Security and Cryptography

The ability to securely share messages, keep secrets, and identify individuals has always been important to humanity. There are records showing that cryptography was already being used in Mesopotamia to protect information over 3500 years ago.

In times of war, these skills become even more crucial. Centuries before Christ, Spartans were already using transposition ciphers, and Roman military personnel had a password system. Germans heavily utilized cryptography during the Second World War, which also led to many advancements in the field of cryptanalysis.

Security and privacy are among the topics that interest me most, especially the many areas that touch cryptography, such as:

  • Computing: symmetric key algorithms, public key algorithms, hash functions, cryptanalysis techniques, deniable encryption, steganography
  • Mathematics: discrete mathematics, linear algebra, group theory
  • History: ancient ciphers, military use of cryptography in wars
  • Sociology: social, political, and philosophical discussions that occasionally generate controversy, laws like the RIPA in the UK.

As you can easily see, cryptography is a very broad area, so I cannot go into much detail here. How the algorithms work, benchmarks, and other in-depth analyses can be found in books and on other websites. The purpose of this post is only to show some ways of encrypting messages and files with programs and algorithms that I use and recommend.

File Encryption

Vim

Vim's built-in encryption is not secure encryption! (see: https://dgl.cx/2014/10/vim-blowfish)

Encrypting files

It is possible to encrypt files (texts, images, etc) directly through Vim in the following ways:

  1. ROT13

    A little-known Vim feature is the operator g?{motion}, which applies ROT13 to the text covered by the motion (g?? does the current line).

    ROT13 is a Caesar cipher with a shift of 13; since 13 + 13 = 26, encoding and decoding are the same operation.

    This kind of encoding offers no real protection for a document (there is no key to keep secret, and the shift is undone by trying at most 26 possibilities), but it has some fun uses.

    Example: suppose you have applied ROT13 only to the second line of a text, which contains the answer to a riddle (in Portuguese; it relies on a pun that does not translate):

    P: Por que tem uma cama elástica no polo norte?
    E: Cnen b hefb CBYNE!
    

    To read the answer, just apply ROT13 again (2Gg?$ or :2 norm! g?$):

    P: Por que tem uma cama elástica no polo norte?
    R: Para o urso POLAR!
    

    If you want to apply ROT13 to an entire file, or have found an obfuscated message on the internet, tr is probably a better alternative than Vim: there is no need to open the file, just redirect it to the stdin of tr a-zA-Z n-za-mN-ZA-M.

    As an example, try the following command, a tribute to Bruce Schneier, creator of Blowfish and one of the most important cryptographers today (taken from schneierfacts.com):

    julio@acer ~> echo "If you asked Bruce Schneier to decrypt this, \
    he'd crush your skull with his yodel." | tr a-zA-Z n-za-mN-ZA-M
    
  2. Using the -x parameter through the terminal

    julio@acer ~> vim -x secret.txt
    

    Vim will ask for a password, from which it derives the key used to encrypt the file.

    This is valid for both new and existing files.

    Now you will have to provide the password every time you edit the file.

    With these methods Vim cannot tell that the password is wrong; given an invalid one, it simply opens garbage, something like q,§Â²îu]2©^D!¸¡á^?%°ç]^[.

    On disk the file starts with a magic string that the file utility recognises; the number after VimCrypt~ identifies the method (01 is zip, which produced this file, 02 blowfish, 03 blowfish2):

    julio@acer ~> file secret.txt
    secret.txt: Vim encrypted file data
    julio@acer ~> cat secret.txt
    VimCrypt~01!xOî4QLÉ
    ©è¢i¶@h@$[¾M%

  3. :X

    Has the same effect as the previous option: Vim asks for the password twice and encrypts the file with the derived key the next time it is written (:w).
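Back to item 1: the reason ROT13 (and any Caesar shift) protects nothing is that there are only 26 possible keys and English letter frequencies give the right one away. The following Python is an added example, not code from the original post: it implements the same shift that g? and the tr command above compute, then recovers an unknown shift by scoring all 26 candidates against English letter frequencies. The sample text is constructed here in code (the post's opening sentence plus the Schneier fact from the tr example), not output copied from the page.

```python
"""Caesar-shift recovery by letter-frequency analysis (added example)."""
import string

# Expected frequency (percent) of each letter in English prose.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}


def caesar(text, shift):
    """Shift every ASCII letter by `shift` places (mod 26), keeping case and
    leaving other characters alone. caesar(text, 13) is ROT13: what Vim's g?
    operator and `tr a-zA-Z n-za-mN-ZA-M` compute, and its own inverse."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text):
    """Distance between the letter distribution of `text` and English:
    sum over letters of (observed - expected)^2 / expected. Lower is more
    English-like; inf when there are no letters to judge."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = {c: 0 for c in string.ascii_lowercase}
    for c in letters:
        counts[c] += 1
    score = 0.0
    for c in string.ascii_lowercase:
        expected = ENGLISH_FREQ[c] / 100 * n
        score += (counts[c] - expected) ** 2 / expected
    return score


def break_caesar(ciphertext):
    """Undo every possible shift and return (shift, plaintext) for the
    candidate closest to English. Trying all 26 keys is the whole attack,
    which is why a Caesar shift protects nothing."""
    best = None
    for shift in range(26):
        candidate = caesar(ciphertext, -shift)
        score = chi_squared(candidate)
        if best is None or score < best[0]:
            best = (score, shift, candidate)
    return best[1], best[2]


# Constructed sample: the post's opening sentence plus the Schneier fact used
# in the tr example. It is ROT13'd here in code, not copied from the page.
PLAINTEXT = ("The ability to securely share messages, keep secrets, and identify "
             "individuals has always been important to humanity. If you asked "
             "Bruce Schneier to decrypt this, he'd crush your skull with his yodel.")
CIPHERTEXT = caesar(PLAINTEXT, 13)

if __name__ == "__main__":
    shift, recovered = break_caesar(CIPHERTEXT)
    print(f"ciphertext: {CIPHERTEXT}")
    print(f"best shift {shift}: {recovered}")
```

The same scoring works for any Caesar shift, not just 13; ROT13 is merely the one shift that is its own inverse, which is what makes g? convenient for toggling text.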

Change the password

To change the password, open the file with the +X parameter (which runs :X once the file is loaded): type the old password when Vim opens the file, then the new one both times Vim asks for it, and save.

julio@acer ~> vim +X secret.txt

Remove the password

To remove the password, open the file with Vim, clear the key option, and save; the next :w writes the file in plaintext.

:set key=

Change the encryption algorithm

Vim's cryptmethod option selects the algorithm. The version used for this post offers two; Vim 7.4.401 and later add blowfish2, which is the one to pick if you use Vim's encryption at all:

  • pkzip

    Do not use, weak algorithm and easy to crack.

    :setlocal cryptmethod=zip
    
  • Blowfish

    Stronger than zip, but Vim's original Blowfish mode has a known implementation flaw in its cipher-feedback handling (the one described at https://dgl.cx/2014/10/vim-blowfish) that undermines the cipher's strength.

    :setlocal cm=blowfish

    On Vim 7.4.401 or later, select the repaired variant instead:

    :setlocal cm=blowfish2
    

Note that cm is just an abbreviation for cryptmethod.
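Because the method is written into the file header, you can tell which cryptmethod produced an encrypted file without knowing the password, which is exactly the check to run before trusting an old Vim-encrypted file. The following Python is an added example, not part of the original post or of Vim itself: it parses the VimCrypt~NN! magic that the file utility recognises and flags the methods that should be considered weak. The mapping of codes to method names and the 8-byte salt and seed of the blowfish methods follow Vim's source (crypt.c); methods 04 and 05 are the libsodium-based ones of Vim 9 and are listed by name only. The sample headers in the usage below are constructed bytes, not real encrypted files.

```python
"""Identify the Vim cryptmethod that produced an encrypted file (added example)."""
import sys

MAGIC_PREFIX = b"VimCrypt~"
MAGIC_LEN = 12   # "VimCrypt~NN!"

# method code -> (cryptmethod name, salt bytes, seed bytes, acceptable?)
# zip stores nothing after the magic; the blowfish methods store an 8-byte
# salt and an 8-byte seed (per Vim's crypt.c). The libsodium methods of
# Vim 9 are recognised by name only; their header layout is not parsed here.
METHODS = {
    b"01": ("zip", 0, 0, False),        # PKZIP stream cipher: trivially broken
    b"02": ("blowfish", 8, 8, False),   # Blowfish/CFB with the known flaw
    b"03": ("blowfish2", 8, 8, True),   # repaired Blowfish/CFB, Vim 7.4.401+
    b"04": ("xchacha20", None, None, True),
    b"05": ("xchacha20v2", None, None, True),
}


def inspect_vimcrypt(data):
    """Describe the Vim encryption header at the start of `data`.
    Returns None when the data is not Vim-encrypted; otherwise a dict with
    the method name, whether to treat it as weak, and, for methods whose
    layout is known, the salt, seed and offset of the ciphertext."""
    if len(data) < MAGIC_LEN or not data.startswith(MAGIC_PREFIX) or data[11:12] != b"!":
        return None
    code = data[9:11]
    info = {"method": None, "weak": True, "salt": None, "seed": None,
            "ciphertext_offset": None}
    if code not in METHODS:
        info["method"] = "unknown " + code.decode("ascii", "replace")
        return info
    name, salt_len, seed_len, acceptable = METHODS[code]
    info["method"], info["weak"] = name, not acceptable
    if salt_len is not None:
        end = MAGIC_LEN + salt_len + seed_len
        if len(data) < end:
            raise ValueError("truncated Vim crypt header")
        info["salt"] = data[MAGIC_LEN:MAGIC_LEN + salt_len] or None
        info["seed"] = data[MAGIC_LEN + salt_len:end] or None
        info["ciphertext_offset"] = end
    return info


def report(path):
    """One-line verdict for a file on disk; only the header is read."""
    with open(path, "rb") as fh:
        info = inspect_vimcrypt(fh.read(64))
    if info is None:
        return f"{path}: not Vim-encrypted"
    verdict = "WEAK, re-encrypt with something else" if info["weak"] else "ok"
    return f"{path}: cryptmethod={info['method']} ({verdict})"


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(report(name))
```

Run it as `python vimcrypt_check.py secret.txt` (the script name is arbitrary); the file from the cat output above would be reported as cryptmethod=zip and weak.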

Gnu Privacy Guard (GPG)

One disadvantage of Vim's encryption is that it offers only two algorithms (pkzip and Blowfish), both weak in some situations, and both symmetric: the sender (Alice) must share the key with the recipient (Bob) beforehand.

If Alice has no secure channel to Bob, how can she pass him the password of the encrypted file? This is what asymmetric algorithms are for: Alice encrypts the password with Bob's public key, and only Bob's private key can recover it.

GPG is ideal for cases like this: the version shown below supports three asymmetric algorithms and several symmetric ones, including Blowfish and stronger ciphers such as AES and Twofish. Besides encryption algorithms, GPG also ships hash and compression algorithms.

A list of available algorithms can be found with the following command:

julio@acer ~> gpg --version
  Supported algorithms:
  Pubkey: RSA, ELG, DSA
  Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
  CAMELLIA192, CAMELLIA256
  Hash: MD5 (deprecated), SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2

Asymmetric Cryptography

Generate your pair of private and public keys

A key pair is necessary for encryption, decryption, signing, and verification.

People will use your public key to encrypt messages intended for you, and you will use your corresponding private key to decrypt that message. Therefore, the public key can be distributed publicly, but the private key must be kept secret in a secure location.

  1. Generate your private key

    julio@acer ~> gpg --gen-key
    

    RSA 2048 is sufficient (you can go up to 4096), as long as the private key is protected by a strong passphrase rather than a password that falls to a dictionary attack or a short brute force.

    In other words, no short passwords, numeric passwords, your chihuahua's name, or common words.

    The passphrase _ThisIsAGreatSite!_ is far better than _banana1_ and much easier to remember than a random string like _$%Sh4x0rq56lohap[3é-!_; a long random string is stronger on paper, but a passphrase you can remember is one you will not end up writing down.

    Mandatory comic strip for this type of post: https://xkcd.com/936/

  2. Generate an ASCII version of your public key

    julio@acer ~> gpg --armor --output juliopub.asc --export julio@juliobs.com
    

    The --armor flag makes the output ASCII: the binary key is Base64-encoded and wrapped in BEGIN/END lines with a checksum, instead of the raw binary gpg writes by default.

Sharing public keys

After exporting your public key to an ASCII file, you can share it with other people. They import it with gpg --import, and you do the same with their keys so you can reply:

julio@acer ~> gpg --import < alice.asc

One way to verify the authenticity of Alice's public key is to compare the fingerprint she gave you through another channel (in person, by phone, on a printed card) with the output of gpg --fingerprint.

Importing a private key

Importing private keys can be useful in 3 cases:

  1. You use more than one computer and want to be able to decrypt messages on all of them
  2. You reformatted the disk and want to import the private key you backed up
  3. You are part of a group of people who share the same key

For all these cases the command is (--allow-secret-key-import is an obsolete no-op in GnuPG 2.x; a plain gpg --import also imports secret keys):

julio@acer ~> gpg --allow-secret-key-import --import private_key.asc

Encrypt a file

julio@acer ~> gpg --encrypt --recipient julio@juliobs.com secret.txt
julio@acer ~> gpg --encrypt --armor --recipient julio@juliobs.com secret.txt

The first command generates a binary file named secret.txt.gpg and the second a text file named secret.txt.asc. If you need to paste the encrypted message in an email, use the second one (with --armor), otherwise the first one is preferable for generating a smaller file:

julio@acer ~> file secret.txt*; ls -lh secret.txt*
  secret.txt:     UTF-8 Unicode text
  secret.txt.asc: PGP message
  secret.txt.gpg: GPG encrypted data

  -rw-r--r-- 1 julio users  163 Jun 10 20:58 secret.txt
  -rw-r--r-- 1 julio users 1.1K Jun 10 21:01 secret.txt.asc
  -rw-r--r-- 1 julio users  740 Jun 10 20:59 secret.txt.gpg
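The difference between the .gpg and .asc files above is only encoding: --armor Base64-encodes the same OpenPGP packets (4 bytes for every 3, plus BEGIN/END lines and a CRC-24 checksum line), which accounts for the size difference in the listing. The first raw byte also tells you what an .asc file is before you import or paste it: armored public keys start with mQ (packet tag 6) and secret keys with lQ (tag 5), so a glance prevents pasting a private key where a public one was meant. The following Python is an added example, not the post's or GnuPG's code: it dearmors a block, verifies the checksum, and names the first packet, following the armor and packet-header layout of RFC 4880. The sample key block is constructed from a dummy public-key packet header, not a real key.

```python
"""Dearmor an OpenPGP ASCII-armored block, check its CRC-24 and name the
first packet (added example)."""
import base64
import re

# OpenPGP packet tags worth recognising when triaging a .asc file.
PACKET_TAGS = {
    1: "public-key encrypted session key", 2: "signature",
    3: "symmetric-key encrypted session key", 5: "secret key", 6: "public key",
    7: "secret subkey", 8: "compressed data", 11: "literal data", 13: "user id",
    14: "public subkey", 18: "symmetrically encrypted integrity protected data",
}


def crc24(data):
    """CRC-24 used by OpenPGP armor (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets, kind="PGP MESSAGE"):
    """Build an armored block in the layout gpg --armor writes: BEGIN line,
    blank line, 76-column Base64, "=" + CRC-24, END line. Used below to
    construct sample input."""
    b64 = base64.b64encode(packets).decode("ascii")
    lines = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", ""] + lines
                     + ["=" + crc, f"-----END {kind}-----", ""])


def dearmor(text):
    """Return (kind, packet_bytes) for the first armored block in `text`.
    Raises ValueError when no block is found, the Base64 is malformed, or
    the CRC-24 does not match (the file was corrupted or edited in transit)."""
    match = re.search(r"-----BEGIN (PGP [A-Z ]+?)-----\r?\n(.*?)-----END \1-----",
                      text, re.S)
    if not match:
        raise ValueError("no ASCII-armored OpenPGP block found")
    kind, body = match.group(1), match.group(2)
    data_lines, crc_line, in_headers = [], None, True
    for line in body.splitlines():
        line = line.strip()
        if in_headers:
            if line == "":
                in_headers = False      # blank line ends the armor headers
                continue
            if ":" in line:
                continue                # e.g. "Version: GnuPG v2"
            in_headers = False          # no header block: this is data
        if line.startswith("="):
            crc_line = line[1:]
        elif line:
            data_lines.append(line)
    try:
        packets = base64.b64decode("".join(data_lines), validate=True)
    except ValueError as exc:           # binascii.Error is a ValueError
        raise ValueError(f"malformed Base64 body: {exc}") from None
    if crc_line is not None:            # newer OpenPGP makes the CRC optional
        if int.from_bytes(base64.b64decode(crc_line), "big") != crc24(packets):
            raise ValueError("CRC-24 mismatch: armored data was altered")
    return kind, packets


def is_intact(text):
    """True when `text` holds an armored block that dearmors cleanly."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def first_packet(packets):
    """Decode the first packet header and return (tag, description).
    Old-format headers (bit 6 clear) carry the tag in bits 5..2, new-format
    headers (bit 6 set) in the low six bits; bit 7 is always set."""
    if not packets or not packets[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    first = packets[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag, PACKET_TAGS.get(tag, f"tag {tag}")


# Constructed sample: an old-format public-key packet header (0x99 = tag 6,
# two-byte length) followed by dummy body bytes, not a real key.
SAMPLE_PACKETS = b"\x99\x00\x05" + b"\x04\x00\x00\x00\x01"
SAMPLE_ASC = armor(SAMPLE_PACKETS, "PGP PUBLIC KEY BLOCK")

if __name__ == "__main__":
    kind, packets = dearmor(SAMPLE_ASC)
    tag, description = first_packet(packets)
    print(f"{kind}: first packet is {description} (tag {tag}), {len(packets)} raw bytes")
```

Feed it the text of a real .asc file (for example `dearmor(open("juliopub.asc").read())`) to get the raw packets that the .gpg form would contain; a result of tag 5 means the file holds a secret key and must not be shared.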

Symmetric encryption

  1. Using the default algorithm, AES128 (CAST5 before GnuPG 2.1)

    julio@acer ~> gpg --symmetric secret.txt
    
  2. Using AES-256 (Rijndael)

    AES-256 is one of the strongest algorithms available and is approved by the US government for encrypting Top Secret material; with --symmetric the real limit is the strength of the passphrase it is derived from.

    julio@acer ~> gpg --cipher-algo AES256 --symmetric secret.txt
    

Hybrid Cryptography

In practice gpg --encrypt --recipient already combines both kinds of algorithm: it generates a random session key, encrypts the file with a symmetric cipher (AES by default) under that key, and encrypts only the session key with the recipient's public key. Public-key operations are slow and can only process a few hundred bytes at a time, so every OpenPGP message is built this way; the same message can carry the session key encrypted to several recipients, or to a passphrase as well (gpg --encrypt --symmetric).

Decrypt a file

julio@acer ~> gpg --output decrypted_file.txt --decrypt secret.txt.gpg

Enter your passphrase when prompted (for a file encrypted to your key, the passphrase unlocks your private key; for a --symmetric file, it is the password chosen at encryption time), and the secret file will be decrypted and saved as decrypted_file.txt.

Graphical Interface

Seahorse

Seahorse is a program that facilitates key management. It can also be used to create PGP keys, Secure Shell keys, and store passwords.

It can be installed using the following command:

julio@acer ~> sudo pacman -S seahorse

Kgpg

KGpg is KDE's graphical interface for GPG.

Install gnupg plugin for Vim

To install, copy the plugin to ~/.vim/plugin or, if you use Vundle to manage your plugins, add Bundle 'git://gitorious.org/vim-gnupg/vim-gnupg.git' to .vimrc and run :BundleInstall! (gitorious has since shut down; the plugin is now maintained at https://github.com/jamessan/vim-gnupg).

Now you can open .gpg files without running gpg --decrypt by hand: Vim prompts for your passphrase, decrypts into the buffer, and re-encrypts to the same recipients when you write the file.

My public key (generated in step 1.2)

OpenSSL

We can also use OpenSSL to encrypt files. The command below uses the defaults of the OpenSSL version of the time; on OpenSSL 1.1.1 or later add -pbkdf2 (and optionally -iter N) so that the passphrase is stretched with PBKDF2 rather than a single hash round. Note also that aes-256-cbc alone provides no integrity protection: a tampered file can decrypt to altered plaintext without any warning.

julio@acer ~> openssl aes-256-cbc -salt -in secret.txt -out secret.aes
  enter aes-256-cbc encryption password:
  Verifying - enter aes-256-cbc encryption password:
julio@acer ~> cat secret.aes
  Salted__Ø$5ÝGa$´³1äÄõýÓË
julio@acer ~> openssl aes-256-cbc -d -salt -in secret.aes -out secret.txt
  enter aes-256-cbc decryption password:
julio@acer ~> cat secret.txt
  This file is secret!
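What openssl enc wrote above is the 8-byte magic Salted__, a random 8-byte salt and then the ciphertext; the key and IV are derived from the passphrase and salt by EVP_BytesToKey with a single hash round, which is why such files are cheap to attack by passphrase guessing and why newer OpenSSL offers -pbkdf2. The following Python is an added example, not the post's or OpenSSL's code: it parses the file layout and reproduces both derivations (the legacy one, and the PBKDF2 one that -pbkdf2 -iter selects) so the difference is concrete. The sample file is constructed with placeholder bytes in place of real ciphertext; the passphrase and salt are arbitrary.

```python
"""Parse an `openssl enc -salt` file and reproduce its key derivation
(added example)."""
import hashlib

MAGIC = b"Salted__"


def is_salted(blob):
    """True if `blob` starts like an `openssl enc -salt` output file."""
    return len(blob) >= 16 and blob[:8] == MAGIC


def parse_salted(blob):
    """Split an OpenSSL 'Salted__' file into (salt, ciphertext)."""
    if not is_salted(blob):
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def build_salted(salt, ciphertext):
    """Assemble the file layout (used to construct the sample below; no
    encryption is performed here)."""
    if len(salt) != 8:
        raise ValueError("OpenSSL salts are 8 bytes")
    return MAGIC + salt + ciphertext


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, md="sha256", count=1):
    """OpenSSL's EVP_BytesToKey: D1 = H(password || salt),
    Di = H(D(i-1) || password || salt), each block hashed `count` times,
    concatenated until key_len + iv_len bytes are available.
    `openssl enc` without -pbkdf2 uses count=1 (md="md5" before OpenSSL
    1.1.0, "sha256" since), so one hash per passphrase guess is enough."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key_iv(password, salt, iterations=10000, key_len=32, iv_len=16):
    """What `openssl enc -pbkdf2 -iter N` derives instead: one
    PBKDF2-HMAC-SHA256 output of key_len + iv_len bytes over the same
    8-byte salt, split into key and IV (10000 is OpenSSL's default N)."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return material[:key_len], material[key_len:]


# Constructed sample file: a fixed salt and zero bytes standing in for the
# AES-256-CBC output; only the header layout and the KDFs are exercised.
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_FILE = build_salted(SAMPLE_SALT, bytes(32))

if __name__ == "__main__":
    salt, ciphertext = parse_salted(SAMPLE_FILE)
    print(f"salt={salt.hex()} ciphertext={len(ciphertext)} bytes")
    for label, (key, iv) in (("legacy", evp_bytes_to_key(b"correct horse", salt)),
                             ("pbkdf2", pbkdf2_key_iv(b"correct horse", salt))):
        print(f"{label}: key={key.hex()} iv={iv.hex()}")
```

A cracker only has to run evp_bytes_to_key once per candidate passphrase and try the resulting key on the first block; with PBKDF2 each candidate costs the full iteration count, which is the whole point of -pbkdf2 -iter.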

Mcrypt

mcrypt and libmcrypt have been unmaintained since 2007; prefer GPG or OpenSSL for new files and keep these commands for decrypting old .nc files.

  1. Install Mcrypt

    julio@acer ~> sudo pacman -S mcrypt
    
  2. Encrypt a file

    julio@acer ~> mcrypt -a rijndael-128 secret.txt
     Enter the passphrase (maximum of 512 characters)
     Please use a combination of upper and lower case letters and numbers.
     Enter passphrase:
     Enter passphrase:
    
     File secret.txt was encrypted.
    
  3. Decrypt a file

    julio@acer ~> mcrypt -d secret.txt.nc
      Enter passphrase:
      File secret.txt.nc was decrypted.
    

7zip

7-Zip also encrypts files with AES-256. Note that -tzip makes a ZIP archive regardless of the .7z extension, and ZIP's AES encryption leaves the file names readable; the native 7z format (-t7z, the default) with -mhe=on also encrypts the headers, names included.

julio@acer ~> 7z a -p -mem=AES256 -tzip secret.7z secret.txt

  7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
  p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
  Scanning

  Creating archive secret.7z

  Enter password (will not be echoed) :
  Verify password (will not be echoed) :
  Compressing  secret.txt

  Everything is Ok
julio@acer ~> 7z l -slt secret.7z | grep Method
  Method = AES-256 Deflate

Note that even when the algorithm is the same (AES-256 in several of the examples above), the file formats, key derivation and cipher modes differ between implementations, so a file encrypted with OpenSSL cannot be decrypted with GPG, for example.

Password cracking

There are programs that recover the passwords of encrypted files using dictionary attacks or brute force.

I can recommend John the Ripper and Ophcrack.

I have forgotten (more than once) the password of encrypted files, but luckily I knew more or less what the password patterns were and was able to create dictionaries to try to crack them.

One of these cases was a macOS sparsebundle disk image.

First, I needed to extract the hash so that John the Ripper could attack:

$ dmg2john secret.sparseimage > secret.txt

Then I needed to create a dictionary. I knew that:

  • If the password starts with a number, it is 5, 7, 123, or 321
  • Palavra1, Palavra2, or Palavra3 appear in the password
  • The ending is always -A, -B, or -C

A simple way to create a dictionary with every password that meets these criteria is Perl's brace expansion in glob (the trailing empty alternative in the first group covers the passwords that do not start with a number):

perl -lwe "print for glob '{5,7,123,321,}{Palavra1,Palavra2,Palavra3}-{A,B,C}'" > wordlist.txt

Then just let JTR perform the dictionary attack:

john --fork=4 --wordlist=wordlist.txt secret.txt

And check if it managed to discover the password:

$ john --show secret.txt
  secret.sparseimage:123Palavra2-C::::secret.sparseimage

  1 password hash cracked, 0 left

VeraCrypt

(Section added on January 26, 2019)

VeraCrypt is a fork of the discontinued TrueCrypt and is my favorite tool for encrypting disks that I need to access from Linux, Windows, and macOS.

It can encrypt an entire partition or create, in a single file, an encrypted container containing a file system.

You can choose between AES, Serpent, Twofish, Camellia, Kuznyechik, or a combination of these algorithms. It also features various hash functions like SHA-256, SHA-512, Streebog, and Whirlpool.

Another interesting feature of VeraCrypt is hidden volumes: a second volume stored in the free space at the end of an outer volume. Every volume has room for two headers; if the password entered matches the first header, the outer volume is opened, and if it matches the second, the hidden volume is. Because the free space of an encrypted volume is indistinguishable from random data, the existence of a hidden volume cannot be proven from the volume alone, which gives plausible deniability. Be aware, though, that writing to the outer volume without the protect-hidden option can overwrite the hidden volume, since the outer file system does not know it is there.

Creating a new volume is quite intuitive. My recommendation is NTFS if the disk is used on Windows, because among the file systems that all three operating systems can read it is the only one with journaling (macOS mounts NTFS read-only unless a third-party driver is installed; ext4 journals too, but Windows and macOS cannot use it natively). If journaling is not needed, I recommend exFAT.

To mount an encrypted volume on macOS:

/Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt --text --keyfiles="" --pim="0" --protect-hidden="no" /dev/disk3s5 /Volumes/Dev

To dismount:

$ /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt --dismount /dev/disk3s5

Julio Batista Silva
Data Engineer

I’m a computer engineer passionate about science, technology, photography, and languages. Currently working as a Data Engineer in Germany.
