When AES(☢) = ☠ – a crypto-binary trick (opens in new tab)

(speakerdeck.com)

287 pointsange4771_11y ago34 comments

34 comments

That was a great read. I saw the title and figured it would quickly go over my head but it's all pretty understandable.

Does anyone know where I can download the src to have a look through?

Edit: found it https://code.google.com/p/corkami/source/browse/#svn%2Ftrunk...

The play of unicodes reminds me of some awesome slides made by Larry Wall and other Perl hackers. A good slide show is about to convey messages in a visually efficient and succinct way, not in an overloaded and bloated one.

archagon11y ago

Same here. Great read, very well explained.

drdaeman11y ago

There's also a word play in the title. "AES" transliterates to "АЭС" (acronym for "Атомная Электростанция") in Russian (and some other Slavic languages), which means "nuclear power plant". Thus, the "☢" sign.

ange4771_OP11y ago

that's totally unintended: I just looked for some interesting unicode characters and chose these 2 for the video game references ;)

mooism211y ago

Actual link: https://speakerdeck.com/ange/when-aes-equals-episode-v

silsha11y ago

Recording of the talk: http://podcast.raumzeitlabor.de/#wbHkVZfCNuE

krick11y ago

That's amazing. Didn't think it's even possible, however it turns out to be surprisingly simple. Also, laughed out loud because of that guy's twitter nickname on the 3rd slide.

dikei11y ago

Cool trick, I have encountered something like this in a steganography wargame before, the only difference is they used Base64 encoding on the original picture instead of AES :)

yiedyie11y ago

Base64 is not true encryption, it doesn't require a key it is merely obfuscation.

georgemcbay11y ago

In the general usage case base64 is not even obfuscation, really (though it does make it non-human-readable... for most humans), just an encoding for dealing with situations where you need to store or transmit 8-bit or multibyte character data into a system that may otherwise be incapable of dealing with it reliably.

dikei11y ago

Of course it's not, but the method is the same, you append a different picture to the end and modify the original image header to point to it. The encoding or encryption is not relevant.

reblochon11y ago

Does any one know the name of the hex editor used in these slides, the one showing the PNG chunks and JPEG information?

ange4771_OP11y ago

that's https://bitbucket.org/haypo/hachoir/wiki/Home

JoachimS11y ago

A good example of why a MAC after encryption is also needed. And blocking length extension attacks.

tptacek11y ago

Where do length extension attacks come into play with angecrypt?

thristian11y ago

I love the "HexII" hex-dump format he links to, it's so much less cluttered than the traditional one. I'm definitely going to have to try that out the next time I'm picking apart some binary file.

ange4771_OP11y ago

thanks - HexII is in very early development for now.

hzc11y ago

this is awesome. now I hide secret information in a seemingly innocent image. no one would want to use AES to decrypt it if the image looks fine.

ShowNectar11y ago

Where do you store the IV? Do you just append it at the end of the file?

mzs11y ago

You have to supply that, see the python script, at the end it prints what to run to decrypt, the determined IV is passed as a param:

http://corkami.googlecode.com/svn/trunk/src/angecryption/ang...

glial11y ago

What's the benefit of AES using such small blocks?

AnthonyMouse11y ago

The block size of a symmetric cipher will generally be in the neighborhood of the key length. You can imagine the problem if you had a 128-bit key but an 8-bit block size -- for each of the 256 possible inputs you would have only 256 possible outputs. There would be multiple keys that produced the same mapping and you could produce every possible mapping with only 65536 keys. So the block size needs to be near the key size. Making it larger than that wouldn't make it any more secure but would make it slower.

tzs11y ago

This doesn't sound right to me. There are 256! permutations of the set {0, 1, 2, 3, ..., 255}. 256! is much bigger than 2^128, so I see no reason that each key cannot produce a unique mapping.

> So the block size needs to be near the key size

Note that AES-256 has a 256 bit key, but the block size is 128 bits, which is not near the key size.

