Web Security with Python | Never Roll Your Own Crypto

Cyber Security Python
Transcript

English (Auto-generated)

Hello everyone. It is his. And today we're gonna talk about why you don't roll your own crypto. And as a specific example we're gonna be using the source cipher or exclusive or or x or or whatever you prefer to call it. Um one thing we're not gonna cover is sore from a computer science perspective if you're interested in that, I've actually linked to a video from computer file. That explains exactly that topic. In the description of this video, we're just gonna look at why implementing your own crypto. Cipher is generally not a good idea. Okay, so let's see if we can so I'm going to implement a simple cipher here in the command line. I'm going to use the source cipher which just soars a series of text using a key. In this case we're going to use a single single key. And what that's gonna do is it's just an applied soar to every single thing inside of you inside of a string and give us the output and hex so that we have this super secret string. And I'm gonna show you why that's a bad idea hopefully to motivate you not to roll your own crypto in general. So first I'm gonna make a cipher this is where our encrypted text is gonna go and we will have something that we want to encrypt. So I'm going to use my email address. So we'll say for each character in my email address, feel free to hit me up and you know dot com. Okay. And we're going to add it to cipher. So it's a cipher plus equals. And we will get the we can't just we can't store a character. We have to explore a number so we'll get the as key value of that character. And I saw it with some secret. So let's do the letter C. The letter C will be our key. But again we have to get the number of that. And finally um this will give us a weird number. So we want to get that number in hex to decimal him. That will give us the name hex. And we wanted to string because we're gonna do it we're gonna crack this as a string, how we can like copy and paste our little ciphering. So it's just gonna be a bunch of acceptable numbers added together. Okay. And now let's look at our cipher. Beautiful. Okay so let's look at why this is a problem. So here we have our cipher text, cipher text equals that and we want to show. Okay so you know you're a developer, you think you're so clever like yeah I'm learning crypto. So let's just see I'm running a co pilot which should use ai to automatically suggest I want to see when I create a function called that what it creates. Okay so it doesn't create anything. Very good. Let's see let's say break. Sure. I'm gonna put it under this hypertext. All right. So my goal here is to show you that it's so easy that an A. I can probably do it how to uh how to tell it that one today. There we go. Okay. So here's its guest on how to break it. So it wants the key. Obviously we don't have the key but that's okay. Okay. So it created a function for us that will destroy or something. Using a key. That's not bad. Look at the bites and everything. Okay. That's pretty cool. But hey, I couldn't do it. But let's see if we can we have this cipher text and we're gonna make a function for one that can. Well first we need to get all of these numbers, we need to just do the opposite. So we have a bunch of these little Hector Hector, decimal strings and text decimal numbers. I mean we say zero X. This zero X. That so all we're gonna do is just get those out. We'll just split the string. I'm going to print it out to let's say cipher text dot split. And what we're gonna split it by zero X. So that we can get the individual numbers print it out and see if it worked at all. I'm gonna break sore. And it gave us that one empty string at the beginning because when we split it, it starts with 0X. Okay, it looks good, looks good. Wonderful. Okay. So I'll just say split it by that and give me one and ahead because by default is gonna give me that empty one that I don't want, make sure that works beautiful and that will just interpret those all as integers which I believe here. I'll say say for instance I believe we can use the in function this way. Like I'm doing better. Yeah, I think I'm still printing. So what we would say is you would say ain't, let's say uh I for I and I will convert it to an integer but some things are gonna be like the letter E. So we have to specifically tell it, But hey, this is day 16 or hex to decimal. And let's just take a look at wants to make sure this is still sane. I'm a big fan of print, print based debugging if you can't tell. Okay. So now we have a bunch of integers and think about this. So let's say let's just create a scenario where this is encrypted inside of a database and its user email addresses. Right? So we already know that this is gonna be an email address. You know? And I mean if you think about it, you just think, well wait a sec Um we can soar it, we know it's only gonna be soared by one one character, right? Or one thing we know it's a repeated kicks or so to break it. We could just try a bunch of keys and see when something that we know should be in the email address appears. We obviously don't know what the email address is. Otherwise we wouldn't need to crack it but I'm pretty sure an email address is gonna have an ax sign in it. Let's just store it by random stuff until an at sign appears and see what the results are. Okay. Easy Peasy. So we'll say four. Ah So it's a four. Yeah I. N. Range 256. Okay so we're gonna try out each possible single byte character and ai really has a nice strong opinion on how we should break this but I'm going to ignore it. We're gonna say if so we'll store it by that. We'll say we'll say attempt is our attempt to crack it attempted crack equals and I will just dx or the entire thing ah We'll say equals Yeah. Pretty good guests from our from our little ai helper there. So we're gonna go through each ciphering. We're gonna extort with I but we need to get let me see. Yeah they're already in. So I guess that's all we need and we'll join it together as a stream and we will say wants to see if that is in it. Why is it doing that because usually most text will have the word of the in it. So what you do when you're breaking sore is you just break it with random keys until the word the appears a lot and if it does that you probably cracked it in our case we know an ampersand is gonna be an email address that we have something even better. Yeah, well, prep it. Okay, so we get a few of them. Okay, not bad, not bad. Um what else might be inside of this? Well, hmm an email address, it's probably gonna have dot something right? Like dot com or dot net, something like that. And also let's just make it to lower. Let's make it lower case so that we don't have to worry about like what if what if the email address was written in uppercase, I forget how to make you forget how to make something lower kits and python, I think it's not lower. Okay, so something else that should be in there is dot the dot character is also probably gonna be in there. Let's try it again and I accidentally put a string character there because I'm a Nube. Okay, alright. We get one that has this crazy looking a bunch of new lines and stuff and then we get the jesus aviles araba at sign Gmail dot com. Beautiful, lovely. We've got it, we broke it, we broke the sort key and that was pretty easy. I mean there's I think if I look at my code cast Yeah, that's eight minutes of coding and we've already broken it and part of that was encrypting it. So in reality it would take even less time. There you go. This is why you don't roll your own crypto. I obviously used a very weak cipher here. The source cipher but there's a good chance that some of you hearing this our developers and you don't even know about source cipher or why it was insecure. You just let me break this and are going well. That was that seemed really easy. So to a developer who has never dabbled into cryptography before crypt analysis this might seem like sore. Hey. Yeah, that's a pretty cool idea. You just saw it with each one and yeah I remember sore from my college days. It's pretty it's pretty well known in computer science so it must be good. Yeah. So it does have things about it that are good. But if you don't have an in depth knowledge of cryptography you're almost certainly going to do it wrong. And that doesn't apply to just sore that applies to any cipher or any algorithm. The correct solution is to have a team of solid cryptographers implement the right tools for the situation you're in ideally using libraries that are standardized known to be secure etcetera etcetera. Mhm. Um There's nothing wrong with doing your own crypto record recreationally. But generally if you're trying to secure an app you want to use something that's battle tested something that people have been trying to crack. Haven't been able to that stood the test of time. Um that's that's it. We know whether it's authentication, whether you're storing chats or secrets or whatever it is use pre made solutions unless there's a very absolutely necessary, compelling reason to do the opposite. I hope this has helped. You never roll your own crypto is kind of a saying, especially among web developers who are often implementing things like authentication and get that thing of oh, you know, I have a clever way. I could do this. Don't be clever. Uh huh. I hope this has been helpful. Thanks a lot for your time and goodbye.
134 Views 0 Likes 0 Comments

Let's break a handrolled cryptosystem. For more info on the xor operation: https://www.youtube.com/watch?v=VPw9vPN-3ac

Comment
Leave a comment (supports markdown format)