Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Why XOR Crypto Sucks

Kyle Maxwell
September 11, 2013
Technology
0
200

Why XOR Crypto Sucks

Very brief overview of cryptanalysis of XOR given to DC214 on 2013-09-11

Kyle Maxwell

September 11, 2013
Tweet

More Decks by Kyle Maxwell

See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
95
Using Python to Fight Cybercrime
krmaxwell
2
220
Incident Patterns
krmaxwell
0
380
Hackertainment
krmaxwell
1
220
Threat Intelligence for Incident Response
krmaxwell
0
170
From Minion to Engineer
krmaxwell
0
120
Open Source Threat Intelligence - Shakacon
krmaxwell
1
880
Secure Blogging
krmaxwell
0
140
Grabbing fresh evil bits: Maltrieve
krmaxwell
1
150

Other Decks in Technology

See All in Technology
Lambdaと地方とコミュニティ
miu_crescent
2
370
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
260
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
Storybook との上手な向き合い方を考える
re_taro
2
260
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
Application Development WG Intro at AppDeveloperCon
salaboy
0
200
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
130
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
190
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
880
Terraform Stacks入門 #HashiTalks
msato
0
360
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
1
290

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Designing for humans not robots
tammielis
250
25k
GitHub's CSS Performance
jonrohan
1030
460k
Become a Pro
speakerdeck
PRO
25
5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Designing for Performance
lara
604
68k
Rails Girls Zürich Keynote
gr2m
94
13k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
YesSQL, Process and Tooling at Scale
rocio
169
14k
The World Runs on Bad Software
bkeepers
PRO
65
11k

Transcript

  1. Why XOR Crypto Sucks for hackers who don’t math good

  2. None

  3. XOR example

  4. Bad idea for lots of reasons Many, many ways to

    destroy this, especially for short keys. Sometimes the key shows up “in the clear” because A XOR 0 == A.

  5. Kasiski Method 1. Figure out block size n 2. Split

    into n blocks of every 1st, 2nd, … char 3. For each, find the byte that gives best result 4. Stick those bytes together for the key! Works best for text with a key >1 byte long

  6. Hamming Distance How many bits to flip? Find the block

    size that minimizes this

  7. Once you have the block size Now you just brute

    force each subblock. But each of those only has a 1 byte key!

  8. BEWARE MATH INCOMING

  9. Cosine similarity How close together are two angles?

  10. Python to the rescue! NumPy provides it all for us!

    dot(v1, v2) / (sqrt(dot(v1, v1)) * sqrt(dot(v2, v2)))

  11. Still with me?

  12. Turn this... Jx8ACwIfAAsSUixFRnhvJgkcAhcDARZFFRoECQpSCAQNF0ULCVIJBBFSFwAVAgAGEhsLAkYTC0UDAREEBB4MFg4fAAsSUgoDRgAACQ8VDAoIXkUKFFIVF wkaDAcPBgwLAVIRDQNSAxcDF0UAHhcXBg8BAEUSGgAXAx0DXkYdF0UHEBcMAhUMCwFSEQ0DUgMXAxcBCgtSCgNGARUAAxENSUYdF0UJFEURDhdFFRQXFh ZdUgoXRgYNAEYADAIOBkUKAFIRDQNSFQAJAgkARgIABAUXBAcKC0URCVIEFhUXCAcKF0lFBxwBRRIdRRUDBgwRDx0LRRIaAEUhHRMAFBwIAAgGRQMJAEU ERgAAARQXFhZGHQNFAQAMABATCwYDAUtFRnhvJAsXCwELFwsRRjssRUZ4byRGBQAJClIXAAEHCQQSFwFFKxsJDBIbBElGEAAMCBVFCwMRABYVExccRgYK RRIaAEUVFwYQFBsRHEYdA0UHUgMXAxdFNhITEQBKUhENA1IXDAEaEUUJFEURDhdFFQMdFQkDUhEKRhkAABZSBAsCUgcABwBFJBQfFklGAQ0ECh5FCwkGR QcDUgwLAAAMCwEXAUtGUm9vJx8ACwIfAAsSUiwsL1JFb2w8CkU1HQkBDxcXRRUaBAkKXkUMCFIRDAsXRQoAUhUABxEARQQXRRQTExcRAwAAAUYbC0UHHB xFDh0QFgNeRRIPBg0KEwZFEQ4XRQYJHBYACAZFCgBSEQ0DUioSCBcXSUYcChdGGwtFEhsIAEYdA0URExdJRhAQEUYbC0UHUggECBwAF0YGCkUEF0UVFBc WBhQbBwACUgccRh4EEkhSRW9sMwgACBYIAAgGRSwwUkVvbCYNAEYADAIOBkUKAFIRDQNSFQAJAgkARgYKRQQXRRYDERAXA1IMC0YGDQAPAEUVAwAWCggB

