 to this, I've been developing this workshop over the past six or seven years is that in the past one or two years, I've been working on a tool that consolidates a lot of these attacks into one interface that's for men's point like. So on the VM, if you have that, you'll be able to bring up the slides. If you just go to http colon slash slash slides, it's running on your VM there. The challenges are http colon slash slash challenges. So we're not going to cover all of these on here because these it's kind of just these have been challenges I've been working on and I've been fine tuning what I cover but you can also work on them at your own time and be like but just to, oh yeah, I need to update this slide, but just some logistics on it. So once you do get the VM up and running, there's an account called workshop and a password is workshop and you basically just need your browser and then in the terminal, there's already a tool that I call Krippus Boy and just to activate it. Actually, how clear is the or how legible is the terminal here? Should I make it the text bigger? So I don't know how to make this thing go away but so the command I just wrote ran is a depend shell that just activates the virtual environment and then being a tool itself you just run doing Python Krippus Boy. So we'll have this available for the action challenges. It's definitely work in progress it's mostly what I work on when I have spare half an hour an hour so but I do hope that at some point if people like it enough people contribute and can add more attacks but I'll describe a little bit more about the emphasis of the tool as we go along. So just to get through some very basic overview of what cryptography is. So there's different aspects of cryptography that we're going to talk about. So the first is just your basic symmetric key encryption. So the basic idea is sender and recipient want to exchange data in a confidential way. They both share the same key. The sender will use that key to encrypt the message and the receiver using that same key can decrypt that message. So in this workshop we're going to be mostly dealing with block ciphers. So we'll talk a little bit more in-depth about that in a moment but basically a block cipher is an encryption algorithm that requires that the message have a fixed size. It can't be any bigger it can't be any smaller and it'll turn out that all of the attacks dealing with block ciphers are just going to be on how you use the block cipher. It won't have anything to do with the algorithm itself. So whether you're using AES or DES or some future block cipher that is even more secure if you do it in the same way as these that makes it vulnerable to these attacks it won't matter at all. Okay and then this is a little bit of a this doesn't quite cover all of the of AES metric encryption but for asymmetric cryptography but also knows public key cryptography. But the basic idea is that there are going to be two keys a public key and a private key and in terms of asymmetric encryption the recipient is going to distribute their public key to anybody who wants to send them a message. Then the sender will use that public key to encrypt it, send the cipher text and then only the recipient who has the private key can encrypt it. We'll also be talking about another operation called key signing and this one kind of works in reverse in this situation the person with the private key wants to demonstrate that a certain message came from them and so they'll use their private key to add a tag to the message and the public key will be used to verify that that message came from the person with the corresponding private key. So back to block ciphers as I mentioned block ciphers use fixed size input and they'll produce something that looks random that's sort of the nature of cryptography and it will but it will depend on the message and the key and the security of the algorithm or the encryption will depend generally on the secrecy of the key but we'll find that the way you use block cipher can still reveal the original plain text. So what we're going to see is that there are a variety of block cipher modes because as I mentioned before that a block cipher requires fixed input size and generally your messages aren't always going to be 16 bytes or whatever so you're going to need a way to encrypt messages of different sizes so how do we do that? Well the first and most obvious way is called ECD mode which stands for electronic codebook and see this all it does is it breaks up your message into block size chunks and then each block of plain text gets encrypted with that same key and outputs cipher text. The advantage of this is it's highly parallelizable you can run the encryption algorithm on each block simultaneously for very fast encryption. Similarly with the encryption you'll take you'll break up the cipher text into blocks you'll take each cipher text use the key and the encryption algorithm and pop out the plain text again highly parallelizable you could in principle do the encryption of every single block simultaneously but show of hands how many people have seen this before yeah okay so if you haven't seen this before you may hear in future people talking about how ECD mode allows us to see penguins so basically what it's saying here is that there's a lot of redundancy in this image right there's a lot of white space a lot of black and then like the yellow here so if you encrypt this image we're using ECD mode like each block of white space is going to be the same and even though that gets scrambled up you'll still see that okay we got this white space here we got black kind of white it's a little bit fuzzy but you can still see in the image here that we have a penguin so this leads to a number of issues okay I should add a slide about this so the main problems with ECD mode are that as you can see repeated patterns in the plain text show up as repeated patterns aside for text so there's something we won't cover I'm not going to really cover in-depth ECB mode mostly because I think there are more interesting attacks up for the sake of time I want to cover those ECB mode does show up in the real world but it's it's still like fairly rare even in the work that I do I don't see that often I did actually just recently see ECB mode come up I had to shake my head at it and I think in that situation they were encrypting one block of text whether you need key each time so it's not the worst application of ECB mode but you know it it does allow you to if you have some control over the input you can use that to recover the part of the plain text that you don't have control over and there's also what are called cut and paste attacks so if you I mean in this case we have a penguin but we could in principle take this encrypted penguin and cut it pasted together in a different way and there'll be no way for the decryptor to tell a difference so one of the most common applications of this is you might imagine that somebody's trying to store instead of kind of seeing like a query string parameter in a web request in plain text maybe they try to encrypt that whole thing and then they will they will use the like sort of was there any word the structure after decrypting first and if they use ECB mode you could rearrange the blocks so that it encrypts something different for example if there was a portion of it that was like admin equals false if you have some control over the input and can then restructure it you can turn that into admin equals true which will allow somebody to perhaps turn on admin privileges that they shouldn't otherwise be able to so generally this is considered very bad most people know that so it doesn't show up that often but this one still does and so in fact I think this is the most probably the still the most common block sector mode that I see and so it's known as a sector block chaining or CVC mode for short and this tries to solve the problem of the repeated patterns by first off it adds a little bit of noise to the beginning no basically it's going to add noise to each block of the plain text so in this situation instead of just running the plain text to the encryption algorithm we're going to start off with an initialization vector which should just be a random set of bits and then we're going to use the xor function with the plain text so that's just going to for every bit that's a one here it'll flip the corresponding bit in the plain text if there's a zero bit they will leave the that plain text that alone before encrypting it so if this initialization vector is random then xor and with it will also make the input to the encryption algorithm random and then we take the output and we use that as the IV for the next block and so repeat we xor with that IV run through the algorithm take the psychotext and use it for the next so that's why it's called cyberblock chaining it's using the cyber text in a chain here to reduce the final result so as you can see each encrypt each block it's dependent on the previous one so we can parallelize it like we can with gcd mode but it does help to prevent those patterns that we saw at ecd mode and again with decryption it works similarly here so we again we start with the first cyber text block we decrypt it and then we xor with the initialization vector to get the plain text then we use that first psychotext block as the IV for the next one take the second psychotext block decrypt xor and get plain text and so on and so forth so the initialization vector needs to be known by the decryptor but this is generally not a problem like it doesn't need to remain secret it just should be randomly