Differences
This shows you the differences between two versions of the page.
|
sasc:laboratoare:02 [2016/03/01 17:33] marios.choudary [Exercise 3] |
sasc:laboratoare:02 [2017/02/21 11:28] (current) dan.dragan |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Lab 02 ===== | + | ===== Lab 02 - Shift and Vigenère ciphers ===== |
| - | In this lab we'll do some exercises related to OTP and stream ciphers. | + | Please download the lab skeleton from here: {{:ic:laboratoare:lab2.zip|}} |
| + | The archive contains the following: | ||
| + | * **format_funcs.py**: the format functions from the previous lab; | ||
| + | * **caesar.py**: the implementation of the Caesar encryption and decryption from the previous lab; | ||
| + | * **msg_ex2.txt**: the text which needs to be decrypted for exercise 2; | ||
| + | * **msg_ex3.txt**: the text which needs to be decrypted for exercise 3; | ||
| + | * **ex1.py**: implementation of exercise 1; | ||
| + | * **ex2.py**: implementation of exercise 2; | ||
| + | * **ex3.py**: implementation of exercise 3. | ||
| + | You need to fill in the TODOs from **ex1.py**, **ex2.py** and **ex3.py**. | ||
| + | ==== Exercise 1 (2p) ==== | ||
| - | ==== Exercise 1 ==== | + | Alice sends Bob the following ciphertexts: |
| + | |||
| + | <code> | ||
| + | LDPWKHORUGBRXUJRG | ||
| + | XNTRGZKKGZUDMNNSGDQFNCRADENQDLD | ||
| + | DTZXMFQQSTYRFPJDTZWXJQKFSDLWFAJSNRFLJ | ||
| + | SIOMBUFFHINNUEYNBYHUGYIZNBYFILXSIOLAIXCHPUCH | ||
| + | ERZRZOREGURFNOONGUQNLGBXRRCVGUBYL | ||
| + | CJIJPMTJPMAVOCZMVIYTJPMHJOCZM | ||
| + | DTZXMFQQSTYRZWIJW | ||
| + | ZPVTIBMMOPUDPNNJUBEVMUFSZ | ||
| + | FVBZOHSSUVAZALHS | ||
| + | KAGETMXXZAFSUHQRMXEQFQEFUYAZKMSMUZEFKAGDZQUSTNAGD | ||
| + | MCIGVOZZBCHRSGWFSOBMHVWBUHVOHPSZCBUGHCMCIFBSWUVPCIF | ||
| + | </code> | ||
| + | |||
| + | Charlie manages to capture the ciphertexts and he finds that the cipher used for | ||
| + | encryption is the shift cipher (each message possibly encrypted with a different | ||
| + | key). Can you decrypt the messages ? | ||
| + | |||
| + | Charlie also knows that the plaintext consists only of the English letters A to | ||
| + | Z (all capitals, no punctuation). | ||
| + | |||
| + | <note tip>**Hint:** What do all the plain texts have in common? The answer is YOU.</note> | ||
| + | |||
| + | ==== Exercise 2 (4p) ==== | ||
| + | |||
| + | Alice sends Bob another ciphertext, but much longer this time: | ||
| + | |||
| + | {{:sasc:laboratoare:sasc_msg_lab1.txt|Download message file}} | ||
| + | |||
| + | Charlie needs to decrypt this as well. Some colleagues tell him this is encrypted | ||
| + | using the substitution cipher, and that again the plaintext consists only of the English letters **A** to **Z** (all capitals, no punctuation). Try to help Charlie to decrypt this. | ||
| + | |||
| + | Hint: use the frequency analysis mechanisms we discussed in class. Note that the frequency of each letter does not map precisely. In particular, the most frequent two letters do match well with the given table, but the others are sometimes mixed. However, Charlie knows that the most frequent bi-grams are the following (from most frequent to less frequent): | ||
| + | **TH**, **HE**, **IN**, **OR**, **HA**, **ET**, **AN**, **EA**, **IS**, **OU**, **HI**, **ER**, **ST**, **RE**, **ND** | ||
| + | |||
| + | With this information, can you tell what the ciphertext is about? | ||
| + | |||
| + | ==== Exercise 3 (4p) ==== | ||
| Charlie manages to capture {{:sasc:laboratoare:sasc_msg_lab2.txt|a last communication}} which turns out to be the most important, so it is crucial he decrypts it. However, this time Alice used the Vigenere cipher, with a key that Charlie knows has **7** characters. | Charlie manages to capture {{:sasc:laboratoare:sasc_msg_lab2.txt|a last communication}} which turns out to be the most important, so it is crucial he decrypts it. However, this time Alice used the Vigenere cipher, with a key that Charlie knows has **7** characters. | ||
| - | The ciphertext is in the file attached. Try the method of multiplying probabilities as I explained in class and see if you can decrypt the ciphertext. | + | The ciphertext is in the file attached. Try the method of multiplying probabilities as explained in class and see if you can decrypt the ciphertext. You can find details about this method [[http://www.cs.mtu.edu/~shene/NSF-4/Tutorial/VIG/Vig-Recover.html|here]]. |
| These are the known frequencies of the plaintext: | These are the known frequencies of the plaintext: | ||
| Line 40: | Line 89: | ||
| </code> | </code> | ||
| - | + | ==== Bonus: Exercise 4 (3p) ==== | |
| - | + | ||
| - | + | ||
| - | ==== Exercise 2 ==== | + | |
