This assignment is worth 125 points. Partial credit will be given for all questions — it is in your best interest to not leave any blank. Some of these questions may require you to conduct research beyond what we learned in class. You are free to leverage any public resources you'd like to complete this assignment, but make sure to cite your sources in your answers. Refer to this course's honor code policy for more information on what is appropriate reuse.
This assignment has two parts. In Part 1, you will solve a set of crypto challenges that emphasize some of the strategies deployed by penetration testers attempting to find weaknesses in software systems making use of encryption. In Part 2, you will gain some experience using a popular public key encryption package, and will have the opportunity to install and try out a mobile communications application that makes use of strong encryption for secure messaging.
Record your responses to the following activities in the README.md file in the homework02 folder of your assignments GitLab repository and push your work (including any code you developed) by 11:59 PM Thursday, February 6.
As discussed in class, each homework assignment must be completed in its own git branch; this will allow you to separate the work of each assignment and for you to use the merge request workflow.
To create a homework02 branch in your local repository, follow the instructions below:
$ cd path/to/cse-40567-sp20-assignments    # Go to assignments repository
$ git checkout master                      # Make sure we are in master branch
$ git pull --rebase                        # Make sure we are up-to-date with GitLab
$ git checkout -b homework02               # Create homework02 branch and check it out
$ cd homework02                            # Go into homework02 folder
Once these commands have been successfully performed, you are now ready to add, commit, and push any work required for this assignment.
XOR as a transformation for encryption is a very weak way to protect data. You probably won't find it under the hood of commercial software. This first exercise is meant to get you thinking about the practice of cryptanalysis using a scenario where it is very feasible to recover the key and plaintext via automatic means.
The absolute simplest Advanced Encryption Standard (AES) mode is Electronic Codebook (ECB) mode. In this mode, the plaintext is broken up into fixed sized blocks, which are encrypted separately. For this question, you will write a decryption routine to recover some plaintext that has been encrypted via AES ECB mode.
counteroffensive. Using OpenSSL or another library providing AES functionality, write some code (do not use the OpenSSL command-line program) to decrypt the ciphertext. Provide the plaintext as part of your solution to this question.
In spite of being in the AES standard, ECB mode turns out to be very problematic in practice. The reason for this is that the same 16 byte plaintext block will always produce the same 16 byte ciphertext block. Your task in this question is to devise an algorithm to detect AES ECB mode ciphertext. A tool that can automatically detect the algorithm and mode used is very useful for penetration testing, because certain instances of ciphertext may reveal far more information than is desirable (in violation of the properties of ciphertext we discussed in class).
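The repeated-block property described above can be checked mechanically. The following is an added example, not part of the original assignment: it counts duplicate 16-byte blocks in hex-encoded candidate lines. The sample data is constructed, and a keyed PRF (truncated HMAC-SHA256) stands in for AES so the block runs with the standard library only.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def repeated_blocks(ciphertext: bytes) -> int:
    """Count 16-byte blocks that duplicate an earlier block (partial tail ignored)."""
    blocks = [ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    return len(blocks) - len(set(blocks))


def rank_candidates(hex_lines):
    """Return (line_index, repeats) for lines with a repeat, most repeats first."""
    scored = [(i, repeated_blocks(bytes.fromhex(h))) for i, h in enumerate(hex_lines)]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])


# --- Constructed test data ---------------------------------------------
# Assumption: prf() is a stand-in for a block cipher, NOT AES and not
# invertible. Only one property matters here: same key and same input
# block always give the same output block.
def prf(key: bytes, block: bytes) -> bytes:
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_like(key: bytes, plaintext: bytes) -> bytes:
    """Each block transformed independently, as in ECB mode."""
    return b"".join(prf(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def chained_like(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Each block mixed with the previous output first, as in a chained mode."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = prf(key, mixed)
        out.append(prev)
    return b"".join(out)


KEY = b"constructed-key!"
RECORD = b"GET /index.html " * 4 + b"padding-block-01"  # 5 blocks, 4 identical
ECB_SAMPLE = ecb_like(KEY, RECORD)
CHAINED_SAMPLE = chained_like(KEY, b"\x00" * BLOCK, RECORD)
CANDIDATES = [CHAINED_SAMPLE.hex(), ECB_SAMPLE.hex(),
              hashlib.sha512(b"decoy").hexdigest()]
```

A count of zero does not rule out ECB: short or high-entropy plaintext may contain no repeated block, so the check only flags ciphertext whose plaintext had block-aligned repetition.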
Remarkably, depending on the setting, it is possible to detect not just one, but two modes of AES given only the ciphertext. In this question, the objective is to write some code to do this.
gpg is a popular tool that is used to encrypt email messages via Public Key Cryptography.
Signal is an open source encrypted communications app for Android and iOS devices, with desktop support that syncs to a registered mobile device. It is developed by Open Whisper Systems, which created the double ratchet algorithm that underpins the security of the software. The Signal app has become wildly popular with privacy advocates, activists and even politicians in the current environment of poor computer security and endemic corporate and government surveillance. But it's also useful for transferring website credentials, PINs, and other more mundane, but still sensitive, information. Your task here is to install Signal on your phone. After you have done this, send a message to our TA Sophia (her number can be found in the Slack team chat) to verify that you have "answered" this question. Remember to use Signal whenever you need to send a quick message that should be protected — it's really this easy.
Q: In Q.1, does "string" mean line in the file?
A: Yes.
Q: In Q.1, what is the purpose of the routine that is able to score a line of English-language text? Isn't this just a straightforward brute-force attack?
A: The idea is to have your program automatically find the right key (required for full credit), instead of forcing a manual search through all of the possibilities to find the correct plaintext. In a realistic penetration testing scenario, the keyspace may be enormous, thus checking things by hand isn't always an option.
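A scoring routine of the kind this answer describes, as an added example that is not part of the original assignment. It assumes a single-byte XOR key (the page does not state the key length), uses an approximate frequency table, and runs on constructed sample lines.

```python
import hashlib

# Approximate relative frequencies of common English characters (assumed table).
FREQ = {" ": 0.130, "e": 0.102, "t": 0.075, "a": 0.065, "o": 0.062, "i": 0.057,
        "n": 0.057, "s": 0.053, "h": 0.050, "r": 0.050, "d": 0.033, "l": 0.033}


def english_score(data: bytes) -> float:
    """Higher means more English-like; non-printable bytes are penalised."""
    score = 0.0
    for b in data:
        if b in (9, 10, 13) or 32 <= b < 127:
            score += FREQ.get(chr(b).lower(), 0.0)
        else:
            score -= 0.5
    return score


def xor_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def best_key(ciphertext: bytes):
    """Try all 256 single-byte keys; return (score, key) of the best candidate."""
    return max((english_score(xor_byte(ciphertext, k)), k) for k in range(256))


def find_encrypted_line(hex_lines):
    """Return (line_index, key, plaintext) for the line with the best-scoring candidate."""
    results = [best_key(bytes.fromhex(h)) + (i,) for i, h in enumerate(hex_lines)]
    score, key, idx = max(results)
    return idx, key, xor_byte(bytes.fromhex(hex_lines[idx]), key)


# Constructed sample: one XOR-encrypted English line between two decoys
# (hash output standing in for unrelated data). Key and text are made up.
PLAINTEXT = b"the rain in the east is not the end of the trail"
SAMPLE_LINES = [
    hashlib.sha384(b"decoy-0").hexdigest(),
    xor_byte(PLAINTEXT, 0x5A).hex(),
    hashlib.sha384(b"decoy-1").hexdigest(),
]

if __name__ == "__main__":
    idx, key, text = find_encrypted_line(SAMPLE_LINES)
    print(f"line {idx}, key 0x{key:02x}: {text.decode()}")
```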
Q: What is the fingerprint of the key in Q5.4?
A: Key fingerprint = 5467 6829 FCCB 5B0B 8D36 0E6D F418 D5F5 2E8E D5E9
Q: For Q1-4, what programming language should I use for this assignment?
A: You can choose to do this in any language, but if you are familiar with Python, you may find it to be the best option.
Q: I am unsure of the development environment I should use for this assignment? Any recommendations?
A: Do this in an Ubuntu VirtualBox VM if you don’t have access to a native machine with OpenSSL. Installing the development libraries is very simple: sudo apt-get install libssl-dev
If you have any questions, comments, or concerns regarding the course, please provide your feedback at the end of your README.md.
Remember to put your name in the README.md file. To submit your assignment, please commit your work to the homework02 folder of your homework02 branch in your assignment's GitLab repository:
$ cd path/to/cse-40567-sp20-assignments    # Go to assignments repository
$ git checkout master                      # Make sure we are in master branch
$ git pull --rebase                        # Make sure we are up-to-date with GitLab
$ git checkout -b homework02               # Create homework02 branch and check it out
$ cd homework02                            # Go to homework02 directory
...
$ $EDITOR README.md                        # Edit appropriate README.md
$ git add README.md                        # Mark changes for commit
$ git commit -m "homework02: complete"     # Record changes
...
$ git push -u origin homework02            # Push branch to GitLab
Procedure for submitting your work: create a merge request by the process that is described here, but make sure to change the target branch from wscheirer/cse-40567-sp20-assignments to your personal fork's master branch so that your code is not visible to other students. Additionally, assign this merge request to our TA (sabraha2) and add wscheirer as an approver (so all class staff can track your submission).