generated at encryption time okay so this is kind of a warm-up exercise to get a feeling for what can happen with cvc mode so in this example here this is kind of an older attack but i don't think i've ever actually seen this in a while myself but i know it's something that hasn't happened before so this oftentimes people will assume things that are required are too strong life you know when it comes to the IV i said it should be random people think maybe it also needs to remain secret and so since both the encryptor and decryptor need to know the IV is but they both have to know the key anyway there was a thought that will make the key in the IV the same but it turns out that if you can get an encryption of a special psychotext you can actually recover the IV which in this case happens to be key and so the way this works is so if we have an existing psychotext can we break it up into some number of blocks and then we change it so that we send the first block then a block with all zeros and then the first block again and we get that decryption we will be able to recover the IV and the reason for that is that when we see the decryption what will happen is it'll do they'll take that first block decrypt it and XOR with the IV so we'll get the original plain text for that back then for the next block this will be kind of garbage because it's going to decrypt the zero block but we don't really care about that but then since zero is going to be used as the IV again over here whereas this third block is really the same as the first block it's going to run into the decryption XOR with zero but when you XOR with zero you don't change it at all so here in these two blocks we're going to get the results of this one's going to be the result of decrypting the psychotext block XOR the IV and this is going to be the result of decrypting the psychotext block but without XORing the IV and it turns out if you XOR these two things together you'll cancel out the original plain text portion and you'll get back the IV so I've included in the slide deck like some examples that you can sort of work by hand so I don't really want to go through these during the class but in your own time if you want to check this you can see that if you use AES and use these keys you'll see that this is the example psychotext then if you were to decrypt this and you'll get that and it's computing the XOR CSS is hard I need to fix that one oh I think I forgot to mention this for those of you who have the VM something I did this time as well is I put a cron job on the account that where I know it's a route that will every hour on the hour check the get repository that I have the challenges in the slide stored on and it will try to pull and if there are any updates it will refresh the the slides and the challenges so any updates I make fixes like if I this evening decide to fix this it will automatically update that for you okay so I guess I chose mentions earlier but when we're doing blocks I have challenges it's we haven't been using AES which is 16 byte block so I only mentioned AES because it blocks size it's 16 bytes and that's what we're going to assume but it doesn't really have anything to do with the fact that it's AES it could be any other block cypher 16 bytes long and so we're always going to see these in the hex so that turns out to be 32 characters so I think it will do this one I'll go through the entire challenge here it'll just sort of demonstrate oh I can't that's better okay so in this challenge if you look on that link it sends you to this page where the cypher text is in this correction parameter and all the app does is it decrypts the message and then I believe remember quickly it's just going to check to see if it decrypts to see something that's a printable string but here I'll just show you what like sort of the mechanics of how this works and then I'll point out where you could finish the rest of the challenge here so this is going to be one of the only ones where we're not going to actually do my tool for it but I think it's an illustrative example so first I'm going to copy that first block so I just need to copy the first 13 hex characters copy that I'm going to put in a block of all zeros so that's 32 zeros and then I'm going to put another copy of the first block so I hope that this works apparently I did that right okay so I want to demonstrate that just because this is an example of how this kind of block could show up in the real world if if they were really doing this as you see it was uh I mean there's a some other contriving example but here it's trying to decode the hex string and expecting it to be all printable but it failed to do that so what it did was actually just dump out the the the hex of the decryption so for any of you those who are particularly good at asking you might be able to tell what the first bytes are but what you would do is I used to have this separated by block to make it easy but I was working on trying to change it so that I could actually have it run by my tool but for now what you would have to do is sort of copy you know the first 32 characters and then go another 32 characters in and then copy the next 32 so you want the first chunk of 32 the 32 characters and the third chunk of 32 characters and then for now I can have on here actually some helper tools for this so what you would do is you would grab that first so 32 characters put it in here take the second but it will calculate the XOR and give it to you as a hex and then in the AES decryptor you put the ID and the key and the hex and the entire cyber text and it will decrypt it for you so I just you can find similar tools like this on the internet I just kind of put this conveniently for you here but we're not gonna go over that we're not gonna finish that today and try and get into some orange things but I don't think questions over I'm not going 2000 right now all right so this is perhaps the first one that I still see often not that it's gotten CBEs admittedly I think at this point the last one that I saw and I made having I mean they're just having to cross my path there might be more recent ones but there's a CBE in 2016 I believe there's an Apache one but this is a gonna be CBE panning horrible has anybody ever heard of panning horrible attacks so this one's actually kind of fun mining we will use the my tool for this one okay so in the earlier section on block cypher is we kind of glossed over a fact that when I was saying like break up your message into block size chunks that's still assumed that your message was a multiple of block size in bytes so you know like in the case of as assuming that your message would always be a multiple of 16 bytes in reality that doesn't usually happen so to solve that problem we usually use something called padding there are different padding schemes and depending on which padding scheme you use it will affect how you would actually really run this attack the most common that I see outside of there was a TLS or my cell forget bug that I'll mention later on it's used a different padding scheme so the attack works a little bit differently than this but this kind of still gives them a flavor of it so as I mentioned we're going to use pksc s7 padding and the way that works is this actually this form padding actually builds an integrity check it has at least it's a small integrity check it's it only checks that the padding bytes themselves have been changed but basically what you do is you count how many bytes are needed to finish the block so here in this example um I these d's are just supposed to be like random data bytes I just think of as like a x or y or something it doesn't matter what those are the data ends here so there was a full block and then a remaining four bytes so that leaves 12 bytes left so I put in hacks that works out to be zero c and so pksc s7 padding says fill the block with how many bytes you put in there so each one's going to have the same value to be zero c 12 times and we're going to exploit the fact that sometimes when using pksc s7 or wealth bender ace or padding and cvc mode after it decrypts it's going to try to check that padding to see if it's valid or not so what are we going to do how's the attack going to work I mean the first bit here is that because each ciphertext block acts as the initialization vector for the next block it turns out that you can use that to clip the bits that come out here so if you flip a bit on this ciphertext block it will change which bits get flipped here so it will still it'll flip something in the plain text at the cost of completely ruining this so you know if I made one bit of flip on this ciphertext and run through here it's going to come out to be complete garbage regardless of what happened over here it's just the output from this one's going to be garbage but I have control over what's going to change over here and we're going to use that to our advantage so what how's the attack going to work and actually actually before we get to the mechanics of attack what is the goal what's this attack going to accomplish so in this case what we're going to do is exploit whenever the decryptor tells us that we have a whether we have a bad or a good or bad we're going to use that information to decrypt the original message we won't get the key so we only use we'll only be able to decrypt that one message if there was not a message we'd have to apply the attack again but it does break confidentiality for that message so how does this work to start off with we're going to you know still look at the original blocks we're going to break it up and start with take a look at