I believe that the main constraint on block size is that a small block limits the length of messages you can safely encrypt with a given key. If the bad guys see a lot of cipher text encrypted with the same key, they have a better chance of a successful attack. What "a lot of cipher text" means depends on the block size. The bigger the block size, the more cipher text is needed to constitute "a lot of cipher text".

3 more replies

BrokenPipe11y ago

impressive! a very cool hack!

frik11y ago

Impressive.

That's also the reason why one should limit the max-length of a password field (something reasonable), if one is using the salted-password in db approach. Otherwise someone could enter a very long password to do the trick (MD5/SHA1), see http://en.wikipedia.org/wiki/MD5#Security .

jimktrains211y ago

I guess I'm not following your logic. If there is a salted, hashed password in a db, allowing arbitrary length passwords shouldn't matter? HMACs and KDFs work very differently from symetric-crypto primatives.

michaelmior11y ago

The point is that it makes it easier for an attacker to find a hash collision. It's much easier to construct data which hashes to a given value if it can be of arbitrary length. I don't immediately see the connection with this article however.

2 more replies

j / k navigate · click thread line to collapse

34 comments

aidos11y ago

That was a great read. I saw the title and figured it would quickly go over my head but it's all pretty understandable.

Does anyone know where I can download the src to have a look through?

Edit: found it https://code.google.com/p/corkami/source/browse/#svn%2Ftrunk...

ttflee11y ago

archagon11y ago

Same here. Great read, very well explained.

drdaeman11y ago

ange4771_OP11y ago

that's totally unintended: I just looked for some interesting unicode characters and chose these 2 for the video game references ;)

mooism211y ago

Actual link: https://speakerdeck.com/ange/when-aes-equals-episode-v

silsha11y ago

Recording of the talk: http://podcast.raumzeitlabor.de/#wbHkVZfCNuE

krick11y ago

That's amazing. Didn't think it's even possible, however it turns out to be surprisingly simple. Also, laughed out loud because of that guy's twitter nickname on the 3rd slide.

dikei11y ago

Cool trick, I have encountered something like this in a steganography wargame before, the only difference is they used Base64 encoding on the original picture instead of AES :)

yiedyie11y ago

Base64 is not true encryption, it doesn't require a key it is merely obfuscation.

georgemcbay11y ago

dikei11y ago

Of course it's not, but the method is the same, you append a different picture to the end and modify the original image header to point to it. The encoding or encryption is not relevant.

reblochon11y ago

Does any one know the name of the hex editor used in these slides, the one showing the PNG chunks and JPEG information?

ange4771_OP11y ago

that's https://bitbucket.org/haypo/hachoir/wiki/Home

JoachimS11y ago

A good example of why a MAC after encryption is also needed. And blocking length extension attacks.

tptacek11y ago

Where do length extension attacks come into play with angecrypt?

thristian11y ago

I love the "HexII" hex-dump format he links to, it's so much less cluttered than the traditional one. I'm definitely going to have to try that out the next time I'm picking apart some binary file.

ange4771_OP11y ago

thanks - HexII is in very early development for now.

hzc11y ago

this is awesome. now I hide secret information in a seemingly innocent image. no one would want to use AES to decrypt it if the image looks fine.

ShowNectar11y ago

Where do you store the IV? Do you just append it at the end of the file?

mzs11y ago

You have to supply that, see the python script, at the end it prints what to run to decrypt, the determined IV is passed as a param:

http://corkami.googlecode.com/svn/trunk/src/angecryption/ang...

glial11y ago

What's the benefit of AES using such small blocks?

AnthonyMouse11y ago

tzs11y ago

This doesn't sound right to me. There are 256! permutations of the set {0, 1, 2, 3, ..., 255}. 256! is much bigger than 2^128, so I see no reason that each key cannot produce a unique mapping.

> So the block size needs to be near the key size

Note that AES-256 has a 256 bit key, but the block size is 128 bits, which is not near the key size.

3 more replies

BrokenPipe11y ago

impressive! a very cool hack!

frik11y ago

Impressive.

jimktrains211y ago

michaelmior11y ago

2 more replies

j / k navigate · click thread line to collapse