Encryption Lab [10 points]
These exercises are based heavily on those developed at SEED Labs.
Exercises
- [2 points] Decrypt the following ciphertext that was encoded using a monoalphabetic substitution cipher. Note: This cipher uses both upper and lower case characters as well as punctuation. Spaces are encoded as spaces.
WbwOB.Cl b;A.;bbB.;A BbEO.BbH wBiHHZm.Hw.pq.;UBl bGpbBC.Hbd BU;A.;A eBix wBlpCiABUpMl U;m wixpOCbB HbwOB.Cl CMBiOAM MUBm-UBb CUxpbBZBbH.HCU;wb Ci U o;i-qbmAb ie bwi;ix.wHd Uppq.bm pHlwMiqiAld iBAU;.,UC.i;H U;m CMb qU-z WlHCbx b;A.;bbB.;A Ho.qqHd eBix fOH.;bHH pBiwbHH U;UqlH.H CMBiOAM HieC-UBb b;A.;bbB.;A Ci bhUqOUC.i; U;m CbHC.;Ad UBb UqHi .xpiBCU;Cv fOC CMbl UBb ;iC HOee.w.b;Cd UH CMbl mbUq i;ql -.CM bBBiB U;m x.HwMU;wb BUCMbB CMU; xUq.wbz KMb HbwOB.Cl b;A.;bbB UqHi ;bbmH Hixb Ho.qq UC UmhbBHUB.Uq CM.;o.;Ad kOHC q.ob U wMbHH pqUlbBv liO ;bbm Ci MUhb HCOm.bm qiCH ie UCCUwoH CMUC -iBobm .; CMb pUHCd eBix CMb.B ipb;.;AH CMBiOAM CMb.B mbhbqipxb;C Ci CMb iOCwixbHz
Provide the character substitutions and the corresponding plaintext.
- [2 points] To understand the error propagation property of various encryption modes, complete the following:
  - Create a text file that is at least 1000 bytes long.
  - Encrypt the file using the AES-128 cipher (provide a password and IV if needed).
  - Unfortunately, a single bit of the 55th byte of the encrypted file got corrupted. You can cause this corruption by using the bless hex editor to change the 55th byte to another value of your choosing (but different from the ciphertext value at byte 55). Note: bless will sometimes throw an error saying no disk space is available; if it does, use File->Save As instead of Save (see https://askubuntu.com/questions/954935/bless-error-for-saving-space).
  - Decrypt the corrupted ciphertext file using the correct key and IV.
How much information can you recover by decrypting the corrupted file, if the encryption mode is ECB, CBC, or OFB respectively? Answer this question before you conduct this task, and then determine whether your answer is correct after you finish this task (no points off if your initial intuition is incorrect). After conducting this experiment, explain how much information can be recovered with each mode, despite the data corruption, and provide a short justification for your answers for each mode.
- [3 points] Write a program to decrypt this ciphertext. You know the following:
  - The aes-128-cbc cipher was used for the encryption.
  - The IV used was: 0123456789ABCDEF
  - The key used to encrypt the plaintext is somewhere in this English dictionary and is shorter than 16 characters.
  - The plaintext is composed primarily of words in the English dictionary.

Since the key is shorter than 16 characters (i.e., 128 bits), pound signs (#, hexadecimal value 0x23) are appended to the end of the key to form a key with a length of 16 bytes (i.e., every key is padded with # until it is 128 bits long).
Your program should try all possible keys from the English dictionary and find a way to determine which is the most likely key for the ciphertext. You can assume the plaintext is composed of many English-language words arranged into sentences (e.g., the plaintext is not gibberish or random). Hint: You'll need to come up with a way to determine if the recovered plaintext is composed of words in the dictionary provided.
Submit the key and the plaintext you recover along with your program. Also note how long it took your program to run. List two reasons why the aes-128-cbc cipher is not a good choice for securely storing passwords in a database.
- [3 points] Web sites often parse input from a web browser using a query string. A query string comes after the site's address, starts with a ?, then contains an arbitrary number of name=value pair parameters separated by & characters. An example is: www.example.com?animal=unicorn&color=silver which passes parameters animal and color with values unicorn and silver.
I've created an insecure website that takes parameters id, value1, and optionally value2. In an attempt to ensure the parameters come from valid users, this web site parses the query string and calculates a Message Authentication Code (MAC) using a shared secret that both the user and web site know. In this case the shared secret is "cs55sharedsecret". The site compares the calculated MAC with a MAC passed by the browser in the query string. If the two MACs match, the site accepts the user's input; otherwise it rejects the input. For example, the following query string is valid:
https://cs.dartmouth.edu/~tjp/cs55/labs/EncryptionLab/encryptionlab.php?id=123&value1=test&mac=a9fe99f6b722b31f8a562953c9e5c6cb3b0eb8b6dba0cd2888b112a068088ca1
In this example the web site hashes cs55sharedsecret:id=123&value1=test (if a value2 parameter was passed it would be appended like value1 before hashing) with the SHA256 algorithm and compares the result with the MAC provided in the query string (here the MAC provided in the query string is a9fe99f6b722b31f8a562953c9e5c6cb3b0eb8b6dba0cd2888b112a068088ca1). In this case a SHA256 hash of cs55sharedsecret:id=123&value1=test matches the MAC passed in the query string, so the web site accepts the input, believing the user must have known the shared secret.

Assume an adversary sees the valid query string above sent by a legitimate user but does not know the shared secret. Create a hash extension attack on this web site that uses the valid input, adds a value2 parameter with whatever value you'd like, and passes a valid MAC. The web site should accept your input. Note: when padding the query string, change \x to %. For example, \x80 in the padding should be replaced with %80.
Submit a short description of your query string and why the web site considers it valid along with a screen shot of the web site accepting your input. While the adversary does not know the password, what do they need to know about it in order for the attack to be successful? How might the adversary get this information? Finally, describe a better approach to validating user input instead of using a MAC as this web site does (but don't just say use <some library>).
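For contrast with the scheme described above, the following added example (not the lab site's code) writes out HMAC-SHA256 next to the page's secret-prefix construction and wraps it in a stricter check. The `&mac=` suffix layout, the parameter whitelist and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

SECRET = b"cs55sharedsecret"          # shared secret given on the page
ALLOWED = {"id", "value1", "value2"}  # parameters the page says the site takes

def prefix_mac(msg: bytes) -> str:
    # The page's scheme: SHA256(secret ":" msg). The tag is the hash's final
    # internal state, which is the property the exercise relies on.
    return hashlib.sha256(SECRET + b":" + msg).hexdigest()

def hmac_sha256(key: bytes, msg: bytes) -> str:
    # HMAC (RFC 2104) written out: H((K ^ opad) || H((K ^ ipad) || msg)).
    if len(key) > 64:                  # SHA-256 block size is 64 bytes
        key = hashlib.sha256(key).digest()
    key = key.ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    # The tag is a keyed hash of the inner digest, so it is not a state that
    # can absorb further message bytes without the key.
    return hashlib.sha256(opad + inner).hexdigest()

def sign(msg: str) -> str:
    return f"{msg}&mac={hmac_sha256(SECRET, msg.encode())}"

def verify(query: str) -> bool:
    # Hardened check: HMAC tag, strict parameter set, constant-time compare.
    msg, sep, tag = query.rpartition("&mac=")
    if not sep:
        return False
    try:
        pairs = parse_qsl(msg, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return False
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)) or not set(names) <= ALLOWED:
        return False                   # duplicate or unexpected parameter
    expected = hmac_sha256(SECRET, msg.encode())
    return hmac.compare_digest(expected.encode(), tag.encode())

if __name__ == "__main__":
    query = sign("id=123&value1=test")
    print(query, verify(query))
```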
Submission Instructions
Create a single .pdf file with your answers to these exercises. Zip your code files together with your .pdf into a single file and submit that file via Canvas. In the text box on your Canvas submission, provide the names of your partners. Only one partner need submit.
Grading rubric
Exercises 1 and 2 [2 points each]:
- 0.0: Nothing of substance
- 1.0: Your solution needs significant work
- 1.5: Mainly correct (small mistakes/errors)
- 2.0: Correct.
Exercise 3 [3 points]:
- 1 point: decrypt ciphertext with each possible key
- 2 points: find the most likely key and show the plaintext.
Exercise 4 [3 points]:
- 1 point: reset SHA256 algorithm to the state from the valid message
- 1 point: calculate padding
- 1 point: get web site to accept input with your own value2 parameter.