Limited Entropy Dot Com Not so random thoughts on security featured by Eloi Sanfèlix

26Apr/090

Solution to FBI’s challenge by vierito5

Posted by Eloi Sanfèlix

Shortly after publishing the post about the FBI Challenge, Javi sent me an e-mail with a solution to this challenge. Later he sent me a different way of solving it, and finally he published it on his blog.

His solution is here. However, for those of you who don't speak Spanish, I'll write up a summary of his solution here. It's not very different from what I did when I solved the challenge.

Basically, the trick is to recognize a URL first, and map it to www.fbi.gov. This already tells us that it's a simple substitution cipher and that it shouldn't be too difficult to solve.

So, from there we can get the following mappings:

Y-W
A-F
H-B
B-I
M-G
S-O
K-V

After applying these substitutions, we see that before the URL we get a word of the form VI-I-, which seems to be visit. What else would you do with a URL 🙂 ? So now we also have these mappings:

V-S
F-T

Applying these substitutions again, we can see that the URL ends with .-T-, which probably means .HTM. This gives us the substitutions O-H and Z-M. Next, we can see a word ending in I-G, which makes us think of the ING ending. Therefore, we also have L-N.

We continue identifying words, such as -NOW -> KNOW (and therefore Q-K), and as a final step we see -N----TION, which is... ENCRYPTION! With this we already get the complete text:

Stupendous. We congratulate you on cracking this latest encryption. Visit www.fbi.gov/coded.htm to let us know of your success.

Easy, wasn't it? Now let's see a different option which would solve a similar problem even without a URL in there, which was our starting point.

We assume the text is written in English, and it is encrypted using a simple substitution. Then, we look for an easily recognizable pattern, and try to match it with English words. For that, Javi used a C program (see source code in his post) and the aspell dictionary file.

With those two things, he asked the program to search for a word following the pattern ABCCDAA (from the original word VWNNDVV in the cryptogram) in the dictionary file. It gave him the following options:

$ ./pattern en-common.txt ABCCDAA
unsuccessful
unsuccessfully
falloff
falloffs
colossally
cappuccino
cappuccino's
cappuccinos
nonsuccessive
success
successor
success's
successive
successful
successfully
successively
successes
successor's
successors
succession
succession's
successions

The only words with the actual length we are looking for are falloff and success. Trying the second of them and identifying further possible words would lead us to the solution of the challenge.
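The pattern search described above, as an added Python example (this is not Javi's C program). The word list is a constructed sample, the function names are illustrative, and extend_mapping goes one step further than the post by checking each candidate against mappings that are already known.

```python
# Constructed sample: a few entries taken from the output shown in the post,
# plus two unrelated words. A real run would read the aspell word list instead.
WORDS = ["unsuccessful", "falloff", "falloffs", "colossally", "cappuccino",
         "success", "successor", "successful", "visit", "encryption"]

def word_pattern(word):
    """Canonical letter pattern: first distinct letter -> A, second -> B, ..."""
    ids = {}
    return "".join(chr(ord("A") + ids.setdefault(c, len(ids))) for c in word.lower())

def substring_matches(cipher_word, words):
    """Words containing the pattern anywhere (the behaviour of the listed output)."""
    n, target = len(cipher_word), word_pattern(cipher_word)
    return [w for w in words
            if any(word_pattern(w[i:i + n]) == target for i in range(len(w) - n + 1))]

def exact_matches(cipher_word, words):
    """Words of the same length whose letters repeat in the same positions."""
    target = word_pattern(cipher_word)
    return [w for w in words if word_pattern(w) == target]

def extend_mapping(known, cipher_word, plain_word):
    """Add the cipher->plain pairs a guess implies; None if it contradicts known."""
    mapping = dict(known)
    for c, p in zip(cipher_word.upper(), plain_word.upper()):
        clash = any(k != c and v == p for k, v in mapping.items())
        if mapping.get(c, p) != p or clash:
            return None
        mapping[c] = p
    return mapping

if __name__ == "__main__":
    print(word_pattern("VWNNDVV"))
    print(exact_matches("VWNNDVV", WORDS))
    known = {"V": "S", "F": "T"}  # the two mappings from the post's 'visit' step
    for guess in exact_matches("VWNNDVV", WORDS):
        print(guess, extend_mapping(known, "VWNNDVV", guess))
```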

12Apr/092

FBI challenge

Posted by Eloi Sanfèlix

This time I'm bringing you a small challenge... it's a very simple exercise in which you have to decrypt a text. It's a challenge set by the FBI and it shouldn't take much time to solve 🙂

It's more of a small puzzle than anything else. You can find it at: FBI Challenge.

31Mar/090

Downadup Codex by Symantec

Posted by Eloi Sanfèlix

Symantec has recently published a compilation of all the posts from their blog about the Downadup/Conficker virus, plus some previously unpublished content. It gives a view of what this virus, and this kind of creature in general, can do, without overly complex technicalities.

The PDF can be downloaded from Downadup Codex.

26Mar/092

Crypto Series: Vigenère Cipher

Posted by Eloi Sanfèlix

Today we're gonna go a little further on the study of classical ciphers. We're gonna see an evolution of simple substitution ciphers known as Vigenère cipher, how it works and cryptanalysis methods that we can apply.

Vigenère Cipher

This cipher is named after the Frenchman Blaise de Vigenère, to whom it was wrongly attributed in the 19th century. Actually it's quite a simple cipher that combines several Caesar ciphers according to a secret key. An example will help to understand it.

If the key is abcd, then the first letter is encrypted by shifting it 0 times, the second letter 1 time, the third letter 2 times, the fourth letter 3 times, and then we start again with 0 times. So, the key is repeated as many times as needed to encrypt the complete plaintext. This operation can be seen as a two-entry substitution table (tabula recta or Vigenère's table):


Vigenère table

Using this table, we take the row of the plaintext letter to encrypt and the column of the key letter; the cell where they meet gives us the resulting cryptogram letter. To decrypt, we place ourselves in the row corresponding to the key letter, move right until we reach the cryptogram's letter, and then move upwards to read the corresponding plaintext letter from the column header.

Let's take a look at an example. We want to encrypt the word WADALBERTIA with the key ERP, so we write down the letters with the key below them, repeated as many times as needed to reach the word's number of characters:

WADALBERTIA

ERPERPERPER

In order to obtain our result using the table, we go to column W and go down till row E. This gives us our first cryptogram letter, A. Then we repeat the operation with column A and row R, which brings us R. We repeat this process with the remaining letters and finally obtain ARSECQIIIMR.

For decryption, we would go to the row of the key's letter, for instance E. Then we would move right through the columns to find an A, and then we would move up to the header to see that this column is labeled with the letter W. Continuing until the end, we would get back our input plaintext.

Attacking Vigenère's cipher

Now that we know how it works, we can proceed to see how we could break this cipher. It's clear that the simple method applied to Caesar's cipher is not useful here, since each letter is encrypted independently of the previous one. However, if we have a key of length L, every L letters the sequence is repeated. Thus, we have L different Caesar's ciphers and we could break them as we learnt last time.

To do so, we need to determine L. Therefore, cryptanalysis of Vigenère's cipher will focus on methods to find out how long the key is, so that we can later analyse the different Caesar ciphers. We will study two different methods to obtain it.

Kasiski's method

This method is based on looking for repeated patterns in the cryptogram. Kasiski observed that for a given pair of repeated fragments in the plaintext to be encrypted two times in the same way, the distance between them must be a multiple of the key length. Then, each letter of the repeated string will be encrypted with the same part of the key. Let's see an example taken from Wikipedia:

abcdeabcdeabcdeabcdeabcdeabcdeabc
crypto is short for cryptography.

In this case, we can see that the string crypt would be encrypted both times by abcde. This is due to the fact that the key is 5 characters long (abcde) and the distance between the two appearances of crypto is 20 characters (4 times 5). If the distance were not a multiple of 5, this wouldn't occur.

Therefore, in this case we could say that the key length should be one of the divisors of 20: 1, 2, 4, 5, 10 and 20. However, if we encounter any other repetition, then we can reduce the search space to the common divisors of both distances. With several repetitions, it could be possible to reduce the number of candidates to one and therefore discover the key length.

Obviously, it might be that some of the repetitions are just coincidence. Thus, it is possible that the different distances have a greatest common divisor of 1, which means that they only have 1 as a common divisor. This would lead us to discard some of the repetitions found; but following this method we would be able to reduce the key length to very few candidates. Then all that is needed is to analyze the different Caesar ciphers that form the Vigenère cipher.
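The WADALBERTIA/ERP encryption and the Kasiski distance argument above, as an added Python example (not code from the original post). It assumes the key advances on every character, spaces included, which is how the post aligns abcde under "crypto is short for cryptography."; the function names are illustrative.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("A")

def vigenere(text, key, decrypt=False):
    """Shift each letter by the key letter aligned with its position.

    Assumption: the key advances on every character, spaces included,
    matching the alignment of key and plaintext shown in the post.
    """
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text.upper()):
        if "A" <= ch <= "Z":
            shift = ord(key[i % len(key)].upper()) - A
            ch = chr((ord(ch) - A + sign * shift) % 26 + A)
        out.append(ch)
    return "".join(out)

def kasiski_distances(ciphertext, n=3):
    """Map each repeated n-gram of letters to the gaps between its occurrences."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        gram = ciphertext[i:i + n]
        if gram.isalpha():
            seen[gram].append(i)
    return {g: [b - a for a, b in zip(p, p[1:])]
            for g, p in seen.items() if len(p) > 1}

def key_length_candidates(distances):
    """Common divisors (above 1) of all gaps, i.e. the divisors of their gcd."""
    g = reduce(gcd, (d for gaps in distances.values() for d in gaps), 0)
    return [k for k in range(2, g + 1) if g % k == 0]

if __name__ == "__main__":
    print(vigenere("WADALBERTIA", "ERP"))
    ct = vigenere("crypto is short for cryptography.", "abcde")
    found = kasiski_distances(ct)
    print(ct, found, key_length_candidates(found))
```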

Next post

We're gonna stop here for now, cause I've had the post half-way written for two weeks and didn't have time to finish it... Next time we'll revisit Vigenère's cipher with another method to obtain the key length and some examples.

I hope you're enjoying it 🙂

1Mar/097

Crypto series: Planning

Posted by Eloi Sanfèlix

With this post we start with a series about cryptography, which I hope catches your attention. The series is divided into several chapters, with the following (very rough) planning:

  1. Introduction
  2. Symmetric Cryptography
  3. Asymmetric Cryptography
  4. Hash functions and authentication codes
  5. Cryptographic protocols
  6. Cryptographic Systems

Each chapter will be made up of several theory posts and one or more practice posts, which we'll do using tools like Cryptool. To easily identify these posts, although they'll most likely be pretty much all my posts, I'll name them this way: Crypto: Chapter/Section.

I'll start very shortly with the first chapter, Introduction, where we'll see basic concepts and classical crypto amongst other things.

Any feedback as of now?

19Feb/099

Re-borning

Posted by Eloi Sanfèlix

After all this time without any activity, I've decided to make some changes to the blog. The first one you notice when you come in directly through a browser is the new theme.

Further, it's now possible to select the blog's language between Spanish and English. Yes, I've decided to start multilingual blogging, and every post will have a Spanish version and an English one. To that end, I've installed a plugin called qTranslate, which allows you to manage it directly through the wp editor without modifying the database at all. It also allows translating categories, pages, etc.

The only thing that makes me hesitate a bit is that comments are not separated. But to be honest, I don't think it's gonna be a problem cause after all I don't have that many comments ;-).

I've translated the pages, updated the About me page with current information and I'll explain some of my ideas in this post. I'd like to start a series about cryptography, starting with the very basics and progressing step by step.

We'd start with classic crypto, and continue with modern crypto: block ciphers, asymmetric crypto (RSA, ElGamal, some ECC content). Once we know something about all this stuff, we'll see some cryptographic protocols and cryptographic systems.

Obviously all this doesn't happen overnight, but my intention is to publish at least on a weekly basis. With such a large series of posts, it could be a problem if it isn't very well received and I get tired of writing about it... I hope it doesn't happen this time 🙂

More news coming soon, stay tuned!

1Jan/095

Happy New Year (and blog birthday)!

Posted by Eloi Sanfèlix

Right now this blog turns 2 years old... what started on New Year's Eve 2006-2007 is still alive two years later, on January 1st, 2009.

Quite some time has passed, and my situation has changed from being a telecommunications engineering student to working at a company dedicated to information security, in a country that wouldn't even have crossed my mind back then.

In that first post I talked about the exams of the first semester of my fourth year, the seventh of the whole degree... and I wasn't entirely convinced I'd be able to pass them all at the first attempt. Since then I've been through one semester in Valencia and a whole academic year in Holland, and I'm continuing with my second year in Holland in a totally different situation. And to be honest I can't complain, it's not going badly at all 🙂

Anyway, right now I must be somewhere around Alcoy celebrating the end of the year and wishing everyone a 2009 much better than 2008.

So, enjoy the night without overdoing it, and have a happy 2009!!

31Dec/081

Fake CA: is the Internet (or its PKI) broken?

Posted by Eloi Sanfèlix

Yesterday, the 30th, a vulnerability in the Internet PKI was published at the CCC, explaining how the researchers had managed to obtain a certificate that is perfectly valid for most web browsers but contains false data. They obtained a certificate signed by a certification authority (CA) trusted by most browsers, whose identity data they were able to change: the CA signed one certificate, but a derived one was obtained for which the same signature is still valid and the data has been arbitrarily modified.

The attack was published by a group of researchers that includes Benne de Weger, a professor at TU Eindhoven who taught me Cryptography 2 last year.

How is this possible?

Basically, the same technique was used as for the prediction of US presidents that I already talked about some time ago. A valid certificate for an apparently legitimate site was obtained from a trusted CA, and then a certificate was created that produces collisions in MD5.

The exact method is, as I already said, to have a certificate prefix of your choice, a random section that makes some intermediate result of the MD5 hash collide, and then a final part common to both certificates. Since from the collision onwards both documents are identical, their MD5 hash will be the same.

Even so, finding the collision is not that easy, since there are certain elements that vary from one certificate to another and must be predicted. For example, the certificate's serial number or the validity period of the certificates the CA is going to give us.

For the attack, the researchers tried different CAs and attempted to predict these values. In the end, six commercial CAs gave them certificates they could use to create collisions.
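Why an internal-state collision followed by a common ending yields the same hash, and therefore the same signature, shown as an added Python example on a toy 16-bit Merkle-Damgård hash (not code from the original post or from the researchers). The toy compression function, the 8-byte block size, the brute-force search standing in for the MD5 collision blocks and the CN=siteA / CN=siteB prefixes are all assumptions made for illustration.

```python
import hashlib
from itertools import count

BLOCK = 8  # toy block size in bytes (MD5 uses 64-byte blocks)

def compress(state, block):
    """Toy 16-bit compression function (truncated SHA-256; illustrative only)."""
    return hashlib.sha256(state + block).digest()[:2]

def iterate(data, state=b"\x00\x00"):
    """Merkle-Damgard chaining: feed the data block by block through compress."""
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg):
    """Pad with 0x80, zeros and the message length, then chain (MD5's structure)."""
    pad = b"\x80" + b"\x00" * (-(len(msg) + 5) % BLOCK) + len(msg).to_bytes(4, "big")
    return iterate(msg + pad)

def collide_prefixes(prefix_a, prefix_b):
    """Find one extra block per prefix that drives both to the same chaining state.

    Both prefixes must be a whole number of blocks long.
    """
    state_a, state_b = iterate(prefix_a), iterate(prefix_b)
    seen_a, seen_b = {}, {}
    for n in count():
        block = n.to_bytes(BLOCK, "big")
        out_a, out_b = compress(state_a, block), compress(state_b, block)
        seen_a.setdefault(out_a, block)
        seen_b.setdefault(out_b, block)
        for out in (out_a, out_b):
            if out in seen_a and out in seen_b:
                return prefix_a + seen_a[out], prefix_b + seen_b[out]

if __name__ == "__main__":
    # Constructed stand-ins for the differing identity fields of two certificates.
    head_a, head_b = collide_prefixes(b"CN=siteA", b"CN=siteB")
    suffix = b" validity, public key and extensions shared by both"
    print(toy_hash(head_a + suffix).hex(), toy_hash(head_b + suffix).hex())
```

With a 16-bit state the search ends after a few hundred blocks; moving to SHA-256 or SHA-512, as the post recommends, puts the same search far out of reach.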

And what does this mean?

Basically, someone could create their own certificate signed by one of these entities for malicious purposes. They could therefore perform a MitM on SSL connections without us seeing that there is an intruder, because the certificate used would be accepted by our browser without complaint.

Now, is this really suuuuch a serious problem? To begin with, for most users the 'the certificate is not valid' warning only means something like 'you have to click accept to get in'. In that situation, certificates or not, it isn't worth wasting time creating a valid certificate if users are going to ignore the messages and go in anyway.

Besides, the problem is not with the PKI but with MD5. The solution is to move to another hash function such as SHA-256 or SHA-512, and to use random IDs for signed certificates. Anything that can be predicted can lead to problems; we already saw it with DNS and we see it now with certificates.

As they say at layer 8:

What I’m here to say is, I don’t really think this matters all that much except to security researchers.  Here’s why:  normal users’ trust has very little to do with certificates.

Another site where they try to calm things down is securosis. And I also see that Verisign has already fixed the mess in its RapidSSL.

If you want technical information on exactly how this works, here they explain everything in detail. I've surely left something out... but I just wanted to say that it's not thaaat bad and that it was to be expected after the earlier attacks on MD5 were published. And the same goes for SHA-1: if it keeps being used, it will probably end up in something very similar to this.

31Dec/080

25C3 video and audio

Posted by Eloi Sanfèlix

A few days ago the 25th edition of the CCC took place in Berlin, and some of the recordings of the talks can already be downloaded from its FTP: http://ftp.ccc.de/congress/25c3/

In addition, the slides of some talks are also available in the congress schedule: http://events.ccc.de/congress/2008/Fahrplan/

Enjoy!! 🙂

24Dec/083

Home, sweet home

Posted by Eloi Sanfèlix

After almost three months here, I'm going back home to spend Christmas. Yes, like the guy in the El Almendro ad... on the 24th I come home for Christmas xD

The balance is very positive: I like the job much more than I would like any typical job for a freshly graduated telecommunications engineer in Spain (I could also have looked for something like this there, but there is very little similar to this and I don't think they would take someone without experience), the pay is almost certainly higher than what I would get there, I'm learning quite a lot, and on the personal side I've met new people to share the hours outside work with and have a great time 🙂 It's a pity that many of them will in principle leave even before the academic year ends, but that's what you get for hanging out with Erasmus students, right?

I know I've somewhat neglected the blog... the truth is that, of the interesting things that come to mind, sometimes I don't know whether I'm authorized to talk about them or not, and when in doubt I obviously play it safe. In any case, let's see whether during these holidays I find some time (and the will) to work on some ideas I have and can step up the activity in 2009.

Best regards, and happy holidays!
