Breaking simple ciphers

Posted by Jonas Elfström Wed, 16 Sep 2009 18:19:00 GMT

The last few days I've happened to stumble over a couple of ciphers and I just couldn't help myself from trying to break them.




The Lost Symbol



Dan Brown has a new book coming out and part of the promotion is this  cipher text "AOFACFSOA FSZWBEIC EIOA ZOHSFWQWOA OQQSDW". 
The WQW, QQ and three of the words ending with an A made me believe we could be dealing with a substitution cipher and maybe even a Caesar cipher, the most simple of them all.



As usual my tool of choice was Ruby and in this case the splendid Interactive Ruby Shell.




  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33


  
$ irb
>> s="AOFACFSOA FSZWBEIC EIOA ZOHSFWQWOA OQQSDW"
=> "AOFACFSOA FSZWBEIC EIOA ZOHSFWQWOA OQQSDW"
>> def caesar(text,n)
>>   alphas=('A'..'Z').to_a*2
>>   text.tr('A-Z', alphas[n..n+26].join)
>> end
>> 1.upto(25) do |n| puts "%2d. %s" % [n, caesar(s,n)] end
 1. BPGBDGTPB GTAXCFJD FJPB APITGXRXPB PRRTEX
 2. CQHCEHUQC HUBYDGKE GKQC BQJUHYSYQC QSSUFY
 3. DRIDFIVRD IVCZEHLF HLRD CRKVIZTZRD RTTVGZ
 4. ESJEGJWSE JWDAFIMG IMSE DSLWJAUASE SUUWHA
 5. FTKFHKXTF KXEBGJNH JNTF ETMXKBVBTF TVVXIB
 6. GULGILYUG LYFCHKOI KOUG FUNYLCWCUG UWWYJC
 7. HVMHJMZVH MZGDILPJ LPVH GVOZMDXDVH VXXZKD
 8. IWNIKNAWI NAHEJMQK MQWI HWPANEYEWI WYYALE
 9. JXOJLOBXJ OBIFKNRL NRXJ IXQBOFZFXJ XZZBMF
10. KYPKMPCYK PCJGLOSM OSYK JYRCPGAGYK YAACNG
11. LZQLNQDZL QDKHMPTN PTZL KZSDQHBHZL ZBBDOH
12. MARMOREAM RELINQUO QUAM LATERICIAM ACCEPI
13. NBSNPSFBN SFMJORVP RVBN MBUFSJDJBN BDDFQJ
14. OCTOQTGCO TGNKPSWQ SWCO NCVGTKEKCO CEEGRK
15. PDUPRUHDP UHOLQTXR TXDP ODWHULFLDP DFFHSL
16. QEVQSVIEQ VIPMRUYS UYEQ PEXIVMGMEQ EGGITM
17. RFWRTWJFR WJQNSVZT VZFR QFYJWNHNFR FHHJUN
18. SGXSUXKGS XKROTWAU WAGS RGZKXOIOGS GIIKVO
19. THYTVYLHT YLSPUXBV XBHT SHALYPJPHT HJJLWP
20. UIZUWZMIU ZMTQVYCW YCIU TIBMZQKQIU IKKMXQ
21. VJAVXANJV ANURWZDX ZDJV UJCNARLRJV JLLNYR
22. WKBWYBOKW BOVSXAEY AEKW VKDOBSMSKW KMMOZS
23. XLCXZCPLX CPWTYBFZ BFLX WLEPCTNTLX LNNPAT
24. YMDYADQMY DQXUZCGA CGMY XMFQDUOUMY MOOQBU
25. ZNEZBERNZ ERYVADHB DHNZ YNGREVPVNZ NPPRCV





Take a closer look at row 12.



MARMOREAM RELINQUO QUAM LATERICIAM ACCEPI



I found Rome a city of bricks and left it a city of marble. - Google tells me it's Augustus.



