Filecipher has been encrypted with DES, in ECB mode. You know that the password is at most 2-character long, and that the characters used for this password were limited to lowercase letters (a-z), uppercase letters (A-Z), and digits (0-9). When the password is not long enough, it is padded with zeros, to be extended to a 64-bit password. For example, if the password were J2, the file should have been encrypted with option -K 4a32000000000000, since the ASCII code of J and 2 are 0x4a and 0x32, respectively. With a brute-force attack, you are asked to crack the password and give the content of the file in clear. As a hint, the plaintext file is a text file and the word foundation is part of it.

Most of the people will use OpenSSL to encrypt/decrypt, using a passphrase. OpenSSL also has an 8-byte random salt. The point of the salt is to prevent precomputation attacks, such as rainbow tables. From the passphrase and the salt, OpenSSL derives the key and the IV (Initialization Vector). The salt is stored in the cipher file, in clear, so the only required information to decrypt a file is the passphrase. The salt is not a secret at all, it is just a way to foil pre-computed rainbow tables. The algorithm followed by OpenSSL is described in function EVP_BytesToKey. Here is the idea: 1. Generate a random 8-byte salt 2. Initialize D0 is NULL, that is, the empty string (\"\") 3. Compute Di as: Hash(Di-1 | passphrase | salt) 4. Stop as soon as you have enough bits for the key and the IV

where | is the concatenation of string, and Hash is a hash algorithm (MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RIPEMD160, MD5-SHA1, etc). The key is extracted first, and then the IV, with the remaining bytes. Let us see an example. Assume that the passphrase is Hello (48656c6c6f in hexadecimal), the random salt is 2f74c5a122379c98 in hexadecimal, and MD5 is the selected hash algorithm. Let us say that we need the encrypt a file using DES in the CBC mode of operation. Hence, we need to derive a 64-bit long key (only 56 bits are significant) and a 64-bit IV, that is, we need a total of 128 bits. Since a MD5 hash is 128-bit long, we just need to compute D1 as: D1 = Hash(D0 | passphrase | salt) = MD5(\"\" | \"Hello\" | 2f74c5a122379c98) D1 = MD5(\"Hello\" | 2f74c5a122379c98) = MD5(48656c6c6f | 2f74c5a122379c98) D1 = MD5(48656c6c6f2f74c5a122379c98) = 3884d9db497efdb30498d82906455bad

We extract both from D1. The key is extracted first as: 3884d9db497efdb3. Then, the IV is extracted as: 0498d82906455bad. As a result, for a salt of 2f74c5a122379c98, and a passphrase of 48656c6c6f, we derived: K = 3884d9db497efdb3 IV = 0498d82906455bad

Let us see another example. Assume that the passphrase is JACKSONVILLE (4a41434b534f4e56494c4c45 in hexadecimal), the random salt is 2f74c5a122379c98 in hexadecimal, and MD5 is the selected hash algorithm. Let us say that we need the encrypt a file using 3DES with three keys in the CBC mode of operation. Hence, we need to derive a 192-bit long key (only 168 bits are significant) and a 64-bit IV, that is, we need a total of 256 bits. Since a MD5 hash is 128-bit long, we need to compute D1 and D2 as: D1 = Hash(D0 | passphrase | salt) = MD5(\"\" | \"JACKSONVILLE\" | 2f74c5a122379c98) D1 = MD5(\"JACKSONVILLE\" | 2f74c5a122379c98) D1 = MD5(4a41434b534f4e56494c4c45 | 2f74c5a122379c98) D1 = MD5(4a41434b534f4e56494c4c452f74c5a122379c98) = 57e4e542ff424a0a134ba773c50c55f2 D2 = Hash(D1 | passphrase | salt) D2 = MD5(57e4e542ff424a0a134ba773c50c55f2 | \"JACKSONVILLE\" | 2f74c5a122379c98) D2 = MD5(57e4e542ff424a0a134ba773c50c55f2 | 4a41434b534f4e56494c4c45 | 2f74c5a122379c98) D2 = MD5(57e4e542ff424a0a134ba773c50c55f24a41434b534f4e56494c4c452f74c5a122379c98) D2 = 7d0f9b5dccf8ddb04277dfed2e96d116 We first extract the key. D1 is not long enough for the key. Hence, the key will be extracted from D1 and part of D2 as: 57e4e542ff424a0a134ba773c50c55f27d0f9b5dccf8ddb0. Then, the IV is extracted from the remaining bits of D2 as: 4277dfed2e96d116. As a result, for a salt of 2f74c5a122379c98, and a passphrase of 4a41434b534f4e56494c4c45, we derived: K = 57e4e542ff424a0a134ba773c50c55f27d0f9b5dccf8ddb0 IV = 4277dfed2e96d116

