Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Why XOR Crypto Sucks

Kyle Maxwell
September 11, 2013
Technology
0
200

Why XOR Crypto Sucks

Very brief overview of cryptanalysis of XOR given to DC214 on 2013-09-11

Kyle Maxwell

September 11, 2013
Tweet

More Decks by Kyle Maxwell

See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
95
Using Python to Fight Cybercrime
krmaxwell
2
220
Incident Patterns
krmaxwell
0
380
Hackertainment
krmaxwell
1
220
Threat Intelligence for Incident Response
krmaxwell
0
170
From Minion to Engineer
krmaxwell
0
110
Open Source Threat Intelligence - Shakacon
krmaxwell
1
880
Secure Blogging
krmaxwell
0
140
Grabbing fresh evil bits: Maltrieve
krmaxwell
1
150

Other Decks in Technology

See All in Technology
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
27
12k
物価高なラスベガスでの過ごし方
zakky
0
380
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
2
200
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
220
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
510
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
100
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
740
[AWS JAPAN 生成AIハッカソン] Dialog の紹介
yoshimi0227
0
150
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
9
120k
GitHub Universe: Evaluating RAG apps in GitHub Actions
pamelafox
0
180
初心者に Vue.js を 教えるには
tsukuha
5
390

Featured

See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Designing Experiences People Love
moore
138
23k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Building Adaptive Systems
keathley
38
2.2k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k
Git: the NoSQL Database
bkeepers
PRO
425
64k
What's in a price? How to price your products and services
michaelherold
243
12k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
355
29k
For a Future-Friendly Web
brad_frost
175
9.4k
Code Review Best Practice
trishagee
64
17k

Transcript

  1. Why XOR Crypto Sucks for hackers who don’t math good

  2. None

  3. XOR example

  4. Bad idea for lots of reasons Many, many ways to

    destroy this, especially for short keys. Sometimes the key shows up “in the clear” because A XOR 0 == A.

  5. Kasiski Method 1. Figure out block size n 2. Split

    into n blocks of every 1st, 2nd, … char 3. For each, find the byte that gives best result 4. Stick those bytes together for the key! Works best for text with a key >1 byte long

  6. Hamming Distance How many bits to flip? Find the block

    size that minimizes this

  7. Once you have the block size Now you just brute

    force each subblock. But each of those only has a 1 byte key!

  8. BEWARE MATH INCOMING

  9. Cosine similarity How close together are two angles?

  10. Python to the rescue! NumPy provides it all for us!

    dot(v1, v2) / (sqrt(dot(v1, v1)) * sqrt(dot(v2, v2)))

  11. Still with me?

  12. Turn this... Jx8ACwIfAAsSUixFRnhvJgkcAhcDARZFFRoECQpSCAQNF0ULCVIJBBFSFwAVAgAGEhsLAkYTC0UDAREEBB4MFg4fAAsSUgoDRgAACQ8VDAoIXkUKFFIVF wkaDAcPBgwLAVIRDQNSAxcDF0UAHhcXBg8BAEUSGgAXAx0DXkYdF0UHEBcMAhUMCwFSEQ0DUgMXAxcBCgtSCgNGARUAAxENSUYdF0UJFEURDhdFFRQXFh ZdUgoXRgYNAEYADAIOBkUKAFIRDQNSFQAJAgkARgIABAUXBAcKC0URCVIEFhUXCAcKF0lFBxwBRRIdRRUDBgwRDx0LRRIaAEUhHRMAFBwIAAgGRQMJAEU ERgAAARQXFhZGHQNFAQAMABATCwYDAUtFRnhvJAsXCwELFwsRRjssRUZ4byRGBQAJClIXAAEHCQQSFwFFKxsJDBIbBElGEAAMCBVFCwMRABYVExccRgYK RRIaAEUVFwYQFBsRHEYdA0UHUgMXAxdFNhITEQBKUhENA1IXDAEaEUUJFEURDhdFFQMdFQkDUhEKRhkAABZSBAsCUgcABwBFJBQfFklGAQ0ECh5FCwkGR QcDUgwLAAAMCwEXAUtGUm9vJx8ACwIfAAsSUiwsL1JFb2w8CkU1HQkBDxcXRRUaBAkKXkUMCFIRDAsXRQoAUhUABxEARQQXRRQTExcRAwAAAUYbC0UHHB xFDh0QFgNeRRIPBg0KEwZFEQ4XRQYJHBYACAZFCgBSEQ0DUioSCBcXSUYcChdGGwtFEhsIAEYdA0URExdJRhAQEUYbC0UHUggECBwAF0YGCkUEF0UVFBc WBhQbBwACUgccRh4EEkhSRW9sMwgACBYIAAgGRSwwUkVvbCYNAEYADAIOBkUKAFIRDQNSFQAJAgkARgYKRQQXRRYDERAXA1IMC0YGDQAPAEUVAwAWCggB

