Cryptography old and new

Join Jonni Bidwell on a journey of making and breaking, mystery and intrigue…

For as long as there have been stories there have been secrets – words unspoken for tactical advantage or for fear of reprisal. Secrets often need to be sent afar, and their remaining secret en route is of paramount importance. So it was when Xerxes’ attack on Sparta was thwarted by Demaratus (a Greek exile living in Persia, whose warning message was sent to Sparta hidden on an apparently blank wax tablet). And so it is when you send your credit card details across the ether to pay for gadgets, snacks or socks.

Most people will likely be familiar with a substitution cipher, in which one letter is replaced by another. The best-known of these is the Caesar cipher, in which each letter is replaced by one a fixed distance further down the alphabet, wrapping around when one runs out of letters. It is said that Julius Caesar used this method, replacing A with D, B with E, and so on, wrapping around with A replacing X, whereas his nephew Augustus favoured a shift of just one letter, in which A is replaced by B, B by C etc, but with no wraparound, so that Z is replaced by the symbol AA.

The Kama Sutra also describes, among other rather more interesting tricks, the art of mlecchita-vikalpa (secret writing). It details a substitution cipher in which letters are paired and interchanged by a fixed random scheme, so that lovers can “conceal the details of their liaisons”. An even older substitution system is Atbash, originally found in old (circa 500 BC) Hebrew texts. Here the first letter of the alphabet, aleph, is replaced by the last, tav; the second, beth, by the second to last, shin, and so on, effectively reversing the alphabet. The latinic equivalent is interchanging A and Z, B and Y, and so forth. The ROT13 system (a Caesar cipher with a shift of 13) is still used on some websites and newsgroups to obfuscate plot spoilers, punchlines or naughty words.

“The Kama Sutra describes, among other more interesting tricks, the art of secret writing.”

These monoalphabetic substitution ciphers (MSCs) are not in any way cryptographically secure by today’s standards, but in their time they were likely effective enough – the highway bandits of Caesar’s time being likely illiterate, unlike the masterful wordsmiths of the modern internet. These ciphers do contain a germ of the idea of the modern cryptographic key, though. Whether it’s the length of the shift in a Caesar cipher, the dimensions of the [...], or the pairings used in the Kama Sutra (no, not those pairings), knowledge of the method of encryption, together with the key, allows one to decipher the message.

We have 26 possible keys (including the trivial zero-shift) for a Caesar cipher, whereas ROT13 and Atbash are essentially single-key systems. The Kama Sutra cipher has a fairly large keyspace – there are about 8 trillion (8 followed by 12 zeroes) unique ways of pairing the alphabet. The general MSC has an astounding number of possible combinations (26 factorial – about 4 followed by 26 zeroes – or a little more than 88 bits in modern binary terms), but size isn’t everything... The Arab polymath Al-Kindi, in a ninth-century manuscript titled On Deciphering Cryptographic Messages, gave the first description of breaking MSCs by frequency analysis – exploiting the fact that in an ‘average’ message, some letters will occur more frequently than others. For example, in English the letter ‘e’ occurs with a relative frequency of about 13%, followed by ‘t’ with 9%, and so on. This is why Scrabble scoring is the way it is – the more common the letter, the less it scores. Other languages have different letters and frequencies, but the principle remains the same: replace the most frequently occurring letter in the ciphertext with the most frequently occurring letter in the language, then repeat for the next most frequent letter, and continue until you are able to fill in the blanks. The original message might not have exactly the same letter frequencies as the language, but provided it’s long enough it will at least be close enough that decryption will be possible with a little tweaking.

50 LXF189 October 2014 www.linuxformat.com


Don’t panic, Colonel

This triptych shows another WWI example: the ADFGX cipher (these letters were chosen because they’re different in Morse code). The first plate is the fractionating key: it encodes each letter of our alphabet (sans the letter z because the LXF style guide doesn’t like it) into a bigram, so that our message ‘kernel panic’ encodes to XF GA DA GF GA AG DX GD GF FD FA (the space is ignored). In the second plate, we fit this message onto a grid below a second keyword, ‘LINUS’, which is our transposition key. In practice, a longer transposition key would have been used, and both keys would be changed according to a daily code book. We rearrange the columns by putting the second key in alphabetical order, and then read off the ciphertext column-wise. Thus our encoded message is FGGGA XAADF GFDF DAGD AGXF.
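The caption’s encoding, worked through in code. This is an added example, not the magazine’s: since the fractionating square of the first plate is not reproduced in the text, the square below is a constructed one, chosen so that ‘kernel panic’ under the key LINUS gives exactly the ciphertext quoted above. The decrypt routine shows how the receiver recovers the column lengths from the message length alone.

```python
# ADFGX cipher: a 5x5 fractionating square turns each letter into a bigram of
# the letters A, D, F, G, X, then a keyed columnar transposition scrambles the
# bigram letters. Added example; the square is constructed so that the
# caption's 'kernel panic' / LINUS example encodes identically.

LABELS = "ADFGX"

# Constructed fractionating square (rows and columns both labelled A D F G X).
# The alphabet has no 'z', matching the article's 25-letter square.
SQUARE = [
    "bdflg",
    "rhjmp",
    "cioqs",
    "eantu",
    "vwkxy",
]


def _letters_only(text):
    """Keep letters, lower-cased; spaces and punctuation are dropped."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def fractionate(plaintext):
    """Step one: replace every letter by its row/column bigram."""
    out = []
    for ch in _letters_only(plaintext):
        for r, row in enumerate(SQUARE):
            if ch in row:
                out.append(LABELS[r] + LABELS[row.index(ch)])
                break
        else:
            raise ValueError("letter %r is not in the square" % ch)
    return "".join(out)


def _column_order(key):
    """Column indices in alphabetical order of the key letters (stable for repeats)."""
    return sorted(range(len(key)), key=lambda i: key[i])


def adfgx_columns(plaintext, key):
    """Step two: write the bigram text row-wise under the key and read the
    columns off in key order. Returns the columns so the grouping matches the caption."""
    frac = fractionate(plaintext)
    k = len(key)
    cols = [frac[i::k] for i in range(k)]
    return [cols[i] for i in _column_order(key)]


def adfgx_encrypt(plaintext, key):
    return "".join(adfgx_columns(plaintext, key))


def adfgx_decrypt(ciphertext, key):
    """Undo the transposition (column lengths follow from the message length),
    then map each bigram back to its letter."""
    k = len(key)
    full, extra = divmod(len(ciphertext), k)
    lengths = [full + (1 if i < extra else 0) for i in range(k)]
    cols = [""] * k
    pos = 0
    for i in _column_order(key):
        cols[i] = ciphertext[pos:pos + lengths[i]]
        pos += lengths[i]
    frac = "".join(cols[i][r] for r in range(full + 1)
                   for i in range(k) if r < lengths[i])
    pairs = zip(frac[0::2], frac[1::2])
    return "".join(SQUARE[LABELS.index(a)][LABELS.index(b)] for a, b in pairs)


if __name__ == "__main__":
    print(" ".join(adfgx_columns("kernel panic", "LINUS")))   # FGGGA XAADF GFDF DAGD AGXF
    print(adfgx_decrypt(adfgx_encrypt("kernel panic", "LINUS"), "LINUS"))  # kernelpanic
```

Note that the two keys play different roles: the square decides which pairs of signal letters stand for which plaintext letter, and the transposition keyword decides where those signal letters end up, which is what breaks up the bigram structure that simple frequency analysis would otherwise latch on to.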

The discovery of the 1586 Babington Plot (which sought to assassinate Queen Elizabeth I) led to Mary Queen of Scots and her co-conspirators being executed after their correspondence was decrypted by renowned codebreaker Thomas Phelippes. Letters between Mary and Babington had been encrypted by substitution using symbols mostly from the Greek alphabet, and Phelippes was able to forge an addendum to one of Mary’s letters requesting the identities of the co-conspirators. Once they were thus incriminated, heads were off’d.

A milestone in the history of cryptography was the invention of the so-called Vigenère cipher in 1553. This was actually the work of cryptologist Giovan Battista Bellaso, who built on the ideas of Trithemius and Alberti. Vigenère did in fact publish a stronger autokeying cipher in 1586, but history has misattributed this earlier cipher to him. The cipher is a polyalphabetic substitution cipher which uses a keyword to switch cipher alphabet after each letter. Each letter is encrypted by a Caesar cipher with shift determined by the corresponding letter of the keyword. This (providing the keyword has more than one unique letter) thwarts traditional frequency analysis. The cipher was considered so strong that it was dubbed le chiffre indéchiffrable, and indecipherable it remained until work by Babbage and Kasiski in the mid-19th century. Their efforts centred on isolating the length of the key: once that is known then the ciphertext can be separated into as many chunks; each chunk will be encrypted by a different Caesar shift, which is easily dealt with by frequency analysis.

Later, the ADFGX cipher was augmented with the letter V to make the imaginatively-titled ADFGVX cipher. In 1918, in a phenomenal tour-de-force, the French cryptanalyst Georges Painvin managed to decrypt an ADFGVX-encrypted message which revealed where the German forces were planning to attack Paris. Painvin lost 15kg of body weight over the course of this crypto-toil.

One may wonder if anyone can make a truly unbreakable cipher, and one may be shocked to learn that such a thing already exists. That it has been patented since 1917 may leave one so utterly aghast as to impinge permanently on one’s health, but this is fact nonetheless. The chap responsible (for the patent at least) was Gilbert Vernam, and his invention is known as the One Time Pad. The trick is to ensure that there is as much key material as there is plaintext, that the key material is entirely random and perfectly secret, and no part of the key material is used more than once. In practical terms, though, Vernam’s system is largely useless. Generating truly random material is difficult, as is distributing a huge amount of it in secret and ensuring its destruction post-use.

Enigmatic mathematics

Wartime cryptography relied heavily on codebooks which contained daily keys, and these had a bad habit of falling into enemy hands. Once such a breach occurred and news of it reached HQ, generals were faced with the tremendous logistical problem of alerting relevant personnel as to the breach and then manufacturing and distributing new key material. Long-range naval missions often failed to receive this, necessitating that messages be retransmitted using old keys. This exchange was sometimes intercepted, providing clues as to the new key. During World War I, the decrypting of the Zimmermann telegram (which invited Mexico to ally with Germany) was instrumental to American involvement in the war.

By World War II the Germans had upgraded the Enigma series of machines to present a sufficient cryptographic challenge to Bletchley Park. Polish researchers had broken the original design as early as 1932, and just prior to the outbreak of war they shared their intelligence with the British. Alan Turing designed the Bombe machine, which by 1940 was doing a fine job of breaking Jerry comms. The Enigma machine, despite having a huge number of rotor, plugboard and stecker settings, had a weakness in that a letter was never encrypted to itself. This vastly reduced the amount of work that the Bombe and the computers (usually women with a good eye for detail and skill at crossword puzzles) had to do. After a letter was typed on the Enigma, the cipher alphabet was changed by the rotor mechanism, in a manner not dissimilar from the Vigenère cipher. There were other layers of encryption too, but a lot of these were constant settings made redundant when Enigma machines were captured. By the end of the war there were around 200 Bombes in use throughout England. The Americans, being in a much better position for obtaining supplies, were able to build and design 125 much faster Bombes, and the Allies were able to farm out work to these remote behemoths via (encrypted) cable.


Turing’s genius notwithstanding, much of the Enigma traffic was decrypted thanks to sloppy operational security. Message keys could have been changed with every transmission but were not, or when they were the change was only slight and easily guessed. Numbers were often spelled out, so ‘einsing’ was a common technique – looking for occurrences that might decrypt to ‘eins’. If numerals had been allowed, this technique would have failed.

In the 1970s, two developments brought the cryptography game into the computer age. The first of these developments was the Data Encryption Standard (DES), a block cipher based on work by Horst Feistel at IBM. Prior to its standardisation, it was slightly modified at the behest of the NSA. With no reasons being cited for these agency-mandated changes, suspicions were raised about a possible back door. Two decades later, it emerged that the opposite was true: the S-boxes of the original cipher were susceptible to a technique called ‘differential cryptanalysis’, which at the time (cryptography being considered a munition) was classified. The NSA changes made the cipher more resistant to the technique, although they did also recommend a smaller 48-bit, as opposed to 64-bit, key size. Being the first publicly available cipher, DES became the subject of intense scrutiny and in many ways bootstrapped serious academic study of cryptography. While the thousands of pages of journal articles on the subject provide all manner of theoretical attacks on DES, by far its most serious weakness is the short key size. IBM and the NSA eventually compromised on a nominal 64-bit key, but eight of these 64 bits were redundant checksum bits. At the time of its introduction this was probably sufficient, but in the early 1990s machinery was proposed that could brute-force a key within hours. In 1997 an Internet-wide project successfully cracked a DES key for the first time. In 1998, the Electronic Frontier Foundation built a device (for a princely $250,000) which successfully cracked a key in a little over two days.

Among the other attacks on DES it’s worth mentioning Matsui’s ‘linear cryptanalysis’. The attack involves building up approximations to parts of the cipher by finding modulo 2-linear expressions that hold with a probability significantly different from 0.5. By collecting a huge number (2^43) of plaintext-ciphertext pairs, one can deduce a sufficient number of bits of the key that the remainder can be brute-forced. Linear expressions can be found speedily thanks to the Walsh-Hadamard transform, and modern ciphers all are very careful to include a heavily nonlinear component to mitigate against these attacks. In some ways one can look at Matsui’s work as an abstraction of basic letter frequency analysis, using characteristics of the cipher rather than the language, and 1s and 0s rather than characters.

Going public key

The other good thing to come out of the ’70s was Public Key Cryptography. This finally solved the problem of being able to communicate securely without first having to meet in order to establish a shared secret. The method is called the Diffie-Hellman key exchange, after the gentlemen responsible for its invention. It exploits the chiral mathematics of finite fields, in which it’s straightforward to exponentiate an element (that is, raise a number to a power), but very difficult to conduct the opposite process, known as the discrete logarithm. Thus field exponentiation is an example of a ‘one way function’. The illustration (at the foot of the facing page) shows an example of the exchange between Alice and Bob, who are fairly ubiquitous in cryptographic literature. The shared secret s = g^ab can be calculated by both Alice and Bob. An onlooker, Oscar say, can see the public keys A and B, and the exchange parameters g and p, but these are of no help in deducing the shared secret s unless one of the secret keys a or b is also known.

Once thusly established, the shared secret s can be used as an ephemeral encryption key for a symmetric cipher, such as DES. The secret keys a and b could at this point be destroyed, which would ensure so-called perfect forward secrecy, but a proper public key infrastructure would require that private and public keys remain largely immutable. Further, public keys should be as well-advertised as possible, to reduce chances that a man in the middle, say Mallory, could impersonate either party with a bogus public key: the exchange provides confidentiality, but doesn’t of itself guarantee authenticity. To achieve the latter, one needs to be sure of whose public keys belong to whom. To do this in general, one requires a trusted third party,

Advanced Encryption Standard

AES was introduced as a replacement for DES in 2001. To date it has defied all cryptanalytic efforts to find weaknesses. One reason for its selection was its relatively simple structure. There are four main layers, repeated over several rounds. With a bit of imagination, one can see echoes of the ADFGX cipher in the ShiftRows stage. The SubBytes stage is the only non-linear part of the cipher. Typically linear operations are much quicker to carry out, but without a non-linear stage a cipher will be trivial to break using the methods introduced by Matsui.
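Returning to the Diffie-Hellman exchange of the ‘Going public key’ section: the exchange between Alice and Bob, and what Oscar sees, as an added example that is not the article’s own. The parameters g and p and the private exponents a and b are constructed fixed values so the run is reproducible; the SHA-256 step that turns s into a symmetric key is an assumed derivation (real protocols use a proper key-derivation function and a standardised group), and the brute-force discrete-log routine is only there to show, on a toy modulus, which direction of the one-way function is the hard one.

```python
# Diffie-Hellman: Alice and Bob agree public g and p, keep private a and b,
# exchange A = g^a mod p and B = g^b mod p, and both compute s = g^(ab) mod p.
# Added example, not from the article. Fixed demo values; real code draws
# a and b with secrets.randbelow() and uses a standardised, much larger group.
import hashlib

P = 2 ** 127 - 1   # a Mersenne prime: constructed demo modulus, far too small for real use
G = 3              # base for the demonstration


def public_key(private, g=G, p=P):
    """The easy direction of the one-way function: modular exponentiation."""
    return pow(g, private, p)


def shared_secret(their_public, my_private, p=P):
    """Each side raises the other's public value to its own private exponent:
    Alice gets B^a = g^(ba), Bob gets A^b = g^(ab), the same number mod p."""
    return pow(their_public, my_private, p)


def ephemeral_key(secret, length=16):
    """Assumed derivation: hash the shared secret's bytes down to a symmetric key."""
    size = (secret.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()[:length]


def discrete_log_bruteforce(g, h, p):
    """The hard direction, by exhaustive search: find x with g^x = h (mod p).
    Only feasible because p is tiny here; the work grows with the size of p."""
    value = 1
    for x in range(p):
        if value == h:
            return x
        value = value * g % p
    return None


def dh_exchange(a, b, g=G, p=P):
    """Run the exchange. 'public' is everything Oscar sees on the wire."""
    A, B = public_key(a, g, p), public_key(b, g, p)
    return {
        "public": (g, p, A, B),
        "alice": shared_secret(B, a, p),
        "bob": shared_secret(A, b, p),
    }


if __name__ == "__main__":
    # constructed private exponents (fixed so the output is reproducible)
    result = dh_exchange(123456789012345678901234567890, 98765432109876543210987654321)
    print(result["alice"] == result["bob"], ephemeral_key(result["alice"]).hex())
    # toy parameters from a textbook-sized group: Oscar recovers a only because p = 23
    print(discrete_log_bruteforce(5, public_key(6, 5, 23), 23))
```

Oscar holds g, p, A and B; turning A back into a is exactly the discrete-logarithm problem the text describes, and the brute-force routine makes the asymmetry concrete: exponentiation costs a handful of multiplications regardless of p, while the search costs up to p steps.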


Development of modern principles

Over the last 150 years, a few key principles have been developed which (with small adjustments to allow for new technologies) still give a good idea of what the cryptography game is all about. The first is Kerckhoffs’s [this apostrophe catastrophe brought to you by Wikipedia] principle: that knowledge of the encryption method alone should not be considered a threat to the security of the message. So long as the key is not compromised, this knowledge will be of no help. This is counter to the idea of security by obscurity, which, although it intuitively might seem reasonable, is considered bad form nowadays. The CSS copy-protection system used on DVDs was broken in 1999 after reverse engineering of the Xing software revealed a player key and the underlying cipher (which turned out to be woefully poor). Likewise, the KeeLoq mechanism for remotely unlocking vehicles was broken in 2006 after part of its design was leaked.

Claude Shannon is often called the founder of Information Theory. In 1949 he introduced the ideas of Confusion and Diffusion for ciphers. Confusion advocates that the relationship between plaintext, ciphertext and key should be as complicated as possible. In terms of modern block ciphers this should mean each output bit depends in a non-linear manner on several key- and input bits. Diffusion refers to the idea that changing one key- or input bit should have a fairly drastic effect on the output. Ideal diffusion results in the strict avalanche criterion: that each output bit should change with probability 0.5 when one key- or input bit is flipped.
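Shannon’s strict avalanche criterion measured directly: flip each input bit in turn and count the output bits that change. This is an added example, not part of the box above. A toy XOR ‘cipher’ with a constructed key stands in for a purely linear transform (every output bit depends on exactly one input bit, so flipping one input bit flips one output bit), and SHA-256 from Python’s hashlib stands in for a modern primitive with good diffusion.

```python
# Measuring diffusion: for every input bit, flip it and count how many output
# bits change. The strict avalanche criterion wants about half of them.
# Added example; the XOR key and the sample block are constructed values.
import hashlib

KEY = bytes(range(32))   # constructed 256-bit key for the toy linear cipher


def xor_cipher(block):
    """Purely linear: output bit i depends on input bit i and nothing else."""
    return bytes(x ^ k for x, k in zip(block, KEY))


def sha256_block(block):
    """Stand-in for a primitive with strong confusion and diffusion."""
    return hashlib.sha256(block).digest()


def _flip_bit(data, bit):
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def _differing_bits(x, y):
    return sum(bin(a ^ b).count("1") for a, b in zip(x, y))


def avalanche(func, block):
    """Average fraction of output bits that change when a single input bit is
    flipped, taken over every bit position of `block`."""
    base = func(block)
    out_bits = 8 * len(base)
    total = 0.0
    for bit in range(8 * len(block)):
        total += _differing_bits(base, func(_flip_bit(block, bit))) / out_bits
    return total / (8 * len(block))


SAMPLE = b"Confusion and diffusion - Shannon 1949!!"[:32]   # constructed 32-byte input


if __name__ == "__main__":
    print("xor   :", avalanche(xor_cipher, SAMPLE))      # exactly 1/256
    print("sha256:", avalanche(sha256_block, SAMPLE))    # close to 0.5
```

A cipher scoring like the XOR line leaks the structure of its input straight through to the output, which is what Matsui’s linear approximations exploit; a score near 0.5 is the behaviour a round structure such as AES’s SubBytes plus ShiftRows/MixColumns is designed to reach after a few rounds.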

known as a Certificate Authority (CA), to act as a directory of keypair owners.

Since public key cryptography is such a different animal from its private counterpart, one can use various bits of mathematical trickery to reduce the search space to one significantly smaller than that of a brute-force attack. This being so, the classic public key systems all have much longer keys. For example, the AES algorithm is considered secure with a 128-bit key, but people are already concerned that 1,024-bit RSA keys are no longer secure. The new-fangled Elliptic Curve cryptography, based again on discrete logarithms but in a more abstract algebraic space, offers shorter keys, but still of the order of twice the security parameter. The security of all these public key systems rests on the supposed intractability of factoring integers and the discrete logarithm problem. While mathematicians have studied these problems extensively and come up with some good tricks for speeding up the process, they both remain sufficiently time-consuming to solve as to still be considered secure – at least on conventional hardware.

Up until 1992 cryptographic software was classified as a form of munitions in the US, and even after this date was governed by export restrictions. These precluded the export without licence of any software using a key length of more than 40 bits. This led to a lengthy criminal investigation of PGP founder Paul Zimmerman, which ended in nought. Zimmerman came up with novel ways of circumventing these restrictions, including publishing the source code as a book, protected by the First Amendment. Netscape was forced to release a crippled ‘International Edition’ which permitted only 40-bit SSL keys, in contrast to its 128-bit US edition.

Are you Shor?

In 1994, Peter Shor announced an algorithm which could be run on a quantum computer which would enable it to (among other things) factor integers and compute discrete logarithms much faster than a classical computer. While no one has yet succeeded in building the right kind of quantum computer, there’s sufficient concern to give rise to a burgeoning field of study known as post-quantum cryptography.

Perhaps a more practical concern is the problem of producing secure keys in the first place. This relies on being able to produce a sufficiently random stream of bits, which computers are notoriously bad at. On Linux we have the /dev/random and /dev/urandom nodes (go on, run the cat command on them), which both harvest entropy gathered from (among other sources) keyboard and mouse input in order to augment a pseudorandom number generator (PRNG). This is why it’s good practice to make erratic mouse gestures and batter the keyboard when running, for example, the ssh-keygen command.

A very early version of Netscape contained a weak PRNG that was seeded using the time of day and process ids. Since an attacker would be able to make educated guesses as to these variables, the supposedly randomly generated SSL keys could be broken. In 2008 sysadmins were sent into a widespread panic when it was revealed that OpenSSL was generating weak keys, and had been doing so for two years. More recently, Ed Snowden has revealed that the NSA paid RSA security to use a generator called Dual EC DRBG as the default in their software. The constants that the NSA recommends to initialise this generator with are suspected to have been contrived in such a way as to provide a back door into the algorithm.

Besides ciphers, an important concept is that of a hash function. This scrambles an input to a fixed length output (so if the input is longer than the output there could be collisions) in a one-way manner. Hashed passwords in Linux are stored in /etc/shadow. Originally the MD5 hashing algorithm was used, but nowadays SHA-512 is becoming the standard. Often we hear news of hackers managing to obtain databases, which often contain hashed passwords. If you are in possession of a large database, the popular John the Ripper password cracker is able to weed out any weak passwords in a matter of minutes. For research purposes we ran it on a real world database (which has several thousand users), and managed to get 2,500 passwords over the course of a few hours. Other tools such as oclHashcat can leverage GPU power as well, so database security is important, as is changing your password if it is compromised.

In sum, we have seen great changes in how we encrypt our secrets, but it’s important to see how we have been inspired by the past. Unfortunately, we make the same mistakes too – whenever security is breached, it is far more likely to be due to poor security practice than weaknesses in the cipher. Misconfigured servers, phishing attacks, malicious or lazy operators are by far the greater problem. LXF

Alice and Bob establish a shared secret s, without exposing their private keys.
