0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/375 Thanks! 1 00:00:13,750 --> 00:00:15,849 He's a malware researcher at 2 00:00:15,850 --> 00:00:18,069 Check Point and comes from the Israel 3 00:00:18,070 --> 00:00:20,169 Institute of Technology and 4 00:00:20,170 --> 00:00:23,099 he's going to tell us something about 5 00:00:23,100 --> 00:00:25,209 streamy radios and how to 6 00:00:25,210 --> 00:00:27,699 avoid to spend nights and nights 7 00:00:27,700 --> 00:00:30,369 trying to understand a crypto protocol. 8 00:00:30,370 --> 00:00:32,529 But was it worth the time 9 00:00:32,530 --> 00:00:33,699 to use? 10 00:00:33,700 --> 00:00:35,859 I mean, in terms of spending 11 00:00:35,860 --> 00:00:37,389 your night developing these other 12 00:00:37,390 --> 00:00:39,489 software for automatism days instead 13 00:00:39,490 --> 00:00:41,409 of checking by yourself. 14 00:00:45,610 --> 00:00:46,929 Let's see. 15 00:00:46,930 --> 00:00:47,959 Thank you. 16 00:00:47,960 --> 00:00:49,209 Please give him another round of 17 00:00:49,210 --> 00:00:50,210 applause. 18 00:00:56,470 --> 00:00:58,569 Hi, I'm Ben, I'm from 19 00:00:58,570 --> 00:01:00,699 the, uh, Check Point Malware and Vulnerability 20 00:01:00,700 --> 00:01:02,769 Research Group, and 21 00:01:02,770 --> 00:01:04,208 this was mentioned earlier, but I felt 22 00:01:04,209 --> 00:01:06,549 like mentioning it again. 23 00:01:06,550 --> 00:01:08,769 And what I do is I look at the 24 00:01:08,770 --> 00:01:10,539 applications of theoretical computer 25 00:01:10,540 --> 00:01:12,699 science to problems facing that we come 26 00:01:12,700 --> 00:01:15,369 across in the field. 
27 00:01:15,370 --> 00:01:17,469 And, uh, in less 28 00:01:17,470 --> 00:01:19,929 whitewashed terms, what this means is 29 00:01:19,930 --> 00:01:22,299 that I am an amateur mathematician, 30 00:01:22,300 --> 00:01:24,129 who infiltrated the industry somehow. 31 00:01:24,130 --> 00:01:25,959 Don't tell anyone, especially the people 32 00:01:25,960 --> 00:01:26,960 working with me. 33 00:01:28,030 --> 00:01:30,189 It's hard enough to keep this undercover 34 00:01:30,190 --> 00:01:31,989 as it is, considering that when I 35 00:01:31,990 --> 00:01:33,669 handed my boss the first draft of this 36 00:01:33,670 --> 00:01:35,559 presentation, he took one look at it and 37 00:01:35,560 --> 00:01:37,179 he said, you're really going to present 38 00:01:37,180 --> 00:01:38,829 this with all of those formulas, they're 39 00:01:38,830 --> 00:01:40,179 going to lynch you. 40 00:01:40,180 --> 00:01:41,949 So first of all, please don't lynch me. 41 00:01:41,950 --> 00:01:43,569 Second of all, I really tried my best to 42 00:01:43,570 --> 00:01:45,009 take away most of the formulas. 43 00:01:45,010 --> 00:01:46,899 There's one formula somewhere in one of 44 00:01:46,900 --> 00:01:48,409 the slides. 45 00:01:48,410 --> 00:01:49,410 Uh, 46 00:01:50,890 --> 00:01:52,959 so this talk, as 47 00:01:52,960 --> 00:01:55,599 I said, it is about, uh, automatic 48 00:01:55,600 --> 00:01:58,629 detection of key reuse vulnerabilities. 49 00:01:58,630 --> 00:02:00,549 I would like to dive right into that, 50 00:02:00,550 --> 00:02:01,599 unfortunately. 51 00:02:01,600 --> 00:02:03,099 First, I'm going to have to explain what 52 00:02:03,100 --> 00:02:04,989 the key reuse vulnerability is. 53 00:02:04,990 --> 00:02:07,089 And unfortunately, to explain what 54 00:02:07,090 --> 00:02:09,279 that means, I'm going to have to explain 55 00:02:09,280 --> 00:02:10,448 how a stream cipher works. 56 00:02:10,449 --> 00:02:12,549 So let's go over it as quickly 57 00:02:12,550 --> 00:02:13,550 as we can. 
58 00:02:18,630 --> 00:02:20,789 OK, this 59 00:02:20,790 --> 00:02:22,739 is how a stream cipher works. Basically, 60 00:02:22,740 --> 00:02:24,569 there's this machinery called the pseudo 61 00:02:24,570 --> 00:02:26,579 random number generator and the pseudo 62 00:02:26,580 --> 00:02:29,009 random number generator accepts the short key 63 00:02:29,010 --> 00:02:31,229 and outputs what basically 64 00:02:31,230 --> 00:02:33,419 looks like noise to anyone who is not 65 00:02:33,420 --> 00:02:35,340 familiar with the key. 66 00:02:38,330 --> 00:02:39,590 It looks like noise 67 00:02:40,610 --> 00:02:42,829 and what you can do is you can 68 00:02:42,830 --> 00:02:44,959 use it for encryption. How? You insert 69 00:02:44,960 --> 00:02:46,969 the key, symmetrically known to both parties 70 00:02:46,970 --> 00:02:48,859 trying to communicate, say, Alice and 71 00:02:48,860 --> 00:02:50,989 Bob, and the pseudo 72 00:02:50,990 --> 00:02:52,969 random number generator outputs this 73 00:02:52,970 --> 00:02:55,249 key stream that looks like noise. You XOR 74 00:02:55,250 --> 00:02:57,049 the plaintext, here it's the smiley 75 00:02:57,050 --> 00:02:58,189 image. 76 00:02:58,190 --> 00:03:00,379 And you get the ciphertext, which is 77 00:03:00,380 --> 00:03:02,479 the plaintext XOR the key stream. 78 00:03:02,480 --> 00:03:04,549 And to the uninitiated, anyone 79 00:03:04,550 --> 00:03:06,979 who is not familiar with the 80 00:03:06,980 --> 00:03:09,319 key or the key stream, it also looks like noise. 81 00:03:09,320 --> 00:03:10,939 This is a property of the XOR operation. 82 00:03:10,940 --> 00:03:13,159 You take a nice plaintext and you XOR it with what 83 00:03:13,160 --> 00:03:15,229 looks like noise, you also get something 84 00:03:15,230 --> 00:03:16,410 that looks like noise. 85 00:03:17,600 --> 00:03:19,789 Next, what can you do now? 86 00:03:19,790 --> 00:03:21,209 There is the ciphertext. 87 00:03:21,210 --> 00:03:23,389 It looks like noise. 