the second to last block because we know that we can change if we change that one it will make a predictable change to the last block so we're going to we want to start with guessing the last bite of the last block and what we're doing is well kind of like here if we want to if we knew what this value here was what we can do is XOR this block here with the value of this plain text block then this the bite here so we're going to do that one single bite and XOR that bite here and if we're correct then when we do that that will actually cancel it out I would go to zero but we're not going to stop there we're going to then XOR after we XOR a guess that we're going to XOR it with zero one because what that will do is if our guess is correct it will turn this bite here into zero one and that would be a valid path so if our guess is correct the server will tell us our padding was good and then we'll be able to move on now now that we know that this bite what this bite is we can only we can next worry about but the value for this bite so we're going to try to guess for these last two bites we know we know this one is so we're trying to XOR the last bite here with the correct value and we'll work to make guesses until we get the right one here if we get the right guess here and we XOR it then we're going to XOR both these last after we XOR with our plain text guesses we're going to XOR the last two bites with zero two zero two because the goal is to change the pad to be zero two zero two so if we know if we've gotten the correct guess for the last two block bites of the plain text block here we can XOR over here and then XOR with the padding of zero two zero two and if it's correct we'll get the right add and we're just going to keep on doing that one bite at a time so once we get a correct thing here we'll make guesses here and XOR the final that value with zero three zero three zero three so if the hope of getting this pack be zero three zero three zero three um one thing I didn't mention about pkcs7 padding is that because it's always going to assume there has to be some padding in there if your message happens to be a multiple of block size so in the rk16 then it will require a full block of padding so in the end when we finish this block the goal will be to make this be an entire padding block so it'll be one zero one zero one zero and X so I can put in some Python code here so mostly because I used to give you this XOR string function not on your name anymore but um this also works through a simple example that you can work through on your own I know so yeah I'm not gonna go through it I am before we get into the actual demo I thought I also point out something is that um how do you actually go about finding this so um it occurred to me that there uh it should be a way to actually detect padding oracles the easiest way was that like what I would do if I was trying to to find a vulnerable system is I'd look to see if there was something that looked like cybertext that was multiple blocks long so you know for say a web application maybe there's hex or base 64 that encodes something that's a multiple of 16 but at least 32 bytes long and then I would change the first byte of the first block and see what the response was and then compare that to change in the last byte of the second to last block because that should flip the last byte of the last block and make it an invalid pad I guess I could also just change the last block as well I you really want to control it to make sure it's just padding so yeah I would just still say last byte of the second to last block will will flip something in the last uh byte which should make it an invalid pad and then uh if you can detect any differences there then that indicates a likely padding horrible um impossible signs of invalid versus valid pads would be timing differences which admittedly and I haven't worked on implementing um and then other differences like error messages or just stash codes and that's what we'll see the moment okay so um as I mentioned for some real-world examples of padding orbital attacks um so back in 2014 there was a named vulnerability called poodle um also goes by cv 2014 1566 um and that couple years later in apache mod session crypto cv 2016 0736 now in the uh this uh I just put in a slide here so you don't have to remember or look at the reporting I guess the reported uh you could but uh this will include all of the commands for the uh the uh to running the attack so um you can just review that later like but yeah so I'll bring up the padding orbital attack so this one again there's just a link here and uh what it will do is um okay if it it's just gonna check to see if the original message is so yeah that's the original message um if you change it to decrypted something else so let's just I'm basically walking through the uh the detection method I mentioned before so I'm gonna change the first byte of the first block um and it's like okay this is the invalid data um and but still valid pad so I believe it returns a four and four and then I'm just gonna change the padding so that should be the last byte of the second the last block once change the seven to an eight and it gave this mouth long data I can name but I wish if I think this one returns the status for me so that's basically how it works and so here I'm going to demo house attack so um briefly this uh this tool which I called for display has uh a few different commands that we use so if you use the help command it will show you what the available commands are right now um but primarily uh one of the main reasons I thought about developing this tool was that it occurred to me that um like especially for something like this where you have the main algorithmic attack and then you have what's going to actually interact with the system and what I'm calling here your oracles those don't necessarily have to be related to each other so um I structured this tool so that it allows you to implement the attack independent of how you interact with any other system and then you you write your like oracle code and you can then mix and match as needed um so uh in this case we're going to use the padding one more time so actually I think there's a mistake in the I was trying to reorganize these so that they were actually like structured under certain categories um so we're going to do the counting oracle attack which are the block side bird tags and then we're going to specify it working so one other thing that I was kind of proud of doing is that I uh implemented a um like the redline functionality or so it has tap completion and history um you can even use control r to search for previous demands but you know so this oracle that I have here it's um I call the web status boolean oracle um so it's basically in return true or false um based on depending on status is so you're going to tell it like which are what are the good statuses and anything else will be considered a bad one so um and then let's just look at the options so the other thing that we did here um I'm not sure if there's a better way to do it but you'll notice under the names anything that starts with an O and a colon uh that's an oracle parameter and then the other one is for the actual not an odd way so in this case the algorithm all it requires is the original cybertext and um these are things just pretty horrible to work so good we'll grab the cybertext real quick and set the cybertext so this one also you just needed a base url um just going to assume um okay it by default uses a gather requests but you can change it if your application uses post requests uh to clear the verb um since it defaults the gatherers no leave it alone also it needs to know which pram is uh contains the cybertext so I'll just put that in there you know so I called it ctext if there were any other parameters required you can put that in there as well and then as I mentioned it needs to know what are the good stash codes uh so I was putting in 204 and I'll do the quick ones and then to run the uh the command I mean you use the excellent so finger stress is gonna work so I guess I'm not sure we do the screen share or what but um what um so it shows you the encryption as it's going I like this one because it's like Hollywood hacking or whatever it looks like a movie one thing that unfortunately because we couldn't see the far right of it but what I actually put some special logic in it so that when it's decrypting the first block it assumes that there's going to be a valid pkcs seven pad in there so it actually just checks initially for that first byte to find the initial padding byte so it actually starts at 16 and goes down once it gets a match then it will do the full pad make sure that that works and then continue on but yeah it's unfortunately we're going to see that so you would see the first like if the padding the pad comes out really fast but they'll like uh at most go to 16 iterations and then pop over to the rest and it'll start actually right through encryption so you'll see and hacks what the valid bytes are and then it will actually decrypt the message for you even though I never actually went in a way to submit flags this was always structured to be like a ctf style challenge so I even put the oftentimes they're the results of the challenges will be flags like this only flag brother braces message that were pasted there and although I don't I'm bothered with like lead speak like sometimes though and it's done on cts the flags are usually relevant to um so just to wrap up this section of I will say that generally the so to avoid this attack either don't use cvc mode or you