
Why XOR Crypto Sucks

Kyle Maxwell
September 11, 2013

Very brief overview of cryptanalysis of XOR given to DC214 on 2013-09-11

Transcript

  1. Bad idea for lots of reasons
     Many, many ways to destroy this, especially for short keys. Sometimes the key shows up “in the clear” because A XOR 0 == A.
  2. Kasiski Method
     1. Figure out block size n
     2. Split into n blocks of every 1st, 2nd, … char
     3. For each, find the byte that gives best result
     4. Stick those bytes together for the key!
     Works best for text with a key >1 byte long
  3. Once you have the block size
     Now you just brute force each subblock. But each of those only has a 1 byte key!
  4. Python to the rescue!
     NumPy provides it all for us!
     dot(v1, v2) / (sqrt(dot(v1, v1)) * sqrt(dot(v2, v2)))
  5. Turn this... (yay base64)
     [slide shows a long base64-encoded ciphertext, not reproduced here]
  6. This was fun. Where can I learn more?!
     Somewhat broken code for this example: https://github.com/technoskald/xorthis
     Started this week: https://class.coursera.org/crypto-008/class
     Matasano Crypto Challenges: http://www.matasano.com/articles/crypto-challenges/
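Slides 2 to 4 as working code, added here as an example; it is not the talk's own code and not from the xorthis repository. It is standard-library Python (slide 4's cosine formula is written out by hand rather than with NumPy), the block-size step uses the index of coincidence because the slides do not say how n is found (an assumed choice), and the plaintext, the key dc214!x and the English frequency table are constructed sample values.

```python
from collections import Counter

# Rough relative frequencies of a-z and space in English (constructed reference vector).
SYMBOLS = "abcdefghijklmnopqrstuvwxyz "
REF = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4, 6.7,
       7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074, 13.0]

def cosine(v1, v2):
    """The slide's dot(v1, v2) / (sqrt(dot(v1, v1)) * sqrt(dot(v2, v2))), without NumPy."""
    dot = lambda a, b: sum(x * y for x, y in zip(a, b))
    return dot(v1, v2) / (dot(v1, v1) ** 0.5 * dot(v2, v2) ** 0.5 or 1.0)

def english_score(buf):
    """How English-like a candidate decryption looks; 0 if any byte is unprintable."""
    if any(b < 0x20 or b > 0x7e for b in buf):
        return 0.0
    counts = Counter(chr(b) for b in buf)
    return cosine([counts[c] for c in SYMBOLS], REF)

def best_single_byte_key(column):
    """Slide 3: a column was XORed with one byte, so try all 256 and keep the best."""
    return max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column)))

def index_of_coincidence(buf):
    n = len(buf)
    return sum(c * (c - 1) for c in Counter(buf).values()) / (n * (n - 1)) if n > 1 else 0.0

def guess_key_length(ct, max_len=20):
    """Step 1 (assumed method): IC per column is English-like only at the key length or a multiple of it."""
    ic = {n: sum(index_of_coincidence(ct[i::n]) for i in range(n)) / n
          for n in range(1, max_len + 1)}
    return min(n for n in ic if ic[n] >= 0.7 * max(ic.values()))

def repeating_xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def break_repeating_xor(ct):
    """Steps 2-4: split into n columns, best byte per column, join the bytes into the key."""
    n = guess_key_length(ct)
    key = bytes(best_single_byte_key(ct[i::n]) for i in range(n))
    return key, repeating_xor(ct, key)

# Constructed sample: English text under a 7-byte repeating key; base64 it and you get a slide-5 blob.
PLAINTEXT = (b"xor with a short repeating key is not encryption. the key length leaks through the "
             b"statistics of the ciphertext, and once it is known each key byte can be recovered on "
             b"its own by testing all two hundred and fifty six candidates against english letter "
             b"frequencies. this is the same weakness that broke the vigenere cipher long ago, and "
             b"it is why key material must never repeat and must never be guessable by the attacker.")
KEY = b"dc214!x"
CIPHERTEXT = repeating_xor(PLAINTEXT, KEY)
```

For a real blob like the one on slide 5, base64.b64decode it first and pass the raw bytes to break_repeating_xor.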