Re: [Full-disclosure] Cipher detection



On Thu, 07 Apr 2011 11:22:56 +0300, Maksim.Filenko@xxxxxxxx said:

> I'm trying to figure out what kind of cipher was used in this:
>
> GGobQ2bsqd64PXVAmaDiDBg=
>
> Looks like Base64, but it's not. The original string is:
>
> dummy@xxxxxxxxxxx

I'll place a bet (based on the trailing =) that in fact it *is* a base64
encoding of a ciphertext (remember, almost any good hashing or encrypting
function will produce random-looking binary data, and the only reason
that 'md5sum' produces a string of hex digits is because it was nice
enough to convert the binary output of the MD5 into something printable).

% echo GGobQ2bsqd64PXVAmaDiDBg= | base64 -d | od -cx
0000000 030 j 033 C f 354 251 336 270 = u @ 231 240 342 \f
6a18 431b ec66 dea9 3db8 4075 a099 0ce2
0000020 030
0018
0000021

Having said that, with *that* small a ciphertext and no other info, figuring
out the cipher will be next to impossible. For instance, a perfectly plausible
answer would be "it has simply been xored with the hex string '7c1f762e
1fbccca6 d950052c fcbe8163'". The fact that the input and output
strings are the same size means you can't even rely on data found in
the output for hints - there's no metadata encoded in the output to
leverage (like "a hex D3 at offset 27 means the next 16 bytes are
SHA-256 output" or "0x9901 at offset 0 means it's a GPG public
keyring").

Your best bet is to apply differential cryptanalysis. We have one plain-cipher
pair. Now try the following:

1) encode 'eummy@xxxxxxxxxxx' (one bit difference). Is the output very
similar, and only different in 1-2 bytes? That would point to a simple xor or
substitution cipher. If nearly half the bits change, then you're up against a
much stronger cipher.

2) Encode a null string if you can. What pops out? Encrypt the string
'dummy@xxxxxxxxxx' (16 bytes). Does that differ in the first 16 bytes of
output? Encrypt 'dummy@exdummy@ex' - if that produces 2 identical 8 byte output
blocks, the cipher blocksize is 8 bytes or 64 bits. Similarly, you can identify
if it's a 16 or 32 byte blocksize, and if they use block chaining at all or if
it's codebook time.

3) Check how bits propagate. Encrypt a string of all zeros, then a set of
strings with exactly one "on" bit: x80.., x40.., x20, x10, x08 all the way
down to x01 (yes, for a 16-byte string that's 128 times around).

Oh, and don't be afraid to cheat - if you have access to the binary, run
'strings' on it, see if you get lucky and find a string like "ROT97 code by
MixMaster" or a function name that hints at the cipher (finding '3DESencode'
would be a hint, for instance. ;)




Attachment: pgpF2VohkJd5Z.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
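The three probes above (single-bit avalanche, block-size detection by length growth and by the 'dummy@exdummy@ex' repeated-block trick, and the per-bit propagation map) as a runnable script. This is an added example, not code from the thread or from the poster. Since the real encrypting program is unknown, two constructed stand-in oracles are used: a repeating-key XOR with the 16-byte hex string the reply offers as a "perfectly plausible" answer, and a toy 8-byte Feistel cipher (SHA-256 round function, hypothetical key, PKCS#7 padding, ECB). Point the probes at your own `oracle(bytes) -> bytes` instead.

```python
"""Black-box probes for an unknown encryption function: avalanche,
block size (by output growth and by repeated blocks) and bit propagation.

Added example, not code from the thread. The two oracles below are
constructed stand-ins for the unknown program; replace them with a
wrapper that calls the real thing.
"""
import hashlib
from typing import Callable, List, Optional

Oracle = Callable[[bytes], bytes]

# Constructed oracle 1: XOR with the 16-byte key from the reply's
# hypothetical example, repeated for longer inputs.
XOR_KEY = bytes.fromhex("7c1f762e1fbccca6d950052cfcbe8163")

def xor_oracle(pt: bytes) -> bytes:
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(pt))

# Constructed oracle 2: 8-round Feistel on 8-byte blocks with a SHA-256
# round function, PKCS#7 padding, ECB (no chaining). Only meant to behave
# like a block cipher under probing; it is not a secure design.
FEISTEL_KEY = b"assumed-key"   # hypothetical key (assumption)
BLOCK = 8

def _round(half: bytes, r: int) -> bytes:
    return hashlib.sha256(FEISTEL_KEY + bytes([r]) + half).digest()[:4]

def _encrypt_block(block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(right, r)))
    return left + right

def ecb_oracle(pt: bytes) -> bytes:
    pad = BLOCK - len(pt) % BLOCK
    pt += bytes([pad]) * pad
    return b"".join(_encrypt_block(pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

# ----- probes ---------------------------------------------------------------
def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(data: bytes, bit: int) -> bytes:
    out = bytearray(data)
    out[bit // 8] ^= 0x80 >> (bit % 8)      # bit 0 is the MSB of byte 0
    return bytes(out)

def avalanche(oracle: Oracle, pt: bytes) -> float:
    """Test 1: mean fraction of output bits changed per single-bit input flip.
    Use a one-block input: ~0.5 is a real cipher, ~1/(8*len) is xor/substitution."""
    base = oracle(pt)
    nbits = len(pt) * 8
    total = sum(hamming(base, oracle(flip_bit(pt, i))) for i in range(nbits))
    return total / (nbits * len(base) * 8)

def block_size_by_growth(oracle: Oracle, limit: int = 64) -> Optional[int]:
    """Test 2a: a padded block cipher's output length grows in jumps of one
    block. None means output length just tracks input (stream cipher or xor)."""
    prev = len(oracle(b"A"))
    for n in range(2, limit + 1):
        cur = len(oracle(b"A" * n))
        if cur - prev > 1:
            return cur - prev
        prev = cur
    return None

def _halves_equal(ct: bytes, b: int) -> bool:
    return len(ct) >= 2 * b and ct[:b] == ct[b:2 * b]

def block_size_by_repeat(oracle: Oracle, limit: int = 64) -> Optional[int]:
    """Test 2b: the 'dummy@exdummy@ex' trick. Two equal plaintext blocks giving
    two equal ciphertext blocks reveals the block size and the absence of
    chaining (ECB, or a keystream with that period). Three different fillers
    are required to agree, to rule out a chance match at small sizes."""
    for b in range(1, limit + 1):
        if all(_halves_equal(oracle(f * (2 * b)), b) for f in (b"A", b"B", b"C")):
            return b
    return None

def bit_propagation(oracle: Oracle, length: int) -> List[List[int]]:
    """Test 3: flip each bit of an all-zero input and list the output byte
    offsets that change. ECB: only that bit's own block. CBC-style chaining:
    that block and every block after it. XOR: exactly one byte."""
    zeros = bytes(length)
    base = oracle(zeros)
    spread = []
    for bit in range(length * 8):
        ct = oracle(flip_bit(zeros, bit))
        spread.append([i for i, (x, y) in enumerate(zip(base, ct)) if x != y])
    return spread

if __name__ == "__main__":
    # b"dummy@x" keeps the Feistel input to a single padded block.
    for name, oracle, one_block in (("xor", xor_oracle, b"dummy@xxxxxxxxxxx"),
                                    ("ecb", ecb_oracle, b"dummy@x")):
        print(name, "avalanche=%.3f" % avalanche(oracle, one_block),
              "growth=%s" % block_size_by_growth(oracle),
              "repeat=%s" % block_size_by_repeat(oracle))
        spread = bit_propagation(oracle, 16)
        print("  bit 0 touches bytes", spread[0], "; bit 70 touches bytes", spread[70])
```

For the XOR stand-in every probe reports what the reply predicts for "a simple xor": one output bit per flipped input bit, no length jumps, and a repeat period of 16; for the Feistel stand-in the avalanche sits near 0.5, the length jumps by 8, and each input bit disturbs only its own 8-byte output block, which is the ECB signature the reply calls "codebook time".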
