PELCGB 656 - Crypto 101 Your secret is safe with me… …Or is it? By Israel Torres Crypto 101 Disclaimer: For informational purposes only Cryptolicious… * Crypto – hiding stuff from entities you don’t want easily finding. * Crypto comes in many forms, flavors and colors. * Crypto is intended to slow an attacker from getting to their goal – your data. Crypto System failure :( * Bad End-user * Bad implementation * Bad programmer * Bad as in teh suck bad not mj bad. * Moral of story – crypto doesn’t kill people; people kill people. Cryptographic algorithm * Algo - doing something step by step a certain way. * Algo all about math. If you aren’t good at math and you aren’t a savant you’d better stick with using algoz by people who are. * Algoz get broken all the time. Snake oil * Impossible to break * Unhackable * Military grade encryption * Closed algorithm ; black box * Look but don’t touch * … be suspicious – if you can’t trust their words, forget about the algo! Crypto backdoorz * Bad Mojo * Data is encrypted twice - one segment your key - one segment vendor key (could be interleaved and compressed to avoid detection) * When your key is no longer "available" vendor backdoor is used * Be suspicious if your encrypted output is way larger than your input (and we aren't talking about padding) Weak Cryptoz * Obfuscation, encoding, reversible, rotation, etc. (single function) * This is the most common around "the websphere" and cryptozines (cryptograms), and sometimes even places like IRC. * Popular for Phishing and Spam (to defeat filters primarly, users secondary) * So easily implemented and broken that most of the time its a hole that gets used and abused both by programmers and attackers in a "code of silence"... until it all hits the fan. Not as weak Cryptoz * Authentication schemes for OSes and supporting apps. * Authentication schemes for apps like archives, documents, etc. * Generally defeated by rainbow table technology, dictionary and brute force tools. * Otherwise defeated by vulnerability due to bad or questionable implementation, design flaws, etc. DIY Cryptoz * It's always fun to make something scribbly-scrabbly and have others guess. * Just don't think it is "unbreakable" because it is more likely to not be than to be. * If you thought of it at least 100 other people did too - maybe even at the same time. * Part of the crypto is revealing the algo - if you can't reveal it because it will break your crypto then your crypto is already broken. * Dual-Rot13 Anyone? Crypto Fun Time * When I suspect weak cryptoz I like to play with it and see if anything resolves from it sometimes find interesting stuff - like ongoing conversations! (thought to be covert) * I like to write tools that do the work for me once I figure out how to do it by hand - a real time saver. Crypto Fun Time … * FTard Decoder Ring, CryptoCram, bxcode * Boys' Life Magazine (Codemaster Crypto) [Algo implementation] * Crypto is sort of like virtual lockpicking - you know the lock can open you just have to figure out how. Crypto Examples * Human v. Computer (and complexity), Pen and paper v. the electron. * A-Z == 1 - 26 Human * A-Z == 65 - 90 Computer (base 10) * a-z == 97 - 122 Computer (base 10) * 0-9 == 48 - 57 Computer (base 10) * ... More base == more space == more time Next Time … * Breaking Crypto For Fun and Profit * visit crypto101.israeltorres.org for my crypto corner – including this file. * visit tools.israeltorres.org for crypto tools I've written (mostly for win32). * visit israeltorres.org/The_Rayburn_Files.php for what could be crypto (or not). * contact: israel at israeltorres dot org The End. * Thanks for not storming out shouting “Loser!”