Reference no: EM133063905
UFCFVN-30-M Computer & Network Security - University of the West of England
Symmetric (Secret-Key) Encryption Lab
Aims & Objectives
The aim of this lab is to give students a hands-on experience of using OpenSSL command-line and C libraries, and symmetric encryption (i.e. stream and block) ci- phers. This lab is assessed and consists of 7 tasks. All tasks must be answered. By finishing the lab, students will learn how to use OpenSSL to perform encryption using different ciphers, the different modes of encryption, and the need for padding for some ciphers. Also, the lab will help students learn to practice how to cryptanalyze some ciphers. Additionally, the students will learn the requirements of post-quantum secure ciphers compared to classically-secure ciphers. Special attention should be paid to Section 3 and the What to Submit subsections of each task which list what exactly needs to be submitted for this lab.
Lab Tasks
This section contains the specification of the required tasks.
Task 1: Crypanalysis of Substitution Cipher
This task requires you to decrypt a ciphertext encrypted using the substitution cipher. Since the substitution cipher has a relatively large key space (26! possible keys), brute- force is not effective against such a cipher. Utilizing English language letter and word frequency is a more effective approach in attacking such a cipher.
Task Requirements
You are given the following (highlighted) ciphertext (which can also be found in the text file Task1CT.txt in Blackboard) and your task is to recover the corresponding plaintext using frequency analysis. Note that in practice, spaces as well as numbers and punctuation marks are removed from the plaintext before encryption but to make it easier for you, we have left the spaces in the text.
The following resource might be useful for the frequency analysis:
For substituting the letters, you can use any of the above (or any other) tool of your choice. You can also use the Linux command tr. Below is an example of how we can use the command to substitute 'a' 'Y', 'f' 'R' and 'n' 'T' in the text in the file infile.txt and store the translated text in the file outfile.txt. When doing the translation for this task, it is advisable to use a different letter case from the letters in the plaintext and those in the ciphertext.
Task 2: Using OpenSSL Command-Line
In this task you will explore using the OpenSSL command-line commands to encrypt using different symmetric ciphers and different modes of encryption.
Task Requirements
You need to provide 2 examples of encrypting/decrypting with 2 different block ciphers. What to Submit: You need to include screenshots of the commands/steps you used as well as screenshot of plaintext/ciphertext files content. Also, you are free to include
any interesting observations you have made/learnt from doing the task.
Guidelines
To encrypt/decrypt, you can use the OpenSSL enc command. The general syntax of the enc command is as follows where you replace -e with -d when decrypting:
Note: The symbol is to ensure that we are continuing on the same line and not inserting a newline character.
Where:
-ciphertype: is the name of the cipher you want to use, e.g. -aes-128-cbc,
-aes-256-cfb. To find out the list of supported ciphers, you can run the command man enc.
Inputfile: is the name of the file containing the plaintext if encrypting or the ciphertext if decrypting.
Outputfile: is the name of the file where to output the ciphertext if encrypt- ing or the plainext if decrypting.
KeyValue: is the value (in hexadecimal) of the key you want to use.
IVValue: is the value (in hexadecimal) of the initialization vector (IV) you want to use. Note that this is not required for some ciphers/modes.
Note: If the number you provide as a key/IV is shorter than the required length, it will be padded with zeros to reach the required length. This can be problematic in practice.
To geneate random keys/IVs you can use the OpenSSL rand command. The below example generates a random 16-byte (128-bit) long hexadecimal random value:
If you need help converting between ASCII/hexadecimal, the below examples which use the Linux hex dump tool xxd might come in handy. In all the examples, the option
-p ensures that the output is in plain hexdump style.
ˆ Below is an example of how to convert from hexadecimal to ASCII:
echo "41420a" | xxd -p -r
ˆ Below is an example of how to convert from ASCII to hexadecimal, where we add the option -n so that the echo command does not append the newline character (ASCII code: 0x0a) to the output:
echo -n "AB" | xxd -p
ˆ Below is an example which produces a hexdump of a (supposedly) existing file test.txt:
xxd -p t e s t . t x t
Task 3: CBC mode vs. ECB Mode
This task requires you to compare the use of electronic codebook (ECB) and cipher block chaining (CBC) modes of encryption.
Task Requirements
In Blackboard you will find a BMP image called Task3Image.bmp .
You are required to encrypt this image using AES 128 once in ECB mode and another time in CBC mode.
What to Submit: You need to submit a screenshot of both versions of the encrypted image, the commands/steps you used, and briefly discuss the difference of the quality of the confidentiality of the obtained encrypted images. Also, you are free to include any other interesting observations you have made/learnt from doing the task.
Guidelines
In BMP images, the first 54 characters in the image file are reserved for the header which identifies this image format. Thus, unless you replace the header of an encrypted image, it would not be classified as a valid image anymore. Follow the below example steps to copy the file header from the original BMP image (e.g. original.bmp) and the encrypted image (e.g. encrypted.bmp) into a new image file (e.g. newencrypted.bmp).