But if you XOR it 88 00:03:23,390 --> 00:03:25,399 again with the same key stream, which is 89 00:03:25,400 --> 00:03:26,629 what Bob, on the other side of the 90 00:03:26,630 --> 00:03:28,799 communication, will do, you get the plaintext 91 00:03:28,800 --> 00:03:29,839 back again. Why? 92 00:03:29,840 --> 00:03:31,549 Because this is another property of the XOR 93 00:03:31,550 --> 00:03:32,599 operation. 94 00:03:32,600 --> 00:03:35,029 If you XOR something with the same 95 00:03:35,030 --> 00:03:37,579 element, whether it's noise or not noise, 96 00:03:37,580 --> 00:03:39,859 twice you get that element 97 00:03:39,860 --> 00:03:40,819 cancels itself out. 98 00:03:40,820 --> 00:03:43,069 You XOR noise with noise again, 99 00:03:43,070 --> 00:03:44,869 the noise cancels itself out and you get 100 00:03:44,870 --> 00:03:46,039 that plaintext back again. 101 00:03:47,060 --> 00:03:48,060 So 102 00:03:49,670 --> 00:03:51,079 what's key reuse? 103 00:03:51,080 --> 00:03:53,299 Key reuse, astonishingly, it is when 104 00:03:53,300 --> 00:03:55,429 you reuse the same key stream twice 105 00:03:55,430 --> 00:03:58,249 to encrypt two different plaintexts. 106 00:03:58,250 --> 00:04:00,349 And as you can see it, let's take 107 00:04:00,350 --> 00:04:01,659 a certain key. 108 00:04:01,660 --> 00:04:04,129 This is the key and 109 00:04:04,130 --> 00:04:06,409 we XOR the 110 00:04:06,410 --> 00:04:08,719 text with the first plaintext 111 00:04:08,720 --> 00:04:10,939 with the key and the second plaintext 112 00:04:10,940 --> 00:04:13,159 again with the same key and we get two 113 00:04:13,160 --> 00:04:14,329 bunches of noise. 114 00:04:14,330 --> 00:04:16,458 As we said earlier, if you XOR with 115 00:04:16,459 --> 00:04:18,169 the noise, you get something that looks 116 00:04:18,170 --> 00:04:20,278 like noise unless you know the in advance 117 00:04:20,279 --> 00:04:21,559 generated the key stream. 
118 00:04:21,560 --> 00:04:23,749 And now if Eve stands in the middle of the 119 00:04:23,750 --> 00:04:25,879 communication, she's eavesdropping on 120 00:04:25,880 --> 00:04:28,849 the communication and she gets this 121 00:04:28,850 --> 00:04:31,309 noise and this other noise and it 122 00:04:31,310 --> 00:04:32,539 all looks like noise to her. 123 00:04:32,540 --> 00:04:34,079 And of course, she can't do anything. 124 00:04:34,080 --> 00:04:35,539 And there is no such thing as a key reuse 125 00:04:35,540 --> 00:04:37,489 vulnerability. You can get up on stage 126 00:04:37,490 --> 00:04:38,659 and go home. 127 00:04:38,660 --> 00:04:40,429 No, not really. 128 00:04:40,430 --> 00:04:42,199 This is what happens if you encrypt two 129 00:04:42,200 --> 00:04:44,299 different plaintexts with the same 130 00:04:44,300 --> 00:04:46,519 key. It is possible for Eve, who 131 00:04:46,520 --> 00:04:48,589 has access to both ciphertexts, 132 00:04:48,590 --> 00:04:51,199 to XOR the two ciphertexts. 133 00:04:51,200 --> 00:04:53,539 And what did we say earlier about having 134 00:04:53,540 --> 00:04:55,279 the same element twice in the XOR 135 00:04:55,280 --> 00:04:57,169 operation here? The key appears twice. 136 00:04:57,170 --> 00:04:58,929 You have the first plaintext XOR the key 137 00:04:58,930 --> 00:05:01,069 and the second plaintext XOR the key. 138 00:05:01,070 --> 00:05:03,299 And if you XOR the two ciphertexts, 139 00:05:03,300 --> 00:05:05,479 as a result the key cancels itself out 140 00:05:05,480 --> 00:05:07,759 and you get the first plaintext 141 00:05:07,760 --> 00:05:09,859 XOR the second plaintext. 142 00:05:09,860 --> 00:05:11,869 This is not something that you want to 143 00:05:11,870 --> 00:05:13,289 enable. 
144 00:05:13,290 --> 00:05:15,349 As you can see here, it's 145 00:05:15,350 --> 00:05:17,419 very easy for Eve to take a look 146 00:05:17,420 --> 00:05:19,939 at this thing and 147 00:05:19,940 --> 00:05:21,259 have a very good idea of what the 148 00:05:21,260 --> 00:05:22,909 original plaintexts were. 149 00:05:22,910 --> 00:05:25,009 Now, this is due to the redundancy in 150 00:05:25,010 --> 00:05:27,049 the two original plaintexts. 151 00:05:27,050 --> 00:05:29,119 In our context, the context that 152 00:05:29,120 --> 00:05:31,189 we will be working with and mentioning at 153 00:05:31,190 --> 00:05:33,479 the moment, it's a bit more difficult 154 00:05:33,480 --> 00:05:35,389 than that. It's not so obvious. 155 00:05:35,390 --> 00:05:37,279 It doesn't just jump out at you like 156 00:05:37,280 --> 00:05:39,559 that. In fact, there's all the 157 00:05:39,560 --> 00:05:41,689 effort and the algorithms dedicated 158 00:05:41,690 --> 00:05:43,939 to extracting the original plaintext. 159 00:05:43,940 --> 00:05:44,839 But this is an example. 160 00:05:44,840 --> 00:05:46,189 You can look at it and see how horrible 161 00:05:46,190 --> 00:05:48,289 this vulnerability is if 162 00:05:48,290 --> 00:05:51,169 it exists, it's not something very nice. 163 00:05:51,170 --> 00:05:52,170 So. 164 00:05:53,640 --> 00:05:54,749 What is it good for? 165 00:05:54,750 --> 00:05:56,819 Why do we want to detect key reuse? Here's 166 00:05:56,820 --> 00:05:58,649 the first example. This is a document from the 167 00:05:58,650 --> 00:06:00,239 Venona project. The Venona project 168 00:06:00,240 --> 00:06:02,369 ran for 40 years from the 1940s 169 00:06:02,370 --> 00:06:04,529 to the 1980s, initiated by 170 00:06:04,530 --> 00:06:06,269 the NSA to eavesdrop on Soviet 171 00:06:06,270 --> 00:06:07,169 communication. 172 00:06:07,170 --> 00:06:09,239 This was started before the NSA even 173 00:06:09,240 --> 00:06:10,469 existed. 
