The Way of the Cryptologist

Right before DEF CON, a friend of mine reached out to me to ask if I would write a crypto challenge for his CTF. While it was a busy time for me, I didn't want to pass up the chance and so I wrote two challenges for the "Way of the Cryptologist."

The first challenge was to turn a decryption oracle (a system which decrypts data for you) into an encryption oracle (a system which encrypts data for you). The decryption oracle script looked like this:

[Image: screenshot of the decryption oracle script (not reproduced in the text)]

The script takes a single URL parameter "c" and decrypts it. The initial ciphertext provided gives the first half of a URL to the next challenge. The script then checks the decrypted message to see if the string "foobar" is in it. If so, it provides the second half of the URL.


Since the script does not perform any integrity checking, we can modify the ciphertext and produce different messages. Because we have a decryption oracle, we can also observe exactly what effect each change to the ciphertext has on the decrypted message.

As the block cipher mode used is CBC (we can tell because any bit flip garbles the modified block and flips the corresponding bits of the next block), we can make arbitrary changes to any block at the cost of garbling the previous block. Since we don't care about the contents of the decrypted message except that it must contain the string "foobar", this makes our work easy.

We change one block (we'll call it block N) of the ciphertext to all zeroes, and then submit the ciphertext to the decryption oracle. With block N zeroed, the decrypted value of block N+1 is just the raw block-cipher decryption of ciphertext block N+1. We take that decrypted value, XOR it with the string "AAfoobar", and use the result as the new value of ciphertext block N. This results in block N+1 decrypting to "AAfoobar", which completes our challenge.
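As an added example (my own code, not the challenge's script, which is only shown as an image above), the following Python simulates the whole attack end to end and then shows why an integrity check stops it. The block cipher is a toy 8-byte Feistel construction built on SHA-256, chosen so the script runs with the standard library alone; the challenge's actual cipher is not named on the page, and the 8-byte block size is assumed from the target "AAfoobar" being exactly eight bytes. The key, IV, MAC key and plaintext are constructed. The hardened oracle at the end uses encrypt-then-MAC (HMAC-SHA256 over IV and ciphertext), which is the integrity check the post says the script lacks.

```python
import hashlib
import hmac

BLOCK = 8       # assumed: the target "AAfoobar" is exactly eight bytes
ROUNDS = 8
TAG_LEN = 32    # HMAC-SHA256 tag length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Toy round function: keyed hash truncated to half a block (a stand-in, not a real cipher)
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[: BLOCK // 2], blk[BLOCK // 2 :]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[: BLOCK // 2], blk[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Returns IV || C1 || C2 ...; plaintext length must be a multiple of BLOCK."""
    out, prev = [iv], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # P_i = D_k(C_i) XOR C_{i-1}: each plaintext block depends on the previous ciphertext block
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))


# Constructed secrets; the attacker sees only CIPHERTEXT and the oracle's answers.
KEY = b"constructed-key"
MAC_KEY = b"constructed-mac-key"
IV = bytes(range(BLOCK))
PLAINTEXT = b"first-half-of-url: /constructed/"   # 32 bytes = 4 blocks
CIPHERTEXT = cbc_encrypt(KEY, IV, PLAINTEXT)


def decryption_oracle(ct: bytes) -> bytes:
    """The challenge's behaviour as described: decrypt anything, no integrity check."""
    return cbc_decrypt(KEY, ct)


def forge_block(oracle, ct: bytes, n: int, target: bytes) -> bytes:
    """Rewrite ciphertext block n (index 0 is the IV) so that plaintext block n+1
    decrypts to `target`. Plaintext block n is garbled as a side effect."""
    assert len(target) == BLOCK
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # Step 1: zero block n, then plaintext block n+1 = D_k(C[n+1]) XOR 0 = D_k(C[n+1])
    blocks[n] = bytes(BLOCK)
    probe = oracle(b"".join(blocks))
    dk_next = probe[n * BLOCK:(n + 1) * BLOCK]
    # Step 2: set block n = D_k(C[n+1]) XOR target, so block n+1 now decrypts to target
    blocks[n] = _xor(dk_next, target)
    return b"".join(blocks)


def run_attack() -> bytes:
    forged = forge_block(decryption_oracle, CIPHERTEXT, 2, b"AAfoobar")
    return decryption_oracle(forged)       # block 2 garbled, block 3 == b"AAfoobar"


def seal(ct: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC over IV and ciphertext."""
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def checked_oracle(sealed: bytes):
    """Hardened oracle: verify the tag before decrypting; None means rejected."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        return None
    return cbc_decrypt(KEY, ct)


def run_attack_against_mac():
    """Replaying the forgery with the genuine tag fails; the probe in step 1 would
    have been refused as well, so the attacker never learns D_k(C[n+1])."""
    tag = seal(CIPHERTEXT)[-TAG_LEN:]
    forged = forge_block(decryption_oracle, CIPHERTEXT, 2, b"AAfoobar")
    return checked_oracle(forged + tag)


if __name__ == "__main__":
    pt = run_attack()
    print(pt, b"foobar" in pt)
    print("hardened oracle:", run_attack_against_mac())
```

Running the script prints a plaintext whose third block reads "AAfoobar" (with the second block turned to garbage) and then `None` from the hardened oracle. The attack never needs the key or the cipher's internals, only the oracle's willingness to decrypt modified input, which is why the fix is authentication of the ciphertext rather than a change of cipher.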


The next challenge provides you with two ciphertexts, both encrypted using the one-time pad (OTP) algorithm. OTP is mathematically proven to have a property called "perfect secrecy" when used correctly, which means that an attacker can gain no information about the plaintext by looking at the corresponding ciphertext. However, there are still attacks against OTP, especially when it is used incorrectly. One way to use it incorrectly, which renders the cipher pretty much useless, is to use the same key for multiple messages. This mistake was used to decrypt messages during World War II and was also a problem in WEP and PPTP.

The ciphertexts are:

ecc8852cf33bd51a64b04b50a4469070e13851a3cb9bdc49dc0908af37756e08e03d2dfb0d368787785aa53223c55d8bb84f02a566db7d84582890343f02ae90e34f8048075a9ea00acfb48706d817bb126e830825c23f19c4c32c5caa39b0c5ca67652e43

ecc8857ebb34c60730e75948aa53d427fc3c58a3d99f885593460de02d696a4bf76f38ea0e35ce97705eae38388b7c82b10e12a63d98739b1d7c8d712c03b4d5ec569748154789f40ccfbed34fc619b51366c2132a8d255f81a0205aac27bdd4d72e2e2e67

In case you haven't already guessed, both ciphertexts were encrypted using the same key. You can see patterns in the two ciphertexts, especially at the beginning. The first three bytes are the same, which has only a 1 in 16,777,216 chance of happening by accident.

The attack against reuse of one-time pad keys begins by calculating ciphertext1 XOR ciphertext2. Since an OTP-encrypted message is just message XOR key, and since anything XOR itself is 0 and anything XOR 0 is itself, we can break down ciphertext1 XOR ciphertext2 as follows:

Ciphertext1 XOR Ciphertext2
= Message1 XOR Key XOR Message2 XOR Key
= Message1 XOR Message2 XOR Key XOR Key
= Message1 XOR Message2 XOR 0
= Message1 XOR Message2

This is where it gets interesting. As it turns out, English has enough redundancy that we can recover both messages! To do this, we use a technique known as "crib dragging". A "crib" is a known or guessed piece of plaintext. We take this crib and "drag" it along message1 XOR message2, XORing the crib against each position in turn until we see a result that makes sense in the context of the message (which we know from where we obtained the ciphertexts).

I wrote a script for performing crib dragging interactively; we can see the output below, using the crib "bitcoin", as the party was bitcoin-themed.

[Image: output of the crib dragging tool for the crib "bitcoin" (not reproduced in the text)]

This input produces lots of candidate outputs. The ones most likely to be correct (as they use alphanumeric characters and common punctuation) are those preceded by asterisks:

[Image: the candidate list, with the likely candidates marked by asterisks (not reproduced in the text)]

Candidate 39 looks very promising; we see "rapher " which could very well be the end of the word "cryptographer". So, next we use the crib " cryptographer":

[Image: output of the crib dragging tool for the crib " cryptographer" (not reproduced in the text)]

The theme of the party was "LOL Bitcoin" so candidate 31 is the clear choice. We continue on in this way, reconstructing more and more of the messages until we are given the clue to get us to the next phase of the party access challenge.


My interactive crib dragging tool will be open-source, free, and publicly available soon. Note that this attack on reused keys in the OTP algorithm also works against any stream cipher: few people actually use OTP in a modern context, but many people use stream ciphers and reuse keys, which makes this script rather useful in general.
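As an added example (my own code, not the author's interactive tool, which the post says will be released separately), here is the XOR step from the derivation above and the crib dragging walk-through in Python. It loads the two challenge ciphertexts given above, reports how many leading bytes coincide, drags a crib along ciphertext1 XOR ciphertext2 and marks candidates consisting only of letters, digits and common punctuation, mirroring the asterisks in the tool's output. The plausibility alphabet is an assumption, and the two demonstration messages with a constructed keystream are added so that the recovery can be checked end to end; as the closing paragraph notes, the same steps apply to any stream cipher whose keystream is reused.

```python
import hashlib
import string

# Characters a recovered English fragment may contain (assumption: ordinary English
# text with common punctuation); anything else marks the offset as unlikely
PLAUSIBLE = set((string.ascii_letters + string.digits + " .,'!?-:;()").encode())

# The challenge's two ciphertexts, as given on the page (hex)
C1_HEX = ("ecc8852cf33bd51a64b04b50a4469070e13851a3cb9bdc49dc0908af37756e08e03d2dfb0d368787"
          "785aa53223c55d8bb84f02a566db7d84582890343f02ae90e34f8048075a9ea00acfb48706d817bb"
          "126e830825c23f19c4c32c5caa39b0c5ca67652e43")
C2_HEX = ("ecc8857ebb34c60730e75948aa53d427fc3c58a3d99f885593460de02d696a4bf76f38ea0e35ce97"
          "705eae38388b7c82b10e12a63d98739b1d7c8d712c03b4d5ec569748154789f40ccfbed34fc619b5"
          "1366c2132a8d255f81a0205aac27bdd4d72e2e2e67")
C1, C2 = bytes.fromhex(C1_HEX), bytes.fromhex(C2_HEX)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR over the common prefix. With a reused key, c1 XOR c2 == m1 XOR m2."""
    return bytes(x ^ y for x, y in zip(a, b))


def leading_equal_bytes(c1: bytes, c2: bytes) -> int:
    """Identical ciphertext bytes under one key mean identical plaintext bytes;
    three in a row by chance is the page's 1-in-16,777,216 event."""
    n = 0
    for x, y in zip(c1, c2):
        if x != y:
            break
        n += 1
    return n


def is_plausible(fragment: bytes) -> bool:
    return all(c in PLAUSIBLE for c in fragment)


def crib_drag(xored: bytes, crib: bytes) -> list:
    """Slide the crib along m1 XOR m2. If the crib really sits in one message at
    that offset, the result is what the other message says there."""
    hits = []
    for off in range(len(xored) - len(crib) + 1):
        frag = xor_bytes(xored[off:off + len(crib)], crib)
        hits.append((off, frag, is_plausible(frag)))
    return hits


def plausible_hits(xored: bytes, crib: bytes) -> list:
    return [(off, frag) for off, frag, ok in crib_drag(xored, crib) if ok]


def demo_known_messages():
    """Constructed pair with a known key so the recovery can be checked end to end.
    The key is a 32-byte keystream; the same steps apply to any stream cipher."""
    key = hashlib.sha256(b"constructed demo keystream").digest()
    m1 = b"the bitcoin party starts at nine"
    m2 = b"bring your cryptographer friend!"
    c1, c2 = xor_bytes(m1, key), xor_bytes(m2, key)
    xored = xor_bytes(c1, c2)   # equals m1 XOR m2; the key has cancelled out
    return plausible_hits(xored, b"bitcoin"), plausible_hits(xored, b"cryptographer")


if __name__ == "__main__":
    print("leading identical bytes:", leading_equal_bytes(C1, C2))
    # Interactive-tool style listing: '*' marks candidates worth a closer look
    for off, frag, ok in crib_drag(xor_bytes(C1, C2), b"bitcoin"):
        print(f"{'*' if ok else ' '} {off:3d} {frag!r}")
```

In the constructed pair, dragging "bitcoin" reveals "g your " from the other message at offset 4, and dragging "cryptographer" reveals " party starts" at offset 11; each recovered fragment then becomes the next crib, which is exactly the loop the post runs against the challenge ciphertexts. The scoring is deliberately simple, since a human reading the candidate list is the real filter, as in the post.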
