Three four five. Alright. So problem one is already there with seven for those who have not cracked problems. What are your thoughts on exactly the 0th vacation I fulfilled my balls. Okay that's fair. I don't. I don't ever expect Spring Break work happens how many how many other people ascribe to Paul's policy for all and as I said I know So so now as people were saying that they did not succeed in some way or another. How many of those people who did not succeed Ashley key that a couple hours or five hours of work. Ok. So to say you are the ones that can you know get some questions and things like that. He did not give him five hours. I don't go asking for Abe and yes you know that's that's the thing to get current. If you spend five hours earned the right to ask for it. That's cool. And I will do some pinky stuff later All right well how many people had a transformational experience from working on alright to S. That is billions of dollars and caught me and for the world built right there. Yeah that's that's where the oversight seats. So he plotted out the whole rest of the course. Here's my proposed schedule So this will be MAC week. MAC stands for Message Authentication Code. This is where we go into the temporary. So in your project to a non-trivial number of those seven problems involve tweaking bits and that causes the encryption not to fail with these wrong. So that's a problem if somebody can tweak bits in your ciphertext and it still decrypts. That's an issue like problem six you know somehow you're gonna be able to flip some bits and turn that cookie or given into a bad cookie where guest becomes admin and 0 becomes one. Somehow we're gonna be able to pull that off. MACs are how you fight that So this is these are signatures this is digital signatures. The symmetric key versions they don't call them digital signatures, called MACs. But it's the same thing. It will do. Digital signatures in the public-key version later. That's starting next week. 
We'll start our public key revolution. It will do Diffie-Hellman milk modeling poly Kelvin and Public-key infrastructures and things like that that we'll do RSA. And this is new I haven't done lectures on this before but again I'm I'm wanting this plastic and as many of the canonical like crypto coaches as it can. So animal lattice guys like on the lattice person or whatever And I'm going to travel on these six domains head. And as we asked me if they could do some guest lectures in quantum crypto and pop like post-quantum crypto is all lattice based. I thought if I do this to do like RSA attacks on My subtle RSA flaws or whatever the glass reduction and that my prep you for one group but now she might do something like entanglement to communicate like a stream cipher or whatever something like that. That's why it's interesting to me as plus one last piece of this. So you have to let me know which doesn't kisses tenant officially agreed. But elliptic curve crypto. And this has been ticking bomb extinction lifting curves. It will do it A digital signature algorithm and elliptic curve since you're over them. I'm not sure that they will actually take two lectures because of the abstract algebra abstract algebra. This is the place PSA tough pays off. Really. I learned this thing one way. And then after I tell him algebra tells me that a device over here at home construction or whatever as long as you can say hey I have a cyclic group cool any of your work and sigma Googlers here and you're just done. But in case it doesn't define several extra time. There will be Threshold Crypto which is pretty cool. That's the group secrets. That means you can't get unlocked unless you get five out of seven of us agreed to unlock it or all ten of us have to get together The other work that launched the Duke or whatever it is so Threshold Crypto. And then wrap up lecture and sort of timezone together with how all of this is seconds is what makes the blockchain for accolades. 
You choose your own adventure there. You take one of two other topics. So that's my proposed. Let's just stick to it. If you're a little for today's CTF problem work is here I think I might again I take time to go through with everybody but if you want to get ahead 13 lag slash flagged up PhD you wanna tackle that without any lose anything else like that. So just getting the concept that we want to do here is you gotta file files that go across the Internet. I'm going to forget encryption for a bit on the veil on Friday we will mix authentication and encryption. We're just going to solve the problem of authentication. That is plaintext. He told across the wire and you just want to know the plaintext has not been tampered. That's it because mixing encryption and authentication is actually with soul and it's subtle enough but I don't want to mix your minds up map. Let's just concentrate on authenticating. This bit of bytes has not been tampered with. Alright so how do you balance that you probably already have done this to some extent like like you've seen when you go to get your Adobe Flash Player updates. So everybody does this the MD5 checksum of that binary. Alright that means that they took that binary and before you run it on your computer you hash it and the thing I told you the hash should be changed by one bit that hash shouldn't match right so that's that's the idea of this on some level. That's not cryptographically secure. There's no secret involved or anything else like that. It's sort of a nicety to validate not a single bit has been messed with every republics There's a little bit less public which goes like this. I want to send along a message in plain text and this is going to be over here but it's a secret key and I'm going to do a little message authentication function that spits out what I call a tag or a signature or something like that. So what you're going to get is two things message signature that's recipient gets. 
The recipient's job is to take that message and run it through the same function with the same key and get their own version of the tag. And if that tag matches the tag in the sense like yeah okay I believe this if not to say reject this must have been tampered with. So the idea is that knowing the plain text you're going to process it your own way and you have a shared secret. Key is a shared secret that beneath and I exchanged a week ago. And we've just been waiting for this moment and we use our shared secret to validate that. This thing hasn't been tampered with anybody. Makes some sense. We're getting a little tiny tag. Just like a checksum. Yeah the reason the checksum is not so great or whatever is like If I were trying to distribute malware I would happily give you a checksum of my malware or whatever that's cool. There's nothing particularly trusted that shared key means that like that's a person that I swapped the T wave. And I know that I'm going to say so to some extent it's an issue generative internet is how do you know the trusted website we'll get to that next week. But generally these are sort of cryptographic Texans. Alright here's a little bit of math. Just every time we do this new topic like encryption code key generation and decryption or whatever. Here's this like high level functional version You take a message you say MAC with the key of the message. If the tag then you get a sort of nefarious possibly integrators version or wherever else you want to validate run the MAC with your key on the untrusted message. And you see if it's equal to the untrusted tag. That is you're like okay that's fine. There's no way to reduce the if so the goal of like the bad guys is what I call a forgery. What do you think the forgeries is based on that we're in this diagram that arose a non-offensive message verifying that still verifies right So I may some other message other than this one. 
That that person that back even though I don't know the key is going to say yes this is correct. All so so my forgery HashSet both signature and possibly an alternative message right there. And now I don't know the key or whatever else from the central on them. And I know they're going to like try to signing this thing or texting try this thing and they'll validate it even though nobody even knows that he actually was flying back message an instance of this I thought about this when I first got this class ages ago I thought like a local project could be something like this. You take a recommendation letter and recommendation letter said Dear so-and-so Committee and he is a terrible student that should we rely on anyway. Never shows up on time doesn't care about grades whatever all the stuff. And then your job will be to edit all the native stuff make them positive and then like play with whitespaces in every way that you can in order to get it to hash to the same value as the original message right that's a good forward. So it's inside on a letter username your positive letter and Silicon Valley. That's that's the ideal type of portrait. Now that's doable. If I kind of restrict you to I know Or by advice AND five or something like that the only if I restrict the size of that signature I think you guys could actually do that just by coming up with a million different ways to alter that message that are equivalent right you find a bunch of different uses historicity of synonyms for positive word. Try those out frightening for whitespace bindings. Whatever else has changed everything you can't really personally getting lazy people positive message and truth and build them. All obviously it's so many you're bound to get one that matches up with something. And so I didn't do that assignment ever seeing the back of the line for a fun life Thing that you could do this this is sort of why we want to do that message at least four years. 
Okay so here is again my textbook bullet point stop bookcases hasn't keyboard and second. Side are verified with the same key. We're going to produce secure authentication tag in the tag is associated with a particular message. I can take and messages of arbitrary length. All right so I could be all Moby Dick or whatever Any manipulation of the message anywhere should now invalidate the tag signature. You can know that the person is verify really does know the person who sent this message has access to that key like that. That's something that you should know this deep breath. Now if I'm in court this is something I like thinking about it as like a legal implications of crypto especially easily like moving this blockchain realm or whatever and we could do a whole namely crypto for the wall. If I were in court and I have a symmetric key message authentication side and say look judge this thing authenticates and definitely signed by him. And I'd say actually because we both know the secret key. So this one it it it can't be that like the whole world will be able to do it just to be able to know that fee. But if I'm being in trouble with the law and because digital signature I might policyKey I'd read it real quick and be like Do it. It's out there. Anybody could have done this you know and then just say wasn't me it was just somebody else into this bracket. So they can't refuse and private-key gets like a little bit better and nobody else should know or something like that. But that that's an interesting thing to say like Candidate a non repudiate animal signature for court. I think it's fun cryptographic problem to think about And when we get to the watching stuff like I think actually something that we can do in this room together who wanted to work on for summer but r is make a smart contract crypto backed will. 
So we manage the trusted somebody on a smart contract and only when their kid graduates from Harvard in the top ten of their class whatever else do they get the thing that allows them to get paid that way. We can do sort of all wills that are out there and blockchain anything. But first we gotta get this console. And ideally this tag should be sort of uniformly random but you should just totally just like white noise. That's that's always true. Alright so let's go. So here is the first thing that I hope you will think about fwrite. Maybe I could say what should you try what's wrong with just 75 of the message. Secrecy. Okay tigers and achieve secrecy concatenate the message and hash that how does up yeah and I think that like if I were you I think there's nothing wrong thinking that that's a totally fine way assign something. Right from this point in until his lecture is done. You have no reason to think that not just perfectly fine stick. And but if you don't like if you're not processing yet not copy whatever you say I get that. Y plus a talk. I'm not looking at anybody in particular. Let's look at the tables. Say okay why do I think this is a fine way to do this message authentication. It's Edwards not badly. You don't know why it's not. It's not for some really esoteric reason. Ignoring all else. Why would this be a fine thing to accomplish my goals cardiogram Okay let's look at that really good citizens and things like that. She said You do which my colleague Craig plaintext message was sent across the wire. I'm also going to generate your little like yes. And I think that I think is there a validated survey data method it has been. So why did I do Then we have a lot of fantasy where Dr. Atlas guy by putting it can be validated their presumed max Daphne and block them. Somebody tampered with us somewhere along as well because like artifice or whatever because Android sacred texts people deeper just vice versa It was not so high. 
So what are some thoughts on why that I think not knowing any other lacked the construction you think that this is totally my way to do this problem. I would have to brute force it right so if the hash is cryptographically secure I shouldn't go in reverse right you just shouldn't be able to reverse it. Now they know the message. So like the reversibility of this thing is isn't figuring out the key. But this involves the key right so writings that he any particular ways to totally change the hash out any one bit changes and the message that actually the different itself. So like this kind of checks all the boxes of what a signature scheme should do. Which is just take a little bit of private information throw it all public information hash it with a cryptographically secure hash algorithm. There's your tag we're all done. So it fails. In practice only for a really obscure reason which is this. It just happens to be that most of the cryptographically secure hash functions up through SHA-3 (SHA-3 does not have this weakness). Are. They're just like block ciphers under the hood. They like take in a fixed amount of text and spit out a fixed amount of interesting things. And then once you have that foundational kind of screw around mechanism in order to hash all day. They combine the next block with the previous hash in a fixed way. And so this is called the Merkle-Damgård construction to allow you to take a kind of a block cipher and turn it into a hash algorithm of sorts. Where we do something wacky like here it's a queue as law Sager But I'm undertaking a fixed some fixed amount of output And here's how I'm going to mix it up with future things. The issue is that and you call an issue it's not an issue like this sort of a everything we've done in this class as this kind of grayish feeling to it where it's like this is NSA secure. When used correctly all Agile NSA secure when used correctly. And that's why I keep harping on the CTF problems. Stuff like that. 
Whatever else is that to figure out when you're using a wrong takes a certain sensitivity to the things that can go wrong and just awareness. So here's the thing that can go wrong with this construction If I don't block by block by block by block what happens in my construction is that it slowly alters the state of my like hash machine. So it remembers the previous block and then incorporates the next block. So what I'm going to CTF problem of the day is going to be what I would call a hash extension attack. That is that you have to you know the hash of a string. You can now calculate a longer string that will have a hash that you can predict. One have the same hash is not finding a collision but you will be able to predict the hash of a longer string. And Murray gets crappy Is that I don't have to know the early blocks to get it right. So I don't have to know the earliest blocks to do this extension attack. Alright let's pull this off. So so here's years you doing this because it has a bunch of like kind of basically just happened. That's cool. So I'm going to do it and by doing it that pumped will the off I see. Alright install this little command line prompt library called HashPump. I guess everybody knows it's my last semester using Cloud9 For parent helps us kinda like everyone in the class because yeah I I brought out a solutions. I just like it says I can take forgetting middle schoolers be like I just go and click Go. And now you've got a whole server or whatever. And I can still needed yes version. And they want to get Amazon a grandma apples group. My credit card info Now that's exactly right. So I need another solution that's sort of a big wild in front door for just Brando's off the street isn't good picture. Okay so if I have an Amazon student account I can get Cloud9 without credit card. That would be cool tapers. If somebody says something like you got a fast process that's also bad back. 
I would test that out by Joe scholars All right so number do I install this locally but I'll do it over here on this site. Benzene always nerve-wracking For you are the ones they're the aggregate line. Cd and then access doesn't have to be using. Don't get just go to a place where you can hash. And I just want you to cache Daly Rules Wednesday or whatever secretly one like that. That's fine. If you want to put in some secret. Followed by some text fan and sort of write down and then here's how you do this hash expansion as Hak Tang minus S. Dash b will be the part that we you know so in this case banana would be like the public message at a secret that I don't know I want to append or make a new hash that has a payload. And so I'm going to make an extension that's accident but whatever I want at the end of this makes something that has a predictable hash with my favorite. My payload here who's going to be already said and I'll say Santa discrete choice. And then the last part is I say How long is the secret stuff that I didn't know if I know that if I don't know if Shi'a like case one case two this three phase four until something works. By here I happen to have the secret key and length eight And so what I get here as the output is a hex digest and this crazy as payload. And ends in salmon The thing I asked for starts with banana thing. I knew if I take this thing and I go back in the pipeline and I don't know that. I didn't know that secret but if I didn't get any cherry-pick personally does a secret and assigning this wherever. Oops Oh yeah. A success in SAS. And give me a say seven And so what was that what just happens now let's make the font faces. And and figure this out right. And tied together with y just hashing secret information and the message is not quite enough for a MAC. And they go solve the CTF problems because this shows up all the time substantially tax. So the idea was that any rules with secret and they signed the word banana. 
And I had the outputs of that signature because that's public the signature stuff. So I didn't know the secret part but I'm watching I'm watching across the Internet and I see oh here's a signature of the work but in cool. And I think that they're not using really like awesome setup for their signature scheme. So what I wanna do is make a forgery and I'm going to send along this payload was prom unit intercepted on the DNS chain or whatever. I'm going to make a new payload which is banana slash a bunch of junk Slash salmon. So I'm going to now make sure that this thing ends and Sandage somehow and I'm going to send them on my own signature this value. And I know that even though I didn't know integrals I know exactly what my hash. Right so a hash called didn't know any rules I didn't pass in that part. So I was like trying to test it right so I knew the rules they didn't and I could and I can get exactly the right hash autism. So that means I can creep up ri where i predict what their secret thing at the beginning followed by my crazy as payload will do. And I can make an arbitrary value to the very end of my paper. It always looks just like it sounds like I need to save it and essentially works or anything else like that. I can't replace now salmon like my ideal Audrey is going to be like. This said bad students and our place in the good students and they get it the sign. That's not. That's not how this weakness happens to show itself. And this is why I say is a bad Sam Ortiz leaving. So this signature like doesn't mean that this function is broken it or they can't use it in some way for signature thing whatever No not really it's just like a weird little factoid. You gotta know Which is that hashes are subject to hash extension attacks. This is the hash extension attack and now you can do it to get every successfully pull that all too often. This pattern. Yeah I call it my payload maybe or whatever. 
I think that that's 1.5 okay so when I look back at HashPump they gave me two things. They said this is what it will hash to And this is what you have to append to the secret to get that hash. I don't know the secret but I can at least make a prediction. And this is arbitrary. So I could put anything I want exactly like this. I can calculate something some of your payload that will make this work for any value. I want to be a very James interface that confidence. Okay cool. Alright so then do it ended this. Now try to see to get dropped. Why this is why. So here's my CTF problem. There's a secret and a flag that are hidden in a secret biases. I know the length of the flies age. I don't actually have to know that poses a tack off. This is saving you time. This is me being a nice that I'm going to show you your query whatever that means great. And then we say if you set username as a parameter Do this stop give not going to say here said excuse me username is Gaster fn. And then understanding the contents of the files that it reveals its own source before you just solve for the CTF out. Do you notice a power-aware alright and so if the username is Admin it's going to check my cookie. So Cookie is just sort of like payload goes in the network request. So I'm going to send one cookie which is just a key-value piece. I'm going to look for a signature and a cookie. And if the signature Is a valid MAC or it's the hash of the secret concatenated with the query string. So the whole thing I'm asking for I give that happens to match and I have username equals admin then they're going to tell me the flag. Otherwise you can say hey you need to sign this better. And if the guest that there isn't a sign for me with the package username equals guest and here's the secret. So let's try this out. First thing to do is get username equals guest. 
And you can see that by finding this stuff up here They're taking whatever sort of payload I put at the end of my URL as they are going to hash their secret which I don't know if it's like a random character as far as I know concatenated with PHP concatenated with username equals guest. So I have that. Now let me show you a cute little trick. This guy's checking my username right and it is a good check with another username. Admin work yes. If I put at the end of this username equals admin I now changed to bad signature. So when it comes to these URL parameters it's going to take the last one and that's what is going on. If in fact St. Pete multiple times. So we ask the question just recently over there modelling. What good does that do me to stick random stuff at the end of a payload. Well it'll override the earlier values that absolutely a KeyStore. So in this case I can say my username admin at the end of the table started with username equals guest. And now all I do is use this sort of cash come trick to make a signature that winds up. I don't know the secret. I just know it's length eight I know the payload that I know this username equals guest and I want to append to the end of that and username equals that. And then pass that along in my paper. There's sort of two things that are a little bit outside of the scope of the class per se. That is how do you set a cookie and the other one is how do you make the payload URL friendly because because if you see the payload over here I got this X slash B and stuff to make that sort of URL friendly. I will replace this with that. And this with that. So that's how you can URL encode arbitrary bytes. Type pulled up getting enough line. One said cookie. I probably just seeing a Chrome extension here where I can go on here Attica the signature. 
And now when I said that it'll send along with that and you can validate that by going to inspect given that workload I look at this request it has cookies signature lamps that says for this line is reading out the singer. I didn't want to make it some sort of weird dissection. Probably guessing you sort of the signature. Yeah that'd be fun problem but by saying it yet The basic problem incentive or you can do it in JavaScript you would say. It's a document 30 equals secondary current extension year called is the question. Okay In this course I told you I assert that the streaming us or they give you didn't know. You were faking yourself you can do. So in a real CTF. Flash is making its way through the DVDs. This is frightening to spread my bike I'm sorry it's not a it is a predictive ability. The ability to predict the output of the hash and problem. Not really a secret this booth and targeting saying no no. That's not super stylish and collision for the hash out. But it is some ways. Well it's the ability to predict a hash or some of it but I didn't know. It's not that I found that I founded prediction is mapped to the same measures. Proposed experiments are going to walk you through some some pockets. So we want to have. It sounds as if you're trying to like Dana's yeah maybe it might work just fine. Because it doesn't air. Anything that the reason that you had such a weird way it's actually start like you believe I registered with exactly once. And notice was that hash to correctly predicts all the restaurants stuff. So it might be that the secret as long you don't need to have any extra information that. Yeah yeah right. There's unaltered only writing with nonsense is all falling away for now and let's predict the correct hash with future papers. So you tweak the case you'll see that this strain shrinks that way if you like neither panel longer you'll see this get longer and high light like the light that is all facilities will have the statement the hashing. 
In some weird way it's just Is it a wall it gives us a cryptographically that waffles. Maybe maybe not action by all hazards should publish information like I actually take this cache hits this. Anyone can validate that. It's hard to reverse. Suddenly I just gave you this reversal of management not really even opening and closing advice I kept secret from this like secret self-review to me. But I can make weird payloads where I can predict the hash When is that a problem well if somebody's using the hash as their message authentication because that's what it's about. So that's the nature of all these crypto things that okay you're going to be tempted to do that. And if you do it and you're not careful then things will fall apart. And you wanted to know who they are. That's why I do that right now. In LA. Oh my gosh. I see one issue that milestone. So so some number of people and the way to copy this. When they went to copy this they ended up with just this extra character. Somehow they're getting light in there. Which made it a new angle they wanted to do this. I got to the end of that it hits Enter. And they get like dialogue or whatever to be able to keep going anyway. So let me be careful way and you're probably like oh yeah. Okay. You've got to say something like I'm sure you know and I really have is just one of many studies right and so what you had was a username that had value using this as a Merkle-Damgård extension before largely because I don't think I was like competence enough as it is easier to find the right tool. So yeah I mean you could do a little JavaScript straight up. High phaco Yes. That's a lot
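As an added example (not from the lecture, the HashPump tool, or the CTF server it describes), here is the weak tag the lecture attacks, SHA-256(secret || query string), beside the defence a verifier should use: HMAC with a constant-time comparison, plus rejection of repeated query parameters so an appended `&username=admin` cannot override the signed `username=guest`. The eight-byte secret, the endpoint logic and the sample "extended" query are constructed for illustration; the padding bytes in it are a stand-in, not real Merkle-Damgård padding.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed 8-byte secret standing in for the hidden one in the CTF problem.
SECRET = b"eightchr"

# Constructed illustration of what an extended query looks like after an
# appended parameter: original signed query, stand-in padding bytes, new pair.
EXTENDED_QUERY = b"username=guest" + b"\x80" + b"\x00" * 5 + b"&username=admin"


def naive_tag(secret: bytes, query: bytes) -> str:
    """The weak scheme from the lecture: tag = SHA-256(secret || query).

    SHA-256 is a Merkle-Damgard hash, so this tag is the hash's internal
    state after absorbing secret||query; whoever holds it can keep hashing
    over padding plus extra bytes and predict the tag of the longer query
    without the secret, needing only a guess at the secret's length.
    """
    return hashlib.sha256(secret + query).hexdigest()


def hmac_tag(secret: bytes, query: bytes) -> str:
    """The standard fix: HMAC-SHA-256. The key is mixed into an inner and an
    outer hash, so the tag is not the bare state of one hash over
    secret||message and a length extension does not carry through."""
    return hmac.new(secret, query, hashlib.sha256).hexdigest()


def parse_query_last_wins(query: bytes) -> dict:
    """How many frameworks parse a query string: a repeated key keeps its last
    value, which is what lets an appended '&username=admin' win."""
    return dict(parse_qsl(query.decode("latin-1"), keep_blank_values=True))


def parse_query_strict(query: bytes):
    """Hardened parse: refuse any repeated key. Returns None on a duplicate."""
    seen = {}
    for key, value in parse_qsl(query.decode("latin-1"), keep_blank_values=True):
        if key in seen:
            return None
        seen[key] = value
    return seen


def naive_verify(secret: bytes, query: bytes, tag: str) -> bool:
    # Plain == also leaks timing; kept only to show the weak baseline.
    return naive_tag(secret, query) == tag


def hardened_verify(secret: bytes, query: bytes, tag: str) -> bool:
    # compare_digest runs in time independent of where the tags first differ.
    return hmac.compare_digest(hmac_tag(secret, query), tag)


def handle_request(query: bytes, tag: str, hardened: bool = True) -> str:
    """Mimics the CTF endpoint: 'flag' for a correctly signed admin request,
    'bad signature' when the tag (or, hardened, the parameter set) is
    rejected, 'guest' otherwise."""
    if hardened:
        if not hardened_verify(SECRET, query, tag):
            return "bad signature"
        params = parse_query_strict(query)
        if params is None:
            return "bad signature"  # duplicated parameter, treat as tampering
    else:
        if not naive_verify(SECRET, query, tag):
            return "bad signature"
        params = parse_query_last_wins(query)
    return "flag" if params.get("username") == "admin" else "guest"


if __name__ == "__main__":
    signed_guest = hmac_tag(SECRET, b"username=guest")
    print(handle_request(b"username=guest", signed_guest))   # guest
    print(handle_request(EXTENDED_QUERY, signed_guest))      # bad signature
    print(parse_query_last_wins(EXTENDED_QUERY)["username"])  # admin
```

With the naive scheme the same parser would hand the endpoint `username=admin` as soon as an extended tag verified; with HMAC the tag for the longer query cannot be predicted, and the strict parser refuses the duplicate anyway.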
cpeg472-010-20190408-101000.mp4
From Andrew Novocin April 08, 2019