174 00:06:10,470 --> 00:06:12,569 And the Soviets, 175 00:06:12,570 --> 00:06:14,819 they were using in their systems a one 176 00:06:14,820 --> 00:06:15,989 time, a one-time pad. 177 00:06:15,990 --> 00:06:17,669 When used correctly, it is an unbreakable 178 00:06:17,670 --> 00:06:19,679 cipher, but they were reusing their one 179 00:06:19,680 --> 00:06:19,889 time 180 00:06:19,890 --> 00:06:21,959 pads, and what happened 181 00:06:21,960 --> 00:06:24,119 is that the vulnerability that 182 00:06:24,120 --> 00:06:26,219 we saw earlier arose because of 183 00:06:26,220 --> 00:06:28,139 that. And the U.S. 184 00:06:28,140 --> 00:06:31,079 intelligence was able to extract 185 00:06:31,080 --> 00:06:33,089 information from those encrypted messages 186 00:06:33,090 --> 00:06:34,979 for the following 40 years. 187 00:06:34,980 --> 00:06:37,619 It isn't the case that the Soviets continued 188 00:06:37,620 --> 00:06:39,389 sending vulnerable information for 40 189 00:06:39,390 --> 00:06:41,429 years. It was only for four years and 190 00:06:41,430 --> 00:06:42,689 then they wised up. 191 00:06:42,690 --> 00:06:44,999 But for 40 years, the Americans continued 192 00:06:45,000 --> 00:06:46,679 working on this project, extracting more 193 00:06:46,680 --> 00:06:48,059 and more information. And they got all 194 00:06:48,060 --> 00:06:50,099 sorts of useful intelligence, including 195 00:06:50,100 --> 00:06:52,169 the names and identities of 196 00:06:52,170 --> 00:06:53,939 spy rings and such. 197 00:06:53,940 --> 00:06:55,319 So this is one use for it. 198 00:06:55,320 --> 00:06:57,479 If you can look at the traffic 199 00:06:57,480 --> 00:06:59,609 and say there's been 200 00:06:59,610 --> 00:07:02,159 key reuse here, that's helpful, 201 00:07:02,160 --> 00:07:04,199 you can then start to attack the traffic 202 00:07:04,200 --> 00:07:06,599 and look for information. 203 00:07:06,600 --> 00:07:08,039 This is another use. 
204 00:07:08,040 --> 00:07:10,559 Now, I will be shamelessly promoting my 205 00:07:10,560 --> 00:07:12,569 tie because these are some NITI. 206 00:07:12,570 --> 00:07:14,939 And earlier this year we researched 207 00:07:14,940 --> 00:07:17,369 a certain ransomware variant 208 00:07:17,370 --> 00:07:18,599 called DirCrypt. 209 00:07:18,600 --> 00:07:20,369 It's basically like a CryptoLocker 210 00:07:20,370 --> 00:07:22,649 wannabe. It infects your computer and 211 00:07:22,650 --> 00:07:24,749 it starts encrypting your files. 212 00:07:24,750 --> 00:07:27,029 And unfortunately, 213 00:07:27,030 --> 00:07:29,279 as I dug deeper into the source 214 00:07:29,280 --> 00:07:31,859 code, I found that DirCrypt 215 00:07:31,860 --> 00:07:33,329 commits key reuse. 216 00:07:33,330 --> 00:07:35,909 Basically, it uses the stream cipher 217 00:07:35,910 --> 00:07:37,349 RC4. 218 00:07:37,350 --> 00:07:38,579 This is a good point to mention that 219 00:07:38,580 --> 00:07:40,439 everything I'm talking about right now 220 00:07:40,440 --> 00:07:42,809 applies only to stream ciphers 221 00:07:42,810 --> 00:07:44,619 and one-time pads, which are like stream ciphers, 222 00:07:44,620 --> 00:07:46,709 not block ciphers, like AES 223 00:07:46,710 --> 00:07:48,750 and DES and the like. 224 00:07:49,760 --> 00:07:51,829 And I found out that that's what happens. 225 00:07:53,220 --> 00:07:54,220 There's a. 226 00:07:55,970 --> 00:07:58,549 Every single file encrypted by DirCrypt 227 00:07:58,550 --> 00:08:00,739 using RC4 228 00:08:00,740 --> 00:08:02,179 uses the same key. 229 00:08:02,180 --> 00:08:04,249 It was a five letter key, "black", 230 00:08:04,250 --> 00:08:06,319 in all lowercase, and this 231 00:08:06,320 --> 00:08:08,809 means that all encrypted files 232 00:08:08,810 --> 00:08:11,239 could theoretically be recovered 233 00:08:11,240 --> 00:08:13,549 using depending on redundancy 234 00:08:13,550 --> 00:08:14,659 in the plaintext. 
Anyway, it's not 235 00:08:14,660 --> 00:08:16,519 something that the malware author planned 236 00:08:16,520 --> 00:08:18,739 on. Now, the funny thing is that 237 00:08:18,740 --> 00:08:20,479 we didn't even have to go that far 238 00:08:20,480 --> 00:08:22,579 because the malware author actually 239 00:08:22,580 --> 00:08:24,829 included the key in 240 00:08:24,830 --> 00:08:25,999 every file. 241 00:08:26,000 --> 00:08:27,919 We don't really know why. 242 00:08:27,920 --> 00:08:29,779 Probably it seemed like a good idea to 243 00:08:29,780 --> 00:08:31,009 him at the time. 244 00:08:31,010 --> 00:08:33,259 And so 245 00:08:33,260 --> 00:08:35,538 unless the author 246 00:08:35,539 --> 00:08:37,849 had done this thing, 247 00:08:37,850 --> 00:08:40,189 we could have recovered that plaintext or 248 00:08:40,190 --> 00:08:42,558 a large part of the plaintext anyway, 249 00:08:42,559 --> 00:08:43,999 because this is key reuse. 250 00:08:44,000 --> 00:08:46,009 Now, if we had a way to look at the files 251 00:08:46,010 --> 00:08:47,629 and come to an epiphany, there's been 252 00:08:47,630 --> 00:08:49,729 key reuse here, I wouldn't have had to 253 00:08:49,730 --> 00:08:52,009 sit down in front of the screen looking 254 00:08:52,010 --> 00:08:54,559 at IDA Pro and are 255 00:08:54,560 --> 00:08:56,269 there's tears of blood in his eyes for 256 00:08:56,270 --> 00:08:57,469 nights and nights on end. 257 00:08:57,470 --> 00:08:59,749 We could have just looked 258 00:08:59,750 --> 00:09:01,879 at the files and said, hey, there's a 259 00:09:01,880 --> 00:09:03,379 key reuse vulnerability here and proceeded 260 00:09:03,380 --> 00:09:04,639 from there and saved a lot of time and 261 00:09:04,640 --> 00:09:05,640 effort. 262 00:09:06,800 --> 00:09:08,179 This is something similar. 263 00:09:08,180 --> 00:09:09,769 This is traffic from the Ramnit campaign 264 00:09:09,770 --> 00:09:12,229 where Ramnit came out around 265 00:09:12,230 --> 00:09:13,129 2010. 
