Differences
This shows you the differences between two versions of the page.
|
sasc:laboratoare:02 [2016/03/01 13:23] marios.choudary |
sasc:laboratoare:02 [2017/02/21 11:28] (current) dan.dragan |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Lab 02 ===== | + | ===== Lab 02 - Shift and Vigenère ciphers ===== |
| - | In this lab we'll do some exercises related to OTP and stream ciphers. | + | Please download the lab skeleton from here: {{:ic:laboratoare:lab2.zip|}} |
| + | The archive contains the following: | ||
| + | * **format_funcs.py**: the format functions from the previous lab; | ||
| + | * **caesar.py**: the implementation of the Caesar encryption and decryption from the previous lab; | ||
| + | * **msg_ex2.txt**: the text which needs to be decrypted for exercise 2; | ||
| + | * **msg_ex3.txt**: the text which needs to be decrypted for exercise 3; | ||
| + | * **ex1.py**: implementation of exercise 1; | ||
| + | * **ex2.py**: implementation of exercise 2; | ||
| + | * **ex3.py**: implementation of exercise 3. | ||
| + | You need to fill in the TODOs from **ex1.py**, **ex2.py** and **ex3.py**. | ||
| + | ==== Exercise 1 (2p) ==== | ||
| - | ==== Exercise 1 ==== | + | Alice sends Bob the following ciphertexts: |
| + | |||
| + | <code> | ||
| + | LDPWKHORUGBRXUJRG | ||
| + | XNTRGZKKGZUDMNNSGDQFNCRADENQDLD | ||
| + | DTZXMFQQSTYRFPJDTZWXJQKFSDLWFAJSNRFLJ | ||
| + | SIOMBUFFHINNUEYNBYHUGYIZNBYFILXSIOLAIXCHPUCH | ||
| + | ERZRZOREGURFNOONGUQNLGBXRRCVGUBYL | ||
| + | CJIJPMTJPMAVOCZMVIYTJPMHJOCZM | ||
| + | DTZXMFQQSTYRZWIJW | ||
| + | ZPVTIBMMOPUDPNNJUBEVMUFSZ | ||
| + | FVBZOHSSUVAZALHS | ||
| + | KAGETMXXZAFSUHQRMXEQFQEFUYAZKMSMUZEFKAGDZQUSTNAGD | ||
| + | MCIGVOZZBCHRSGWFSOBMHVWBUHVOHPSZCBUGHCMCIFBSWUVPCIF | ||
| + | </code> | ||
| + | |||
| + | Charlie manages to capture the ciphertexts and he finds that the cipher used for | ||
| + | encryption is the shift cipher (each message possibly encrypted with a different | ||
| + | key). Can you decrypt the messages ? | ||
| + | |||
| + | Charlie also knows that the plaintext consists only of the English letters A to | ||
| + | Z (all capitals, no punctuation). | ||
| + | |||
| + | <note tip>**Hint:** What do all the plain texts have in common? The answer is YOU.</note> | ||
| + | |||
| + | ==== Exercise 2 (4p) ==== | ||
| + | |||
| + | Alice sends Bob another ciphertext, but much longer this time: | ||
| + | |||
| + | {{:sasc:laboratoare:sasc_msg_lab1.txt|Download message file}} | ||
| + | |||
| + | Charlie needs to decrypt this as well. Some colleagues tell him this is encrypted | ||
| + | using the substitution cipher, and that again the plaintext consists only of the English letters **A** to **Z** (all capitals, no punctuation). Try to help Charlie to decrypt this. | ||
| + | |||
| + | Hint: use the frequency analysis mechanisms we discussed in class. Note that the frequency of each letter does not map precisely. In particular, the most frequent two letters do match well with the given table, but the others are sometimes mixed. However, Charlie knows that the most frequent bi-grams are the following (from most frequent to less frequent): | ||
| + | **TH**, **HE**, **IN**, **OR**, **HA**, **ET**, **AN**, **EA**, **IS**, **OU**, **HI**, **ER**, **ST**, **RE**, **ND** | ||
| + | |||
| + | With this information, can you tell what the ciphertext is about? | ||
| + | |||
| + | ==== Exercise 3 (4p) ==== | ||