    SUUOHRAWAwFJRRYTFQAUAUlFBxwBRQMUAwAFBhZJRhMCBA8cFhFGBwsXAxMWCggTBwkDUhYABwAGDQMBRQQIFkUWAxsfEBQXFklGAQ0ECh5FCwkGRQcDU hMMCR4EEQMWSUUHHAFFCB1FMgcAFwQIBhZFFRoECQpSDBYVBwBJRhAQEUYHFQoIUhUXCRAEBwoXRQYHBxYASlIWEBYCChcSFwFFBAtFKgcGDUUJAEUEAB QMFwsTEQwJHElFBxwBRRYTFxEPERAJBwAJHEYWABYFAAwHDxwCRRIaAEUWHgQGA1IRCkYQAEUVFwQXBRoAAUpSBAsCUhENA1IVABQBCgsVUgoXRgYNDAg VFkUSHUUHA1IWAA8IAAFIUkVvbDMIAAgWCAAIBkUzRlJvbygdRRUDABYKCFIWDQceCUUEF0UNAx4BRRIdRQQIARIAFFIDChRSBEUFExUMEhMJSUYdF0UJ Bg0AFAUMFgNSDAsAEwgKEwFFBhQbCABKUhALChcWFkYdC0UHUhUXAwEACxIfAAsSUgoXRhsLAQ8REQgDHBFFCRRFBEY1FwQIFkUvEwAcSUYXHQYDAhFFD xxFBgcBABZGExcMFRsLAkYbC0USGgBFChMLAUYdF0UIExMEClIDChQRABZKUgoXRhsLRRIaAEUrGwkMEhsESUYFDQAIUgwLRhMGERMTCUUVFxcTDxEARQ 8cRREPHwBFCRRFMgcARQoUUhUQBB4MBkYWBAsBFxdeRhwKF0YBDQQKHkUECAtFFQMAFgoIUgcARgEQBwwXBhFGFAoXRgYNAEYBBAgDUgoDABcLBgNSEQp GEABFEgUMBgNSFRASUgwLRhgAChYTFwEfUgoDRh4MAwNSChdGHgwIBElFCwkARRYOEwkJRhAARQUdCBUDHgkAAlIMC0YTCxxGERcMCxsLBApSBgQVF0UR CVIHAEYTRRIPBgsAFQFFBAETDAsVBkUNDx8WAAoUSUUIHRdFBBdFAQMCFwwQFwFFCRRFCQ8UAElGHgwHAwARHEpSChdGAhcKFhcXER9eRRIPBg0KEwZFA RMXRRUUHQYAFQFFCgBSCQQRSUULCQBFFg4TCQlGAhcMEBMRAEYCFwoWFxcRH1IHAEYGBA4DHEUDCQBFFRMQCQwFUhAWA15FEg8GDQoTBkUPEwERRQUdCB UDHBYEEhsKC0hSRW9sMwgACBYIAAgGRTMvUkVvbDsLRQceCUUFAAwIDxwECUYCFwoVFwYQEhsKCxVeRREOF0UEBREQFgMWRRYOEwkJRhcLDwkLRREOF0U XDxUNEUYGCkUHUhYVAxcBHEYTCwFGAhAHChsGRRIADAQKXkUHH1IEC0YbCBUHABEMBx5FDxMAHEUJFEURDhdFNhITEQBGEwsBRhYMFhIADAYSUhINAwAA DAhSEQ0DUgYXDx8ARRUaBAkKUg0EEBdFBwMXC0UFHQgIDwYRAAJeRRIOGwYNRhYMFhIADAYSUhYNBx4JRQ4TEwBGEAAACFIVFwMEDAoTAQkcRhMWBgMAE QQPHAABRhAcRQoTEklGEwsBRgYKRQQXRQwIFAoXCxcBRQkURREOF0ULBwYQFwNSBAsCUgYEEwEARQkURREOF0UEBREQFgcGDAoISUURCVIHAEYRCgsAAA oLEhcBRREbEQ1GBg0ARgUMEQgXFhYDAUUEARMMCxUGRQ0PH15FEh1FDQcEAEUFHQgVEx4WChQLRRUUHQYAFQFFAwkARQoEBgQMCBsLAkYFDBEIFxYWAwF FDAhSDQwVUgMEEB0XSUYTCwFGBgpFDhMTAEYGDQBGMxYWDwERBAgRAEUJFEUmCQcLFgMeRQMJAEUNDwFFAQMUAAsFF0tFRnhvJAsXCwELFwsRRiQsLEZS b28vHEU2ExsRFkYTEUUFHQgICRxFCQcFSUURGgAXA1IRDQNSEwQKBwBFDxxFBgkcERcJBAAXFQtFFg4TCQlGFx0GAxcBRRIFAAsSC0UBCR4JBBQBSUUSG gBFFBsCDRJSCgNGBhcMBx5FBx9SDxAUC0UWDhMJCUYQAEUWAAAWAwATAAJeRQQIFkULCVIDBAUGRREUGwABRhAcRQdSDxAUC0lFFRoECQpSBwBGHRENAw ASDBUXRRcDXwAdBx8MCwMWRQwIUgQLH1ImChMAEUUJFEURDhdFMAgbEQACUjYRBwYAFkpSEQ0HHEUEBREKFwIbCwJGBgpFEhoARRQHCQAVUgoDRgYNAEY RCggLHQtFChMSS0ZSb28nHwALAh8ACxJSMywvO0VFbHggHQUXFhYPBABFBBMMCUYBDQQKHkULCQZFBwNSFwAXBwwXAxZJRQgdF0UDCgYAFQEMEwNSAwwI FxZFDx8VChUXAUlGHAoXRhEXEAMeRQQIFkUQCAcWEAceRRUTHAwWDh8ACxIBRQwIFAkMBQYAAUhSRW9sMwgACBYIAAgGRSw (yay base64)

  13. Back into this.

  14. This was fun. Where can I learn more?! Somewhat broken

    code for this example: https://github.com/technoskald/xorthis Started this week: https://class.coursera.org/crypto-008/class Matasano Crypto Challenges: http://www.matasano.com/articles/crypto-challenges/