
Finishing cryptography challenge (Matasano) with Kotlin part 1 (day 15)



Cryptography has always been a critical area of computer security: it provides confidentiality and integrity in critical infrastructure such as e-commerce and banking. Learning how to test an implementation is therefore valuable experience for any security practitioner.

So I would like to take this opportunity to challenge myself to learn about cryptography and cryptanalysis with the help of Kotlin.

Where the hell do I find an adequate resource to learn cryptography?

First of all, there are lots of books that teach cryptography and cryptanalysis. Many people recommend reading Bruce Schneier's "Applied Cryptography", but if you are like me and become drowsy after reading a couple of sentences in a book, I suggest you try https://cryptopals.com. It is a website that contains 8 sets of challenges demonstrating real-world attacks on cryptography, so most of the time you will learn more about cryptanalysis than about cryptography. What is unique about this website is that you have to write a program that simulates the attack, so it is also a good chance for me to practice my coding skills (I am currently learning Kotlin for Android application development, so the result of this challenge will be an app containing all of the answers).

A little bit about the background:

What is Cryptography?
"Cryptography is a method of protecting information and communications through the use of codes so that only those for whom the information is intended can read and process it" - searchsecurity.techtarget.com

What is Cryptanalysis?
In contrast to cryptography, which is meant to protect information, cryptanalysis aims to test the strength of an implementation by deciphering the data without the key.

What is Kotlin?
To me, Kotlin is an alternative programming language used for developing Android applications. Kotlin provides a concise syntax that makes it easier for the developer to build an application, and it is also compatible with Java. To learn more about Kotlin, check this link: https://kotlinlang.org

OK LET'S GO TO THE MAIN CHALLENGE:

Set 1, challenge 1:

Primary task: 

It is pretty clear that in this challenge you just have to produce a Base64 value from a hexadecimal string. But some people misinterpret how to finish the task: first convert the hexadecimal to its raw value, then translate that raw value into Base64.

Hexadecimal & Base64:

Let's talk about hexadecimal first. Hexadecimal is just another way to represent integers, in base 16: unlike our regular counting (0-10), hexadecimal uses (0-F).


Take a look at the above example: as you can see, when we convert a regular string to hexadecimal, each letter of the string is changed to its hexadecimal representation. 1 char is equivalent to 2 hexadecimal digits.

whereas base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. - Wikipedia :p

Put it into code:

This is how I break down the algorithm to finish the challenge:

1. Convert hexadecimal to its string representation


From the previous explanation, every 2 hexadecimal characters are equivalent to 1 character, so we need a loop that obtains each pair using the "subSequence" function, which is equivalent to "substr" in JavaScript and lets you obtain a specific range of a string. Once we have the hexadecimal pair, it is time to convert it into its decimal representation using "toInt(16)" (16 is the radix used for the conversion).



The decimal value is the ASCII value of the character; we can transform it into its character using the "toChar" function and append it to a new variable. The example can be seen in the above code.


2. Convert the raw value into Base64

On Android, I suggest you use the Base64 function from android.util.Base64, and before encoding the raw value / string you should convert it into a ByteArray object. The example can be seen in the screenshot below.



Assemble all the code:

1. The user interface


I created a very simple interface that takes a hexadecimal input and shows the Base64 result under the "convert" button.

2. The main function


The main function calls a class (base_hex) that is responsible for the two tasks I mentioned in the previous section; the value is written to the log and shown to the user.

3. The base_hex class


Both of the functions return a string, containing the raw value and the Base64 respectively.

4. Result

Once you have installed the application in an emulator, it will look like this.


And if you check your logcat, it will show this.



Set 1, challenge 2:

Primary task: 

In this challenge, you are expected to XOR two fixed-length hexadecimal strings.

XOR:



"The XOR operator outputs a 1 whenever the inputs do not match, which occurs when one of the two inputs is exclusively true" - Khan Academy. XOR is also one of the key components of a one-time pad.

Truth table:

0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0

Put it into code:

This is how I break down the algorithm to finish the challenge:

1. Convert both hexadecimal values into decimal and XOR each pair of numbers.


As you can see from the above example, it resembles the code from the previous challenge. We create a loop that takes a substring from each of the two hexadecimal values, converts it into an integer using "toInt(16)" (the argument is the radix), and XORs it with the value from the other variable.

2. Transform the XORed value into hexadecimal again


In the end, you just have to change the result into its hexadecimal value, append it to a variable and show it on the screen. You can use the "Int.toString()" function from Kotlin, called with radix 16, which converts your integer back to hexadecimal.
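Both challenges in one added example (written for this page, not the post's code or the code in the linked repository): it decodes hex straight to a ByteArray, shows that Base64 over bytes and Base64 over a String built with "toChar" stop agreeing once a byte is above 0x7f, and pads each XOR result byte to two hex digits. The function names are hypothetical, and it assumes a plain JVM with java.util.Base64 so it runs without an emulator.

```kotlin
import java.util.Base64  // assumption: plain JVM; the post uses android.util on Android

// Decode hex text straight into bytes, rejecting malformed input.
fun hexToBytes(hex: String): ByteArray {
    require(hex.length % 2 == 0) { "hex string needs an even number of digits" }
    return ByteArray(hex.length / 2) { i ->
        val hi = Character.digit(hex[2 * i], 16)
        val lo = Character.digit(hex[2 * i + 1], 16)
        require(hi >= 0 && lo >= 0) { "non-hex character in pair starting at index ${2 * i}" }
        ((hi shl 4) or lo).toByte()
    }
}

// Encode bytes as hex. toString(16) alone prints 0x0a as "a", so pad to 2 digits.
fun bytesToHex(bytes: ByteArray): String =
    bytes.joinToString("") { (it.toInt() and 0xff).toString(16).padStart(2, '0') }

// Challenge 1: Base64 is computed over the decoded bytes, not over the hex text.
fun hexToBase64(hex: String): String =
    Base64.getEncoder().encodeToString(hexToBytes(hex))

// The route through a String: every byte becomes a Char, then the String is
// turned back into bytes (UTF-8 by default), so chars above 0x7f expand to 2 bytes.
fun hexToBase64ViaString(hex: String): String {
    val text = hexToBytes(hex).joinToString("") { (it.toInt() and 0xff).toChar().toString() }
    return Base64.getEncoder().encodeToString(text.toByteArray())
}

// Challenge 2: XOR two equal-length hex strings byte by byte.
fun fixedXor(hexA: String, hexB: String): String {
    val a = hexToBytes(hexA)
    val b = hexToBytes(hexB)
    require(a.size == b.size) { "inputs must decode to the same number of bytes" }
    return bytesToHex(ByteArray(a.size) { i -> (a[i].toInt() xor b[i].toInt()).toByte() })
}

fun main() {
    // Constructed sample inputs, not the challenge's own test vectors.
    println(hexToBase64("48656c6c6f"))     // ASCII-only bytes
    println(hexToBase64("ff00"))           // bytes encoded directly
    println(hexToBase64ViaString("ff00"))  // same input through a String
    println(fixedXor("1c01", "1c11"))      // result bytes are 0x00 and 0x10
}
```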

Assemble all the code:

1. The user interface


I used a very simple user interface that takes two hexadecimal inputs and shows the result below the convert button.

2. The main function and additional function in base_hex class



I create a new function inside the base_hex function so it can be called from the main function

3. Result

Once you have installed the application in an emulator, it will look like this.


You can download the source code from https://github.com/acaciaworld80/matasano_kotlin
