CS166 / CS162

Computer Systems Security

Demos

Demo

Date

Biased Stream Cipher1/25/2018

This demo is a small program which will encrypt an image by generating a stream of pseudorandom pixels, and adding it to the image to obtain a ciphertext. You can set the bias of the pseudorandom number generator (PRNG) used to produce this stream using the slider bar. Download the script: stream.py

You can invoke the script like this: ./stream.py [--pre-cache] <jpeg>

Note that this program only works for JPEGs, and the encryption is very slow. Use it only on small images. The –pre-cache flag tells the program to first compute all of the encrypted images it will display before showing the UI so that the UI is more responsive once it loads.

NOTE: You will need to install scipy, numpy, and PIL. If you have the pip installer for Python, you can install these as follows (note that you may need to install these as root (i.e., using sudo)):

pip install scipy pip install numpy pip install PIL

One Time Pad1/25/2018

This demo is a small program will demonstrate the pitfalls of key re-use with one time pads. Download the script: pad.py

You can invoke the script like this: python pad.py <imageKey-path> <image1-path> <image2-path>

NOTE: You will need to install cv2 and numpy. If you have the pip installer for Python, you can install these as follows (note that you may need to install these as root (i.e., using sudo)):

pip install opencv-python pip install numpy

openSSL: A command line cryptography toolbox2/2/2018

If you don’t yet have openSSL installed on you machine, you can get it using the instructions on their download page here.
It is installed on the department machines already.

Once you have openSSL installed, you can run any of the scripts from this directory. To view the scripts you can use cat and to edit them, type “vi ” and press i and you will be able to edit it. You can always use the man pages for each command to find what it does and what the arguments are. We provide the demos as a starting point and urge you to explore on your own!

Download the entire toolkit here!

PLAINTEXT FILE: plaintext.txt
SHA HASHING SCRIPT: hash.sh
AES KEY GENERATION: aes_keygen.sh
SYMMETRIC KEY DECRYPTION: symm_decryption.sh
SYMMETRIC KEY ENCRYPTION: symm_encryption.sh
RSA KEY GENERATION: generate_keys.sh
RSA ENCRYPTION: symm_encryption.sh
RSA DECRYPTION: symm_decryption.sh
DIGITAL SIGNATURE SIGNING: sign.sh
DIGITAL SIGNATURE VERIFICATION: verify.sh

To explore more about randomness in your machine, you can start with the script in randomness.sh
Also, as you may remember from CS33, to run any of these scripts, type ./ in the commandline.

Password Cracking2/28/2018

This is a demo of password cracking using legacy CPU hashcat, a free password recover tool, with hashes from the 2012 eHarmony breach. You can find the demo slides here.

In order to set up the demo, perform the following steps:

git clone https://github.com/hashcat/hashcat-legacy/ cd hashcat-legacy/ make

Make sure hashcat has been properly set up by running:

./hashcat-cli64.bin -b

You should see the benchmark times for different hashes that hashcat supports printed.

Download the eHarmony hashes here. Download rockyou.txt, a list of passwords recovered from the 2008 RockYou hack here. You can use this rockyou.txt file as a dictionary.

Here are a couple things you can try to recover the eHarmony passwords:

Dictionary attack: ./hashcat-cli64.bin -m 0 eharmony.hash rockyou.txt

Rule based attack: ./hashcat-cli64.bin -m 0 -r rules/rockyou-30000.rule eharmony.hash rockyou.txt

Mask attack: ./hashcat-cli64.bin -m 0 -a 3 -1 ?u?d --remove eharmony.hash ?1?1?1?1?1?1?1