want to make sure that you're not leaking out that information about whether or not there was a valid pad decryptive so usually the best way to do that is to follow a moxie marlin space cryptographic duty principle and that basically if I remember that correctly you basically don't want to perform cryptographic operations on untrusted hypertext I'm probably mangling that but the idea is the way part of the reason why this worked was because we were able to change the cyber text and it's just that sure I'll decrypt that and then oh there was an error here and I'll tell you about that error but if the decryptor first validated that that cyber text was coming from a trusted source before decrypting it and that would prevent the possibility of a panning oracle because they wouldn't even get to find decrypting it so typically you would use what's called a message authentication code for Mac most commonly people use hmax which are hash based message authentication codes and those are basically special key functions that allow you to but like essentially an integrity check on a given message it doesn't it just provides integrity doesn't do anything with confidentiality but it should only be a value generated by those who have the private or for the secret key like so both the encryptor and decryptor will need to actually handle it any questions at all about this section now we're going to shift gears to public engrenography and while I mentioned mostly in the intro about encryption I did also mention signatures and I put this one first because this is one of my favorite well we lead to one of my favorite attacks mostly because it's like Chrysler Algeron and there is a particularly in my opinion funny example of this in the wild so a lot of these slides are going to be kind of like wall attacks we don't a lot of details aren't that important I'll just point out where they are so again like we're going to write numbers in Bay 16 because otherwise they can get down big even I think for my examples and my examples are like more toy examples like they you wouldn't need this attack necessary to crack it they'd be small enough that a direct attack will work but just for the purposes of illustrating how this works and a lot of this is being done using modular arithmetic so so everybody familiar with modular arithmetic here somebody know what that means yeah right so if you're doing addition and multiplication there's going to be always a modulus that you're going to reduce that modulo whatever modulo and for all the public key stuff that we're dealing with that's ultimately going to be part of that and also while I put easy like the curve in parentheses in this case here we're going to just work with the regular finite field version but we all the stuff basically works the same for the electric curve version as well okay this is like wall attacks today you don't need to know all the details up there's just like a couple of key things so in in regular dsa turns out there are two prime numbers there's a big crime key and a small crime cube there's a special number g called a generator and then the private key is going to be some random number from zero to q and the public key will be g to the x mod p so we're going to raise g to the x power and produce mod p now and so this in this case will be public key including parameters so that your primes and the generator and the private key is just x okay so to sign a message we first have to come up with a random well I should take that word back because it doesn't have to really be random what this special k number has to do it needs is it needs to be unpredictable and remain secret but this doesn't necessarily mean random and I'll kind of bring up why random doesn't necessarily need to be the case like we'll get to the end of the dsa section but just keep in mind like I think this is relates to something mentioned earlier in that sometimes when people are reading about how the stuff works they read or make certain assumptions about what certain things mean so like if it says unpredictable and secret that doesn't necessarily mean random it just means unpredictable so it has to have some of the similar properties random but oftentimes when dealing with when trying to truly do random things it may not be as random as we think so yeah we pick that value k and then we compute this new value r which is g to the k mod p mod q and if r happens to be zero we go back to step one and choose a dk and then once we have that r value we compute this s value where this is k inverse times and we're going to compute a hash of the message and treat that hash value as a number mod q added to x times r where x remember is the private key and r is this value over here and we'll do that all mod q and that's our s value so just quickly this k inverse value here what that means is that this k inverse is a number such that if you multiply it by k and reduce mod q you'll get back one so it's sort of like dividing you kind of think of this as being like h plus x times r all over k but we're not really doing division we're kind of doing the equivalent thing in modular and then the signature is going to be these two values r and s verification i put this in here just for your knowledge if you want to look at it but for this purpose we actually don't care because we're just going to look at a signature that is valid but we're going to be able to recover the private key so in this this is kind of a warm up again and i'm referring to this as the the known nonce attack so that k value is oftentimes called a nonce and if you happen to i mentioned before that it needs to remain secret so if that secrecy is ever lost and somebody ever gets the k value it turns out you can just solve for x so this is i worked out the algebra here so just look at that equation but basically how it works is you multiply both sides of this equation by k first that will cancel this one out and so you'll have k times s over here then you multiply both sides by s inverse and then you distribute that through you'll have to subtract the s times h on that side and then multiply both sides they are inverse and that's how you get this okay so like really if if you have a signature so that's going to be remember it's going to give you the r and the s values and you happen to get k you also have the message h then you have all the values on the right side here so you just even even a few facts so yeah here's another example if you want to work out and i did actually implement this one in my crystal like tool this one is probably not super realistic i'm not sure if i can think of him ever hearing this one show up in the real worlds i know yeah i recall hearing about some but again it's a nice warm up and so for a lot of these public key attacks there's usually going to be at least two stages here because the first step is that we need the public key and then in this case we're going to be attacking signatures other ones will be doing other things but so you'll see here there's actually um two sets of slides um it's the first one to be a cover we're going to get the public key and how are we going to act on that time so back here we'll see that um all of these i think actually all of them should um have usually three at least three different oh maybe two in one case but there'll be different links here so here's where you're going to get the public key and just for simplicity here i'm using json to do this because you know you can imagine somebody trying to do a web application to do this we'll just maybe send everything over json um so in this case the public key includes all the parameters and the y value here this one um it doesn't stay in raw mode but um so because i need to list for the next one i decided to do the same thing here but the message actually comes from the uh fortune commands uh i'm here so it's just every time you hit it it's going to be some random fortune message um and then the way that you actually solve the challenge is by submitting a signature using the private key so um and you have to sign a particular message no that private key so um when you just uh use the the get method it returns this and when you post the signature it should the correct signature it should return the flag so the first step is getting that public key and um i want to try and keep the like the basic command set fairly limited so um what they did in the printing was um what i call the generic module um and what this will just do is um run any oracle and then you could have the oracles be the things that go out and grab things like public keys so there's actually are no options for this module you can see there's nothing there yet but if we use oracle and then yes one thing that um the way that i structured this is that i figured that uh different json representations of the key may choose to use different i don't know using key for different things but different keys in terms of like a json key like what you use to select the data out of json for corresponding components of a public key so that allows you to specify that here um and then just give the url if there's anything else that is needed for uh making the request you can put that down here as well but these are not required so they were um with this one if we just see i'll leave it in the json mode here we see that the keys that are here are gpqy and it turns out that um it's and it's the same here so the components is like what how we would in turn like the tool itself internally represents those parts of public key and then the keys um from here is how the json data structure represents those and so you just you denote