266 00:09:13,130 --> 00:09:15,409 It steals credentials used to commit 267 00:09:15,410 --> 00:09:17,779 financial fraud and 268 00:09:17,780 --> 00:09:20,419 Ramnit sends its traffic 269 00:09:20,420 --> 00:09:22,699 in a special homebrewed protocol over 270 00:09:22,700 --> 00:09:23,749 port 443. 271 00:09:23,750 --> 00:09:24,949 It's not actually to celebrate. 272 00:09:24,950 --> 00:09:26,389 It's over 443. 273 00:09:26,390 --> 00:09:28,489 And this protocol contains 274 00:09:28,490 --> 00:09:29,929 blocks and some of the blocks can be 275 00:09:29,930 --> 00:09:31,069 encrypted. 276 00:09:31,070 --> 00:09:33,439 And every single block is encrypted 277 00:09:33,440 --> 00:09:35,119 with the same key, with the pseudo 278 00:09:35,120 --> 00:09:36,919 random number generator 279 00:09:36,920 --> 00:09:38,629 restarted before each use. 280 00:09:38,630 --> 00:09:40,669 So basically here you have key reuse on the 281 00:09:40,670 --> 00:09:42,169 block level. Every single block is 282 00:09:42,170 --> 00:09:44,269 encrypted using the same key. 283 00:09:44,270 --> 00:09:46,429 So if we can look at this 284 00:09:46,430 --> 00:09:48,499 traffic and understand 285 00:09:48,500 --> 00:09:50,239 something, you look at it and say there's 286 00:09:50,240 --> 00:09:51,199 been key reuse here. 287 00:09:51,200 --> 00:09:53,299 Again, that's useful because coming 288 00:09:53,300 --> 00:09:54,739 into this traffic, we don't even know 289 00:09:54,740 --> 00:09:55,769 anything about it. 290 00:09:55,770 --> 00:09:57,709 And now if we're just looking at the 291 00:09:57,710 --> 00:09:59,359 traffic, say key reuse has been committed 292 00:09:59,360 --> 00:10:00,929 here, that's interesting. 293 00:10:00,930 --> 00:10:03,109 We don't expect 294 00:10:03,110 --> 00:10:05,240 key reuse in regular traffic. 295 00:10:07,700 --> 00:10:09,829 And this is our last example. 
296 00:10:09,830 --> 00:10:11,569 Lest you think that only malware authors 297 00:10:11,570 --> 00:10:13,609 and shady characters commit key reuse, 298 00:10:13,610 --> 00:10:16,399 Microsoft committed it in the 299 00:10:16,400 --> 00:10:18,709 2003 version of Office 300 00:10:18,710 --> 00:10:20,509 and in their document encryption 301 00:10:20,510 --> 00:10:22,519 function, basically. 302 00:10:27,030 --> 00:10:29,359 Every time you saved 303 00:10:29,360 --> 00:10:31,549 the file, you modified the file and 304 00:10:31,550 --> 00:10:32,959 you saved it again, it was encrypted 305 00:10:32,960 --> 00:10:33,859 again with the same key. 306 00:10:33,860 --> 00:10:35,119 The key was bound to file. 307 00:10:35,120 --> 00:10:36,559 It was a single key every time. 308 00:10:36,560 --> 00:10:38,719 And someone who monitored your directory over 309 00:10:38,720 --> 00:10:40,789 a long time, could look at the files 310 00:10:40,790 --> 00:10:42,859 again and again and see as the 311 00:10:42,860 --> 00:10:44,219 basically different plaintext. 312 00:10:44,220 --> 00:10:45,829 Different files are encrypted again and 313 00:10:45,830 --> 00:10:47,779 again with the same string. 314 00:10:47,780 --> 00:10:49,829 And this enables a key reuse attack. 315 00:10:49,830 --> 00:10:52,099 So it took time for people to 316 00:10:52,100 --> 00:10:53,869 catch on to this. If we could only look 317 00:10:53,870 --> 00:10:55,459 at the files and come again to an 318 00:10:55,460 --> 00:10:57,289 epiphany. Oh, wow. There's key reuse here. 319 00:10:57,290 --> 00:10:58,970 It could have been detected much earlier. 320 00:11:01,180 --> 00:11:04,209 So how do we 321 00:11:04,210 --> 00:11:05,969 manage to actually do this thing, and I 322 00:11:05,970 --> 00:11:07,389 spent four slides explaining how 323 00:11:07,390 --> 00:11:08,889 wonderful it would be if we could just 324 00:11:08,890 --> 00:11:11,139 look at the heap of bytes and 325 00:11:11,140 --> 00:11:13,599 understand there's been key reuse here. 
326 00:11:13,600 --> 00:11:15,669 That's nice. But how do we actually pull 327 00:11:15,670 --> 00:11:16,670 this off? 328 00:11:17,290 --> 00:11:19,479 Well, do you remember 329 00:11:19,480 --> 00:11:21,459 has any one of you ever got stuck in one 330 00:11:21,460 --> 00:11:23,319 of those early 90s quests, like Simon 331 00:11:23,320 --> 00:11:25,479 the Sorcerer or Monkey Island, 332 00:11:25,480 --> 00:11:26,889 when you are completely stuck and you 333 00:11:26,890 --> 00:11:28,269 have no more ideas of what to do, what 334 00:11:28,270 --> 00:11:29,289 you do? That's right. 335 00:11:29,290 --> 00:11:31,029 You try everything on everything else 336 00:11:31,030 --> 00:11:32,349 until something works. 337 00:11:32,350 --> 00:11:34,569 So this is 338 00:11:34,570 --> 00:11:35,739 what we're going to do here. 339 00:11:35,740 --> 00:11:38,349 Basically, if we take every byte 340 00:11:38,350 --> 00:11:40,839 from our original input and 341 00:11:40,840 --> 00:11:43,419 XOR it with every other byte, 342 00:11:43,420 --> 00:11:45,729 we're going to get this space 343 00:11:45,730 --> 00:11:47,139 where, again, every byte is XORed 344 00:11:47,140 --> 00:11:49,899 with every other byte. For example, this 345 00:11:49,900 --> 00:11:52,029 square will be the result of XORing the 346 00:11:52,030 --> 00:11:53,949 R with the R, and it's going to be a null 347 00:11:53,950 --> 00:11:56,019 byte because anything XOR itself 348 00:11:56,020 --> 00:11:58,509 is a null byte, and 349 00:11:58,510 --> 00:12:00,579 every square, every tile in this 350 00:12:00,580 --> 00:12:02,649 space is going to be basically the XOR of 351 00:12:02,650 --> 00:12:04,539 the character from each column and the 352 00:12:04,540 --> 00:12:05,379 character from it. 353 00:12:05,380 --> 00:12:07,089 So what is this good for? 354 00:12:07,090 --> 00:12:08,619 I'm going to see in a moment. 355 00:12:08,620 --> 00:12:10,089 First of all, this is what it looks like. 
