Crypto for CTFs
In This Talk (I promise there won’t be any math)
- Security Services
- Classical (Substitution) Ciphers
- Why those suck
- Bitwise encodings
- Random Number Generators
- Entropy
- Frequency Analysis
XKCD, “Security”, available at https://xkcd.com/538/ under Creative Commons Attribution-NonCommercial 2.5 License
Security Keywords
Give you hints as to what the question is asking:
- ‘Plaintext’
- ‘Ciphertext’
- ‘Encrypt’
- ‘Decrypt’
- ‘Key’
- ‘Sign’
Security Services
- Confidentiality - ensure that data is hidden
- Authentication - ensure that data comes from who it says it does
- Integrity - ensure that data isn’t altered in transit
- Non-repudiation - ensure that when Alice sends Bob data, Alice can’t later deny that she sent it
Encodings
- Base64
- Base32
- Hex encoding - H(0xdeadbeef) => “deadbeef”
Substitution (classical) ciphers
- Caesar Cipher - shift each letter by a constant amount
- Atbash Cipher - convert each letter to its mirror image in the alphabet: letter l (counting from A = 0) becomes letter (25 - l) % 26
- Vigenère Cipher - shift each letter by a corresponding letter in the codeword
- Oftentimes, non-alpha characters stay the same
How to solve: Atbash
- No key: A always maps to Z, etc.
- Ciphertext: R nfhg hzb, Nrgxs rh ollprmt tivzg glwzb!
How to solve: Caesar
- Key fact: There are only 26 possible shifts
- Ciphertext: Hdoxc dn vi zsxzggzio ozvxczm
- Try each possible key, see if the ciphertext makes sense:
  Key 1: Iepyd eo wj atyahhajp pawydan
  Key 2: Jfqze fp xk buzbiibkq qbxzebo
  …
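The two solving approaches above as an added example (not code from the talk): Atbash is decoded directly, and Caesar is brute-forced over all 26 keys, with "makes sense" approximated by counting words from a small constructed word list. The function names and the word list are assumptions of this example.

```python
import string

# Tiny constructed word list standing in for "does this make sense?";
# swap in a real dictionary for longer texts.
COMMON = {"the", "a", "an", "is", "are", "to", "of", "and", "in", "it"}

def _map_letters(text, fn):
    """Apply fn (alphabet index 0..25 -> index) to ASCII letters only."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + fn(ord(ch) - base) % 26))
        else:
            out.append(ch)          # non-alpha characters stay the same
    return "".join(out)

def atbash(text):
    """No key: A<->Z, B<->Y, ... so decoding is the same as encoding."""
    return _map_letters(text, lambda i: 25 - i)

def caesar(text, key):
    """Shift every letter forward by `key` positions (Key 1: H -> I)."""
    return _map_letters(text, lambda i: i + key)

def score(text):
    """Count words that appear in the COMMON list."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(w in COMMON for w in words)

def crack_caesar(ciphertext):
    """Try all 26 shifts and return the (key, text) pair that scores best."""
    candidates = [(k, caesar(ciphertext, k)) for k in range(26)]
    return max(candidates, key=lambda kt: score(kt[1]))

if __name__ == "__main__":
    print(atbash("R nfhg hzb, Nrgxs rh ollprmt tivzg glwzb!"))
    print(crack_caesar("Hdoxc dn vi zsxzggzio ozvxczm"))
```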
How to solve: Vigenère
- Short ciphertexts: brute force
- Long ciphertexts: frequency analysis
- Certain characters in the English alphabet are more common than others
- 2-character sequences…
- 3-character sequences…
Why substitution ciphers are bad
- Kerckhoffs's Principle - A cryptosystem should be secure even if an attacker knows everything about the system (other than a secret key)
- In contrast to “Security through obscurity” (all three previous examples, Windows)
- You should assume attackers will gain access to system details
- Modern ciphers combine Substitution and Permutation - if you change one number of the input, complete, seemingly random changes occur throughout the new ciphertext
- Modern concept of “perfect secrecy” - none of these are perfectly secret - or even close
Perfect Secrecy
- Ciphertext conveys no information about the plaintext
- Key length > plaintext length
- Ex. Vigenère cipher with keyword longer than message (eh…)
  Key: thisisakey, Message: hello, Ciphertext: altdw
- One-Time Pads
Bitwise Encoding
- Messages are often represented as binary strings (ASCII, etc.)
- XOR encoding (⊕)
[Table: XOR truth table with columns A, B, Result]
Bitwise encoding continued (Need to know for interviews!)
- Very nice mathematical properties!
  - A ⊕ 0 = A
  - A ⊕ A = 0
  - A ⊕ B = R => A ⊕ R = B
- Example: A=1100, B=1010
  - A ⊕ 0000 = A
  - A ⊕ A = 0000
  - A ⊕ B = 0110
  - A ⊕ 0110 = 1010
- Critical for symmetric cryptography
- Good for CTFs
One-Time Pad
- Random sequence of 1s and 0s
- Bitwise XOR encrypt
- Ciphertext: 111001010110100101010011
- No way to get what the plaintext is without info on the key
- Don’t use twice! (hence one-time)
- Crib-drag: XOR the ciphertexts together, then XOR a guessed word against the result at different offsets
- http://travisdazell.blogspot.com/2012/11/many-time-pad-attack-crib-drag.html
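Why "don't use twice" matters, as an added example (not code from the talk): two constructed messages are encrypted under the same random pad, the pad cancels when the ciphertexts are XORed, and dragging a guessed word across the result exposes text from the other message. The messages, names and the "letters and spaces only" readability filter are assumptions of this example.

```python
import secrets
import string

TEXT = set((string.ascii_letters + " ").encode())   # bytes accepted as readable

def xor(a, b):
    """Bytewise XOR of two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))

def crib_drag(c1, c2, crib):
    """Slide a guessed word over c1 XOR c2; return {offset: revealed text}.

    Because c1 = p1 XOR pad and c2 = p2 XOR pad, the pad cancels:
    c1 XOR c2 = p1 XOR p2. Where the crib matches one plaintext,
    XORing it in leaves the other plaintext's bytes at that offset.
    """
    mixed = xor(c1, c2)
    hits = {}
    for off in range(len(mixed) - len(crib) + 1):
        frag = xor(mixed[off:off + len(crib)], crib)
        if all(b in TEXT for b in frag):
            hits[off] = frag.decode("ascii")
    return hits

# Constructed sample: two messages encrypted under the SAME random pad.
P1 = b"the flag is hidden in the pad"
P2 = b"never reuse a one time pad ok"
PAD = secrets.token_bytes(len(P1))
C1, C2 = xor(P1, PAD), xor(P2, PAD)

if __name__ == "__main__":
    for off, frag in crib_drag(C1, C2, b" the ").items():
        print(off, repr(frag))
```

The result does not depend on the pad's value, only on its reuse; offsets that produce readable text by coincidence still need a human to judge them.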
Random Number Generators
- Goal: Create a stream of random numbers to create a one-time pad without needing to reuse any bits
- Problem: How to implement this?
- Problem: How to share this information secretly?
How to implement?
How to share this info?
Pseudo Random Number Generators (PRNG)
- Idea: Create a “sharable” RNG
- The only parameter you need to share for reproducibility is a key and/or seed
- Goal: It should be practically impossible for an attacker to guess the inner state or any future states from a subsequence of output
- Goal: It should be practically impossible for an attacker to guess a previous subsequence given an inner state
- Subgoal: There should be about as many 0 bits as 1 bits
Pseudo Random Number Generators (PRNG)
- Problem: PRNGs must have a finite state, which introduces a period in the generated numbers
- Problem: Mathematical difficulty of creating a proper PRNG
PRNG Examples
- Linear Congruential Generator
- Mersenne Twister
- Blum Blum Shub
Example: Blum Blum Shub
- Generate two large primes $p$ and $q$ and a seed $s$ $(= x_{-1})$
- Calculate $x_{n+1} = x_n^2 \bmod M$
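The recurrence above with toy parameters, as an added example (not code from the talk). It also shows the finite-period problem from the earlier PRNG slide. The primes 11 and 23 and seed 3 are constructed toy values. M = p·q, the requirement that both primes be congruent to 3 mod 4, and taking the least-significant bit as output come from the standard definition of the generator, not from the slide.

```python
import math

def _modulus(p, q, seed):
    """Validate parameters and return M = p * q."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("Blum Blum Shub needs primes congruent to 3 mod 4")
    m = p * q
    if math.gcd(seed, m) != 1:
        raise ValueError("seed must be coprime to M")
    return m

def bbs_states(p, q, seed, count):
    """Return x_0 .. x_{count-1}, where x_{-1} = seed and x_{n+1} = x_n^2 mod M."""
    m = _modulus(p, q, seed)
    x, states = seed, []
    for _ in range(count):
        x = (x * x) % m
        states.append(x)
    return states

def bbs_bits(p, q, seed, count):
    """One output bit per step: the least-significant bit of each state."""
    return [x & 1 for x in bbs_states(p, q, seed, count)]

def bbs_period(p, q, seed):
    """Number of steps before the state sequence returns to x_0."""
    m = _modulus(p, q, seed)
    start = (seed * seed) % m          # x_0
    x, steps = (start * start) % m, 1
    while x != start:
        x = (x * x) % m
        steps += 1
    return steps

if __name__ == "__main__":
    print(bbs_states(11, 23, 3, 6))    # toy primes: far too small for real use
    print(bbs_bits(11, 23, 3, 6))
    print(bbs_period(11, 23, 3))
```

With primes this small the whole state cycle can be enumerated, which is why the slide asks for large primes.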
Modular Arithmetic
https://www.khanacademy.org/computing/computer-science/cryptography/modarithmetic/a/what-is-modular-arithmetic
Entropy
- Entropy is a measure of the randomness of data
- Many different ways to measure
- Can you think of any?
Entropy
Let’s look at a random byte: “11111111”
Look Closer: 11111111
Entropy
- This byte may not seem random, but it has an equal probability of occurring in a truly random sequence of bytes as any other
- This is why it is important to measure entropy over large sample sizes
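One way to measure this, as an added example (not code from the talk): Shannon entropy in bits per byte, computed over growing prefixes of the same random stream. A sample of n bytes can never measure above log2(n) bits per byte, so a single byte always measures 0 no matter how it was generated. Shannon entropy is this example's choice of measure, and the function names and seeded generator are assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per byte: -sum(p_i * log2(p_i))."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_by_sample_size(sizes, seed=1):
    """Measured entropy of the first `size` bytes of one seeded random stream.

    The seed only makes the demo repeatable; random.Random is not a
    cryptographic generator.
    """
    rng = random.Random(seed)
    stream = bytes(rng.getrandbits(8) for _ in range(max(sizes)))
    return {size: shannon_entropy(stream[:size]) for size in sizes}

if __name__ == "__main__":
    print(shannon_entropy(b"\xff"))                 # the byte 11111111 alone
    for size, bits in entropy_by_sample_size([1, 16, 256, 65536]).items():
        print(f"{size:>6} bytes: {bits:.3f} bits/byte")
```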
Frequency Analysis
- Fact: Each letter in the English language has a certain frequency of use
- A simple computation will give us the frequencies - for each letter a through z, take the total number of times it has been spoken or written and divide by the number of all letters ever spoken or written
- In practice we use a representative sample to compute these frequencies
- https://www.math.cornell.edu/~mec/2003-2004/cryptography/subs/frequencies.html
- Why is this useful?
Frequency Analysis
- Substitution Ciphers - Frequency of original letters unchanged, but transferred to new letters
- I.e. if ‘x’ is the most frequent letter in the ciphertext, it is reasonable to assume this correlates with the plaintext letter ‘e’
- Idea can be extended to Single-Byte XOR
- Letter Bigram and Trigram frequencies can be more useful than single-letter frequencies
- Idea can be extended to Multi-Byte XOR
- HW will walk you through a FA problem
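The single-byte XOR extension, as an added example (not code from the talk or its homework): every one of the 256 keys is tried and the candidate whose bytes best match English letter frequencies wins. The frequency values are approximate published percentages for the twelve most common letters; the weight given to the space character, the penalty for unprintable bytes, the sample sentence and all names are assumptions of this example.

```python
# Approximate English letter frequencies in percent for the twelve most common
# letters; the weight for the space character is an assumption of this example.
FREQ = dict(zip("etaoinshrdlu ",
                (12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8, 15.0)))

def xor_byte(data, key):
    """XOR every byte of data with the same one-byte key."""
    return bytes(b ^ key for b in data)

def english_score(buf):
    """Higher means the byte string looks more like English text."""
    total = 0.0
    for b in buf:
        ch = chr(b).lower()
        if ch in FREQ:
            total += FREQ[ch]
        elif not (32 <= b < 127 or b in (9, 10, 13)):
            total -= 20.0           # control or non-ASCII byte: unlikely in text
    return total

def crack_single_byte_xor(ciphertext):
    """Try all 256 keys; return (key, plaintext) with the best score."""
    key = max(range(256), key=lambda k: english_score(xor_byte(ciphertext, k)))
    return key, xor_byte(ciphertext, key)

# Constructed sample: an English sentence XORed with one secret byte.
SAMPLE_PLAINTEXT = b"the letter e is the most common letter in english text"
SAMPLE_CIPHERTEXT = xor_byte(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    key, text = crack_single_byte_xor(SAMPLE_CIPHERTEXT)
    print(hex(key), text.decode("ascii"))
```

Very short ciphertexts give the scorer too little to work with, which is the same sample-size caveat as for entropy.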