This assignment is worth 125 points. Partial credit will be given for all questions — it is in your best interest to not leave any blank. Some of these questions may require you to conduct research beyond what we learned in class. You are free to leverage any public resources you'd like to complete this assignment, but make sure to cite your sources in your answers. Refer to this course's honor code policy for more information on what is appropriate reuse.
This assignment has two parts. In Part 1, you will solve a set of crypto challenges that emphasize some of the strategies deployed by penetration testers attempting to find weaknesses in software systems making use of encryption. In Part 2, you will gain some experience using a popular public key encryption package, and will have the opportunity to install and try out a mobile communications application that makes use of strong encryption for secure messaging.
Record your responses to the following activities in the
README.md file in the
homework02 folder of your assignments GitLab
repository and push your work (including any code you developed) by 11:59 PM Thursday, February 6.
To create a
homework02 branch in your local repository, follow the
$ cd path/to/cse-40567-sp20-assignments # Go to assignments repository $ git checkout master # Make sure we are in master branch $ git pull --rebase # Make sure we are up-to-date with GitLab $ git checkout -b homework02 # Create homework02 branch and check it out $ cd homework02 # Go into homework02 folder
XOR as a transformation for encryption is a very weak way to protect data. You probably won't find it under the hood of commercial software. This first exercise is meant to get you thinking about the practice of cryptanalysis using a scenario where it is very feasible to recover the key and plaintext via automatic means.
The absolute simplest Advanced Encryption Standard (AES) mode is Electronic Codebook (ECB) mode. In this mode, the plaintext is broken up into fixed sized blocks, which are encrypted separately. For this question, you will write a decryption routine to recover some plaintext that has been encrypted via AES ECB mode.
counteroffensive. Using OpenSSL or another library providing AES functionality, write some code (do not use the OpenSSL command-line program) to decrypt the ciphertext. Provide the plaintext as part of your solution to this question.
In spite of being in the AES standard, ECB mode turns out to be very problematic in practice. The reason for this is that the same 16 byte plaintext block will always produce the same 16 byte ciphertext block. Your task in this question is to devise an algorithm to detect AES ECB mode ciphertext. A tool that can automatically detect the algorithm and mode used is very useful for penetration testing, because certain instances of ciphertext may reveal far more information than is desirable (in violation of the properties of ciphertext we discussed in class).
Remarkably, depending on the setting, it is possible to detect not just one, but two modes of AES given only the ciphertext. In this question, the objective is to write some code to do this.
gpg is a popular tool that is used to encrypt email messages via Public Key Cryptography.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
-----END PGP PUBLIC KEY BLOCK-----
Signal is an open source encrypted communications app for Android and iOS devices, with desktop support that syncs to a registered mobile device. It is developed by Open Whisper Systems, which created the double ratchet algorithm that underpins the security of the software. The signal app has become wildly popular with privacy advocates, activists and even politicians in the current environment of poor computer security and endemic corporate and government surveillance. But it's also useful for transferring website credentials, PINs, and other more mundane, but still sensitive, information. Your task here is to install signal on your phone. After you have done this, send a message to our TA Sophia (her number can be found in the slack team chat) to verify that you have "answered" this question. Remember to use signal whenever you need to send a quick message that should be protected — it's really this easy.
Q: In Q.1, does "string" mean line in the file?
Q: In Q.1, what is the purpose of the routine that is able to score a line of English-language text? Isn't this just a straightforward brute-force attack?
A: The idea is to have your program automatically find the right key (required for full credit), instead of forcing a manual search through all of the possibilities to find the correct plaintext. In a realistic penetration testing scenario, the keyspace may be enormous, thus checking things by hand isn't always an option.
Q: What is the fingerprint of the key in Q5.4?
Key fingerprint = 5467 6829 FCCB 5B0B 8D36 0E6D F418 D5F5 2E8E D5E9
Q: For Q1-4, what programming language should I use for this assignment?
A: You can choose to do this in any language, but if you are familiar with Python, you may find it to be the best option.
Q: I am unsure of the development environment I should use for this assignment? Any recommendations?
A: Do this in an Ubuntu VirtualBox VM if you don’t have access to a native machine with OpenSSL. Installing the development libraries is very simple:
sudo apt-get install libssl-dev
If you have any questions, comments, or concerns regarding the course, please
provide your feedback at the end of your
Remember to put your name in the
README.md file. To submit your assignment, please commit your work to the
homework02 branch in your assignment's GitLab repository:
$ cd path/to/cse-40567-sp20-assignments # Go to assignments repository $ git checkout master # Make sure we are in master branch $ git pull --rebase # Make sure we are up-to-date with GitLab $ git checkout -b homework02 # Create homework02 branch and check it out $ cd homework02 # Go to homework02 directory ... $ $EDITOR README.md # Edit appropriate README.md $ git add README.md # Mark changes for commit $ git commit -m "homework02: complete" # Record changes ... $ git push -u origin homework02 # Push branch to GitLab
Procedure for submitting your work: create a merge request by the process that is described here, but make sure to change the target branch from wscheirer/cse-40567-sp20-assignments to your personal fork's master branch so that your code is not visible to other students. Additionally, assign this merge request to our TA (sabraha2) and add wscheirer as an approver (so all class staff can track your submission).