356 00:12:10,090 --> 00:12:11,439 As you can see along the diagonal, 357 00:12:11,440 --> 00:12:13,629 everything is null bytes, 358 00:12:13,630 --> 00:12:13,929 right? 359 00:12:13,930 --> 00:12:16,239 Because it's a character XOR itself. 360 00:12:17,650 --> 00:12:18,650 So 361 00:12:19,750 --> 00:12:22,359 what's our game plan based on the above 362 00:12:22,360 --> 00:12:24,789 that if we take our input, let's 363 00:12:24,790 --> 00:12:26,979 look at a typical 364 00:12:26,980 --> 00:12:29,409 input that we might want to operate on 365 00:12:29,410 --> 00:12:31,389 and find something interesting. 366 00:12:31,390 --> 00:12:33,129 Let's take this input. 367 00:12:33,130 --> 00:12:34,449 There's all sorts of noise in here 368 00:12:34,450 --> 00:12:36,039 somewhere in here 369 00:12:36,040 --> 00:12:38,839 are two ciphertexts, each 370 00:12:38,840 --> 00:12:40,839 encrypted. Jutras There are both two 371 00:12:40,840 --> 00:12:42,309 different plaintexts encrypted with the 372 00:12:42,310 --> 00:12:42,729 same key. 373 00:12:42,730 --> 00:12:44,289 This is the thing that we are about to 374 00:12:44,290 --> 00:12:46,479 find out. And if we XOR every 375 00:12:46,480 --> 00:12:48,579 byte with every other byte somewhere 376 00:12:48,580 --> 00:12:49,809 in here. Right. 377 00:12:49,810 --> 00:12:52,569 This is the first byte of this ciphertext 378 00:12:52,570 --> 00:12:53,919 XORed with the first byte of this 379 00:12:53,920 --> 00:12:54,920 ciphertext. 380 00:12:58,250 --> 00:12:59,389 Why do we care? 381 00:12:59,390 --> 00:13:00,769 Because of the phenomenon that we saw 382 00:13:00,770 --> 00:13:02,959 earlier, if we 383 00:13:02,960 --> 00:13:05,599 XOR the first bytes 384 00:13:05,600 --> 00:13:07,759 of the two ciphertexts, the key 385 00:13:07,760 --> 00:13:09,259 byte cancels itself out. 
386 00:13:09,260 --> 00:13:11,599 And the same applies 387 00:13:11,600 --> 00:13:13,549 if we XOR the second bytes of the two 388 00:13:13,550 --> 00:13:15,679 ciphertexts and along 389 00:13:15,680 --> 00:13:17,509 this diagonal, right. 390 00:13:17,510 --> 00:13:19,999 If you go up one 391 00:13:20,000 --> 00:13:21,979 unit and to the right one unit, we 392 00:13:21,980 --> 00:13:24,049 basically advance to the next character 393 00:13:24,050 --> 00:13:26,689 in both, uh, strings. 394 00:13:26,690 --> 00:13:28,669 So along this white line, you can 395 00:13:28,670 --> 00:13:31,009 basically you will be able to see 396 00:13:31,010 --> 00:13:33,979 the two ciphertexts 397 00:13:33,980 --> 00:13:35,569 XORed with each other, basically the two 398 00:13:35,570 --> 00:13:37,219 different ciphertexts, actually, which can 399 00:13:37,220 --> 00:13:39,359 be read along this diagonal. 400 00:13:39,360 --> 00:13:40,819 And why do we care again? 401 00:13:40,820 --> 00:13:42,679 Because we saw earlier what happens if 402 00:13:42,680 --> 00:13:44,119 you do that? The key cancels itself out. 403 00:13:44,120 --> 00:13:46,039 You could actually see the smiley face 404 00:13:46,040 --> 00:13:48,199 and send a message here. 405 00:13:48,200 --> 00:13:50,299 It's not going to be so obvious, 406 00:13:50,300 --> 00:13:52,609 but it's still 407 00:13:52,610 --> 00:13:55,639 a step that helps us see 408 00:13:55,640 --> 00:13:56,539 what we need to do. 409 00:13:56,540 --> 00:13:57,679 Why? 410 00:13:57,680 --> 00:13:59,899 Because when you take, 411 00:13:59,900 --> 00:14:02,059 uh, we come into this 412 00:14:02,060 --> 00:14:04,129 whole thing, assuming something about the 413 00:14:04,130 --> 00:14:05,689 plaintext distribution that we are going 414 00:14:05,690 --> 00:14:07,759 to see. Plaintext is different from 415 00:14:07,760 --> 00:14:09,089 random characters, right? 
416 00:14:09,090 --> 00:14:10,639 You expect letters, you expect 417 00:14:10,640 --> 00:14:13,669 punctuation. You expect at any rate, 418 00:14:13,670 --> 00:14:15,379 the distribution is different as opposed 419 00:14:15,380 --> 00:14:17,089 to random characters that are distributed 420 00:14:17,090 --> 00:14:18,259 evenly. 421 00:14:18,260 --> 00:14:19,849 The this is not the plaintext 422 00:14:19,850 --> 00:14:21,709 distribution. This is the actual 423 00:14:21,710 --> 00:14:23,389 distribution. This is the distribution 424 00:14:23,390 --> 00:14:23,779 that you get. 425 00:14:23,780 --> 00:14:25,879 If you pick a random plaintext, uh, 426 00:14:25,880 --> 00:14:27,679 character from the plaintext distribution 427 00:14:27,680 --> 00:14:29,989 and then a number, uh, another, 428 00:14:29,990 --> 00:14:31,669 uh, random character from the plaintext 429 00:14:31,670 --> 00:14:33,439 distribution and you XOR the two of 430 00:14:33,440 --> 00:14:35,569 them, you get another distribution 431 00:14:35,570 --> 00:14:35,659 in. 432 00:14:35,660 --> 00:14:37,489 This distribution is again different from 433 00:14:37,490 --> 00:14:38,749 the random distribution. 434 00:14:38,750 --> 00:14:40,939 So it looks 435 00:14:40,940 --> 00:14:42,109 to us differently. Right. 436 00:14:42,110 --> 00:14:44,509 If we look at the byte that came 437 00:14:44,510 --> 00:14:46,759 from two different plaintext 438 00:14:46,760 --> 00:14:49,129 characters being XORed, it's going to 439 00:14:49,130 --> 00:14:51,319 appear different to us from just 440 00:14:51,320 --> 00:14:53,059 a random byte in the long run. 441 00:14:55,630 --> 00:14:56,740 So what are we going to do? 442 00:14:57,850 --> 00:15:00,129 We're going to scan this space 443 00:15:00,130 --> 00:15:01,659 that I mentioned earlier, we're going to 444 00:15:01,660 --> 00:15:03,399 construct it and we're going to scan it. 