The code is not the most clear I've written but if you read Ruby in your sleep you can skip this part.



('A'..'Z') is a range in Ruby. Another, maybe more obvious, example of a range is (0..7). 



.to_a could be read as to_array and unsurprisingly it converts a range to an array. (0..7).to_a will create  [0, 1, 2, 3, 4, 5, 6, 7]



The operator * for arrays appends n copies of the array. Thus [0,1,2]*2 will create  [0,1,2,0,1,2].



String#tr works the same way as the Unix command tr, it translates the characters in the string according to the from and to parameters. 



At last .join converts the array to a string.



 



The recruiting agency



A government agency responsible for signals intelligence is hiring. Among the qualifications they are looking for is the ability to break a certain cipher. I will not publish their cipher here but instead one of my own, constructed in the same way as theirs.
"VGhpcyBpcyBleGNsdXNpdmUgZm9yIHlvdSwgb3I/IGMNR0d
LCkZPXgpTRV8K\nTENEQ1lCCkhfXgpoT1NFRElPCkNZCksKSE9eXk
9YCklYU1peRU1YS1pCT1gK\nXkJLRAp5SUJET0NPWAQ="

At first glance it looked like Base64 and the ending "=" made it even more likely.

  
1
2
3
4
5


  
$ irb
>> require 'base64'
>> cipher = "VGhpcyBpcyBleGNsdXNpdmUgZm9yIHlvdSwgb3I/IGMNR0dLCkZPXgpTRV8K\nTENEQ1lCCkhfXgpoT1NFRElPCkNZCksKSE9eXk9YCklYU1peRU1YS1pCT1gK\nXkJLRAp5SUJET0NPWAQ="
>> decoded=Base64.decode64(cipher)
=> "This is exclusive for you, or? c\rGGK\nFO^\nSE\nLCDCYB\nH^\nhOSEDIO\nCY\nK\nHO^^OX\nIXSZ^EMXKZBOX\n^BKD\nyIBDOCOX\004"





So it's Base64 but to no surprise it didn't end there. The "This is exclusive for you, or?" hinted at XOR so I tried XORing the text with 0-255.




  
1
2
3
4
5
6
7
8


  
>> code=decoded[31..decoded.length].split(//)
>> File.open('xor.txt','w') { |file|
?>   0.upto(255) {|n|
?>     file.write(n.to_s + " ")
>>     code.each {|c| file.write( (c[0]^n).chr ) }
>>     file.write("\n\n")
>>   }
>> }





A quick look in the file told me that XORing with 42 was the solution.



Now you know how to break two of the most simple cipher methods. Use the knowledge wisely. :)


  
  
Posted in ,  | 2 comments

  

 

  
Setting charset with a before filter in Sinatra


Posted by Jonas Elfström
Fri, 31 Jul 2009 06:30:00 GMT


In the git example in my previous post about Sinatra and Heroku I happened to mention a filter for using UTF-8. I remember finding it somewhere on the net but I can't remember where and it seems my current google-fu is as weak as my memory. Anyway, it looks like this:




  
1
2
3
4
5
6
7
8
9
10
11


  
CONTENT_TYPES = {:html => 'text/html', :css => 'text/css', 
                :js  => 'application/javascript'}

before do
 request_uri = case request.env['REQUEST_URI']
   when /\.css$/ : :css
   when /\.js$/  : :js
   else          :html
 end
 content_type CONTENT_TYPES[request_uri], :charset => 'utf-8'
end




  
  
Posted in  | 2 comments

  

 

  
An average application in the clouds


Posted by Jonas Elfström
Thu, 11 Jun 2009 21:03:00 GMT


A couple of days ago I published my first applicaiton "in the cloud". I named it Average and it's only a tiny little app that I did for fun and learning. It's written in Ruby with the micro framework Sinatra, DataMapper, Haml and published to Heroku with their git-based workflow. Except Ruby I hadn't used any of these before.



