longer hash = better
Hash Functions cont.

43.  Used to discover collisions in hashing
algorithms
 There is more than a 50% chance that 2
people in a room of 23 will share a birthday
 P[No common birthday] =
◦ n = number of people
Birthday Attack




1
0
365
365
n
i
i

44.  CodeGate 2010 Challenge 15
 A web based challenge vulnerable to padding/length
extension attack in its SHA1 based authentication scheme
 The page asks for a username and then sets a cookie
 Username “aaaa”
 Cookie “web1_auth = YWFhYXwx|
8f5c14cc7c1cd461f35b190af57927d1c377997e”
 The first part “YWFhYXwx” is the base64 encoded string of
“aaaa|1” (username|role)
 The second part “8f5c14cc7c1cd461f35b190af57927d1c377997e” is the
sha1(secret_key + username + role)
Length Extension Attack
Write up from http://www.vnsecurity.net/t/length-extension-attack/

45.  The cookie is checked at the next visit
 Displays “Welcome back, aaaa! You are not the administrator.”
 We guess that 1 is the role for normal and 0 for administrator
 Modify the first part to base64_encode(“aaaa|0”), the script
will return an error that the data has the wrong signature
 The new cookie is “YWFhYXwxgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fDA=|
70f8bf57aa6d7faaa70ef17e763ef2578cb8d839”
 “Welcome back, aaaa! Congratulations! You did it! Here is your
flag: CryptoNinjaCertified!!!!!”
Length Extension Attack
cont.
Write up from http://www.vnsecurity.net/t/length-extension-attack/

46. Python Hash Functions

47.  Simple encodings of text (not encryption)
 ASCII to decimal, hex, binary, or base64
◦ Plaintext: hello
◦ Decimal: 104 101 108 108 111
◦ Hex: x68x65x6cx6cx6f
◦ Binary:
0000011010001100101110110011011001101111
◦ Base64: aGVsbG8=
 Many other more clever encodings
Encodings

48. Python Encodings

49. Python Encodings cont.

50.  Hide messages in such a way that no one
suspects the existence of such a message
 Usually hidden in images (but not
necessarily)
◦ Least significant bit
◦ Alpha byte in RGBA
Steganography

51. Steganography Sample

52.  Google - everything
 Foremost – recover files from other files
 Cryptool - cryptanalysis
Useful Tools

53.  How can you simultaneously ensure secrecy
and integrity with public key encryption?
◦ A sends a message to B.
◦ A has keys Ka/Ka
-1
and B has keys Kb/Kb
-1
◦ Encrypt function enck(m)
◦ Decrypt function deck(m)
◦ A sends message m as enckb
(encKa-1(m))
 What if we reverse the encryption
functions?
◦ A sends message as encKa-1(enckb
(m))
◦ Anyone can switch A’s integrity check with theirs
Question #1

54.  One Time Pad – proven to be impossible to crack
 Plaintext of length n (bitstring or character string)
 Key is also of length n
 Plaintext: hello
 Key: abcde
 Ciphertext ((Plaintext + Key) mod 26):
 (h+a)=(7+0)=7=h; (e+b)=(4+1)=5=f;
(l+c)=(11+2)=13=n; (l+d)=(11+3)=14=o;
(o+e)=(14+4)=18=s
 Ciphertext: = hfnos
Question #2

55.  If it’s been proven to be impossible to crack, why
doesn’t everyone use it?
◦ Only reveals maximum possible length (possibly padded)
 Fine for short messages, but the key length must
increase linearly with the plaintext length
◦ Requires perfectly random one-time pads (new
OTP for each message)
◦ How to exchange keys that are as long as the
messages themselves?
Question #2 cont.

56.  Plaintexts P1 and P2 were encrypted with the same
one-time pad key. We know P1, how do we find P2?
 P1 = x64x69x73x63x6fx76x65x72x79 (discovery)
 P2 = ?
 C1 = x17x0cx10x11x0ax02x0ex17x00
 C2 = x03x09x02x1bx0bx00x0ex1dx0d
Question #3

57.  Consider OTP operations:
◦ P1 ⊕ Key = C1
◦ P2 ⊕ Key = C2
◦ P1 ⊕ Key ⊕ P1 = C1 ⊕ P1 = Key
◦ C2 ⊕ Key = P2
 P1 = x64x69x73x63x6fx76x65x72x79
 C1 = x17x0cx10x11x0ax02x0ex17x00
 Key = x73x65x63x72x65x74x6bx65x79 (secretkey)
 P2 = x70x6cx61x69x6ex74x65x78x74 (plaintext)
 Know ciphertext and plaintext = know key
 Know key = decrypt any other ciphertext using that key
Question #3 cont.

58.  Connection details will be provided at the
crash course
CTF

59.  Cryptography: Theory and Practice, 3rd
Edition by Douglas R. Stinson
 Wikipedia.org for many images
 Cryptography 101, Parts 1-3: utdcsg.org
 Write-ups from
◦ http://blog.gdssecurity.com/labs/tag/ctf
◦ http://blog.gdssecurity.com/labs/2010/9/14/automated-
padding-oracle-attacks-with-padbuster.html
◦ http://www.vnsecurity.net/t/length-extension-attack/
References