| In class we explained that the one time pad is malleable (i.e. we can easily change the encrypted plaintext by simply modifying the ciphertext). We have also discussed how the CRC was a very bad idea in the design of WEP due to its linearity. | In class we explained that the one time pad is malleable (i.e. we can easily change the encrypted plaintext by simply modifying the ciphertext). We have also discussed how the CRC was a very bad idea in the design of WEP due to its linearity. | ||
| Line 60: | Line 106: | ||
| You might find this starting script useful: | You might find this starting script useful: | ||
| - | <code python ex2_draft.py> | + | <code python ex4_draft.py> |
| import sys | import sys | ||
| import random | import random | ||
| Line 98: | Line 144: | ||
| </code> | </code> | ||
| - | ==== Exercise 3 ==== | + | <note tip> |
| + | Use the property for CRC-16 that CRC(m XOR d) = CRC(m) XOR CRC(d). | ||
| - | In this exercise we'll try to break a Linear Congruential Generator, that may be used to generate "poor" random numbers. | + | If d = 'floare' XOR 'albina' and C = [C1 | C2] = [m XOR G1 | CRC(m) XOR G2], then C1' = C1 XOR d. |
| - | We implemented such weak RNG to generate a sequence of bytes and then encrypted a plaintext message. | + | </note> |
| - | The resulting ciphertext in hexadecimal is this: | + | |
| - | <code> | + | |
| - | a432109f58ff6a0f2e6cb280526708baece6680acc1f5fcdb9523129434ae9f6ae9edc2f224b73a8 | + | |
| - | </code> | + | |
| - | + | ||
| - | You know that the LCG uses the following formula to produce each byte: | + | |
| - | + | ||
| - | s_next = (a * s_prev + b) mod p | + | |
| - | + | ||
| - | where both s_prev and s_next are byte values (between 0 and 255) and p is 257. | + | |
| - | Both a and b are values between 0 and 256. | + | |
| - | + | ||
| - | + | ||
| - | You also know that the first 16 letters of the plaintext are "Let all creation" and that the ciphertext was generated by xor-ing a string of consecutive bytes generated by the LCG with the plaintext. | + | |
| - | + | ||
| - | Can you break the LCG and predict the RNG stream so that in the end you find the entire plaintext ? | + | |
| - | + | ||
| - | You may use this starting code: | + | |
| - | <code python 'ex3_weak_rng.py'> | + | |
| - | import sys | + | |
| - | import random | + | |
| - | import string | + | |
| - | import operator | + | |
| - | + | ||
| - | #Parameters for weak LC RNG | + | |
| - | class WeakRNG: | + | |
| - | "Simple class for weak RNG" | + | |
| - | def __init__(self): | + | |
| - | self.rstate = 0 | + | |
| - | self.maxn = 255 | + | |
| - | self.a = 0 #Set this to correct value | + | |
| - | self.b = 0 #Set this to correct value | + | |
| - | self.p = 257 | + | |
| - | + | ||
| - | def init_state(self): | + | |
| - | "Initialise rstate" | + | |
| - | self.rstate = 0 #Set this to some value | + | |
| - | self.update_state() | + | |
| - | + | ||
| - | def update_state(self): | + | |
| - | "Update state" | + | |
| - | self.rstate = (self.a * self.rstate + self.b) % self.p | + | |
| - | + | ||
| - | def get_prg_byte(self): | + | |
| - | "Return a new PRG byte and update PRG state" | + | |
| - | b = self.rstate & 0xFF | + | |
| - | self.update_state() | + | |
| - | return b | + | |
| - | + | ||
| - | def strxor(a, b): # xor two strings (trims the longer input) | + | |
| - | return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)]) | + | |
| - | + | ||
| - | def hexxor(a, b): # xor two hex strings (trims the longer input) | + | |
| - | ha = a.decode('hex') | + | |
| - | hb = b.decode('hex') | + | |
| - | return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)]) | + | |
| - | + | ||
| - | def main(): | + | |
| - | + | ||
| - | #Initialise weak rng | + | |
| - | wr = WeakRNG() | + | |
| - | wr.init_state() | + | |
| - | + | ||
| - | #Print ciphertext | + | |
| - | CH = 'a432109f58ff6a0f2e6cb280526708baece6680acc1f5fcdb9523129434ae9f6ae9edc2f224b73a8' | + | |
| - | print "Full ciphertext in hexa: " + CH | + | |
| - | + | ||
| - | #Print known plaintext | + | |
| - | pknown = 'Let all creation' | + | |
| - | nb = len(pknown) | + | |
| - | print "Known plaintext: " + pknown | + | |
| - | pkh = pknown.encode('hex') | + | |
| - | print "Plaintext in hexa: " + pkh | + | |
| - | + | ||
| - | #Obtain first nb bytes of RNG | + | |
| - | gh = hexxor(pkh, CH[0:nb*2]) | + | |
| - | print gh | + | |
| - | gbytes = [] | + | |
| - | for i in range(nb): | + | |
| - | gbytes.append(ord(gh[2*i:2*i+2].decode('hex'))) | + | |
| - | print "Bytes of RNG: " | + | |
| - | print gbytes | + | |
| - | + | ||
| - | #Break the LCG here: | + | |
| - | #1. find a and b | + | |
| - | #2. predict/generate rest of RNG bytes | + | |
| - | #3. decrypt plaintext | + | |
| - | + | ||
| - | # Print full plaintext | + | |
| - | p = '' | + | |
| - | print "Full plaintext is: " + p | + | |
| - | + | ||
| - | + | ||
| - | if __name__ == "__main__": | + | |
| - | main() | + | |
| - | </code> | + | |
| + | <hidden> | ||
| + | The solution is {{:ic:laboratoare:lab2_sol.zip|here}}. | ||
| + | </hidden> | ||