1. Copy the first 54 characters from original.bmp to a file named header.
head -c 54 o r i g i n a l . bmp > header
2. Copy the rest of the encrypted image (excluding the encrypted header) into a file named body.
tail -c +55 e n cryp ted . bmp > body
3. Merge the original header and the encrypted body into file newencrypted.bmp.
c a t header body > newencrypted . bmp
Task 4: Plaintext Padding
Since block ciphers operate on blocks of the plaintext, there might be a need to pad the plaintext if its length is not a multiple of the required blocksize. The PKCS#5 padding scheme is widely used by many block ciphers. This task requires you to observe how the different encryption modes use padding.
Task Requirements
In this task you are required to observe how the ECB, CBC, CFB, and OFB modes of encryption use (if any) padding. You can use any block cipher of your choice.
What to Submit: You need to report which of those modes require padding and which do not, justifying your answer in each case. You need to submit a screenshot of the commands/steps you used to reach your conclusion. Also, you are free to include any other interesting observations you have made/learnt from doing the task.
Guidelines
Here you should attempt to encrypt a file containing a plaintext whose length is not a multiple of the block size in question and then attempt to decrypt the ciphertext file and compare the decrypted text with the original plaintext. Note that by default the openssl enc -d command removes the padding when decrypting so that you always obtain the original plaintext when decrypting the ciphertext. To stop the decryption command from removing the added padding, you need to add the option -nopad when invoking the decryption command. Also, you should be aware of any (invisible) special characters, e.g. the newline character, as those would affect the length of the plaintext. Below is an example of using the Linux echo command to write the plaintext ABC (ASCII) to the file plaintext.txt while ensuring no newline character is added.
Task 5: Incorrect use of IVs
It is crucial for the security of block ciphers that the used IVs do not repeat, and to achieve stronger security when using some encryption modes, it is required that the IVs are generated randomly so that they are unpredictable. This task requires you to recover the plaintext from insecurely encrypted ciphertext without knowing the key.
Task Requirements
In this task you are provided with a pair of plaintext (P1) and corresponding cipher- text (C1) which was encrypted with AES 128 OFB mode. Also, we provide you with another ciphertext (C2) corresponding to an unknown plaintext (P2) which was also produced using AES 128 OFB and the same key and IV as that used in encrypting P1. Your task is to use the provided information to recover the plaintext P2. Below is the information you need:
Guidelines
Figure 1 shows encryption and decryption using the OFB mode. Below is an example of how to compute the XOR of 2 hexadecimal values a and b using the Linux command line:
echo $ ( ( 0 xa ˆ 0 xb ) )
The guidelines we provided for the previous tasks might come in handy for answer- ing this task.
Task 6: Brute-Force using the OpenSSL C Library
This task requires you to use the OpenSSL C library to perform a brute-force attack to recover the encryption key.
Task Requirements
We provide you with a plaintext and a corresponding ciphertext (encrypted using AES 128 in CBC mode) as well as the IV used, and your task is to use brute-force to recover the key. You must use the OpenSSL C library for this task as using the command-line commands will not be accepted as an answer for this task.
To make your task feasible, the key we used is an English word and is contained in the file WordList.txt which can be found in Blackboard. Note that if the word (key) is shorter than 16 characters (the required 128-bit length), we have appended the character '*' (ASCII Code 0x2a) to the word to reach the required key length. For example, if the word is hello, the key used is hello***********.
What to submit: You need to submit the recovered key as well as the code you have used to recover the key. Also, you are free to include any other interesting obser- vations you have made/learnt from doing the task.
Guidelines
There are many online resources which explain how to use the OpenSSL C library, e.g.: Also, in Blackboard we included a toy example ToyEnc.c which shows how to en- crypt/decrypt a short message using the OpenSSL library.
Note: When using gcc to compile a program that uses the OpenSSL library, you need to include the option -lcrypto. Below is a command-line example showing how to compile ToyEnc.c.
gcc -o ToyEnc ToyEnc . c - l c r y p t o
Also, be aware of the case of the words when performing your brute-force as the word case of the key you attempt should be as in the provided word list file.
Task 7: Post-Quantum Ciphers (Research Task)
It is well-known that some of the currently deployed cryptographic constructs used in protecting communication cannot withstand attacks by quantum computers and thus as soon as a high-scale quantum computer sees light, such protocols will be immediately rendered insecure. This task requires you to undertake some research regarding how quantum computers would affect currently deployed symmetric encryption ciphers.
Task Requirements
Write a short report (750 words max) discussing how would quantum computers affect currently deployed symmetric encrypting schemes and what measures need to be taken to offer protection against quantum computers in the context of symmetric encryption. Your report should include relevant references from the literature and your discussion should cover efficiency and security aspects, e.g. key sizes.
Attachment:- Symmetric Encryption Lab.rar