Klepto algorithms



  • From Mark Churchill ...

    I've been given news about a project I used to be a part of.
    I got fired for not "working as part of the team", by
    disagreeing with the personal friend of my manager.

    Anyhoo, one part of this project pushed some data around in
    query strings, which was slightly sensitive. I took the easy
    option of encrypting the whole query string using the .Net
    3DES CSP.

    Secure enough? Hell no! Our manager's buddy has apparently
    torn this all apart, as "three des is not a very secure
    klepto algorithm". Damn. He has now written his own "klepto"
    algorithm, which not only performs a basic rolling xor of
    the data, but also "adds the security of obfuscation" by
    inserting a random byte into the output every 4th one.

    I would be glad we have such a *cough* klepto expert securing
    my old project, if all the search pages didn't act like:

    "select * from foo where field = " + txtSearchField.Text

    And to conclude, just before I left the project, this guy
    rewrote one of my batch jobs that took 15mins to execute. After
    the rewrite it took 7 hours, and then after further optimisation
    it took only a couple of hours.

    He was formally congratulated for the time saved....
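
The search-page pattern quoted in the post above, next to a parameterized form, as an added example that is not code from the thread. It uses Python's sqlite3 so it runs on its own rather than the project's .NET stack; the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the post's table `foo`."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE foo (field INTEGER, note TEXT)")
    db.executemany("INSERT INTO foo VALUES (?, ?)",
                   [(1, "public"), (2, "internal"), (3, "restricted")])
    return db

def search_concatenated(db, text):
    # Pattern from the post: the typed text is spliced into the statement,
    # so it is parsed as SQL and can change what the WHERE clause means.
    return db.execute("select * from foo where field = " + text).fetchall()

def search_parameterized(db, text):
    # The typed text is bound as a value; the statement's structure is fixed.
    return db.execute("select * from foo where field = ?", (text,)).fetchall()

def compare(text):
    """Row counts returned by (concatenated, parameterized) for one input."""
    db = make_db()
    return (len(search_concatenated(db, text)),
            len(search_parameterized(db, text)))

if __name__ == "__main__":
    for text in ("2", "2 OR 1=1"):  # ordinary input, then input containing SQL
        print(repr(text), compare(text))
```

Both forms agree on ordinary input; only the concatenated one lets the search box widen the result set.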

     



  • I used to work with a PhD who once "improved" a freely-available implementation of a crypto algorithm.



    After he was done with it, runs of identical bytes in plaintext would
    produce repeating patterns in the ciphertext. It seems he never
    tested it with runs of identical bytes.



    It's really beyond belief that a working programmer, with any education at all, would be that clueless about cryptography. But he was.
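
A regression test of the kind the post above says was never run, as an added example that is not code from the thread: it encrypts a run of identical bytes and reports the offset at which the ciphertext best matches itself. Both ciphers under test are constructed stand-ins: `rolling_xor_obfuscated` is a hypothetical model of the first post's "rolling xor plus a random byte every 4th one" (the key and its length are assumptions), and `sha256_counter` is only a baseline that shows no repetition.

```python
import hashlib
import os

KEY = bytes(range(1, 17))  # constructed 16-byte key for the demonstration

def rolling_xor_obfuscated(data, key=KEY):
    """Hypothetical model of the first post's scheme: repeating-key XOR,
    with a random byte inserted as every 4th byte of the output."""
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b ^ key[i % len(key)])
        if len(out) % 4 == 3:
            out += os.urandom(1)
    return bytes(out)

def sha256_counter(data, key=KEY):
    """Baseline only: XOR with a SHA-256(key || counter) keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def worst_repeat(ct, max_lag=256):
    """Return (lag, fraction): the offset at which ct best matches itself."""
    best = (0, 0.0)
    for lag in range(1, max_lag + 1):
        n = len(ct) - lag
        frac = sum(ct[i] == ct[i + lag] for i in range(n)) / n
        if frac > best[1]:
            best = (lag, frac)
    return best

def check_identical_run(encrypt, run_len=4096, limit=0.05):
    """Encrypt a run of one repeated byte; pass only if no offset repeats."""
    lag, frac = worst_repeat(encrypt(b"A" * run_len))
    return {"ok": frac < limit, "lag": lag, "fraction": round(frac, 3)}

if __name__ == "__main__":
    for cipher in (rolling_xor_obfuscated, sha256_counter):
        print(cipher.__name__, check_identical_run(cipher))
```

With this key the modelled scheme repeats at a multiple of 64 bytes in about three quarters of positions: the inserted random bytes stretch the period but do not hide it.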



  • Pff, I just use ROT-13 for all my encryption needs.  In fact I ROT-13'd this very post twice for extra security.  None of you suckers will have any idea what I'm saying.  Mwahaha. 




  • Pff, I just use ROT-13 for all my encryption needs. In fact I ROT-13'd this very post twice for extra security. None of you suckers will have any idea what I'm saying. Mwahaha.

    What the fuck does this say? Do you have a public key we need or something? Seriously, if people are this insecure about their comments, maybe viewing comments should be closed to anonymous.



  • @quamaretto said:

    Pff, I just use ROT-13 for all my encryption needs. In fact I ROT-13'd this very post twice for extra security. None of you suckers will have any idea what I'm saying. Mwahaha.

    What the fuck does this say? Do you have a public key we need or something? Seriously, if people are this insecure about their comments, maybe viewing comments should be closed to anonymous.

    Crap, I can't make out either of these.  Is one of them encrypted?  Enciphered?  Endometriosis?



  • @quamaretto said:


    What the fuck does this say?





    It's encrypted, but we can probably break it if we put our heads
    together.  I mean, it's probably just like a substitution cypher
    or something.  I seriously doubt that he used like a feedback mode
    stream cypher.  I'm really smart and I do this all the time, so
    I'll start us off.  Here is the cyphertext converted to int:



    80 70 70 , 73 74 85 83 84 85 83 69 82 79 84 - 1 3 70 79 82 65 76 76 77
    89 69 78 67 82 89 80 84 73 79 78 78 69 69 68 83 . 73 78 70 65 67 84 73
    82 79 84 - 1 3 ' 68 84 72 73 83 86 69 82 89 80 79 83 84 84 87 73 67 69
    70 79 82 69 88 84 82 65 83 69 67 85 82 73 84 89 . 78 79 78 69 79 70 89
    79 85 83 85 67 75 69 82 83 87 73 76 76 72 65 86 69 65 78 89 73 68 69 65
    87 72 65 84 73 ' 77 83 65 89 73 78 71 . 77 87 65 72 65 72 65



    And here are the frequencies of the letters, sorted by occurrence.

    69 12
    84 11
    73 11
    65 11
    83 9
    82 9
    79 9
    78 8
    89 7
    70 6
    85 5
    72 5
    67 5
    87 4
    76 4
    80 3
    77 3
    68 3
    86 2
    88 1
    75 1
    74 1
    71 1

    69 occurs most off (snicker) so that's probably E.  everybody knows that E is the most common letter.  The other common letters are probably A, I, and O.  83, 82, and 79 are probably R,T and N.

    80 70 70 I 74 85 R A 85 R E T N A 1 3 70 N T O 76 76 77 89 E 78 67 T 89 80 A I N 78 78 E E 68 R

    I 78 70 O 67 A I T N A 1 3 68 A 72 I R 86 E T 89 80 N R A A 87 I 67 E 70 N T E 88 A T O R

    E 67 85 T I A 89 78 N 78 E N 70 89 N 85 R 85 67 75 69 T R 87 I 76 76 72 O 86 E O 78 89 I 68 E O

    87 72 O A I 77 R O 89 I 78 71 77 87 O 72 O 72 O

    As you can see, we are already pretty far along in decoding this.  The words Retna and Aitna are obvious.  I'm sure that the rest of this will be easy.


  • Pff, I just use ROT-13 for all my
    encryption needs.  In fact I ROT-13'd this very post twice for extra
    security.  None of you suckers will have any idea what I'm saying. 
    Mwahaha.




    2 times ROT-13 is not strong enough by far. Try using ROT-52 for optimal security ;p



    for those who still haven't figured it out. the ROT encryption was also
    used before there were computers. it is so mind-bogglingly simple that
    you could consider it a 'tree-house' or 'boy-scout' kinda algorithm.
    primarily used by 8-yr olds.



    mostly though, ROT-x is used for numbers that are not 26*a for any
    whole number a (in our western alphabet that is), because it would ruin
    the whole point of the encryption.



  • If YOU'VE gotten six impossible errors this morning, why not round it off with breakfast at Milliways?



  • aarg, meant to hit reply...
    my first post and it's a WTF in itself.



  • If YOU'VE gotten six impossible errors this morning, why not round it off with breakfast at Milliways?



  • My problem with modern klepto algorithms is mostly due to the stealth memory leaks-they allocate memory without telling the OS.