445 00:15:03,400 --> 00:15:05,109 They're going to they're going to fashion 446 00:15:05,110 --> 00:15:07,719 because the damning evidence 447 00:15:07,720 --> 00:15:08,709 is like a crime scene. 448 00:15:08,710 --> 00:15:11,109 And the damning evidence, where all the 449 00:15:11,110 --> 00:15:13,449 bytes are going to look suspicious, 450 00:15:13,450 --> 00:15:15,129 look like they came out of a different 451 00:15:15,130 --> 00:15:17,469 distribution than the random distribution. 452 00:15:17,470 --> 00:15:19,479 They are going to appear along a 453 00:15:19,480 --> 00:15:21,099 diagonal such as this. 454 00:15:21,100 --> 00:15:23,379 Of course, we don't have all those 455 00:15:23,380 --> 00:15:24,279 colors and all this. 456 00:15:24,280 --> 00:15:26,259 All right. When we come into this, all we 457 00:15:26,260 --> 00:15:27,879 have is the input. But we know that if we 458 00:15:27,880 --> 00:15:29,919 scan this diagonally and it just so 459 00:15:29,920 --> 00:15:31,599 happens that there's key reuse here 460 00:15:31,600 --> 00:15:33,639 somewhere, we're going to come across 461 00:15:33,640 --> 00:15:36,399 this diagonal eventually and 462 00:15:36,400 --> 00:15:38,169 we're going to look basically each byte 463 00:15:38,170 --> 00:15:40,359 is like a little piece of evidence 464 00:15:40,360 --> 00:15:42,429 that may be pointing in the 465 00:15:42,430 --> 00:15:44,559 direction that there's been key reuse here. 466 00:15:44,560 --> 00:15:46,719 And we are right now looking at two 467 00:15:46,720 --> 00:15:49,509 ciphertexts that had been in sync 468 00:15:49,510 --> 00:15:50,529 with each other. 
469 00:15:50,530 --> 00:15:52,599 And we are going to walk along 470 00:15:52,600 --> 00:15:54,069 the diagonals and each time we come 471 00:15:54,070 --> 00:15:55,359 across a byte, we're going to pick it up 472 00:15:55,360 --> 00:15:57,639 and look at it and say, hmm, 473 00:15:57,640 --> 00:15:59,799 this looks like evidence for 474 00:15:59,800 --> 00:16:01,659 our hypothesis and maybe it gets hard 475 00:16:01,660 --> 00:16:03,759 parts of this. And if we walk along 476 00:16:03,760 --> 00:16:06,139 a diagonal and we found 477 00:16:06,140 --> 00:16:08,409 we find an overwhelming amount, 478 00:16:08,410 --> 00:16:10,059 a sufficient amount of evidence that 479 00:16:10,060 --> 00:16:12,189 supports our hypothesis that there 480 00:16:12,190 --> 00:16:14,319 has been key reuse here, then 481 00:16:14,320 --> 00:16:16,539 we raise the alarm and we say this 482 00:16:16,540 --> 00:16:17,559 is enough evidence. 483 00:16:17,560 --> 00:16:19,289 There's no way this was a coincidence. 484 00:16:19,290 --> 00:16:21,519 There's been key reuse here and 485 00:16:21,520 --> 00:16:23,589 the vulnerable ciphertexts to the 486 00:16:23,590 --> 00:16:25,869 key reuse XORing attack are 487 00:16:25,870 --> 00:16:27,639 in this offset and this offset. 488 00:16:27,640 --> 00:16:29,229 And the length is so and so. 489 00:16:33,270 --> 00:16:35,369 This is the formula I warned you 490 00:16:35,370 --> 00:16:37,470 about earlier and 491 00:16:38,790 --> 00:16:40,829 this is the flavor of the math 492 00:16:40,830 --> 00:16:42,899 involved. Basically I said look 493 00:16:42,900 --> 00:16:44,699 at the evidence, look at the evidence. 494 00:16:44,700 --> 00:16:46,499 I'm going to have to mention what I mean 495 00:16:46,500 --> 00:16:46,889 by that. 
496 00:16:46,890 --> 00:16:47,890 Basically, there's 497 00:16:48,960 --> 00:16:51,059 a quantifier rubric 498 00:16:51,060 --> 00:16:53,759 for deciding how much 499 00:16:53,760 --> 00:16:56,639 bite a piece of evidence influences 500 00:16:56,640 --> 00:16:58,769 our hypothesis and makes it things that 501 00:16:58,770 --> 00:17:00,689 makes us think that the hypothesis is 502 00:17:00,690 --> 00:17:02,069 more likely. 503 00:17:02,070 --> 00:17:04,529 This is basically a computation involving 504 00:17:04,530 --> 00:17:06,449 the disparity between the probability 505 00:17:06,450 --> 00:17:08,608 that this might will arise from 506 00:17:08,609 --> 00:17:10,709 the cortex, the distribution in blue 507 00:17:10,710 --> 00:17:12,419 that you saw earlier and 508 00:17:13,530 --> 00:17:15,809 the probability that it would arise 509 00:17:15,810 --> 00:17:16,810 randomly. 510 00:17:17,520 --> 00:17:18,868 I'm not going to actually go into the 511 00:17:18,869 --> 00:17:21,118 formula, but anyway, uh, 512 00:17:21,119 --> 00:17:21,809 it's important. 513 00:17:21,810 --> 00:17:24,059 And, uh, regarding the question 514 00:17:24,060 --> 00:17:25,439 of how much evidence is enough, this is 515 00:17:25,440 --> 00:17:26,639 an important question. You can set the 516 00:17:26,640 --> 00:17:28,859 bar high, we can set the bar low, and 517 00:17:28,860 --> 00:17:30,869 we for the sake of the proof of concept, 518 00:17:30,870 --> 00:17:33,209 we set the bar such that, uh, one 519 00:17:33,210 --> 00:17:35,279 false positive is what we're willing 520 00:17:35,280 --> 00:17:35,819 to live with. 521 00:17:35,820 --> 00:17:37,919 Of course, you can send, uh, set it 522 00:17:37,920 --> 00:17:39,659 to, uh, lower chance. 523 00:17:39,660 --> 00:17:41,369 It depends on the context where you're 524 00:17:41,370 --> 00:17:43,199 going to use this thing. 
525 00:17:43,200 --> 00:17:45,329 And the question is, if we 526 00:17:45,330 --> 00:17:46,859 set the bar of evidence that I can 527 00:17:46,860 --> 00:17:49,289 actually detect something, uh, 528 00:17:49,290 --> 00:17:50,290 because 529 00:17:51,420 --> 00:17:52,889 it may well be the case that if we're 530 00:17:52,890 --> 00:17:55,499 just demanding when we come across 531 00:17:55,500 --> 00:17:57,719 the actual thing that we're looking 532 00:17:57,720 --> 00:17:59,249 for, the two XORed ciphertexts, we're 533 00:17:59,250 --> 00:18:00,899 not going to be able to find them because 534 00:18:00,900 --> 00:18:02,679 there won't be enough evidence. 535 00:18:02,680 --> 00:18:04,769 Uh, but as it turns 536 00:18:04,770 --> 00:18:06,719 out, there's this one, right? 537 00:18:06,720 --> 00:18:09,209 Uh, we found it using 538 00:18:09,210 --> 00:18:11,159 what's called the Chebyshev inequality. 539 00:18:11,160 --> 00:18:13,349 The long and short of it is basically 540 00:18:13,350 --> 00:18:15,689 that as long as the string, 541 00:18:15,690 --> 00:18:18,029 the ciphertext, uh, that 542 00:18:18,030 --> 00:18:20,219 we are looking for is long enough, 543 00:18:20,220 --> 00:18:22,019 every byte is going to give us some amount 544 00:18:22,020 --> 00:18:24,779 of evidence, uh, positive evidence 545 00:18:24,780 --> 00:18:26,939 that, uh, tells us this may be 546 00:18:26,940 --> 00:18:28,229 the real thing. 547 00:18:28,230 --> 00:18:30,419 And basically, 548 00:18:30,420 --> 00:18:32,339 if the string is long enough, we're going 549 00:18:32,340 --> 00:18:33,329 to have enough evidence. 
