Cryptography1IntroductiontoOffensiveSecurity

WhatisCryptography

• Transmittingamessagebetween2partieswithouthavingalistenerbeabletotellwhat'sbeingsaid• AlicewantstotalktoBob• ButEveiseavesdropping!• HowcanAlicetalkwithBobprivately?

ClassicalCiphers

• Substitutionciphers• Bijectivemapfromeachcharactertoanother

• Whybijective?• Monoalphabetic• Leta->z,b->y,c->x,…

• hello• svool

ClassicalCiphers

• Caesarcipher• a.k.a.shiftcipher• Asimplefamilyofsubstitutionciphers• Eachcharactermapstothecharactersomenumberofpositionsdownthealphabet• Ifshiftis1:a->b,b->c,c->d,etc.

• Hello!• Ifmmp!

• ROT13

ClassicalCiphers

• BreakingaCaesarcipher• Thereareonly26options…• Trythemall!

• Butwecandobetter!• Frequencyanalysis

FrequencyAnalysis

• Somecharactersareusedmorethanothers• ForEnglish,""(space)and"e"aresupercommoncharacterswhile"j","q","x",and"z"arealmostneverused• Foralargeenoughciphertext,thefrequencydistributionshouldroughlymatchthegeneralEnglishdistribution• Then,wejusthavetomatchtheletterstogether!

FrequencyAnalysis

• Thiscanalsobeextendedtomorethanonecharacter:n-gramanalysis• Bigramanalysis:matchingthedistributionofcharacterpairs• https://en.wikipedia.org/wiki/Bigram#Bigram_frequency_in_the_English_language

Englishbigramfrequencies

PolyalphabeticCiphers

• Onecharacternolongeralwaysencryptstothesameresult!• Theresultsomehowcombinesthemessageandakey

• Vigenère cipher• Shiftcipherwheretheoffsetisbasedonthecurrentcharacterinthekey• Messageis"ABC",keyis"ABC"

• A->A• B->C• C->E• Ciphertext is"ACE"

Vigenère square

XOR

• eXclusive OR• Youprobablyrememberthisfromoneofmany priorclasses• Outputis1ifAor Bis1,butnotifbothare• ⊕ isthesymboltorepresenttheoperation

• Programminglanguagesusuallyuse^• Hassomeniceproperties:

• A⊕B⊕A=B• Itisitsowninverse

• (A⊕B)⊕C=A⊕(B⊕C)• Commutativity

XOR

• A⊕B⊕A=B• Itisitsowninverse

• IfAisakeyandcanbetransmittedsecurely,wecanusethistoencrypt!• Example• Alicewantstosendm=13toBob• They'veagreedonk=60• Alicecomputes13^60=49,andsendsittoBob• Bobcomputes49^60=13.• Evemeanwhileonlysees49!

XOR

• Example2• Alicewantstosendm="Hello!"([72,101,108,108,111,33])toBob• They'veagreedonk="foobar"([102,111,111,98,97,114])• Alicecomputes72^102=46,101^111=10,etc.andsendsittoBob• Bobcomputes46^102=72,10^111=101,etc.• Eveonlysees[46,10,3,14,14,83]

• This is aOne Time Pad (OTP)which is perfectly secure• Aslongasyou don’t reuse the one time pad• Aslongasthe one time pad is truly random

• However,thisreliesonkbeingtransmittedsecurelyoutofband• Sowhynottransfermthisway?

XOR

• Solet'suseasinglebyte!• Alicewantstosendm="Hello!"([72,101,108,108,111,33])toBob• They'veagreedonk=60• Alicecomputes72^60=116,101^60=89,etc.andsendsittoBob• Bobcomputes116^60=72,89^60=101,etc.• Eveonlysees[116,89,80,80,83,29]• But…

XOR

• Evetriestodecrypt[116,89,80,80,83,29]with all 1bytevalues• One of them works!60• Could also usefrequency analysis• Sometimes NULLbyte(or another constant)is common aswell…• 0^k=k,soalargechunkofthesamevaluesmaybethekey…

• This breaks the cryptosystem entirely asthe security hinges onasinglebytewhich can be quickly brute forced

XOR

• Ok,whataboutarepeatingmulti-bytekey?• AliceandBobagreeonk="SecretKey"([83,101,99,114,101,116,75,101,121])• Forthesakeofanalysis,letssaym={contentsofAliceinWonderland}• Howcanwebreakthis?