| Charlie manages to capture {{:sasc:laboratoare:sasc_msg_lab2.txt|a last communication}} which turns out to be the most important, so it is crucial he decrypts it. However, this time Alice used the Vigenere cipher, with a key that Charlie knows has **7** characters. | Charlie manages to capture {{:sasc:laboratoare:sasc_msg_lab2.txt|a last communication}} which turns out to be the most important, so it is crucial he decrypts it. However, this time Alice used the Vigenere cipher, with a key that Charlie knows has **7** characters. | ||
| - | The ciphertext is in the file attached. Try the method of multiplying probabilities as I explained in class and see if you can decrypt the ciphertext. | + | The ciphertext is in the file attached. Try the method of multiplying probabilities as explained in class and see if you can decrypt the ciphertext. You can find details about this method [[http://www.cs.mtu.edu/~shene/NSF-4/Tutorial/VIG/Vig-Recover.html|here]]. |
| These are the known frequencies of the plaintext: | These are the known frequencies of the plaintext: | ||
| Line 40: | Line 89: | ||
| </code> | </code> | ||
| + | ==== Bonus: Exercise 4 (3p) ==== | ||
| + | In class we explained that the one time pad is malleable (i.e. we can easily change the encrypted plaintext by simply modifying the ciphertext). We have also discussed how the CRC was a very bad idea in the design of WEP due to its linearity. | ||
| - | + | You are given the following ciphertext in hexadecimal: | |
| - | ==== Exercise 2 ==== | + | |
| - | + | ||
| - | In class we explained that the one time pad is malleable (i.e. we can easily change the encrypted plaintext by simply modifying the ciphertext). Let’s see a concrete example. Suppose you are told that the one time pad encryption of the message “attack at dawn” is 09e1c5f70a65ac51626bc3d25f17 (the plaintext letters are encoded as 8-bit ASCII and the given ciphertext is written in hex). What would be the one time pad encryption of the message “attack at dusk” under the same OTP key? | + | |
| - | + | ||
| - | ==== Exercise 3 ==== | + | |
| - | + | ||
| - | In this exercise we'll try to break a Linear Congruential Generator, that may be used to generate "poor" random numbers. | + | |
| - | We implemented such weak RNG to generate a sequence of bytes and then encrypted a plaintext message. | + | |
| - | The resulting ciphertext in hexadecimal is this: | + | |
| <code> | <code> | ||
| - | a432109f58ff6a0f2e6cb280526708baece6680acc1f5fcdb9523129434ae9f6ae9edc2f224b73a8 | + | 021e0e061d1694c9 |
| </code> | </code> | ||
| - | You know that the LCG uses the following formula to produce each byte: | + | which you know it corresponds to the concatenation of the message "floare" with its CRC-16 (in hexa "8E31") obtained from this website: |
| - | + | http://www.lammertbies.nl/comm/info/crc-calculation.html | |
| - | s_next = a * s_prev + b mod p | + | |
| - | + | ||
| - | where both s_prev and s_next are byte values (between 0 and 255) and p is 257. | + | |
| + | If we need to modify the ciphertext so that a correct decryption outputs "albina" instead of "floare" and such that the CRC-16 calculation remains correct, what is the modification we need to perform? | ||
| - | You also know that the first 16 letters of the plaintext are "Let all creation" and that the ciphertext was generated by xor-ing the string generated by the LCG with the plaintext. | + | Output the new ciphertext after the necessary modifications and show that it correctly leads to the plaintext "albina" and a correct computation of its CRC-16. |
