cryptography 1 - ctfd · what is cryptography •transmitting a message between 2 parties without...
TRANSCRIPT
Cryptography1IntroductiontoOffensiveSecurity
WhatisCryptography
• Transmittingamessagebetween2partieswithouthavingalistenerbeabletotellwhat'sbeingsaid• AlicewantstotalktoBob• ButEveiseavesdropping!• HowcanAlicetalkwithBobprivately?
ClassicalCiphers
• Substitutionciphers• Bijectivemapfromeachcharactertoanother
• Whybijective?• Monoalphabetic• Leta->z,b->y,c->x,…
• hello• svool
ClassicalCiphers
• Caesarcipher• a.k.a.shiftcipher• Asimplefamilyofsubstitutionciphers• Eachcharactermapstothecharactersomenumberofpositionsdownthealphabet• Ifshiftis1:a->b,b->c,c->d,etc.
• Hello!• Ifmmp!
• ROT13
ClassicalCiphers
• BreakingaCaesarcipher• Thereareonly26options…• Trythemall!
• Butwecandobetter!• Frequencyanalysis
FrequencyAnalysis
• Somecharactersareusedmorethanothers• ForEnglish,""(space)and"e"aresupercommoncharacterswhile"j","q","x",and"z"arealmostneverused• Foralargeenoughciphertext,thefrequencydistributionshouldroughlymatchthegeneralEnglishdistribution• Then,wejusthavetomatchtheletterstogether!
FrequencyAnalysis
• Thiscanalsobeextendedtomorethanonecharacter:n-gramanalysis• Bigramanalysis:matchingthedistributionofcharacterpairs• https://en.wikipedia.org/wiki/Bigram#Bigram_frequency_in_the_English_language
Englishbigramfrequencies
PolyalphabeticCiphers
• Onecharacternolongeralwaysencryptstothesameresult!• Theresultsomehowcombinesthemessageandakey
• Vigenère cipher• Shiftcipherwheretheoffsetisbasedonthecurrentcharacterinthekey• Messageis"ABC",keyis"ABC"
• A->A• B->C• C->E• Ciphertext is"ACE"
Vigenère square
XOR
• eXclusive OR• Youprobablyrememberthisfromoneofmany priorclasses• Outputis1ifAor Bis1,butnotifbothare• ⊕ isthesymboltorepresenttheoperation
• Programminglanguagesusuallyuse^• Hassomeniceproperties:
• A⊕B⊕A=B• Itisitsowninverse
• (A⊕B)⊕C=A⊕(B⊕C)• Commutativity
XOR
• A⊕B⊕A=B• Itisitsowninverse
• IfAisakeyandcanbetransmittedsecurely,wecanusethistoencrypt!• Example• Alicewantstosendm=13toBob• They'veagreedonk=60• Alicecomputes13^60=49,andsendsittoBob• Bobcomputes49^60=13.• Evemeanwhileonlysees49!
XOR
• Example2• Alicewantstosendm="Hello!"([72,101,108,108,111,33])toBob• They'veagreedonk="foobar"([102,111,111,98,97,114])• Alicecomputes72^102=46,101^111=10,etc.andsendsittoBob• Bobcomputes46^102=72,10^111=101,etc.• Eveonlysees[46,10,3,14,14,83]
• This is aOne Time Pad (OTP)which is perfectly secure• Aslongasyou don’t reuse the one time pad• Aslongasthe one time pad is truly random
• However,thisreliesonkbeingtransmittedsecurelyoutofband• Sowhynottransfermthisway?
XOR
• Solet'suseasinglebyte!• Alicewantstosendm="Hello!"([72,101,108,108,111,33])toBob• They'veagreedonk=60• Alicecomputes72^60=116,101^60=89,etc.andsendsittoBob• Bobcomputes116^60=72,89^60=101,etc.• Eveonlysees[116,89,80,80,83,29]• But…
XOR
• Evetriestodecrypt[116,89,80,80,83,29]with all 1bytevalues• One of them works!60• Could also usefrequency analysis• Sometimes NULLbyte(or another constant)is common aswell…• 0^k=k,soalargechunkofthesamevaluesmaybethekey…
• This breaks the cryptosystem entirely asthe security hinges onasinglebytewhich can be quickly brute forced
XOR
• Ok,whataboutarepeatingmulti-bytekey?• AliceandBobagreeonk="SecretKey"([83,101,99,114,101,116,75,101,121])• Forthesakeofanalysis,letssaym={contentsofAliceinWonderland}• Howcanwebreakthis?