The tools

Sinatra will most likely become my favorite tool for quick web hacks in the futute. I've been using Rubys' built-in CGI support for such before, but Sinatra is beyond compare. It may not be very well suited for anything but small projects but it's hand in glove for admin pages, "reports" or REST services.  Still there are some not that small projects on http://www.sinatrarb.com/wild.html


DataMapper is an ORM and at glance it looks a lot like ActiveRecord but it feels more "pure". I really like that it uses regular Ruby classes (and methods, no method_missing magic) that you include DataMapper to. Sadly the documentation is terrible, it's unstructured and missing some crucial bits. Hopefully that will change in the near future and since it's a wiki anyone can help.




Haml is a markup language that generates HTML/XHTML. It makes it very easy to create fully validating XHTML pages. Some parts of Hamls felt kind of strange but after using it for a couple of hours it all seemed to fall into place and I started to like it more and more by the minute. As a disclaimer I have to admit to only have created 8-9 simple Haml templates ever.




git is a distributed revision control tool. It's really fast, faster than any SCM I've ever used. Git was initially developed by Linus Torvalds and http://github.com/ seems to be a driving force of adoption.





Heroku is very impressive! Unparalleled ease of deployment and if you need more power just slide the "dyno slider"! Heroku is free as long as you only use one dyno, but if you need more "CPUs", backups, more than 5MB and so on, there's a fee.




Under the hood


Average doesn't do much but to its defense it does it in few lines of code. One single Ruby file and some views:

$ wc -l average.rb
  196 average.rb
$ wc -l views/*.haml
  6 views/average.haml
 19 views/index.haml
 25 views/new.haml
  9 views/notenoughdata.haml
 13 views/poll.haml
 16 views/show.haml

284 rows total.

And there's nothing more to it because the data model is included in the average.rb:




  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21


  
class Average
  include DataMapper::Resource
  property :id, Integer, :serial => true
  property :name, String, :length => 50
  property :unit, String, :length => 50
  property :what, String, :length => 50
  property :public, Boolean, :default => true
  property :avgthreshold, Integer, :default => 0
  property :cryptokey, String
  property :adminkey, String
  property :allow_multiple, Boolean, :default => false
  has n, :values
end

class Value
  include DataMapper::Resource
  property :id, Serial
  property :value, Float
  property :valuekey, String
  belongs_to :average
end







I only had to type one single SQL statement: 

CREATE DATABASE average;

The tables were created by executing DataMapper.auto_migrate! (in irb), it's also possible to migrate table by table: Average.auto_migrate!. Migrate drops the table so if you want to keep the data you can use Averages.auto_upgrade!. It's real easy and powerful.

Heroku also has a console and there you can run Ruby code in the running production enviroment.


$ heroku console

>> DataMapper.auto_migrate!



To push your local database to the server just:

$ heroku db:push mysql://user:pwd@localhost/average

(Heroku runs PostgreSQL but the above translates from a plethora of  databases. I got some kind of problem with Booleans from MySQL though.)
For ActiveRecord there's rake db:...



A typical Sinatra Route (a HTTP method paired with a URL matching pattern) could look something like this:




  
1
2
3
4


  
get '/' do
  @avgs=Average.all(:public => true, :limit => 25, :order => [:id.desc])
  haml :index
end







My views are written in Haml and it looks something like this:




  
1
2
3
4


  
%h1= @avg.name
%p== The average #{@avg.what} is #{average} #{@avg.unit} and the sample size is #{sample_size}.
- if @done==false then
  %a{:href=>"/poll/"+@avg.cryptokey} Add value







Heroku uses git to publish the applications and the workflow is:

git add.

git commit -m "added a before filter for charset utf-8"

git push heroku



PS. Peter, look, it validates! http://validator.w3.org/check?uri=http%3A%2F%2Faverage.heroku.com :) DS


  
  
Posted in  | no comments

  

 

  
Unit testing strains


Posted by Jonas Elfström
Mon, 05 May 2008 19:17:00 GMT


I've felt it and I've heard it from colleagues several times. Writing unit tests can be hard work. Especially adding unit test to an existing code base is, at best, cumbersome. Also it's one of those things with delayed gratification. Sometimes it's not even you that will benefit from them being there because the biggest win can be long down the road, when changes to the system has to be made. 



