Work and Note

Crypto Note

crypto

  • encrypt-then-MAC: compute the MAC over the ciphertext (and IV), verify it with a constant-time compare, and only then decrypt; MAC-then-encrypt is what makes padding oracles possible

freq solver
decode tools
rsactftool
cryptii pipeline

ssl / tls

  • Relies on an existing certificate (issued by a CA the client trusts) to verify server identity
    • This certificate chain is a weak point in the system
    • Untrustworthy CA -> an attacker-issued certificate for the target name is accepted by the client
    • certificate pinning makes a substituted certificate detectable, at the cost of making legitimate certificate rotation harder
    • certificate transparency: public append-only logs of issued certificates, so mis-issuance can be detected after the fact
  • record the session secrets (pre-master secret, or the TLS 1.3 traffic secrets) by exporting SSLKEYLOGFILE before starting the browser or curl; the resulting file lets Wireshark decrypt the capture

mitmproxy sslsplit

rsa

  1. client hello
    1. -> client random
  2. server hello
    1. <- server random + certificate (contains the server's public key; the certificate is signed by the CA, nothing here is encrypted with the server's private key)
  3. client key exchange
    1. -> pre-master secret (encrypted with the server's public key, so only the holder of the private key can recover it)
  4. session keys derived from client random + server random + pre-master secret

dh

  1. client hello
    1. -> client random
  2. server hello
    1. <- server random + certificate (pub key)
    2. <- server dh parameter: \( g^a \bmod p \), signed with the server's private key so the client knows it came from the certificate owner
  3. client key exchange
    1. -> client dh parameter: \( g^b \bmod p \)
    2. both sides compute the pre-master secret: \( g^{ab} \bmod p \) (the server from \( (g^b)^a \), the client from \( (g^a)^b \))
  4. session keys derived from client random + server random + pre-master secret

procedure
keyless ssl

forward secrecy

Forward secrecy is achieved if compromising the server's long-term key (or the key of one session) does not expose the keys of other sessions, past or future. This requires a fresh, independently derived session key per connection.

RSA key exchange does not have forward secrecy because every pre-master secret is encrypted to the same long-term private key: anyone who records the traffic and later obtains that key can decrypt every recorded session. Using a different RSA key pair per session would fix it, but generating RSA keys (finding two large primes) is far too expensive to do per connection, which is why ephemeral DH is used instead.

Ephemeral DH (DHE/ECDHE) has forward secrecy because the pre-master secret \( g^{ab} \) is never sent on the wire and the exponents a and b are discarded after the handshake; the server's long-term key only signs \( g^a \), so leaking it later lets an attacker impersonate the server but not recover old sessions.

gpg

Encrypt a message with the recipient's public key so that only the holder of the matching private key can read it; sign with your own private key so the recipient can verify the message came from you. Both only tell you that you are talking to the right person if the public key itself was verified (fingerprint check out of band, or a signature chain you trust).

  • generate key: --full-generate-key
  • modify keys: --edit-key <email>
    • set the trust level (trust command) when you believe the key owner is a careful signer of other people's keys
  • save key file: --output <file> --armor --export <email>
  • save revocation certificate: --output <file> --gen-revoke <email>
  • import key file: --import <file>
    • importing the revocation certificate marks the key as revoked; re-export and send it to the key server afterwards
  • retrieve key from server: --keyserver <server> --search-keys <email>
  • send key to server: --keyserver <server> --send-keys <fingerprint>
  • show fingerprint: --fingerprint <email>
    • a short string to verify a received key against the owner's copy (out of band)
  • adopt keys: --sign-key <email>
    • sign a key when you have verified that it genuinely belongs to its owner
  • refresh keys: --refresh-keys (picks up revocations and new subkeys from the key server)
  • key server: pgp.mit.edu

  • sign file with detached signature file: --detach-sign <file> (verify with --verify <file>.sig <file>)
  • sign file with embedded signature (intended for text input): --clearsign <file>
  • encrypt and sign file: --encrypt --sign --recipient <email> <file>
  • decrypt: --decrypt <file> (also verifies the signature if one is embedded)

https://www.passwordstore.org/ https://www.dyne.org/software/tomb/

cipher suite

  • RSA
    • PKCS #1
      • n = p * q, p and q are random distinct primes
      • compute l = least common multiple of p-1 and q-1 (Carmichael's \( \lambda(n) \))
      • choose 1 < e < l where e is coprime to l (65537 in practice)
      • compute d = modular multiplicative inverse of e modulo l
        • \( d \cdot e \equiv 1 \pmod{l} \)
    • \( c \equiv m^e \pmod{n}, \quad m \equiv c^d \pmod{n} \)
    • textbook RSA (no padding) is deterministic and malleable; PKCS #1 pads with OAEP for encryption and PSS for signatures
  • AES
  • Diffie-Hellman (DH)
    • RFC 3526: fixed MODP groups (public g and p)
    • RFC 2412: the Oakley key determination protocol, which defines how groups are agreed on
    • \( (g^a \bmod p)^b \bmod p = (g^b \bmod p)^a \bmod p \)
  • Elliptic Curve Diffie-Hellman Ephemeral (ECDHE): the same exchange in an elliptic curve group, with fresh key pairs per session
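
The two handshakes above and the forward-secrecy argument, as one added example (not code from the original notes): RSA key generation follows the PKCS #1 steps listed (n = p*q, l = lcm(p-1, q-1), d = e^-1 mod l), the key exchanges are then simulated with both parties' messages, and a passive recorder is given the server's private key afterwards. The SHA-256 session-key derivation, the textbook (unpadded) RSA, the 512-bit key sizes and the on-the-fly DH group are simplifications chosen so the block runs offline with only the standard library; real deployments use OAEP, 2048-bit or larger keys and the fixed groups of RFC 3526.

```python
import hashlib
import secrets
from math import gcd, lcm


# --- RSA key generation following the PKCS #1 steps in the notes -------------
def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length and odd
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512, e: int = 65537):
    """n = p*q, l = lcm(p-1, q-1), d = e^-1 mod l.  Returns ((n, e), (n, d))."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        l = lcm(p - 1, q - 1)
        if p != q and gcd(e, l) == 1:
            return (p * q, e), (p * q, pow(e, -1, l))


def rsa_encrypt(pub, m: int) -> int:  # textbook RSA, c = m^e mod n, no OAEP (demo only)
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:  # m = c^d mod n
    n, d = priv
    return pow(c, d, n)


# --- key exchange simulations ----------------------------------------------
def session_key(client_random: bytes, server_random: bytes, pre_master: bytes) -> bytes:
    # Simplified stand-in for the TLS PRF: H(client random || server random || pre-master)
    return hashlib.sha256(client_random + server_random + pre_master).digest()


def rsa_handshake(server_pub):
    """RSA key exchange: the client encrypts the pre-master secret to the server's long-term key."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    pre_master = secrets.token_bytes(48)
    encrypted_pms = rsa_encrypt(server_pub, int.from_bytes(pre_master, "big"))
    transcript = (client_random, server_random, encrypted_pms)  # what a passive recorder sees
    return session_key(client_random, server_random, pre_master), transcript


def rsa_eve(transcript, leaked_priv) -> bytes:
    """Recorded RSA session + server key leaked later = session key recovered (no forward secrecy)."""
    client_random, server_random, encrypted_pms = transcript
    pre_master = rsa_decrypt(leaked_priv, encrypted_pms).to_bytes(48, "big")
    return session_key(client_random, server_random, pre_master)


def make_dh_group(bits: int = 512):
    # Toy group generated on the fly so the block runs offline (constructed for this
    # example; it is not a safe prime).  Real deployments use the RFC 3526 MODP groups.
    return random_prime(bits), 2


def dhe_handshake(p: int, g: int):
    """Ephemeral DH: only g^a and g^b cross the wire; the exponents are discarded afterwards."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1  # server a, client b
    ga, gb = pow(g, a, p), pow(g, b, p)  # server sends g^a (signed with its long-term key)
    pre_master = pow(ga, b, p).to_bytes(64, "big")  # client: (g^a)^b
    assert pow(gb, a, p).to_bytes(64, "big") == pre_master  # server: (g^b)^a, same value
    transcript = (client_random, server_random, ga, gb)
    del a, b  # ephemeral exponents are never stored or sent
    return session_key(client_random, server_random, pre_master), transcript


def dhe_eve(transcript, p: int) -> bytes:
    """Even with the server's long-term key, the transcript only yields g^a and g^b.
    The naive combination g^a * g^b = g^(a+b) is not g^(ab); getting there needs a discrete log."""
    client_random, server_random, ga, gb = transcript
    return session_key(client_random, server_random, (ga * gb % p).to_bytes(64, "big"))
```

Running `rsa_eve` on an `rsa_handshake` transcript returns exactly the session key once the private key is known, while `dhe_eve` (or any other combination of the public values) does not; that gap is the forward secrecy the section describes.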

cipher mode

  • electronic codebook (ECB)
    • each block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks; with a chosen-plaintext oracle that appends a secret to attacker input, the secret can be recovered byte by byte: https://github.com/EiNSTeiN-/chosen-plaintext
  • cipher block chaining (CBC)
    • during encryption, the previous ciphertext block (the IV for the first block) is XORed into the plaintext block before it is encrypted
    • a padding check whose result (valid / invalid) is visible to the attacker leaks the intermediate state (padding oracle)
      • PKCS#7: pad with n bytes, each of value n, for 1 <= n <= block size
      • \( I_2 = D(C_2), \quad P_2 = C_1 \oplus I_2 \)
      • tamper with C_1 until the oracle reports valid padding on the decrypted P_2; that reveals one byte of I_2, and the attack works backwards through the block
      • knowing the original C_1 and I_2, the real P_2 = C_1 \oplus I_2 is known; no key needed
      • fix: encrypt-then-MAC and reject before decrypting, or an AEAD mode
      • https://robertheaton.com/2013/07/29/padding-oracle-attack/
      • https://github.com/mwielgoszewski/python-paddingoracle
  • extended codebook (XCB)
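
The CBC padding-oracle derivation above, carried out end to end as an added example (not code from the original notes or from the linked tools). The block cipher inside CBC is a constructed 16-byte Feistel network built on SHA-256 so the block runs with the standard library alone; it is not a secure cipher, but the attack only uses the CBC structure and the oracle's valid/invalid answer, never the cipher itself. The `Server` class, the oracle interface and the sample secret are all constructed for this example.

```python
import hashlib
import secrets

BS = 16  # block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy block cipher: 8-round Feistel network with a SHA-256 round function.
# Constructed for this example only; any block cipher behaves the same under the attack.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BS - len(data) % BS  # PKCS#7: n bytes, each of value n
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BS or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BS):
        prev = block_encrypt(key, _xor(plaintext[i:i + BS], prev))  # C_i = E(P_i xor C_{i-1})
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BS):
        blk = ciphertext[i:i + BS]
        out += _xor(block_decrypt(key, blk), prev)  # P_i = D(C_i) xor C_{i-1}
        prev = blk
    return out


class Server:
    """Holds the key; all it reveals to the attacker is whether the padding was valid."""

    def __init__(self):
        self.key = secrets.token_bytes(16)
        self.oracle_calls = 0

    def padding_oracle(self, iv: bytes, ciphertext: bytes) -> bool:
        self.oracle_calls += 1
        try:
            pkcs7_unpad(cbc_decrypt(self.key, iv, ciphertext))
            return True
        except ValueError:
            return False


def recover_block(oracle, c_prev: bytes, c_blk: bytes) -> bytes:
    """Recover P_i from (C_{i-1}, C_i) using only the padding oracle."""
    inter = bytearray(BS)  # I = D(C_i), learned one byte at a time from the end
    for pos in range(BS - 1, -1, -1):
        pad = BS - pos
        forged = bytearray(BS)  # the forged C_{i-1}; bytes before pos are arbitrary
        for j in range(pos + 1, BS):  # known bytes: force the decrypted byte to equal pad
            forged[j] = inter[j] ^ pad
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), c_blk):
                continue
            if pos == BS - 1:  # 0x01, or accidentally 0x02 0x02 ...? flip the byte before and recheck
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check), c_blk):
                    continue
            inter[pos] = guess ^ pad  # D(C_i)[pos] xor guess == pad
            break
        else:
            raise RuntimeError("oracle never accepted a guess")
    return _xor(bytes(inter), c_prev)  # real plaintext: I xor the original C_{i-1}


def padding_oracle_attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BS] for i in range(0, len(ciphertext), BS)]
    recovered = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(recovered)


def demo():
    server = Server()
    iv = secrets.token_bytes(BS)
    secret = b"attack at dawn; the padding oracle leaks every byte"  # constructed sample
    ct = cbc_encrypt(server.key, iv, pkcs7_pad(secret))
    return padding_oracle_attack(server.padding_oracle, iv, ct), server.oracle_calls
```

`demo()` returns the full plaintext without ever touching the key, after at most 256 oracle queries per byte. With encrypt-then-MAC (the first bullet of this page) every forged `(iv, ciphertext)` fails the MAC check before `pkcs7_unpad` runs, so the oracle gives the same answer for all guesses and the attack gets nothing.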

PRNG

  • Mersenne Twister (MT19937): fast statistical PRNG used by default in Python, PHP, Ruby and others; not cryptographic, because 624 consecutive 32-bit outputs reveal the whole internal state and every later output
  • Yarrow, Fortuna: cryptographically secure PRNGs that accumulate entropy in pools and reseed from them

https://www.schneier.com/academic/fortuna/
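
Why Mersenne Twister must not be used for keys or tokens, as an added example (not from the original notes): the tempering that MT19937 applies to each state word before output is invertible, so 624 consecutive outputs of Python's `random` module rebuild the state and predict the next values. The helper names and the seed are this example's own; the masks and shift amounts are the standard MT19937 constants.

```python
import random

MASK32 = 0xFFFFFFFF


def _unshift_right(y: int, shift: int) -> int:
    # invert y ^= y >> shift (32-bit): the top `shift` bits are untouched, iterate downwards
    res = y
    for _ in range(32 // shift + 1):
        res = y ^ (res >> shift)
    return res & MASK32


def _unshift_left(y: int, shift: int, mask: int) -> int:
    # invert y ^= (y << shift) & mask (32-bit): the low `shift` bits are untouched, iterate upwards
    res = y
    for _ in range(32 // shift + 1):
        res = y ^ ((res << shift) & mask)
    return res & MASK32


def temper(y: int) -> int:
    """MT19937 output tempering, as applied to each state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y: int) -> int:
    """Undo the tempering, recovering the raw state word from one 32-bit output."""
    y = _unshift_right(y, 18)
    y = _unshift_left(y, 15, 0xEFC60000)
    y = _unshift_left(y, 7, 0x9D2C5680)
    y = _unshift_right(y, 11)
    return y


def clone_mt(outputs) -> random.Random:
    """Rebuild a generator from 624 consecutive getrandbits(32) outputs."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (624,)  # 624 words + index
    clone = random.Random()
    clone.setstate((3, state, None))  # CPython's (version, internal state, gauss_next) tuple
    return clone


def predict_demo(seed=None, lookahead: int = 5) -> bool:
    """Observe 624 outputs of a victim generator, then predict its next `lookahead` outputs."""
    victim = random.Random(seed)
    seen = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_mt(seen)
    predicted = [clone.getrandbits(32) for _ in range(lookahead)]
    actual = [victim.getrandbits(32) for _ in range(lookahead)]
    return predicted == actual
```

The clone works because `getrandbits(32)` returns one tempered state word per call; outputs that consume several words or discard bits (such as `random.random()`) need the observed values mapped back to whole words first, but the state recovery is the same. Use `secrets` or `os.urandom` for anything security-relevant.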

todo

key wrap?