that as a comma separate list so in this case i am sending the components to gpqy and then i'm going to do the same thing for the keys and then i'll set the url for the public key and just execute it to run the oh no make sure everything is set so there turns out there is a there's a log file so there are other exceptions yeah like um oh um it should be updated but um it can't get to so it should have already had everything installed you should have done pippem shell to start it because i i just did pippem shell but it shouldn't be all the contents should be installed already is there anybody else have this up okay yeah yeah just be pythonic deployer yeah every time install maybe we'll take a minor break i'll take a minute i've been going for over an hour so i think that same thing i said so no yeah But you can try it. It should be in the facility. Michelle. Yeah. Right. Right. Right. Right. Right. Right. Right. Right. Right. Right. Right. Right. Right. Right. I think you would be just that. Actually. Yeah. Yeah, so I think you must have gotten to. So. So. So for those of you. I think what happens was that. Something sometimes the virtual environments can get messed up. With them. So. If you ever end up in the wrong. Virtual environment. Or. Sometimes it will. You'll be. In the virtual environment, but. Sort of not. You'll be in this weird state. So if it's not working, I would say. Like exit. Try control D or exit or whatever to. Exit out of that shell. If you're still in the terminal and then close out your terminal. Then. That probably means that. That shell was closed and try going to. Go back to the. Yeah. So. Yeah. We're. Troubleshooting things just because I've been using. For long enough now. I've done. Delta similar things. Yeah. I've only been using. I think a little while now. Theoretically, it's nice because it. It does better than like requirements like text. Hitting versions of the pencies, but. They can sometimes be. To work with. Okay. I don't know why this isn't working and concerning. The issue for. The rest of the challenges. Sometimes actually. You know, I'm actually. I wouldn't be surprised. If you just got into a weird state. Because I just managed to. So I'm going to try. Re-running. At all. In a fresh. Tool. And. Not bad. See if the next one. So. Okay. Let me just also check to see. Has anybody else been able to get this to work on their VM. So. Just to go over again. Use generic or the module. Then use Oracle. We have Jason. So. It's GP Q, Y. Keys. GP Q, Y. And then. So. You are all. You are all here. Is it working for anybody else? More than. Are you getting the same error though? Like that. So. Has anybody else. Misha. Get to work on it. I'm going to try and just restarting again. Again. In a weird state. So it should be under. The CPSA. So if you. Go to the right. To here. And then. We're down. Here. Everything that. Is required. All right. Okay. I think. It's point of man to move on. Fortunately, this is something that. You have the. The commands in the slides. And. Probably this evening I will try and debug this. And so. Maybe tomorrow do a get poll. See if there are any updates. And hopefully that should fix it. I mean, I think. I tried to make the whole thing. As updateable as possible. So if there's any issues here. You still have the VM, you can try and fix it. We can try and fix it later. So it looks like I tried pulling the public key for this one too, and it's also not working. So we'll see how much of the rest of these will actually be able to do. So move on to the next. This is something. That has shown up. Quite a bit actually. I'll talk about some of the famous examples of why, how I first came to learn about this attack. But this one's. I think knows the repeated non-attack. So in this instance. We're going to. Have a case where there are two signatures for different messages, but the same K value got used. Now we don't know what that K value is. But we just can tell that the same. And the reason is because R comes from the K value. Yeah, R comes with a K value. So if we see a repeated R value, then we know that K is the same. And so. We're calling that. So remember that the signature. Creation slide. We had S and K on the opposite side here. Basically what I did was. I sort of cross-multiplied. That original equation. Where it was S equals K, K inverse times this stuff. So I basically multiply both sides by S inverse and by K. And since those K values are the same. You get this situation here where you have. K equals S and K also equals this value here. This thing here. That means we can set these right side. The right side of both these equations equal to each other. And then solve for X because now. We have an equation where we know everything except for the private key. And. So just a matter of solving algebraically. And it turns out. That final equation is this standard here. So yeah, again, worked out some. Some examples from the real world. So there were some Bitcoin implementations. I think on Android. Where it was repeating the, the knots. And one of the nice things about. This kind of vulnerability. Shutting up on. The blockchain is that it's there forever. So you can always. Search the blockchain. Find these. Now I think. All the wallets that this happened to. Had been cleared out. Because. Either somebody found out that they. Transfer themselves or. If somebody was malicious. They would be able to get the private key. And then. Transfer to their own wallet. But. Is basically all you need to do is. If you. Take the verifying code for the blockchain. You just. Wanted to. Save in like a database. All of the public keys and. Of course, buying signatures. And then. If you ever see. In the database. A match on the. Our value. You can run this attack. There was also some research done. By a little over 10 years ago. On SSH servers. And this vulnerability showed up there. And then this one is the one that. I just found hilarious. So Sony PlayStation three. So again, kind of old, but. In this situation. They were using ECDSA. And I think they had their own implementation. To sign their games. But. They ended up using the same. K value for all of their signatures. Which means. If you just take any two games. And. You can run this attack. And you get the. The signing key. And this was something that was. Of. Particular value. Because. This was, I think. Somebody. Discovered this. After they disabled. The ability to run Linux on PlayStation three. So. By. Getting the signing key. You can now sign Linux. And the PlayStation will run it just fine. So. If you just take any two games. And you can run this attack and you get the signing key. Again, here are the commands. So it will. This is the one that doesn't need to be working right now. I'll have to debug that tonight. To get the public key and then. You're right. One thing to mention for the non non-speed. Non-stack. There's a copy command. And so what the copy command does. In the display is it will take the output from the last run. And then it will copy it into a module. And copy it into. An option for the current module. So you need to. Start the repeat months. Module first. And then. Copy it. The public key. That you get. From the previous one there. And then. There's this signature oracle, which will just. Get Json signatures. And it's similar to the other one. It has this component keys. So tells you which one to use. And here. One of the options is. If the Json tells you which trash algorithm was using. That's why I say put that in there. Put the URL in run. Excuse me. That should run the attack. You'll pop out the private key. All right. So let's. That's all for DSA. There aren't, I think a whole lot of. I don't know, I don't really know that much for DSA. I do know that. For limited curve DSA. There is a last base attack. If there are biases in the. K values. And. I think one of the researchers for the. Crypto talk this morning. Mentioned. A fault attack on a DSA, which is. It's basically EDS. They see DSA, but they use a special kind of logic curve calls. And Edwards curve. And they also. Determinous. Diggly generate K. So you avoid the. The problem with the randomness. Except I actually forgot to mention. That with this one here. It seems to be a case of four entry values on embedded systems, like. Lots of router and things like that. For generating your SHQs. So. Onto RSA. This one. I think the biggest section. I have. Okay. So. We'll briefly discuss what RSA is. And then get to some of the attacks. All right. So. In. Generate RCA. You choose two distinct prime numbers, P and Q. And they have to be similar magnitude, but different length by two digits. And you compute this. You also have to compute this N value, which is P times Q. You also have to compute the fee of N, which is P minus one times Q minus one, which also happens to be this. You could have right this way. So you don't want to do any multiplication. And then to. You usually end up generating the. The public key first and competing the private key out of that. And then you have to. And then you have to compute this. From one to fee of N. Typically there are actually some standard E values. Historically, earlier on people who chose three. Then. The most common one nowadays is six, five, five, three, seven. Which is two to the 16 plus one. But sometimes you will see other values. But those are. And then you compute D. Which is E inverse. My fee of N. And your public key is this. The public exponent in the corresponding. Our same modules. And private key is just the. The D, which is a private exponent. Okay. And to encrypt the message. We view a message M as a number