cryptanalysis lecture

© 2012 Jonathan T Rajewski 1

Jonathan Rajewski

Cryptanalysis


Overview

• Thirty Five Slides of Lecture• Review Cryptology• Attacking Applications• Attacking the cyphers we discussed • FOR270 Crypto Challenge– Until we have a winner!


The 3 Siezs


The Three C’s

• Cryptography• Cryptanalysis• Cryptology

Crypto

3 C’s


Basic Cryptanalysis


Quick Case Study


Case Study

When you enter your username and password what happens?


Case Study

Authentication

Username + Password = Success


Attacking Applications

Learn how the application creates passwords!


FTP

Filezilla Graphical User Interface

*Hypothetical Situation

© 2012 Jonathan T Rajewski

FTPIn our FTP client, user credentials are stored in an INI file.

Boris is the target of the investigation. We currently have no idea how the application stores user credentials.

We create a new profile named dummy with a password 1111. The PWD value appears similar to one byte per character in the password and, further, appears to look like the ASCII representation. What we find:

Password: 1 1 1 1ASCII: 0x31 0x31 0x31 0x31PWD value: 0x31 0x32 0x33 0x34

There is an obvious pattern!!!!

Let's derive the other password....

PWD value: 0x42 0x70 0x74 0x6C 0x77 0x4EASCII: 0x42 0x6F 0x72 0x69 0x73 0x49Password: B o r i s I

13


Let’s try it!

Password.ini file contains the following data. Decrypt the password

PWD value: 0x70 0x62 0x75 0x76 0x7B 0x75 0x79 0x45 ASCII: 0x 0x 0x 0x 0x 0x 0x 0x

Password:


Let’s try it!

Password.ini file contains the following data. Decrypt the password

PWD value: 0x70 0x62 0x75 0x76 0x7B 0x75 0x79 0x45 ASCII: 0x70 0x61 0x73 0x73 0x77 0x70 0x73 0x4C

Password: P A S S W O R D


Basic Cryptosystems

• Basic Ciphers– Substitution• Replacing one character with another “X”

– Transposition • Rearranging the message


Substitution Ciphers• Most famous: Caesar's Cipher– Shift each letter to the right by 3

• ROT 13

• Substitute letters for others– A is T– B is R– C is B

1 2 3 4 5 6 7 8 9 10 11 12 13 1 2 3 4 5 6 7 8 9 10 11 12 13Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y zCipher n o p q r s t u v w x y z a b c d e f g h i j k l m


Where are we seeing ROT13?

NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist


Where are we seeing ROT13?

http://www.csoonline.com/article/570813/data-exfiltration-how-data-gets-out

http://www.csoonline.com/article/570813/data-exfiltration-how-data-gets-out


Tools to parse ROT13

• Volatility Plugin (Levy)– http://gleeda.blogspot.com/2011/04/volatility-14-

userassist-plugin.html• RegRipper (Carvy)– http://regripper.wordpress.com/

• ROT13.com

http://gleeda.blogspot.com/2011/04/volatility-14-userassist-plugin.html

http://gleeda.blogspot.com/2011/04/volatility-14-userassist-plugin.html

http://regripper.wordpress.com/


How to parse ROT13 by hand

CipherText

NCCYR


PlainText

APPLE


Breaking Basic Ciphers• Simple (monoalphabetic) substitution ciphers

easily broken with Frequency AnalysisLetters: E T O A N I R S H D L C W U M F Y G P B V K X Q J Z

Digraphs: TH HE IN ER ED AN ND AR RE EN ED TO NT EA OU NG ST AS

Trigraphs: THE AND ING HER NTH ENT THA INT ERE DTH EAR HAT OFT

• More complex (polyalphabetic) substitution ciphers use multiple alphabets!


Columnar Transposition Cipher

• Disguising the message by rearranging the letters

– Plaintext: • FOR270 IS SO MUCH FUN DONTCA THINK

FOR270ISSOMUCHFUNDONTCHATHINKQWERTYU

• cipher: fct ohh rfi 2un 7nk 0dq iow snr str oct mhy uau• cipher enhanced: fctohhrfi2un7nk0dqiowsnrstroctmhyuau


Breaking the Columnar Transposition Cipher

For all intensive purposes for this “cryptanalysis by hand in a quick timeframe” we are going to attempt to guess the rows

and columns

cipher: dygi ioet dutxcipher enhanced: dygiioetdutx

didyougetit


Vigenère Square

Ciphertext is intersection of key column and plaintext row.

Plaintext: DFIRISGREAT (Side) Key: NTFSNTFSNTF (Top) Ct: QYNJVLLYRTY (Intersect)


Vigenère Square Decryption

Ct: STYXMYYEGYRR (Intersect) Key: FATFATFATFAT (Side)Plaintext: NTFSMFTENTRY (Top)


Crypto Challenge

• Scenario– You work for the “SUPER SECRET 5 LETTER

AGENCY”– An ultra sophisticated ciphertext was located on

an internal server– Our team of cryptographers are actively working

on breaking the code but we need your help!!!


Phase 1

The following ciphertext was found by the cryptographers. They believe it could have

something to do with the userassist key.

ovg_qbg_yl_fynfu_m7mKvx



Phase 1 Review

Did you get it?– ROT13 encryption.

CT: ovg_qbg_yl_fynfu_m7mKvx PT: bit_dot_ly_slash_z7zXikPT Decoded: bit.ly/z7zXik


Phase 2

We just learned from the cryptographers that more this code may indicated a hidden key for

the next aspect of the cryptanalysis….

Visit this link and try to decode the datahttp://bit.ly/x2qppi


Phase 2 Review

F O R E N S I C

A T O R

Forensicator


Phase 3

We identified the final encrypted string of ciphertext by analyzing ram using Volatility.

Yay for open source tools! Agency cryptologists believe that you will “crack

the case” and reveal the cyber villain.

Please analyze:CT: ICLKGZMRUZKey: FORENSICATOR (you wont need the entire key)


Phase 3

Please analyze: CT: ICLKGZMRUZ (Intersect)Key: FORENSICATOR (Side) PT: (Top)

Hint – you wont need the entire Key


Phase 3 Review

Ct: ICLKGZMRUZ(Intersect) Key: FORENSICAT(Side)Plaintext: DOUGTHEPUG(Top)


Phase 4

The end is here. This is the most complicated ciphertext yet. Doug the Pug “cracked” during

interrogation and revealed his secret partner in crime.

Next class we will look at the ADFGVX

cryptanalysis lecture

Education