known plaintext attack on
play

Known plaintext attack on encrypted ZIP files Barosan Dragos - PowerPoint PPT Presentation

Jan 01, 2024 •637 likes •837 views

University of Amsterdam System and Network Engineering Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel Why? There is no open source implementation Source Code available for PkCrack by

  1. University of Amsterdam System and Network Engineering Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

  2. Why? • There is no open source implementation • Source Code available for PkCrack by Peter Conrad • Interesting to study a successful attack on encryption

  3. Research Questions • How feasible is to obtain plaintext? • What implementation options are for the attack?

  4. Is it still used ? • Winzip • default AES, can use classic ZIP encryption • Winrar • only classic ZIP encryption for ZIP format • 7ZIP • default classic ZIP encryption, can use AES • PKZIP • default AES, can use classic ZIP encryption • ZIP utility on Linux • Only classic ZIP encryption

  5. Zip encryption • Stream cipher • Internal state represented by 3 variables on 32 bits each • Key0, key1, key2 • Default known internal state updated by the password • Afterwards updated by plaintext • key3 is the actual encryption key and is derived from key2 • 12 bytes encryption header prepended

  6. Internal state keys dependency • key0 i = f(key0 i-1 , char) • Key1 i = g(key0 i , key1 i-1 ) • Key2 i = f(key2 i-1 , key1 i ) • Key3 i = h( key2 i ) • Ciphertext i = key3 i XOR plaintext i

  7. Attacks • Original attack • Eli Biham and Paul C. Kocher • Requires 13 plaintext bytes • ZIP Attacks with Reduced Known Plaintext • Michael Stay • Requires only 2 plaintext bytes at the cost of complexity • Can exploit the PRNG used by InfoZIP • Yet another plaintext attack to ZIP encryption scheme • Mike Stevens and Elisa Flanders • Exploit in the PRNG from IBDL32.dll used by WinZip

  8. Compressed ? • Some files are not compressed • Even with maximum compression level • Because the compression algorithm needs redundancy • In the table: maximum size of a file so it is not compressed Deflate level 1-9 Bzip2 One letter 8 43 Lorem Ipsum 56 129 Kafka 64 140 Pangram 78 162 Random symbols 127 237 Values are in bytes

  9. Plaintext • The last byte of the encryption header • MSB of the data CRC • File headers • Executable files • ZIP files • Known files from the Internet • Pictures • Setup files

  10. Chosen plaintext attack • We have a list of key3’s from the plaintext • The goal is to find internal state (key2 i , key1 i , key0 i ) for some i 1. From the list of key3’s find possible key2 lists 2. For each key2 list find possible key1 lists 3. For each key1 list find one key0 list 4. Discover true key0 list

  11. Locate data Zip archive format http://www.codeproject.com/Articles/8688/Extracting-files-from-a-remote-ZIP-archive en.Wikipedia.org/wiki/Zip_(file_format)

  12. Stage 1 • From the list of key3’s find possible key2 lists • For efficiency precompute a number of tables as hash maps • The inverse of the CRC function • Using the equations in the paper we come to 2 22 possible key2 n • trim the plaintext and select n as 13 • use extra plaintext to reduce the number of key2’s

  13. Number of keys Number of key2’s vs amount of plaintext 80000 70000 60000 50000 40000 30000 20000 Amount of plaintext in 10000 bytes 0 122 506 1002 3990 10000 PkCrack PoC Paper

  14. Implementation • key2 reduction is computation heavy in this stage • The function iterates for the number of extra plaintext bytes and returns the reduced list of keys • Serial • Parallel • Python Global Interpreter Lock does not allow use of threads in parallel • Use parallel processes • Creating new processes at every iteration • Using shared data between processes

  15. Parallel • Parallel with new processes every iteration • The parallel reduction computation runs 4 times faster then the serial one • The program as a whole runs slower as the amount of plaintext becomes larger • The cost of managing new processes stays constant while the gains of running parallel become smaller • Parallel with shared data • 80 times slower than previous solution