Tests may seem to be isolated and it's even considered a good thing to keep them that way. Even so the tests of your application has a correlation to what the system aims to do on a bigger scale.  This one of the things BDD  focuses on. I think that one of the biggest advantages is that you in one process writes a specification and tests that ensures that the spec. is met. Testing becomes a natural part of the development process. This way it clearly shows that BDD and  TDD are design processes and that it's certainly not all about adding unit tests.



Find out more about BDD on: http://behaviour-driven.org

It must be stressed that BDD is a rephrasing of existing good practice, it is not a radically new departure. Its aim is to bring together existing, well-established techniques under a common banner and with a consistent and unambiguous terminology.



For Ruby RSpec has almost become the de facto standard for BDD. The concepts Story, Scenario, and Test feels natural and the syntax is short and easy to read.



In languages like Java or C# the tests often becomes much more cluttered and some of that clutter is the extra code that comes with static typing. I believe that dynamically typed and overall dynamic languages like Ruby or Python could find a nice little niche here. They could become DSL's for testing.



RSpec is on it's way for .NET/C# via IronRuby and for Java via JRuby but don't hold your breath because they are still in alpha and beta.



.NET / C#

Testing .NET with IronRuby...

NSpecify => RSpec… well closer anyway



Java

Java Functional Testing with JRuby and RSpec

JtestR



Ruby

Slapp - A simple chat wall Merb tutorial. With nice exampes of using RSpec.

Behavior-driven testing with RSpec



ASP.NET MVC

ASP.NET MVC Test Framework Integration Walkthrough

MVC Preview - Testing

ASP.NET MVC Session at Mix08, TDD and MvcMockHelpers


  
  
Posted in , ,  | 3 comments

  

 

  
Blowfish in the URL


Posted by Jonas Elfström
Thu, 15 Nov 2007 21:38:00 GMT


Sometimes you do not want to show the database id for a row in the URL. The reason could be that you do not want someone to be able to scan through all the data.



One solution is to use GUID's but they have drawbacks and one of them is that they add a considerable length to the URL. The shortest URL-safe representation of a GUID I've seen is 22 characters but usually they are 36 characters.



Depending on how your id's are implemented a much shorter way could be to simply to encrypt them.



Here's a Ruby-example that Blowfish encrypts, Base64 encodes and URL-encodes an integer value. You can get crypt as a gem:



gem install crypt



require 'rubygems'
require 'crypt/blowfish'
require 'Base64'
blowfish = Crypt::Blowfish.new("A key up to 56 bytes long")
plainId=123456
encryptedBlock = blowfish.encrypt_block(plainId.to_s.ljust(8))
idForURL = URI.escape((Base64.encode64(encryptedBlock).strip))

decryptedId = blowfish.decrypt_block(Base64.decode64(URI.unescape(idForURL))).strip.to_i



The .ljust(8) is because Blowfish is a 64-bit block cipher and the Ruby-implementation does not pad the data itself.



The id in the URL in this case would be c2PSXWgky40=. Its 12 characters long (11 if you skip the equal sign) and that's 10 or 24 characters shorter than a GUID. Also there is zero percent chance of a collusion and if you want to you can even decrypt it.



This is not a super safe implementation but if you start your id's at a random and not too low number you are making it a bit harder for someone to crack the 56-bit key. Actually a truly random and at least 64-bit big number would be a better choice as it would have no connection to the true id at all. You would have to check for uniqueness before storing those in the database though.


  
  
Posted in , ,  | no comments

  



  
Older posts: 1 2 3