
# Cryptography Crash Course


This presentation gives an overview of many different encryption and encoding schemes. The content ranges from simple encodings, such as ASCII text represented as decimals, to classical ciphers, such as the Caesar and Vigenère ciphers, to modern encryption standards, such as the Data Encryption Standard (DES) and Advanced Encryption Standard (AES). For modern encryption, the presentation discusses many different implementation flaws as well as a few ideas for how to correct them. At the end of the presentation, some thought questions are provided.

Published in: Technology

### Cryptography Crash Course

1. 1. Cryptography Crash Course Matthew Stephen www.utdcsg.org
2. 2.  Overview  Encryption ◦ Classical Ciphers ◦ Modern Ciphers  Hash Functions  Encodings  Steganography  Questions and Sample Challenges  CTF Outline
3. 3.  The enciphering and deciphering of messages in secret code or cipher; also : the computerized encoding and decoding of information – Merriam Webster What is Cryptography?
4. 4.  Plaintext – the original message to encrypt  Ciphertext – an encrypted message  Cipher – an algorithm to convert plaintext to ciphertext and vice versa  Key – A word/phrase or string of bits that modifies the enciphering/deciphering process Basic Terminology
5. 5. Cryptography Process
6. 6.  Substitution Ciphers ◦ Characters or groups of characters are replaced by other characters  Transposition Ciphers ◦ Position of plaintext characters is shifted ◦ Ciphertext is simply a permutation of plaintext Classical Ciphers
7. 7.  Replace each letter with a fixed different letter  Plaintext – send reinforcements  Ciphertext – ktdp jtfdoejytbtdlk  Key – CRYPTOISFUN Simple Substitution Cipher A B C D E F G H I J K L M N O P Q R S T U V W X Y Z C R Y P T O I S F U N A B D E G H J K L M Q V W X Z
8. 8.  Shift/Caesar Cipher – Rotate the letters by a fixed amount  ROT13 – Special case (rotate by 13)  Plaintext – send reinforcements  Ciphertext – fraq ervasbeprzragf Shift/Caesar/ROT13 Cipher A B C D E F G H I J K L M N O P Q R S T U V W X Y Z N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
9. 9.  Uses a set of Caesar ciphers based on a keyword  Plaintext – send reinforcements  Key – somesecret  Ciphertext - kszh jikejhjqqqwrvj Vigenère Cipher S E N D R E I N F O R C E M E N T S S O M E S E C R E T S O M E S E C R
10. 10. Opk jvvjx rmrp qstyhmtxrh uinkxmcxzsi wl e csccvtvlnfvxdk imclvv riy jbvdygiziq fp Pzwt Fnxkmnbg Eyfvvoq gvbyeh 1467 vvj yfiu e hmzey gztcmx hvwt xj acmggy fzbcirr tmkpkv npglvjkxf. Ecfzzzm'f wpwoms sapp wrqzguiu egxneoikw vnzie wvzzzgp jsihn, ith fazxxpkw jiii dvjmpekiy je aemkmio zlr pvxomx ss xyi xwxvrwgsilort ectcihig me xcm imclvvomdx. Yekim, qt 1508, Nblrrimy Xemklzuoyf, me lda cseo Gsgqmvntymv, qtzrrkiy bni gesygi xipxr, e xzoxvgrp xwstbrvro wl xui Mmbmtèvr gztcmx. Xui Kvdbnizmlw xqvlrv, ysrmbie, sept xxsimuiy i vvbkiinaozr, vzkdl grq tiiyqixnfci ngyxrq wsm acmggymio higavii kotuii egxneoikw.[xqzegmfr imkhrh] Nlvb ow asn oiwcr nw klz Dokrrèii xqvlrv nen wxmtmeegte hrwtvdjkh oc Xmjdgr Oekxdaze Oicpvau ma lzw 1553 wwuo Ye tmazg hrp. Jmb. Oosiee Fvbzmfxr Fztrefs. Yi wcopg ygsi bni gesygi xipxr sa Bxmglvqdcy, fhx rhymj e eigivbort "gfyibkvfmxr" (v skc) gs jadbil pmglzz gpclrfzby iiiic gmzxrv. Nlzzkef Ecfzzzm nru Xmqzlrqzyn cyiq e wmsmj tnxkimv uj fyswoqzygmfrn, Jkpyejs'n ailrqv qzitx glv tvbzier fj nchwgmkyoqurf gfygl hi rejc xpgrtiu wduvpl fp wztkggmek v vka xip. Ozgy arvv xtxognpcc nqtkyi nsmly se wysmb vleejin, stsjr ks wwzl ceixdmy ma euzvvii, bv kvvvyqvxkiy "wax bj seil" gpbrx adbn xui dinagkr. Fvpgiys'f qvxcwj xuyj vzyameiu wozurt wvgpzoxl jfv jvrc glv ozg. Gw vx zw mmregmmigg kefc ks nmiyei r wcwxx xip tczgwr, wrc wg g teimmjcy temmeom isazvvnizmbr, Sigtgwb'w jcnbkq jej gjvymqiiewte qbvv wzkavr.[gzxvbosa rviymj] Fyezwz lk Zvkvrèmm vyopzwcmj lvw uinkxmcxzsi wl e fmdmgix fhx jxmwtkrv ryowqil gztcmx frjfvz bni pslvo wl Lrric DQO ss Jieikk, ma 1586. Prxzz, or glv 19xc kkrgyic, opk mazvroqur bj Sigtgwb'w tmkpkv jej qdagxgvzfpbkh gs Mmbmtèvr. Hrzdl Qeur zr cqy fbsb Xcm Isqisvziqiew cehmtxrh klz uownxkvdjaxvse ft agcvrx xciz lvwksmg neq "mxrjzkh glzw duvsexrro kurgvzfpbosa eeh dvyxreu rvukh n vvkmmywvzv eil kprqvroixc pmglzz lse lzq [Qqmiaèvv] xcwaku lv lvl tsglzrb bu hb azxc qz".[4] Xui Mmbmtèvr gztcmx knmeiy i xicykeoqur ssi fzqtk rbtikbosaecpt azvbrx. 
Rjbkh nykljz grq qrxcmsegmtmvv Ilnvcin Taxjmukz Luhtwfr (Gmcmf Grvmwrp) pecpzl zlr Zzkzvèxi pmglzz arovvefihpr me lda 1868 vmrgv "Xcm Gpclrfzb Imclvv" dv g gumchmmt'w zexeuqti. Vr 1917, Jgdmtxvjzg Vukvvgrr ymygemsiy bni Imxiièzk gvtyim iy "mztfwnqhpr sw xmitwyekmjv".[5] Zlvw iikczegmfr riy rbx uinmxzrh. Tlvzrif Frfwimi jej oiwcr gs yeqm hvbovr v dgvveex jn zlr gztcmx ef irvgg gw 1854; usniqmx, lr hzhi'b vyopzwc pow jsio.[6] Fiymfoz iibovrpp fmwqi glv gdxnie eeh kchpvwyiy bni gitliqwyr me xcm 19zl piexpze. Iiie fznuvr xymn, bnshky, wjuk wxmcpzl ivltkeiircfxj gjcrh bgtenqurnpcc wzkex xyi xqvlrv zr opk 16xu gvrocxc.[4] Sample Challenge
11. 11.  Copy paste the text into CrypTool  Choose Analysis > Classic > Ciphertext Only > Vigenere Cipher  The text is decrypted with the key “vigenere” Solution
12. 12. Frequency Analysis for Substitutions
13. 13.  Plaintext written downwards on “rails” of an imaginary fence, then moving up when the bottom is reached  Plaintext: we are discovered flee at once  Ciphertext: WECRLTEERDSOEEFEAOCAIVDEN Rail Fence Cipher *Example from Wikipedia
14. 14.  Plaintext written on a grid of given dimensions and read off in a pattern given in the key  “Spiral inwards, clockwise, starting from the top right”  Ciphertext: EJXCTEDECDAEWRIORFEONALEVSE Route Cipher *Example from Wikipedia
15. 15.  Symmetric Key Encryption ◦ Uses the same key to encrypt and decrypt  Asymmetric Key Encryption ◦ Also known as public key encryption ◦ Uses two keys: one to encrypt and one to decrypt Modern Ciphers
16. 16.  Share a secret key among two or more parties  DES – Data Encryption Standard ◦ Uses a 56-bit key ◦ Standard from 1979 to 1990s  AES – Advanced Encryption Standard ◦ Uses 128, 192, or 256-bit key ◦ Standard from early 2000s to present ◦ Must use correct block cipher mode Symmetric Key Encryption
17. 17.  ECB – Electronic Codebook  CBC – Cipher Block Chaining  CFB – Cipher Feedback  OFB – Output Feedback  CTR – Counter  CCM – Counter with Cipher-block Chaining Block Cipher Modes
18. 18.  Given a sequence $x_1 x_2 \ldots x_n$ of plaintext blocks  Ciphertext: $y_i = e_k(x_i)$  Advantage: computation done in parallel  Disadvantage: same plaintext block yields same ciphertext blocks ECB Mode
19. 19. Why Not to Use ECB Mode *From
20. 20.  CTF Problem – CSAW 2010, Crypto Bonus  Users allowed to log into system with only their username ◦ Root and Admin are not allowed!  Upon authentication, they are presented with an authentication token (an encryption of the timestamp, username, and puzzle name)  Each auth-token only lasts 5 minutes!  Goal: Construct a correct authentication token for root Why Not to Use ECB Mode cont.
21. 21.  Submit “AAAAAAAA”  Submit “AAAAAAAA” again  Only difference is the highlighted portion (perhaps [part of] the timestamp) Why Not to Use ECB Mode cont. Write up from http://blog.gdssecurity.com/labs/tag/ctf
22. 22.  Submit “AAAAAAAAAAAAAAAAAA”  The 3rd cipher block is repeated  Submit “AAAAAAAAAAAAAAAAAAAAAAAAadmin”  The correct token for “admin”  The above decrypts to “  1285874686664|admin| CSAW_CHALLENGE#4x02x02” Why Not to Use ECB Mode cont. Write up from http://blog.gdssecurity.com/labs/tag/ctf
23. 23.  Given a sequence $x_1 x_2 \ldots x_n$ of plaintext blocks  Each ciphertext block $y_i$ is XOR’d with the next plaintext block $x_{i+1}$ before encryption  Define $y_0 = IV$ (initialization vector)  Ciphertext: $y_i = e_k(y_{i-1} \oplus x_i)$, $i \geq 1$ CBC Mode
24. 24.  CTF Problem – CSAW 2010, Crypto 2  Users are presented with an auth token  Token is AES encryption of (Username, Team name, Puzzle name, Access level)  The access level is set to 5 and teams need to access level 0 Bit Flipping in CBC Mode
25. 25.  Bit-flipping propagation  A change in a ciphertext block leads to a change in each succeeding plaintext block Bit flipping in CBC Mode cont. Write up from http://blog.gdssecurity.com/labs/tag/ctf
26. 26.  Hex dump of the URL-base64 decoded information  Decrypted to  Need to manipulate a byte in the 3rd ciphertext block that, when decrypted, lines up with the 5 in “role=5” Bit Flipping in CBC Mode cont. Write up from http://blog.gdssecurity.com/labs/tag/ctf
27. 27.  XOR 0x05 with 0xa8 and get 0xad  Replace 0xa8 with 0xad  Decrypted to  Success! Bit Flipping in CBC Mode cont. Write up from http://blog.gdssecurity.com/labs/tag/ctf
28. 28.  Initialization vector: $y_0 = IV$  Keystream element: $z_i = e_k(y_{i-1})$, $i \geq 1$  Ciphertext: $y_i = x_i \oplus z_i$, $i \geq 1$ CFB Mode
29. 29.  Initialization vector: $z_0 = IV$  Keystream: $z_1 z_2 \ldots z_n$  Keystream element: $z_i = e_k(z_{i-1})$, $i \geq 1$  Ciphertext: $y_i = x_i \oplus z_i$, $i \geq 1$ OFB Mode
30. 30.  Similar to OFB but with a different keystream  Plaintext block size = $m$ bits  Counter, denoted $ctr$, bitstring of length $m$  Construct a sequence of bitstrings of length $m$, denoted $T_1, T_2, \ldots, T_n$, as follows:  $T_i = ctr + i - 1 \bmod 2^m$, $i \geq 1$  Ciphertext: $y_i = x_i \oplus e_k(T_i)$, $i \geq 1$ CTR Mode
31. 31. CTR Mode cont.
32. 32.  Based on mathematical relationships (integer factorization and discrete logarithm) that have no efficient solution  Public key, $K$, is published for everyone to see  Private key, $K^{-1}$, is held by an individual  Two main uses: ◦ Public key encryption – anyone can send a message to a particular individual – $enc_K(message)$ ◦ Digital signatures – anyone can verify a message is sent by a particular individual – $enc_{K^{-1}}(message)$ Asymmetric Key Encryption
33. 33. Diffie-Hellman Key Exchange
34. 34. Diffie-Hellman cont. This implementation is not secure due to the values of g and n. In practice, n = prime number, g = generator (primitive root mod n)
35. 35.  Attacks on cryptographic algorithms  Known plaintext – attacker has access to a plaintext and the corresponding ciphertext  Ciphertext-only – attacker has access to only a ciphertext and not the plaintext  Chosen Plaintext/Ciphertext – attacker gets to pick (encrypt/decrypt) a text of his choosing  Adaptive Chosen Plaintext/Ciphertext – attacker chooses text based on prior results Cryptographic Attack Methods
36. 36.  Attacks on physical implementation of a cryptosystem  Timing attack  Power monitoring attack  Acoustic cryptanalysis  Differential fault analysis  Data remanence  Padding oracle attack Side Channel Attacks
37. 37.  Walkthrough of padding oracle attack ◦ http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html Padding Oracle Attack
38. 38.  Timing attack ◦ Add random delays in processing  Data remanence ◦ Overwrite locations where sensitive data is stored  Padding Oracle attack ◦ Don’t let the user know there was a padding error ◦ Use Message Authentication Code (MAC) to protect integrity of the ciphertext How to Avoid Certain Attacks
39. 39. Message Authentication Code
40. 40.  Used to provide assurance of data integrity  Given a bitstring of any length, produce a bitstring of length n (n depends on algorithm)  Desired properties of a hash function: ◦ Easy to compute a hash given a message ◦ Hard to reverse a hash to a message ◦ Hard to modify a message and not the hash ◦ Hard to find two messages with the same hash Hash Functions
41. 41.  Message Digest: ◦ MD2, MD4, MD5, MD6  Secure Hash Algorithm: ◦ SHA-0, SHA-1, SHA-2, SHA-3 (coming soon)  Most commonly used: ◦ MD5 – 128 bit hash ◦ SHA-1 – 160 bit hash ◦ SHA-2 – 224, 256, 384, or 512 bit hash  Longer hash = better Hash Functions cont.
42. 42.  Used to discover collisions in hashing algorithms  There is more than a 50% chance that 2 people in a room of 23 will share a birthday  P[No common birthday] = $\prod_{i=0}^{n-1} \frac{365 - i}{365}$ ◦ n = number of people Birthday Attack
43. 43.  CodeGate 2010 Challenge 15  A web based challenge vulnerable to padding/length extension attack in its SHA1 based authentication scheme  The page asks for a username and then sets a cookie  Username “aaaa”  Cookie “web1_auth = YWFhYXwx| 8f5c14cc7c1cd461f35b190af57927d1c377997e”  The first part “YWFhYXwx” is the base64 encoded string of “aaaa|1” (username|role)  The second part “8f5c14cc7c1cd461f35b190af57927d1c377997e” is the sha1(secret_key + username + role) Length Extension Attack Write up from http://www.vnsecurity.net/t/length-extension-attack/
44. 44.  The cookie is checked at the next visit  Displays “Welcome back, aaaa! You are not the administrator.”  We guess that 1 is the role for normal and 0 for administrator  Modify the first part to base64_encode(“aaaa|0”), the script will return an error that the data has the wrong signature  The new cookie is “YWFhYXwxgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fDA=| 70f8bf57aa6d7faaa70ef17e763ef2578cb8d839”  “Welcome back, aaaa! Congratulations! You did it! Here is your flag: CryptoNinjaCertified!!!!!” Length Extension Attack cont. Write up from http://www.vnsecurity.net/t/length-extension-attack/
45. 45. Python Hash Functions
46. 46.  Simple encodings of text (not encryption)  ASCII to decimal, hex, binary, or base64 ◦ Plaintext: hello ◦ Decimal: 104 101 108 108 111 ◦ Hex: x68x65x6cx6cx6f ◦ Binary: 0000011010001100101110110011011001101111 ◦ Base64: aGVsbG8=  Many other more clever encodings Encodings
47. 47. Python Encodings
48. 48. Python Encodings cont.
49. 49.  Hide messages in such a way that no one suspects the existence of such a message  Usually hidden in images (but not necessarily) ◦ Least significant bit ◦ Alpha byte in RGBA Steganography
50. 50. Steganography Sample
51. 51.  Google - everything  Foremost – recover files from other files  Cryptool - cryptanalysis Useful Tools
52. 52.  How can you simultaneously ensure secrecy and integrity with public key encryption? ◦ A sends a message to B. ◦ A has keys $K_a$/$K_a^{-1}$ and B has keys $K_b$/$K_b^{-1}$ ◦ Encrypt function $enc_k(m)$ ◦ Decrypt function $dec_k(m)$ ◦ A sends message m as $enc_{K_b}(enc_{K_a^{-1}}(m))$  What if we reverse the encryption functions? ◦ A sends message as $enc_{K_a^{-1}}(enc_{K_b}(m))$ ◦ Anyone can switch A’s integrity check with theirs Question #1
53. 53.  One Time Pad – proven to be impossible to crack  Plaintext of length n (bitstring or character string)  Key is also of length n  Plaintext: hello  Key: abcde  Ciphertext ((Plaintext + Key) mod 26):  (h+a)=(7+0)=7=h; (e+b)=(4+1)=5=f; (l+c)=(11+2)=13=n; (l+d)=(11+3)=14=o; (o+e)=(14+4)=18=s  Ciphertext: hfnos Question #2
54. 54.  If it’s been proven to be impossible to crack, why doesn’t everyone use it? ◦ Only reveals maximum possible length (possibly padded)  Fine for short messages, but the key length must increase linearly with the plaintext length ◦ Requires perfectly random one-time pads (new OTP for each message) ◦ How to exchange keys that are as long as the messages themselves? Question #2 cont.
55. 55.  Plaintexts P1 and P2 were encrypted with the same one-time pad key. We know P1, how do we find P2?  P1 = x64x69x73x63x6fx76x65x72x79 (discovery)  P2 = ?  C1 = x17x0cx10x11x0ax02x0ex17x00  C2 = x03x09x02x1bx0bx00x0ex1dx0d Question #3
56. 56.  Consider OTP operations: ◦ P1 ⊕ Key = C1 ◦ P2 ⊕ Key = C2 ◦ P1 ⊕ Key ⊕ P1 = C1 ⊕ P1 = Key ◦ C2 ⊕ Key = P2  P1 = x64x69x73x63x6fx76x65x72x79  C1 = x17x0cx10x11x0ax02x0ex17x00  Key = x73x65x63x72x65x74x6bx65x79 (secretkey)  P2 = x70x6cx61x69x6ex74x65x78x74 (plaintext)  Know ciphertext and plaintext = know key  Know key = decrypt any other ciphertext using that key Question #3 cont.
57. 57.  Connection details will be provided at the crash course CTF
58. 58.  Cryptography: Theory and Practice, 3rd Edition by Douglas R. Stinson  Wikipedia.org for many images  Cryptography 101, Parts 1-3: utdcsg.org  Write-ups from ◦ http://blog.gdssecurity.com/labs/tag/ctf ◦ http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html ◦ http://www.vnsecurity.net/t/length-extension-attack/ References
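
Slides 8 to 11 describe the Vigenère cipher as a set of Caesar ciphers selected by a keyword. The following is an added example, not code from the deck, that reproduces the slides' own values; the function names are this example's own, and it assumes the key advances only on letters, which is what the slide 9 ciphertext implies.

```python
import string

A = string.ascii_lowercase

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter (a=0 ... z=25)."""
    sign = -1 if decrypt else 1
    out, k = [], 0
    for ch in text:
        low = ch.lower()
        if low not in A:
            out.append(ch)              # spaces and punctuation pass through
            continue
        shift = sign * A.index(key[k % len(key)].lower())
        k += 1                          # the key advances only on letters
        new = A[(A.index(low) + shift) % 26]
        out.append(new.upper() if ch.isupper() else new)
    return "".join(out)

def caesar(text: str, shift: int) -> str:
    """A shift cipher is Vigenère with a one-letter key; ROT13 is shift 13."""
    return vigenere(text, A[shift % 26])

if __name__ == "__main__":
    # Slide 9: plaintext and key from the deck.
    print(vigenere("send reinforcements", "somesecret"))
    # Slide 8: ROT13 of the same plaintext.
    print(caesar("send reinforcements", 13))
    # Slide 10: opening words of the sample challenge, key from slide 11.
    print(vigenere("Opk jvvjx rmrp qstyhmtxrh", "vigenere", decrypt=True))
    # Slide 53: the one-time-pad example is the same operation with a
    # key as long as the message.
    print(vigenere("hello", "abcde"))
```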
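
Slides 23 to 27 show a CBC token being altered by changing one ciphertext byte, and slides 38 and 39 name a MAC as the protection. The following added example (not code from the deck or the CTF write-up) shows both sides: the unauthenticated token decrypts with `role=0`, and the encrypt-then-MAC check rejects it. Assumptions: a toy 4-round Feistel cipher stands in for AES so the block runs on the standard library alone, and the token layout and all function names are constructed for this example.

```python
import hashlib, hmac, os

BLOCK = 16
TOKEN = b"user=aaaa;team=team1;puzzle=crypto2;role=5;pad=."  # constructed, 48 bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(key, rnd, half):                        # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def e_k(key, blk):                            # toy stand-in for AES, not secure
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, f(key, rnd, r))
    return l + r

def d_k(key, blk):                            # inverse of e_k
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):                 # y_i = e_k(y_{i-1} XOR x_i), y_0 = IV
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = e_k(key, xor(prev, pt[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):                 # x_i = d_k(y_i) XOR y_{i-1}
    ys = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(d_k(key, y), prev) for prev, y in zip(ys, ys[1:]))

def flip(ct, pos, delta):                     # alter plaintext byte pos (pos >= BLOCK)
    i = pos - BLOCK                           # same offset, one ciphertext block earlier
    return ct[:i] + bytes([ct[i] ^ delta]) + ct[i + 1:]

def mac(k_mac, iv, ct):                       # encrypt-then-MAC tag over IV || ciphertext
    return hmac.new(k_mac, iv + ct, hashlib.sha256).digest()

def open_sealed(k_enc, k_mac, iv, ct, tag):
    ok = hmac.compare_digest(mac(k_mac, iv, ct), tag)   # verify before decrypting
    return cbc_decrypt(k_enc, iv, ct) if ok else None

def demo():
    k_enc, k_mac, iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)
    ct = cbc_encrypt(k_enc, iv, TOKEN)
    bad = flip(ct, TOKEN.index(b"role=5") + 5, 0x05)    # '5' XOR 0x05 == '0'
    return cbc_decrypt(k_enc, iv, bad), open_sealed(k_enc, k_mac, iv, bad, mac(k_mac, iv, ct))
```

`demo()` returns the tampered plaintext, in which the block holding `role=` now reads `role=0` and the block before it is garbled, together with `None` from the authenticated path.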
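
Slide 42 gives the birthday product and slide 41 lists digest lengths with the remark that longer is better. The following added example (not from the deck) evaluates the product and then goes beyond the 365-day case by applying the standard square-root approximation to the digest sizes on slide 41; the function names are this example's own.

```python
import math

def p_no_shared(n: int, days: int = 365) -> float:
    """Slide 42's product: prod_{i=0}^{n-1} (days - i) / days."""
    p = 1.0
    for i in range(n):
        p *= (days - i) / days
    return p

def smallest_group(days: int = 365, target: float = 0.5) -> int:
    """Smallest n whose collision chance 1 - P[no shared value] exceeds target."""
    n = 1
    while 1 - p_no_shared(n, days) <= target:
        n += 1
    return n

def approx_group(days: float, target: float = 0.5) -> float:
    """Closed-form estimate: n ~ sqrt(2 * days * ln(1 / (1 - target)))."""
    return math.sqrt(2 * days * math.log(1 / (1 - target)))

def collision_work_log2(bits: int) -> float:
    """log2 of the hash count for a 50% collision chance on a bits-bit digest.

    Same estimate as approx_group with days = 2**bits, kept in log space
    because 2**bits is far too large for the product loop.
    """
    return (bits + 1 + math.log2(math.log(2))) / 2

if __name__ == "__main__":
    print("people needed for >50%:", smallest_group())
    print("estimate:", round(approx_group(365), 2))
    for name, bits in [("MD5", 128), ("SHA-1", 160), ("SHA-2 (256)", 256)]:
        print(f"{name}: about 2^{collision_work_log2(bits):.1f} hashes")
```

The work to find a collision grows with half the digest length, which is the quantitative reason behind "longer hash = better".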