from zero to N. And then we raise it to the power mod N. And then to decrypt. We raise that. The cyber text to the D power. So one interesting thing about RSA is it has a lot of symmetry. And that. You could do. You could switch which exponent you're using. And it looks the same. And. That's actually how RSA signatures came about. Because. In this situation, instead of. The. Public person encrypting a message and the private key owner decrypting it, what they're going to do is you can sort of think of it as. The private key owner is encrypting the message. And the person with the public key can verify it by decrypting the message. So basically, like really what it would be is. You send the message and like you. It's almost like you encrypted it in RSA and then. The verifier checks that the message they were seeing. Equals. The decryption of it. So RSA has some interesting properties. One of those is that it's homomorphic in multiple. So what that means is that. If you have. Two messages and one and two, and they're both encrypted. If you multiply the cyber text together, that's actually the same thing as if you encrypted the product of the original messages. So here we are. Everything in the last numbers. And. This actually leads to. Another, what. We call adaptive chosen sector. Which is actually what kind of attack. The timing or what we did earlier. In this situation, you know, like, this is kind of a warm up. To. The next time. I think we're going to cover that one. Yeah, but. This property is important later on. For RSA tags. So. In this situation here. What you do is let's say you have an oracle that will. Decrypt any message only once. And so it ever sees the same message again. It won't decrypt it, but if it's in a new message, it will. Then what you can do is. Generate a, like, basically you script a random number. And then multiply it by the cyber text. That should be a new number that the decryption oracles never seen before. It will send you back the decryption. And then you can use that to decrypt the. So this is the original message by multiplying the result in the oracle by our inverse. So this is one that I don't actually have in the, the crypto supply told us again, it's not like a terribly realistic one. So this one should. Work on our own. We're just going to use the Python interpreter instead of. So this one we can. We should be able to get together. Okay. And this one. It's set up much more simply. So in this case here, we have. RSA modulus, which I wrote next. The. The value is actually decimal. And then the. Cyber text is also next. Oddly. They're not the same case. So what we would, and then there's this oracle page where you can submit. Cyber text values. And if it's one that it hasn't seen before, it will decrypt it. I'll get basically sending you back a number. So we'll, we'll go through. How to do this. So first I'm just. Copying the. And value. I'm just going to. Zero. So even though we were next, it still knows that as that number. He is 65537. And. See is. Right there. So. If we. Go to the oracle and try to submit that one. We should see the. Give it to us. Okay. This one needs to be updated. Okay. I haven't really actually, I didn't check this. Okay. So. Again, you're, you have to get an update. Not this one was still. It was good. Now I remember what the issue was. Oops. All right. But the, the process would be. But. What we would do. We can kind of work through the, what the. Great processes. First, we want to generate our value. So we'll just get a random value. So one thing that I like to do. With a whole lot of these are the same tax. Is that. Actually. Yeah, I guess. I'll demonstrate. Okay. So one way to get our inverse is to get built in. So you just do. Our negative one. And. That will be more diverse. So this shouldn't. Almost. It should. Basically never happen, but I was just kind of curious. If ever will. So one. Thing that will come up when, if you ever have an RSA attack. That involves computing an inverse. Then that is dependent upon. That value of not having any common factors within. Namely that. It's like a key or key or not. If there ever happens to be in the case of it is. Then you can factor it and you don't need the, the recipe attack and just crack the key. If that ever didn't happen, then it would be. The power function would throw out errors and. Unable to compute our inverse. So. It's just something like, if you ever were doing this in real life. And then this ever failed. And you're like, Oh, actually the thing better. I can just recover and then get the private key. Okay. But anyway, what you would do here is. You would do like. I'm really going to see. See Brian. Equals. I'm a little cautious about. I'm going to do my own. Monular. So that would just do. Expand. The art to the power. My M times C. And then make sure that that also produces. And then you would. Once we get this, once I get the challenge fixed. You would get the X value for that. or whenever it sent back to you, you would then multiply the return value by R inverse. And then you can use the in.2bytes method. So like in Python, there's a two bytes method for integers. So you just do, you need to know how big it is. So you'd have to compute the sizes, but see if that's by how long the thing is, which you can get from the bit length. You just need to divide that by eight and round out. So you would do like c.2bytes. And then put that number in. And then that will give you the signature message. Unfortunately, that's all when I'm working. I swear I tested this a lot. Well, not that one. Was there anything else before? So I'm surprised. So are there any questions about the like the homework properties or I say. So. A key thing about this next attack is, as you can see, it's called Blickenbacher 06. So Blickenbacher is a famous crypto analyst who has come up with multiple RSA attacks. And so you have to, you can't just say like Blickenbacher. Be specific. So this one came, this one came in, this one came in, this one came in, this one came in, this one came in, this one came in, this one came in, this one came in on November 14, 2006. And this one came in, this one came in the 70s from the state of unscientific. So this one came from a, a rum session at crypto 2006. Where he demonstrated. A lead to. Forge RSA signatures. Using. That were the. The public exponent is three. And this still actually. I haven't seen it super recently, I think like 2017 or so, it's done in the slides. There was a basically the same vulnerability in Python. Yeah, so in practice, as in like when I was describing R6 and 4, I was just saying like, I'll just take the message, raise it to the 5 exponent, and that's your signature. But but in reality, your message may not be small enough, or it might be too small. And so what we actually do is we sort of do that process on the hash, but we also want to pad it to make sure that it's an appropriate size. So there's what's called a pkcs1.5 padding. And so whenever you're assigning something, you was using RSA, it follows this format. So this is what happens before you raise it to the d power, the word for you apply the RSA operation. So this is just the padding. So you, you have a byte, all right, that's going to start with a byte of zero, then a byte of one, then a whole bunch of s, then a zero byte. And then this asn1 value is a special byte string that it will, that tells you which hash function is that was used to hash the message and then the final hash. So the problem comes up when trying to verify the signature. So oftentimes what implementations to verify signatures would do is, you know, they take the signature, they raise it to the e power mod n and then they verify that, you know, they got 0001, they got a whole bunch of s, then a zero, then asn1, and then a hash. But it doesn't check to make sure that the absolute appropriate size, partially because depending on what hash function, that's going to affect how many s it is. So it would, it would, you couldn't know, like if you were just verifying it, starting from left to right, you wouldn't know how many s were needed and until after you were at least got to here. Because once you got to, once you read this part, then you know which hash function is, which we need to know how big this is. But oftentimes verification didn't go back into saying, did I see enough s values here? So what that meant is that if you could construct a signature, such that when it was raised to the e power, it looked like this and then maybe had some garbage after it, then there'd be verification code that would still say, yeah, that's fine, because it would stop at the end of the hash and wouldn't notice that there's anything else left there. So the way that he actually described this was like a paper and pencil way of exploiting it. And basically the way it works is, like the way you can do this in practice is by basically taking the cube root of, and remember that I mentioned this is basically applicable to small exponents like three. So in that case, you take the cube root, like just the regular cube root on your calculator of something that looks like this where you have 0001, f00 is one hash and then garbage and then rounding it should, so that it's an integer, should produce something where when you cube it back again, the highest bits up through here are still okay by the garbage might change, but we didn't really care what the garbage was anyway. So this example just kind of, I will sort of slowly go through it, but this one is actually like a legitimately sized one. So this is a full RSA modulus and in this example it's trying to forge a particular signature, so