550 00:18:33,330 --> 00:18:35,249 The only question is it's a numbers game 551 00:18:35,250 --> 00:18:37,109 of what is the chance that we're going to 552 00:18:37,110 --> 00:18:39,329 fail anyway, even though the string was 553 00:18:39,330 --> 00:18:41,069 long enough in theory and we expected it 554 00:18:41,070 --> 00:18:43,289 to work, this is what the inequality 555 00:18:43,290 --> 00:18:45,629 is for: to bound from above 556 00:18:45,630 --> 00:18:47,189 the probability that something unlikely 557 00:18:47,190 --> 00:18:47,639 will happen. 558 00:18:47,640 --> 00:18:49,709 So if the string is long enough and if 559 00:18:49,710 --> 00:18:51,779 you look at the formula, you 560 00:18:51,780 --> 00:18:53,060 will be able to infer that 561 00:18:54,090 --> 00:18:56,189 there long enough is logarithmic in 562 00:18:56,190 --> 00:18:57,719 the length of the input, which is good. 563 00:18:57,720 --> 00:18:59,669 If we double the input, we just need one 564 00:18:59,670 --> 00:19:01,919 more Corktown to ciphertext for alarm 565 00:19:01,920 --> 00:19:03,029 to ring. 566 00:19:03,030 --> 00:19:04,030 And 567 00:19:05,550 --> 00:19:07,829 basically this is what it is. 568 00:19:07,830 --> 00:19:10,409 We will look at the formula and 569 00:19:10,410 --> 00:19:13,019 I, I don't really expect, 570 00:19:13,020 --> 00:19:15,149 uh, anyone here to 571 00:19:15,150 --> 00:19:16,650 just, you know, look at it and 572 00:19:17,670 --> 00:19:19,409 realize how the hell we came up with this 573 00:19:19,410 --> 00:19:21,509 thing. But it's just proof that we 574 00:19:21,510 --> 00:19:23,069 looked into it. This algorithm should 575 00:19:23,070 --> 00:19:25,229 work in theory. Now, uh, that's 576 00:19:25,230 --> 00:19:27,159 all nice and good. 
577 00:19:27,160 --> 00:19:29,289 But we're going to have 578 00:19:29,290 --> 00:19:31,449 to actually show 579 00:19:31,450 --> 00:19:33,909 how it works in practice, because 580 00:19:33,910 --> 00:19:35,379 I don't think looking at the formula 581 00:19:35,380 --> 00:19:37,389 convinced anyone here very much. 582 00:19:37,390 --> 00:19:39,609 And basically 583 00:19:39,610 --> 00:19:41,709 we're going to look at 584 00:19:41,710 --> 00:19:43,869 sort of heat map, uh, 585 00:19:43,870 --> 00:19:45,549 you're going to see what the algorithm 586 00:19:45,550 --> 00:19:47,709 sees when it operates, when 587 00:19:47,710 --> 00:19:49,809 the algorithm iterates over, the space 588 00:19:49,810 --> 00:19:51,309 is reconstructed. 589 00:19:51,310 --> 00:19:52,809 It's going to look at different bytes and 590 00:19:52,810 --> 00:19:54,609 each byte is going to look like more 591 00:19:54,610 --> 00:19:57,369 evidence or less evidence for 592 00:19:57,370 --> 00:19:59,589 the, uh, hypothesis that we're looking 593 00:19:59,590 --> 00:20:01,749 at, the case of key reuse 594 00:20:01,750 --> 00:20:04,089 and the areas, 595 00:20:04,090 --> 00:20:06,189 the bytes that are that 596 00:20:06,190 --> 00:20:07,989 contribute more evidence are going to be 597 00:20:07,990 --> 00:20:09,849 in red and the bytes that contribute less 598 00:20:09,850 --> 00:20:11,739 evidence are going to be in blue. 599 00:20:11,740 --> 00:20:13,959 And the algorithm looks 600 00:20:13,960 --> 00:20:15,489 for diagonals that are basically 601 00:20:15,490 --> 00:20:17,649 streaks. There are lots and lots of, uh, 602 00:20:17,650 --> 00:20:20,139 evidence for our hypothesis. 603 00:20:20,140 --> 00:20:21,579 And we're going to appear in red. 604 00:20:21,580 --> 00:20:23,409 We're now going to look at the heat map 605 00:20:23,410 --> 00:20:25,239 of the evidence heat map of the Romney 606 00:20:25,240 --> 00:20:27,039 communication that I mentioned earlier. 607 00:20:29,710 --> 00:20:30,710 Well. 
608 00:20:32,280 --> 00:20:34,269 First of all, there's this, ignore this, 609 00:20:34,270 --> 00:20:36,569 this is the main diagonal. 610 00:20:36,570 --> 00:20:39,059 This is the diagonal where the 611 00:20:39,060 --> 00:20:40,469 input is itself. 612 00:20:40,470 --> 00:20:41,369 It's on nailbiter. 613 00:20:41,370 --> 00:20:43,349 So, of course, it looks suspicious to the 614 00:20:43,350 --> 00:20:45,779 algorithm. It doesn't look random at all. 615 00:20:45,780 --> 00:20:48,599 But if you look a bit further 616 00:20:48,600 --> 00:20:50,789 and you said here it is, 617 00:20:50,790 --> 00:20:53,759 this is the long diagonal, 618 00:20:53,760 --> 00:20:56,309 unique diagonal of where the algorithm 619 00:20:56,310 --> 00:20:58,049 is going to detect the key reuse because 620 00:20:58,050 --> 00:21:00,659 there is a streak of evidence here 621 00:21:00,660 --> 00:21:01,709 along this diagonal. 622 00:21:05,720 --> 00:21:07,819 You know, you can see this is 623 00:21:07,820 --> 00:21:10,429 actually elliptic for anyone, 624 00:21:10,430 --> 00:21:12,139 for some reason, fancy laser pointers, 625 00:21:12,140 --> 00:21:13,789 and this is 626 00:21:15,380 --> 00:21:17,779 this is the map for the second case, 627 00:21:17,780 --> 00:21:19,049 it's a bit more difficult. 628 00:21:19,050 --> 00:21:20,519 I don't know if anyone can see it here, 629 00:21:20,520 --> 00:21:22,999 but again, you have the main diagonal and 630 00:21:23,000 --> 00:21:25,429 it's trivial. But this is the heat map of 631 00:21:25,430 --> 00:21:27,499 two files encrypted by 632 00:21:27,500 --> 00:21:29,869 the decrypt malware 633 00:21:29,870 --> 00:21:31,939 that I talked about earlier. 634 00:21:31,940 --> 00:21:33,769 And the two files were 635 00:21:34,910 --> 00:21:37,309 the two files were encrypted using 636 00:21:37,310 --> 00:21:38,629 the same key stream. 637 00:21:38,630 --> 00:21:40,999 So we should be able to see 638 00:21:41,000 --> 00:21:42,169 the key reuse. 