  16. Measurements Plaintext Execution time Execution time System/User System/User (bytes) Parallel Serial time time (minutes) (minutes) Parallel Serial 40 0:34.44 1:03.6 0.0647 0.0026 122 1:08.5 1:38 0.1648 0.0017 309 1:49.3 1:56 0.3411 0.0014 506 2:29 2:07.2 0.5066 0.0012 1002 3:28 2:22 0.7455 0.0011 3990 10:07 3:02.1 1.4550 0.0009

  17. Conclusions • While difficult there are ways of obtaining the necessary amount of plaintext • Using the newer attacks, in some cases it is not even necessary • The attack can be implemented by taking advantage of multiple cores • Python makes it difficult because processes must be used instead of threads

  18. Future work • Implement full attack and release under open source license • In C to take advantage of the parallel sections of the algorithm • Compare performance with PkCrack • Detailed analysis of the other attacks

  19. Questions ? Contact: Barosan.dragos@gmail.com

Recommend

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Perfect Secrecy Chester Rebeiro IIT Madras CR STINSON : chapter 2 Encryption K K untrusted

Perfect Secrecy Chester Rebeiro IIT Madras CR STINSON : chapter 2 Encryption K K untrusted

Perfect Secrecy Chester Rebeiro IIT Madras CR STINSON : chapter 2 Encryption K K untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) Plaintext Plaintext Attack at

831 views • 50 slides
Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3 ciphertext as numbers: 28 17 17 ciphertext: C R R Groupwork 1. Log into our discord server. 2. Leave yourself muted on the main zoom call; I

434 views • 31 slides
Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE Donghoon Chang and

Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE Donghoon Chang and

AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE Donghoon Chang and Nilanjan Datta and Avijit Dutta and Bart Mennink and Mridul Nandi and Somitra Sanadhya and

849 views • 53 slides
Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from AES in 3s + 3min Very weak assumptions No known plaintext needed No special rights needed, only to be able to spawn and control threads

378 views • 16 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Eli Biham Presented by: Nael Masalha Outline Introduction LOKI89 Related Keys

Eli Biham Presented by: Nael Masalha Outline Introduction LOKI89 Related Keys

New Types of Cryptanalytic Attacks Using Related Keys Eli Biham Presented by: Nael Masalha Outline Introduction LOKI89 Related Keys Chosen Key Attack Chosen plaintext attack Summary Introduction The author studies

612 views • 21 slides
ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It

ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It

ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It was always possible, but uncommon, to subvert that stub-resolver-auth resolution model Snowden revelations led to RFC7258 Encrypting DNS

346 views • 9 slides
Classical Cryptography Monoalphabetic ciphers: letters of the plaintext Classical Ciphers

Classical Cryptography Monoalphabetic ciphers: letters of the plaintext Classical Ciphers

Classical Cryptography Monoalphabetic ciphers: letters of the plaintext Classical Ciphers alphabet are mapped into unique ciphertext letters Polyalphabetic ciphers: letters of the plaintext P l l h b i i h alphabet

315 views • 13 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable

Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable

S C I E N C E P A S S I O N T E C H N O L O G Y Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability Olivier Blazy 1 , David Derler 2 , Daniel Slamanig 2 , Raphael

345 views • 21 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
General Letter Substitution Algorithm: Substitute 1 letter for another Key PLAINTEXT LETTER A

General Letter Substitution Algorithm: Substitute 1 letter for another Key PLAINTEXT LETTER A

General Letter Substitution Algorithm: Substitute 1 letter for another Key PLAINTEXT LETTER A B C D E F G H I J K L M CIPHERTEXT LETTER G J A O U N E Z Y P H S T PLAINTEXT LETTER N O P Q R S T U V W X Y Z

509 views • 6 slides
Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm;

Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm;

Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm; keys; Ciphertext; Resources are encapsulated by process; Decryption algorithm users access them through processs interface. Three

565 views • 7 slides
7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published encryption functions E, D; {M} K is the ciphertext (another sequence of bits) Symmetric (secret key) cryptography E(K, M) = {M} K D(K, E(K, M)) = M

571 views • 30 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias Schulz, Adrian Loch, Matthias Hollick Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias

607 views • 22 slides
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements

Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements

Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides two messages m0, m1

993 views • 43 slides
Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original

Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original

IN3210/4210 Network and Communications Security Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original message/data ciphertext (C)- coded message/data cipher - algorithm for transforming

672 views • 17 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides

More recommend