| - | Can you break the LCG and predict the RNG stream so that in the end you find the entire plaintext ? | + | You might find this starting script useful: |
| - | + | <code python ex4_draft.py> | |
| - | You may use this starting code: | + | |
| - | <code python 'ex3_weak_rng.py'> | + | |
| import sys | import sys | ||
| import random | import random | ||
| import string | import string | ||
| import operator | import operator | ||
| - | |||
| - | #Parameters for weak LC RNG | ||
| - | class WeakRNG: | ||
| - | "Simple class for weak RNG" | ||
| - | def __init__(self): | ||
| - | self.rstate = 0 | ||
| - | self.maxn = 255 | ||
| - | self.a = 0 #Set this to correct value | ||
| - | self.b = 0 #Set this to correct value | ||
| - | self.p = 257 | ||
| - | |||
| - | def init_state(self): | ||
| - | "Initialise rstate" | ||
| - | self.rstate = 0 #Set this to some value | ||
| - | self.update_state() | ||
| - | |||
| - | def update_state(self): | ||
| - | "Update state" | ||
| - | self.rstate = (self.a * self.rstate + self.b) % self.p | ||
| - | |||
| - | def get_prg_byte(self): | ||
| - | "Return a new PRG byte and update PRG state" | ||
| - | b = self.rstate & 0xFF | ||
| - | self.update_state() | ||
| - | return b | ||
| def strxor(a, b): # xor two strings (trims the longer input) | def strxor(a, b): # xor two strings (trims the longer input) | ||
| Line 106: | Line 119: | ||
| hb = b.decode('hex') | hb = b.decode('hex') | ||
| return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)]) | return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)]) | ||
| - | | + | |
| def main(): | def main(): | ||
| - | #Initialise weak rng | + | #Plaintexts |
| - | wr = WeakRNG() | + | s1 = 'floare' |
| - | wr.init_state() | + | s2 = 'albina' |
| + | G = '' #To find | ||
| - | #Print ciphertext | + | #Obtain crc of s1 |
| - | CH = 'a432109f58ff6a0f2e6cb280526708baece6680acc1f5fcdb9523129434ae9f6ae9edc2f224b73a8' | + | #See this site: |
| - | print "Full ciphertext in hexa: " + CH | + | #http://www.lammertbies.nl/comm/info/crc-calculation.html |
| + | x1 = s1.encode('hex') | ||
| + | x2 = s2.encode('hex') | ||
| + | print "x1: " + x1 | ||
| + | crc1 = '8E31' #CRC-16 of x1 | ||
| - | #Print known plaintext | + | #Compute delta (xor) of x1 and x2: |
| - | pknown = 'Let all creation' | + | xd = hexxor(x1, x2) |
| - | nb = len(pknown) | + | print "xd: " + xd |
| - | print "Known plaintext: " + pknown | + | |
| - | pkh = pknown.encode('hex') | + | |
| - | print "Plaintext in hexa: " + pkh | + | |
| - | #Obtain first nb bytes of RNG | ||
| - | gh = hexxor(pkh, CH[0:nb*2]) | ||
| - | print gh | ||
| - | gbytes = [] | ||
| - | for i in range(nb): | ||
| - | gbytes.append(ord(gh[2*i:2*i+2].decode('hex'))) | ||
| - | print "Bytes of RNG: " | ||
| - | print gbytes | ||
| - | #Break the LCG here: | + | if __name__ == "__main__": |
| - | #1. find a and b | + | main() |
| - | #2. predict/generate rest of RNG bytes | + | </code> |
| - | #3. decrypt plaintext | + | |
| - | # Print full plaintext | + | <note tip> |
| - | p = '' | + | Use the property for CRC-16 that CRC(m XOR d) = CRC(m) XOR CRC(d). |
| - | print "Full plaintext is: " + p | + | |
| - | + | If d = 'floare' XOR 'albina' and C = [C1 | C2] = [m XOR G1 | CRC(m) XOR G2], then C1' = C1 XOR d. | |
| - | if __name__ == "__main__": | + | </note> |
| - | main() | + | |
| - | </code> | + | |
| + | <hidden> | ||
| + | The solution is {{:ic:laboratoare:lab2_sol.zip|here}}. | ||
| + | </hidden> | ||