Complete the following table. Notice that the first two rows are already filled, so you can practice. When the key and/or the IV is long, split the value in groups of eight bytes

Salt	Passphrase	Hash	Encryption Algorithm	Key	IV
f0d3da573ac51620	\"USA\"	SHA1	3DES 3 keys	f68423c9a9da66e8 0e0093e353770b9b 337ad0f7a04a8aa8	c3ede4da4042b13b
5c5f4b9cb26d65d9	\"USA\"	MD5	AES-256	c322c2b6a0ec3ac7 f629455d4e03a86b f601aadc1b903d99 e9f54520c50039d2	167421b65d9b51d5 a642b1a174c64b65
4597d8f066080684	\"Miami\"	SHA1	3DES 2 keys
0f4471f329343a6a	\"Miami\"	SHA1	3DES 2 keys
e896c329d70c68d2	\"H2O\"	SHA1	DES

Now, let us see an example of encrypting with DES-CBC, using a passphrase and a random salt. For this example, we selected the following plaintext and passphrase: Plaintext = 3084ac125691302201a0772911cd7160cd40157201 Passphrase = \"ORLANDO\" = 4f524c414e444f

Using OpenSSL, we can use the following instructions. In the first instruction, we create the file. The content of the plaintext is verified in the second instruction. We encrypt the file in the third instruction. Notice that we did not specify the passphrase, and we are prompted for it. Here, we have to type ORLANDO, and reconfirm it. The fourth instruction is an alternative to the previous one. However, it is not recommended since the passphrase will be disclosed in a listing of running processes (ps command). The content of file des-cbc02.cipher is displayed in the fifth instruction. It will vary based on the random salt. echo -n \"3084ac125691302201a0772911cd7160cd40157201\" | xxd -r -p > des-cbc02.plain xxd -g 8 des-cbc02.plain openssl enc -DES-CBC -in des-cbc02.plain -out des-cbc02.cipher enter des-cbc encryption password: Verifying - enter des-cbc encryption password: openssl enc -DES-CBC -pass pass:ORLANDO -in des-cbc02.plain -out des-cbc02.cipher xxd -g 8 des-cbc02.cipher 00000000: 53616c7465645f5f 55a009353a34ba9d Salted__U..5:4.. 00000010: 75c4bddacf51d114 2b0b5439e59964b2 u....Q..+.T9..d. 00000020: 54de0658ef4af9a4 T..X.J.. The first sixteen bytes of the file is the information of the salt, in plaintext. As can be seen, the word Salted__ (53616c7465645f5f in hexadecimal) occupies the first eight bytes, following by the random salt (55a009353a34ba9d in hexadecimal). With the salt and the passphrase, we can get the key and the IV. The hash function used by OpenSSL by default is SHA256. Since a SHA256 hash is 256-bit long, we just need to compute D1 as: D1 = Hash(D0 | passphrase | salt) = SHA256(\"\" | \"ORLANDO\" | 55a009353a34ba9d) D1 = SHA256(\"\" | 4f524c414e444f | 55a009353a34ba9d) = SHA256(4f524c414e444f55a009353a34ba9d) D1 = 3f1d2b0250686f24e39b606e45f9413c2e768af878792a17b6e953e8ce0aaf4d We extract both from D1. The key is extracted first as: 3f1d2b0250686f24. Then, the IV is extracted as: e39b606e45f9413c. With these data, we can encrypt the plaintext, after making a padding of three bytes (030303). Hence: C0 = EK(P0 IV) = EK(3084ac1256913022 e39b606e45f9413c) = EK(d31fcc7c1368711e) C0 = 75c4bddacf51d114 C1 = EK(P1 C0) = EK(01a0772911cd7160 75c4bddacf51d114) = EK(7464caf3de9ca074) C1 = 2b0b5439e59964b2 C2 = EK(P2 C1) = EK(cd40157201030303 2b0b5439e59964b2) = EK(e64b414be49a67b1) C2 = 54de0658ef4af9a4 Ciphertext = C0 | C1 | C2 Ciphertext = 75c4bddacf51d114 | 2b0b5439e59964b2 | 54de0658ef4af9a4 Ciphertext = 75c4bddacf51d1142b0b5439e59964b254de0658ef4af9a4

Note: please if you need something send me email coz i put the same question before and i just a got a response more.... what dose more means ??