    SUUOHRAWAwFJRRYTFQAUAUlFBxwBRQMUAwAFBhZJRhMCBA8cFhFGBwsXAxMWCggTBwkDUhYABwAGDQMBRQQIFkUWAxsfEBQXFklGAQ0ECh5FCwkGRQcDU hMMCR4EEQMWSUUHHAFFCB1FMgcAFwQIBhZFFRoECQpSDBYVBwBJRhAQEUYHFQoIUhUXCRAEBwoXRQYHBxYASlIWEBYCChcSFwFFBAtFKgcGDUUJAEUEAB QMFwsTEQwJHElFBxwBRRYTFxEPERAJBwAJHEYWABYFAAwHDxwCRRIaAEUWHgQGA1IRCkYQAEUVFwQXBRoAAUpSBAsCUhENA1IVABQBCgsVUgoXRgYNDAg VFkUSHUUHA1IWAA8IAAFIUkVvbDMIAAgWCAAIBkUzRlJvbygdRRUDABYKCFIWDQceCUUEF0UNAx4BRRIdRQQIARIAFFIDChRSBEUFExUMEhMJSUYdF0UJ Bg0AFAUMFgNSDAsAEwgKEwFFBhQbCABKUhALChcWFkYdC0UHUhUXAwEACxIfAAsSUgoXRhsLAQ8REQgDHBFFCRRFBEY1FwQIFkUvEwAcSUYXHQYDAhFFD xxFBgcBABZGExcMFRsLAkYbC0USGgBFChMLAUYdF0UIExMEClIDChQRABZKUgoXRhsLRRIaAEUrGwkMEhsESUYFDQAIUgwLRhMGERMTCUUVFxcTDxEARQ 8cRREPHwBFCRRFMgcARQoUUhUQBB4MBkYWBAsBFxdeRhwKF0YBDQQKHkUECAtFFQMAFgoIUgcARgEQBwwXBhFGFAoXRgYNAEYBBAgDUgoDABcLBgNSEQp GEABFEgUMBgNSFRASUgwLRhgAChYTFwEfUgoDRh4MAwNSChdGHgwIBElFCwkARRYOEwkJRhAARQUdCBUDHgkAAlIMC0YTCxxGERcMCxsLBApSBgQVF0UR CVIHAEYTRRIPBgsAFQFFBAETDAsVBkUNDx8WAAoUSUUIHRdFBBdFAQMCFwwQFwFFCRRFCQ8UAElGHgwHAwARHEpSChdGAhcKFhcXER9eRRIPBg0KEwZFA RMXRRUUHQYAFQFFCgBSCQQRSUULCQBFFg4TCQlGAhcMEBMRAEYCFwoWFxcRH1IHAEYGBA4DHEUDCQBFFRMQCQwFUhAWA15FEg8GDQoTBkUPEwERRQUdCB UDHBYEEhsKC0hSRW9sMwgACBYIAAgGRTMvUkVvbDsLRQceCUUFAAwIDxwECUYCFwoVFwYQEhsKCxVeRREOF0UEBREQFgMWRRYOEwkJRhcLDwkLRREOF0U XDxUNEUYGCkUHUhYVAxcBHEYTCwFGAhAHChsGRRIADAQKXkUHH1IEC0YbCBUHABEMBx5FDxMAHEUJFEURDhdFNhITEQBGEwsBRhYMFhIADAYSUhINAwAA DAhSEQ0DUgYXDx8ARRUaBAkKUg0EEBdFBwMXC0UFHQgIDwYRAAJeRRIOGwYNRhYMFhIADAYSUhYNBx4JRQ4TEwBGEAAACFIVFwMEDAoTAQkcRhMWBgMAE QQPHAABRhAcRQoTEklGEwsBRgYKRQQXRQwIFAoXCxcBRQkURREOF0ULBwYQFwNSBAsCUgYEEwEARQkURREOF0UEBREQFgcGDAoISUURCVIHAEYRCgsAAA oLEhcBRREbEQ1GBg0ARgUMEQgXFhYDAUUEARMMCxUGRQ0PH15FEh1FDQcEAEUFHQgVEx4WChQLRRUUHQYAFQFFAwkARQoEBgQMCBsLAkYFDBEIFxYWAwF FDAhSDQwVUgMEEB0XSUYTCwFGBgpFDhMTAEYGDQBGMxYWDwERBAgRAEUJFEUmCQcLFgMeRQMJAEUNDwFFAQMUAAsFF0tFRnhvJAsXCwELFwsRRiQsLEZS b28vHEU2ExsRFkYTEUUFHQgICRxFCQcFSUURGgAXA1IRDQNSEwQKBwBFDxxFBgkcERcJBAAXFQtFFg4TCQlGFx0GAxcBRRIFAAsSC0UBCR4JBBQBSUUSG gBFFBsCDRJSCgNGBhcMBx5FBx9SDxAUC0UWDhMJCUYQAEUWAAAWAwATAAJeRQQIFkULCVIDBAUGRREUGwABRhAcRQdSDxAUC0lFFRoECQpSBwBGHRENAw ASDBUXRRcDXwAdBx8MCwMWRQwIUgQLH1ImChMAEUUJFEURDhdFMAgbEQACUjYRBwYAFkpSEQ0HHEUEBREKFwIbCwJGBgpFEhoARRQHCQAVUgoDRgYNAEY RCggLHQtFChMSS0ZSb28nHwALAh8ACxJSMywvO0VFbHggHQUXFhYPBABFBBMMCUYBDQQKHkULCQZFBwNSFwAXBwwXAxZJRQgdF0UDCgYAFQEMEwNSAwwI FxZFDx8VChUXAUlGHAoXRhEXEAMeRQQIFkUQCAcWEAceRRUTHAwWDh8ACxIBRQwIFAkMBQYAAUhSRW9sMwgACBYIAAgGRSw (yay base64)

  13. Back into this.

  14. This was fun. Where can I learn more?! Somewhat broken

    code for this example: https://github.com/technoskald/xorthis Started this week: https://class.coursera.org/crypto-008/class Matasano Crypto Challenges: http://www.matasano.com/articles/crypto-challenges/