Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

The Way of the Cryptologist

 

Right before DEF CON, a friend of mine reached out to me to ask if I would write a crypto challenge for his CTF. While it was a busy time for me, I didn't want to pass up the chance and so I wrote two challenges for the "Way of the Cryptologist ."

 

The first challenge was to turn a decryption oracle (a system which decrypts data for you) into an encryption oracle (a system which encrypts data for you). The decryption oracle script looked like this:

12685_f4049247-7ad8-4a04-9d4b-7ff5f1f7665b

The script takes a single URL parameter "c" and decrypts it. The initial ciphertext provided gives the first half of a URL to the next challenge. The script then checks the decrypted message to see if the string "foobar" is in it. If so, it provides the second half of the URL.

12434_e9d67218-b516-4d30-b54d-52d74ca3c20c

Since the script does not perform any integrity checking, we can modify the ciphertext and produce different messages. We can also see what changes we've made to the ciphertext, given that we have a decryption oracle.

As the block cipher mode used is CBC (we can tell because any bit flip garbles the modified block and flips the corresponding bits of the next block) we can make arbitrary changes to any block at the cost of garbling the previous block. Since we don't care about the contents of the decrypted message except that it must contain the string "foobar", this makes our work easy.

We change one block (we'll call it block N) of the ciphertext to all zeroes, and then submit the ciphertext to the decryption oracle. We then take the decrypted value of block N+1 and XOR it with the string "AAfoobar" and use this as the new value of ciphertext block N. This results inblock N+1 decrypting to "AAfoobar" which completes our challenge.

12430_e99412f5-7b08-4124-81a5-5bd3152ef544

The next challenge provides you with two ciphertexts, both encrypted using the one-time pad (OTP) algorithm. OTP is mathematically proven to have a property called "perfect secrecy" when used correctly, which means that an attacker can gain no information about the plaintext by looking at the corresponding ciphertext. However, there are still attacks against OTP, especially when it is used incorrectly. One way to use it incorrectly that renders the cipher pretty much useless is to use the same key for multiple messages. This mistake was used to decrypt messages during World War II and was also a problem in WEP and PPTP.

The ciphertexts are:

ecc8852cf33bd51a64b04b50a4469070e13851a3cb9bdc49dc0908af37756e08e03d2dfb0d368787785aa53223c55d8bb84f02a566db7d84582890343f02ae90e34f8048075a9ea00acfb48706d817bb126e830825c23f19c4c32c5caa39b0c5ca67652e43ecc8857ebb34c60730e75948aa53d427fc3c58a3d99f885593460de02d696a4bf76f38ea0e35ce97705eae38388b7c82b10e12a63d98739b1d7c8d712c03b4d5ec569748154789f40ccfbed34fc619b51366c2132a8d255f81a0205aac27bdd4d72e2e2e67

In case you haven't already guessed, both ciphertexts were encrypted using the same key.  You can see patterns in the two ciphertexts, especially at the beginning. The first three bytes are the same, which has only a 1 in 16,777,216 chance of happening by accident.

The attack against reuse of one-time pad keys begins by calculating ciphertext1 XOR ciphertext2. Since an OTP-encrypted message is just message XOR key, anything XOR itself is 0 and anything XOR 0 is itself, we can break down ciphertext1 XOR ciphertext 2 as follows:

Ciphertext1 XOR ciphertext2

Message1 XOR key XOR Message2 XOR key

Message1 XOR Message2 XOR key XOR key

Message1 XOR Message2 XOR 0

Message1 XOR Message2

This is where it gets interesting. As it turns out, English has enough redundancy that we can recover both messages! To do this, we use a technique known as "crib dragging". A "crib" is a known or guessed piece of plaintext. We then take this crib and "drag" it along our message1 XOR message2, XORing the crib against various parts of the message until we see a result that makes sense within the context of the message, provided by where we got the ciphertexts.

I wrote a script for performing crib dragging interactively; we can see the output below, using the crib "bitcoin" as the party was bitcoin-themed.

10062_7993edd3-a4b3-4575-909e-cc90689aeb34

This input produces lots of candidate outputs. The ones most likely to be correct (as they use alphanumeric characters and common punctuation) are those preceded by asterisks:

11510_bcd20e4e-4308-49d0-895a-fd3271a1c13e

Candidate 39 looks very promising; we see "rapher " which could very well be the end of the word "cryptographer". So, next we use the crib " cryptographer":

12673_f37b7c3c-ec8c-4952-a8e7-41bf53f129af

The theme of the party was "LOL Bitcoin" so candidate 31 is the clear choice. We continue on in this way, reconstructing more and more of the messages until we are given the clue to get us to the next phase of the party access challenge.

11063_a6c5c55f-0f09-47c7-ae46-09f75321d2bc

My interactive crib dragging tool will be open-source, free, and publicly available soon. Note that this attack on reused keys in the OTP algorithm also works with any stream cipher, so despite the fact that few people actually use OTP in a modern context, many people use stream ciphers and reuse keys, making this script rather useful in general.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo