Let's hack the planet

There's a lot of talk about encryption and vulnerable ciphers, but when was the last time you actually tried to exploit those flaws yourself? Learning the tools and methods of your adversaries is essential if you want to protect your software from them.

So let's warm up with a substitution cipher just for fun, then go straight on to cracking AES. No math or programming required.

This interactive document is not a simulation, it uses real cryptographic building blocks from crypto-js.

Substitution ciphers haven't seen serious use for a long time. The most well-known use in recent history is perhaps the Enigma machine, which the Germans used for classified communication during World War II. They used a much more advanced version of the substitution cipher, where the substitutions are changed after every letter. It was still cracked with the help of a computer.

We will be cracking a much simpler substitution cipher, where every letter is substituted by a different letter, but always the same one.

Substitution ciphers like these are very weak, and can be cracked with just pencil and paper. Let's try it, using the following metods:

• Frequency analysis: The most common letters in English are "ETAOIN SHRDLU". It's likely that the most common letters in the ciphertext are among those.
• Guessing words: When spaces and punctuation are not encrypted, it's pretty straight forward. The most common English words are: THE BE TO OF AND A IN THAT HAVE

Crack the cipher

Imagine you're in one of those game shows where you're given letters and try to guess the word. Enter your guesses for each letter in the box below it.

Most common letters (left to right): PJRNYOIL

AES is a modern cryptographic algorithm that is provably secure. It's used everywhere security is needed, from banks to the HTTPS protocol. You can't crack it.

Or can you?

Imagine this scenario: Dr. Doofenschmirtz uses AES-ECB on his website to encrypt a top secret document. He also added a "name" field you can fill out to get a personalized version, with your encrypted name right at the start of the document. Unbeknownst to Dr. Doofenschmirtz, in this misconfiguration, it's actually possible to crack the secret message without knowing the key.

Step one: Find the offset and block size

AES is a block cipher, meaning the plaintext is split into fixed-size blocks, and each plaintext block is encrypted separately into ciphertext blocks of the same size.

The plaintext is always padded to fill the entire length of the last block. As we add characters to the plaintext, the ciphertext will stay the same length until we've completely filled the last block.

[This is a secret] ← block 1
[ message.0000000] ← block 2 has padding

The way we determine the block size, is to first add characters (e.g. "Q") until the length of the ciphertext changes (last block becomes full), and then add more characters until the length changes a second time. The number of characters added the second time is equal to the block size.

[QQQQQQQThis is a] ← block 1 with added Qs
[ secret message.] ← block 2 is now full
[0000000000000000] ← padding ends up in a new block

Try it out: Increase offset until the ciphertext length changes, then increase block size until it changes again.

Plaintext

Ciphertext (length: 48 bytes)

Step two: Test every character

Ok, so I lied a little. You don't need to do any of that to figure out the block size of AES, because it's always 128 bits. If you didn't end up with an offset of 4 bytes and a block size of 16 bytes (128 bits), go ahead and change it now, as it will affect the guessing below.

Anyway, when you change any plaintext character in an AES block, the entire ciphertext changes. But the Electronic CodeBook (ECB) cipher mode has a big flaw: All blocks are treated the same, so any two plaintext blocks that are identical will also have identical ciphertext.

For example, if you have the plaintext blocks [Banana][Banana], the ciphertext blocks become [ab18f2][ab18f2]. Now I can't tell what the plaintext is by looking at the ciphertext, but I can tell that the ciphertext repeats, so the plaintext would do the same.

Since we can add whatever we want to the start of the plaintext thanks to the "name" field, we can abuse this: First we fill the first plaintext block with filler (".") and one character that we're guessing ("A"). Then we fill the second block with the same filler, but leave off the last character.

What happens when we leave the last block one character short? Well, after the name field is the rest of the secret document, so we end up with getting the first character from that, whatever it may be.

Change the character (A, B, C, etc.) in the guess below until the first and second lines of the ciphertext match. When they do, add another character and repeat the process. When you have a few letters, you can guess and type in the rest of the letters in the word. Make sure that every letter matches along the way.

Note that the guess is case-sensitive. In the text field you can use up and down arrows on your keyboard to cycle through the characters (ASCII) of the last letter.

Guess: (1/48)

What we put in the name field:

The ciphertext we get back:

(not a match)

Note

As you can probably guess, ECB is deprecated as a cipher mode for AES, and has been for a while. Some modern cryptography libraries don't have ECB at all, and those that do, give dire warnings against using it.

What's next?

These challenges are loosely based on the CryptoPals Crypto Challenges. Those use a much more hands-off approach and require you to do your own programming, but if you crave more real-world applicable challenges, that's the place to go.