XOR

• k="SecretKey"([83,101,99,114,101,116,75,101,121])• Iflen(k)isknown,createanewciphertext witheverylen(k)'thcharacter• i.e.takechar0,9,18,27,etc.inonegroup,1,10,19,28,etc.inanother,…

• Thenwecanjustperformoursingle-byteattackoneachgroup

SymmetricCrypto

• BasicXORissymmetric– bothAliceandBobusethesamekeyk• Othercommonsymmetriccryptoschemes:• RC4• DES• 3DES• AES

AES

• Blockbasedsymmetricencryption• Inputischunkedintoblocksof16,24,or32bytes(128,192,256bits)• Multiplemodes• ECB

• Flaw:sameinputblockresultsinsameoutputblock• CBC

• Flaw:malleable.XORontheciphertext XORstheplaintextwhendecrypted• CTR• GCM• … manymore

ECBPenguin

CBCDecryptionOverview

CBCMalleabilityDemo

Real-WorldCBCMalleabilityAttacks

• https://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology/2206#2206

SolutiontoMalleability?

• Useauthenticatedencryption!• Manyout-of-the-boxciphermodessupportauthenticationnatively• GCM,EAX,CCM,OCB,…

• Do-it-yourself(lessrecommended):• Wecanuseamessageauthenticationcode (MAC)tocomputeahashofthemessage,andthenuseittoverifythatthemessagewasdecryptedcorrectly• Encrypt-then-MAC:

• Encryptyourdata=>C.ThencomputeMAC(C),andsendC,MAC(C)• Encrypt-then-MACworksfine,butrequiressomecareinimplementing

WhynotMAC-then-encrypt?

• WecouldalsoimagineinsteadtakingaMACoftheplaintext,andthencheckingitafterdecryption• Theoreticalreason:Bellare andNamprempre,2000• “CryptographicDoomPrinciple”:ifyouhavetoperformanycryptographicoperationbeforevalidatingtheMAConamessage,itwillsomehow likelyleadtodoom(MoxieMarlinspike,2011)• https://moxie.org/blog/the-cryptographic-doom-principle/

• Examplesfromthearticle:• Vaudenay Attack• AttackonSSH

Bellare andNamprempre

AsymmetricCrypto

• a.k.a.publickeycryptography• Involves2distinctkeys:a"public"keyanda"private"key• Shouldbeobviouswhichoneyouneedtokeepsecret…

• Whenyouencryptwithone,itbecomesreadableonlybytheother• Worksbothways• Encryptingwithpublickeymakesitdecipherableonlytothosewiththe

privatekey• "Encrypting"withprivatekeycanbeusedtosignmessages

• Commonlyusedtobootstrapsymmetriccryptoalgorithmsastheyarefaster

RSA

• Themostwellknownasymmetriccryptosystem• Let'swalkthroughasampleencrypt/decryptcycle

RSAExample(“textbook”RSA)

• Alicegeneratesapublic/privatekeypair• Generates2(large)primes:pandq• Computesn=pq.Thisisthepublicmodulus• Computesthetotientofn:phi=(p-1)(q-1)• Pickanumberecoprimetophi(usually3,5,17,257,65537)• Computedasthemultiplicativeinverseofemodphi

• (n,e)isthepublickey• (n,d)istheprivatekey

RSAExample(“textbook”RSA)

• BobnowwantstotalkwithAlice• AlicesendsBobthepublickey• Bobencryptshismessagembyraisingittothepublicexponent(e)modn• c=me (modn)

• Bobthensendstheciphertext ctoAlice• Alicedecryptsitbyraisingctotheprivateexponent(d)• m=cd (modn)

• Thisturnsinto:• (me)d (modn)=>med (modn)=>m1 =m

SimpleRSAAttacks

• Therearemany,manywaystomessupimplementingRSA• Agreatoverviewofattacks:• DanBoneh:“TwentyyearsofattacksontheRSACryptosystem”• ForRSA-basedCTFchallenges,maybe90%ofthemwillbebasedonanattackfromthispaper

• We’llonlycoverafewofthesimpleronesinclass

Factoring

• Factoringtheproductoftwolargeprimenumbersisgenerallyconsideredtobeveryhard• Theorynote:althoughitisnot knowntobeNP-HardProbablyliesinsomecomplexityclassbetweenPandNP,butwedon’tknowforsure.• Futurenote:quantumcomputing,ifrealized,willchangethis.Shor’salgorithmisapolynomialtimealgorithmforfactoring– aslongasyou’vegotaquantumcomputer!

• Ifnissufficientlysmall,wecanjustfactorit!• Currentbestalgorithm:GeneralNumberFieldSieve(GNFS)

SmallModulusAttack

• Recallthattoencryptwedo• me (modN)

• Q:doestheattackerknowe?

SmallModulusAttack

• Recallthattoencryptwedo• me (modN)

• Q:doestheattackerknowe?YES• (N,e)isthepublickey – everyoneknowsit• Whathappensifme <N?

SmallModulusAttack

• Recallthattoencryptwedo• me (modN)

• Q:doestheattackerknowe?YES• (N,e)isthepublickey – everyoneknowsit• Whathappensifme <N?• Wecanjusttakethee-th roottorecoverm!