that's the message. So this is the tag that was generated through forging it. If you cube that, you should get this and I color coded what each section was. So this is like that little header portion with a 0001 and then they have the zero. This is the ASN1 portion that tells you which hash function, this is the actual hash and then the rest of it is garbage. And so there would be verification code that would just be like, all right, first by zero, yes, second by zero one, yes. All right, next one, okay, keep iterating until we see a zero, okay, there's a zero as long as we all make sure that you have all f's until you hit a zero. So now check out then read the next part which is the ASN1 notation to tell you what hash function is, then read your hash and does it match the message? If it does, verify it. So in the real world this did show up in Bouncy Castle Job API 2007 and I was 2016 in the Python RSA implementation. I don't think it, I think there might have been a slight variation to this, but there was a similar vulnerability there. There is a challenge for this one. Not a broken one. Okay, I'll try and get that one fixed too, but we'll move on to the next one because the next two I think are more interesting. Again, it looks like the her display is broken against me and actually able to go through challenges, but sort of explain what these two vulnerabilities are. So the first one is, so this, you may not be familiar with this name, but you may have heard this call the Chinese remainder theorem. I just figured it out. Wikipedia says the name of the person who developed it, so I wanted to make sure the credit was given where it was due. But this is going to be bad signatures when using the Chinese remainder theorem. Okay, so it turns out that if you know the private exponent in RSA, then you also can factor the modulus. So it doesn't hurt to store the primes with the private exponent. So what you can do is you can actually reduce the calculations for the private exponent, mod p and mod q, and do them separately there, and then put it back together using the Chinese remainder theorem. So oftentimes you will see if you look at RSA private keys generated by OpenSSL, it will store all of this information. It will store the d and then these dp, dq, which are the values of d, mod, p minus 1, p minus 1. And there's also an additional value to allow you to use this theorem for more efficient signing. And the reason for the why you want to do this at often times is that sometimes the hardware that's doing the signing may need more limited hardware than the hardware that's verifying, like it might be on a smartphone or something. So trying to make the operations more efficient can be very helpful. So the problem is that if you make a mistake in the calculations for one of those ponds but not both, then it will turn out that the results will differ by what it should be by a factor of the one that had the error. So like in this case here, so suppose that we computed m to the dcp mod p correctly, but m to the dcq mod q was incorrect. We'll apply the Chinese remainder theorem and put it back together. And the verifier will see that m does not equal s to the e power. But what they can do is compute the difference between m and s to the e. And I'm sorry, I think my goofed up which one was the divisible by the it'll turn out that that will be divisible by the correct prime and not the other one. So if you compute the gcd of this, then you'll get back to the original prime. Let's just double check this. We'll try it one more time when the curve is white and see if it will work. We'll change these to m and dm. We'll go around to the other challenge. I wish I could demonstrate this one too, because what this one does is it grabs the sign messages here. So I think in this case, I just had to sign the same message. But then I just introduce a random error in one component. And there actually is a curve display module that will detect that the signature is incorrect and then try to compute the gcd. And if it gets a value that's between 1 and n, then it will display that and give you an RSA private key. Unfortunately, that's not working. Another worked out example if you want to do the math by hand. This one I think I'll just briefly mention because there's a lot of math. So this one, yeah, I think like my move is long for it to go back to the material. This attack is one that actually attacks the public key itself. And this one, I did find an actual public key that was vulnerable to this. But basically what this tries to solve the same problem that using the Chinese remainder theorem solves in a different way. So to try to make the signing more efficient than for more constrained hardware. So typically with the standard RSA public exponents that you get, like even 65537, the private exponent is going to be very large. It's going to be almost as big as n. So doing those operations, it's going to be a lot more computational and expensive than doing the public key operation. So sometimes the signer wants to have a smaller exponent. Now, obviously they're not going to pick something as small as 65537. Does somebody could just brute force that? But it still would be better to have a significantly smaller private exponent. And so if the private exponent is less than about a quarter of the bits as the modulus, I believe. So like in the case of a 4096 bit RSA key, which is about as big as you ever see nowadays, if the private exponent is less than 1024 bits, I believe, then this attack will work. And usually the way that you can see this is, if you see particularly large public exponents, then I would try this attack. This may also be something that I didn't update on this version of the... Oh, it is there. I can... So this one I think we're going to do is maybe we can do it in our time. So in this one, I found an assert from this scans.io years ago. They seem to have closed it down and so it requires an account that I think you need to demonstrate if you are an actual researcher. Whereas like seven years ago, you could just go online onto their site and just download tar balls of search from the internet tons and tons of it. And so it turns out that one of them was vulnerable to the attack. So in this case, I'm going to use the open command. So the open command actually wants you to specify what and then the file you're opening. And I think this is the next 509 assert. So I'm going to open that and then download right there. And then we're going to Okay. Yeah. So this one, the module is very simple. You just give it a public key and it will check what type of public key it is on its own. So it'll be important this from an assert and you can actually see some of this sort of information here. There. Okay. So actually it shows you what the public exponent was. So you can see the E value is very large, right? That's a pretty big E value. Usually it's a few digits long. This one's pretty big and similar in size to the end value. And we were able to compute this is the D value. That's still I think too big to try and directly brute force, but it's still vulnerable to this attack. And here I'm just displaying all the parameters that are needed to make an RSA key. And then I don't want to, I remember if I can do this as it is, but there should be a way to I think, actually maybe I'll try it. I'm going to see if I can actually break this key out. Yeah. So this file, which was not in your service play folder for is the RSA private key for the corresponding assert that comes from this attack. So yeah, I didn't want to get too much of the details because it's kind of detailed math, but I just figured I didn't want to share this. I'm actually just thinking that I can get to work. I don't think I have an update in this. When I actually put this into GitHub, I didn't include the CERC file because I think it was very large, but I don't know. I'm on the fence as to whether or not I'll actually just want to be in the VM because I think it's like two gigs. So if you would ever do an inflate, it would take a while to download it. But I'll quickly go over what this attack is about. So this was something that was pretty applicable because and I mentioned this earlier with the repeated non-DSA attack that with embedded systems, there was a lack of entropy and it would cause multiple RSA keys to generate the same first prime, but a different second prime. And so if you know that that's the case between two RSA modulite, then you can just compute the GCD of those two values and that'll give you the prime number that was in common. But if you're given a large set of RSA keys, you don't know necessarily which ones had that happen. So batch GCD allows you to efficiently compute this. Basically what it does is it first creates this factor tree that feels like taking the entire list of RSA modulite and then as you build up the tree, each level up is the product of the two below it until you get to the product of everything. And then you do this remainder tree where you're basically reducing down, you're reducing the product mod and it ends up I squared. And then you get, then you'll just have this large list of values at the bottom of that tree and then you just do GCD of that with all of the other ones. So instead of trying to do each one pairwise, which would be n squared, if you have n keys, it'd be n squared, GCD is where is this one? It would be n GCDs after doing that in the same class. And I don't think I actually implemented this one yet. It was actually in the planning on... I think I started to put it in there. But this was actually something that I did seven years ago. I