XOR
• k="SecretKey"([83,101,99,114,101,116,75,101,121])• Iflen(k)isknown,createanewciphertext witheverylen(k)'thcharacter• i.e.takechar0,9,18,27,etc.inonegroup,1,10,19,28,etc.inanother,…
• Thenwecanjustperformoursingle-byteattackoneachgroup
SymmetricCrypto
• BasicXORissymmetric– bothAliceandBobusethesamekeyk• Othercommonsymmetriccryptoschemes:• RC4• DES• 3DES• AES
AES
• Blockbasedsymmetricencryption• Inputischunkedintoblocksof16,24,or32bytes(128,192,256bits)• Multiplemodes• ECB
• Flaw:sameinputblockresultsinsameoutputblock• CBC
• Flaw:malleable.XORontheciphertext XORstheplaintextwhendecrypted• CTR• GCM• … manymore
ECBPenguin
CBCDecryptionOverview
CBCMalleabilityDemo
Real-WorldCBCMalleabilityAttacks
• https://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology/2206#2206
SolutiontoMalleability?
• Useauthenticatedencryption!• Manyout-of-the-boxciphermodessupportauthenticationnatively• GCM,EAX,CCM,OCB,…
• Do-it-yourself(lessrecommended):• Wecanuseamessageauthenticationcode (MAC)tocomputeahashofthemessage,andthenuseittoverifythatthemessagewasdecryptedcorrectly• Encrypt-then-MAC:
• Encryptyourdata=>C.ThencomputeMAC(C),andsendC,MAC(C)• Encrypt-then-MACworksfine,butrequiressomecareinimplementing
WhynotMAC-then-encrypt?
• WecouldalsoimagineinsteadtakingaMACoftheplaintext,andthencheckingitafterdecryption• Theoreticalreason:Bellare andNamprempre,2000• “CryptographicDoomPrinciple”:ifyouhavetoperformanycryptographicoperationbeforevalidatingtheMAConamessage,itwillsomehow likelyleadtodoom(MoxieMarlinspike,2011)• https://moxie.org/blog/the-cryptographic-doom-principle/
• Examplesfromthearticle:• Vaudenay Attack• AttackonSSH
Bellare andNamprempre
AsymmetricCrypto
• a.k.a.publickeycryptography• Involves2distinctkeys:a"public"keyanda"private"key• Shouldbeobviouswhichoneyouneedtokeepsecret…
• Whenyouencryptwithone,itbecomesreadableonlybytheother• Worksbothways• Encryptingwithpublickeymakesitdecipherableonlytothosewiththe
privatekey• "Encrypting"withprivatekeycanbeusedtosignmessages
• Commonlyusedtobootstrapsymmetriccryptoalgorithmsastheyarefaster
RSA
• Themostwellknownasymmetriccryptosystem• Let'swalkthroughasampleencrypt/decryptcycle
RSAExample(“textbook”RSA)
• Alicegeneratesapublic/privatekeypair• Generates2(large)primes:pandq• Computesn=pq.Thisisthepublicmodulus• Computesthetotientofn:phi=(p-1)(q-1)• Pickanumberecoprimetophi(usually3,5,17,257,65537)• Computedasthemultiplicativeinverseofemodphi
• (n,e)isthepublickey• (n,d)istheprivatekey
RSAExample(“textbook”RSA)
• BobnowwantstotalkwithAlice• AlicesendsBobthepublickey• Bobencryptshismessagembyraisingittothepublicexponent(e)modn• c=me (modn)
• Bobthensendstheciphertext ctoAlice• Alicedecryptsitbyraisingctotheprivateexponent(d)• m=cd (modn)
• Thisturnsinto:• (me)d (modn)=>med (modn)=>m1 =m
SimpleRSAAttacks
• Therearemany,manywaystomessupimplementingRSA• Agreatoverviewofattacks:• DanBoneh:“TwentyyearsofattacksontheRSACryptosystem”• ForRSA-basedCTFchallenges,maybe90%ofthemwillbebasedonanattackfromthispaper
• We’llonlycoverafewofthesimpleronesinclass
Factoring
• Factoringtheproductoftwolargeprimenumbersisgenerallyconsideredtobeveryhard• Theorynote:althoughitisnot knowntobeNP-HardProbablyliesinsomecomplexityclassbetweenPandNP,butwedon’tknowforsure.• Futurenote:quantumcomputing,ifrealized,willchangethis.Shor’salgorithmisapolynomialtimealgorithmforfactoring– aslongasyou’vegotaquantumcomputer!
• Ifnissufficientlysmall,wecanjustfactorit!• Currentbestalgorithm:GeneralNumberFieldSieve(GNFS)
SmallModulusAttack
• Recallthattoencryptwedo• me (modN)
• Q:doestheattackerknowe?
SmallModulusAttack
• Recallthattoencryptwedo• me (modN)
• Q:doestheattackerknowe?YES• (N,e)isthepublickey – everyoneknowsit• Whathappensifme <N?
SmallModulusAttack
• Recallthattoencryptwedo• me (modN)
• Q:doestheattackerknowe?YES• (N,e)isthepublickey – everyoneknowsit• Whathappensifme <N?• Wecanjusttakethee-th roottorecoverm!