ran this on an EC2 instance, one of the large memory ones. And I used more than just that one tarpaul of certs. I had a huge dataset and just ran the batch GCD algorithm on all of them. And I tracked quite a few of them. I didn't know what else to do with it. So I wrote in a Twitter bot that just tweets out the primes that I factored. So if you ever want to check out RSA primes on Twitter, you'll just see tons of tweets of primes that came from factoring certs that were found on the internet. The last one we'll talk about, I think, well, since we weren't able to get a challenge or a tool to work very well. I think it was known as both chain of bulls and herbal. And so if anybody was in the talk this morning on the practical crypto exploits in Windows, this was the vulnerability that they were talking about. But recently, I'll just talk about elliptic curves. So elliptic curves are mathematical objects where it's defined by a certain type of equation. And if you were to graph them in the real plane, then they tend to look something like this. And it turns out that because it's a cubic equation, any line that intersects the curve will hit it in three points. So you can always define an operation based on the three points that intersect the curve and the line. So it has this property that p plus q plus r. So if you add up all the points along the line, that's equal to zero. In other words, r is, p plus q doesn't equal r. It actually equals minus r. r is actually if you flip along the x-axis. And then to double a point, so if it's, that's when the line is tangent to the curve, you'll get the other point. Oh, well, the other point we minus twice the point q. Yeah, here's showing what the opposite is. And zero is actually this sort of point in infinity. It's not really on the curve in affine coordinates, but it's like an extra point you can have. Okay, so for the purposes of cryptography, we are usually working on older curves over finite fields. Usually it's either a prime field or fields that are characteristic to, so it's going to be a field where the size is two to an hour. For simplicity, I just think of, usually think of in terms of prime fields, but because the curves work a little differently. Otherwise, we call the order of a point p, which is in this case q will be the smallest number, especially q times p equals zero. And so for older curve cryptography, it works similar to what we saw with DSA, where in that case, you had this generator g and a private key was x and the public key was g to the x. In this case, we're going to call the prior key k from zero to q, which is the order of p and the public key is k times p. And it turns out that the problem is trying to find k given given a point is currently hard to do. So I was like the name chain of fools because I maybe think of the scene from the movie sneakers. Has anybody seen sneakers before? No. It's basically about people who are just feel a box from a mathematician who finds a way to efficiently factor RSA modularity. I mean, that part's fictional, but like this is this movie is not like what that was possible. Okay, so the chain of fools vulnerability, or as they were calling it upstairs a curveball, arises when you are typically an operating system will store certain certificates that are known and trusted. And then when it tries to verify something, it will check to see if a given cert is in its store and can be trusted or not. But one of the problems that came up was that it would check to see if the cert was in its store based on the public key, which just at that point, that was like K times P. But when they actually use the certificate, they would use the parameters that were given in the certificate, which would also include the generator. So basically, if you are verifying that the public key is what you've seen before, but you are allowed to call it what the generator is, then you can create a new private key that corresponds to the same public key. The way that you do that is so like if the original generator was P and the public key was Q, now you make the new certificate with public key Q, and the private key will be, you pick any arbitrary value of X, in their example, the oftentimes chosen two, and then the new generator would be two inverse times Q. In this case, two inverse mod, the order of the group. And so the values, yeah, the values that the person verifying gets public key Q, and now it says use this generator here instead of the standard generators. Because one of the things about elliptic curves is that as opposed to DSA, where there weren't like standard times that we would use, so you could basically give somebody any times you wanted. With elliptic curves, there are standard curves that are always used. And so you like, oftentimes you give it the name of the curve, and it would know, okay, these are the parameters for the equation, and this is the generator, so I know how to work off that. But in this case, it was saying, okay, I know it's this curve, but I'm going to take the originator. So I don't think it'll work here, but this is what the challenge is supposed to do. So in this case, we don't need an existing signature, we're just going to go off and list the public keys. So here, I just generated a whole bunch of keys, like while in this case, five keys. And what the challenge is, and you have to submit a signed message, just sign the message, chain of clues, but you have to use one of these public keys. One of these public keys has to be used to verify it. And what the tool will do is it will create a corresponding private key and generator to submit to the signature verification. And so it will just check to see based on the public key if this is something that exists or not. And if it does, then it will use the generator, verify the signature, and if it verifies, it will return it back to my signature. I want to try one last time to see if this will work. So here you see there are two months here, name and public keys, that's just going to be the point that it's on. I think this is one where the internal value is called the public key, and the JSON was different. So actually, the other one is very annoying. So in this case, now we have a list of public keys. Now for this one, because they're already copied, there are two options for this module. So one is the list of public keys. And then I have another parameter that's optional, called which keys. So you can either write a comma separated list, or just leave a blank. If you leave a blank, it will operate on all the keys. If you just tell that I want only these ones, it will just create private keys for those. So I'm just going to say let's take key two and then I can key. Okay, so here it actually generated a private key for this one, and we're going to use the sign signature on the wall. We're going to copy the private key. Okay, so here, so we're going to send a message to the agent. We're going to tell it to use eCVSA and then, oh, I need to fix this also. This shouldn't be a required argument because the implementation of eCVSA doesn't take a hash algorithm argument, but I'm just going to put something in here for now to satisfy the two. And then this one is, these are flags to the signature module. Just tell it do I want it to include the public key and do I want it to include the parameters for the public key. And then you can set both those to true. And then use the, I'm going to use the web host, JSON signature, horrible. And now I forget how I'm going to do this. I'm going to show you for a second what the source code is. All right, yeah, so the data that we're going to send it includes, it's going to have a signature in the signature or for key, using the key signature or signature and for the message public key, public key for the public key and for the parameters. So the signature and for the key and for the parameters. I think they're the same on the other, kind of the challenge we're attacking. So a little bit of a pinking system, he said, hopefully this works. Oh, no, we've worked before. So this does show the public key here. It should have been this. You know what this looks like? I don't think I've seen it. All right, well, it worked the other night when I was testing this. Oh, the demo guys are not going to have good news today, I guess. We're not trying to be, but I have any rain. I think that covers all the material that I have. I will check to see if I can figure out what the problems are and hopefully get some fixes. Your VMs should just automatically update, except the tool you'll need to get pulled. So, yeah, so if you just go into script display and then type get pulled. So just literally, yeah, so just literally do that and then should pull any changes like, yeah, so, and if it, yeah, so it says, are you up to anything? If it says like the PIP file changed, then you would want to PIP and solve, but I don't think it should. So anything else, you should just build that, open up that tool again and it should hopefully work. Yeah, I am on Twitter, haven't been as much lately, but that might be the best way to let me know if you have any issues. I don't know, I was like, this is a good way to end it, like, how about that? And I'd like to start. Oh, what's that? On Twitter? Oh, I have two. So, this one should be. Yeah, this one to me. Yeah, I've been active on that account very much, but that's like my this kind of stuff. Okay, the other one's like, we're fine on that. Okay, so like, I'm going to keep those worlds separate. Any questions on anything we covered today? Little early because demos were bad. Okay, I guess, can I just end the Zoom? Okay, thank you very much.