639 00:21:42,170 --> 00:21:43,939 If we look at this, it's going to appear 640 00:21:43,940 --> 00:21:46,819 as a red diagonal somewhere here and 641 00:21:46,820 --> 00:21:48,980 it's here, right. 642 00:21:50,730 --> 00:21:52,489 They're going to be over the war in 643 00:21:52,490 --> 00:21:54,409 Angola, where every byte basically looks 644 00:21:54,410 --> 00:21:56,569 like looks suspicious, looks more or less 645 00:21:56,570 --> 00:21:58,699 like it came out, not out, 646 00:21:58,700 --> 00:22:00,739 not out of a random distribution, but out 647 00:22:00,740 --> 00:22:03,529 of a distribution of plaintext 648 00:22:03,530 --> 00:22:06,019 by its exorbitant exploits. 649 00:22:06,020 --> 00:22:06,619 Right. 650 00:22:06,620 --> 00:22:08,719 Uh, so I 651 00:22:08,720 --> 00:22:10,039 don't know if you noticed, but basically 652 00:22:10,040 --> 00:22:12,709 we have succeeded in our plan. 653 00:22:12,710 --> 00:22:14,869 We have managed to just take the 654 00:22:14,870 --> 00:22:17,509 input, not knowing anything about it 655 00:22:17,510 --> 00:22:19,039 beforehand and 656 00:22:20,180 --> 00:22:22,879 computed all sorts of, uh, 657 00:22:22,880 --> 00:22:25,099 properties regarding the XORs 658 00:22:25,100 --> 00:22:26,179 of different bytes. 659 00:22:26,180 --> 00:22:28,369 And the other thing is that just 660 00:22:28,370 --> 00:22:29,599 like you are able to look at this 661 00:22:29,600 --> 00:22:31,789 diagonal and automatically 662 00:22:31,790 --> 00:22:34,399 detect where the key reuse is, so 663 00:22:34,400 --> 00:22:35,400 can the algorithm, 664 00:22:37,610 --> 00:22:40,699 let's see if we have time for the 665 00:22:40,700 --> 00:22:41,700 demo. 666 00:22:48,890 --> 00:22:51,109 I see the other demo 667 00:22:51,110 --> 00:22:53,200 isn't working for some reason. 
668 00:23:00,070 --> 00:23:01,969 Well, never mind, the other demo wasn't 669 00:23:01,970 --> 00:23:04,099 as exciting as this one, because it 670 00:23:04,100 --> 00:23:06,739 basically it showed you a script running 671 00:23:06,740 --> 00:23:08,239 the script that generates this 672 00:23:09,500 --> 00:23:10,579 basically the. 673 00:23:13,470 --> 00:23:15,929 Romney's, uh, my that 674 00:23:15,930 --> 00:23:18,659 we saw earlier, since this communication 675 00:23:18,660 --> 00:23:20,189 in the script iterates over this and 676 00:23:20,190 --> 00:23:22,469 eventually the script ran across to 677 00:23:22,470 --> 00:23:24,509 actually see the script running across 678 00:23:24,510 --> 00:23:26,909 this, uh, diagonal 679 00:23:26,910 --> 00:23:29,009 and accumulating evidence and says, I see 680 00:23:29,010 --> 00:23:31,079 this amount of positive evidence, this 681 00:23:31,080 --> 00:23:32,849 amount of positive evidence, and it grows 682 00:23:32,850 --> 00:23:33,329 and grows. 683 00:23:33,330 --> 00:23:35,279 Eventually it terminates because it runs 684 00:23:35,280 --> 00:23:37,319 across the end of the input. 685 00:23:37,320 --> 00:23:39,469 And then it says, aha, I found it 686 00:23:39,470 --> 00:23:41,559 and I found the key reuse, and 687 00:23:41,560 --> 00:23:44,099 it outputs the two offsets. 688 00:23:44,100 --> 00:23:46,019 So actually, this is the more exciting 689 00:23:46,020 --> 00:23:47,020 thing. 690 00:23:47,700 --> 00:23:49,169 There's no need to look at the demo to 691 00:23:49,170 --> 00:23:51,710 understand what's going on here, uh, 692 00:23:53,030 --> 00:23:55,679 that we have succeeded, uh, 693 00:23:55,680 --> 00:23:57,989 in our plan, uh, by 694 00:23:59,850 --> 00:24:02,069 using that game plan that I outlined 695 00:24:02,070 --> 00:24:03,089 earlier. 696 00:24:03,090 --> 00:24:05,339 And I really hope that, 697 00:24:05,340 --> 00:24:07,439 uh, this thing will be useful. 
698 00:24:07,440 --> 00:24:08,969 I plan on, uh, uploading it. 699 00:24:08,970 --> 00:24:11,159 And at the moment 700 00:24:11,160 --> 00:24:12,539 that I can actually get the code to a 701 00:24:12,540 --> 00:24:14,399 state where I can actually give it to 702 00:24:14,400 --> 00:24:16,199 someone to look at and then later look 703 00:24:16,200 --> 00:24:17,099 them in the eye. 704 00:24:17,100 --> 00:24:19,769 This is going to be, uh, uploaded, 705 00:24:19,770 --> 00:24:21,569 uh, for the sake of anyone who wants to 706 00:24:21,570 --> 00:24:23,069 take a look at it. 707 00:24:23,070 --> 00:24:25,319 And, uh, this 708 00:24:25,320 --> 00:24:28,229 is basically I, uh, hope 709 00:24:28,230 --> 00:24:30,929 that you now understand better 710 00:24:30,930 --> 00:24:33,209 what key reuse is and how we 711 00:24:33,210 --> 00:24:36,299 detect it using this method. 712 00:24:36,300 --> 00:24:37,739 OK, and. 713 00:24:50,140 --> 00:24:52,099 Now, any questions at all? 714 00:24:52,100 --> 00:24:53,100 OK. 715 00:24:56,620 --> 00:24:58,279 The heat map, 716 00:24:59,810 --> 00:25:00,810 this one. 717 00:25:15,510 --> 00:25:17,999 Test, I was wondering 718 00:25:18,000 --> 00:25:19,829 about that totally not suspicious horizontal 719 00:25:19,830 --> 00:25:20,669 line at the. 720 00:25:20,670 --> 00:25:22,409 Yeah. The horizontal lines, they are 721 00:25:22,410 --> 00:25:24,539 probably the artifact 722 00:25:24,540 --> 00:25:26,099 basically. What's the horizontal line? 723 00:25:26,100 --> 00:25:28,529 This is a specific 724 00:25:28,530 --> 00:25:31,139 character from one of the 725 00:25:31,140 --> 00:25:33,419 from the plaintext episode with the 726 00:25:33,420 --> 00:25:36,029 rest of the deciphered text. 
727 00:25:36,030 --> 00:25:38,099 It's basically it doesn't 728 00:25:38,100 --> 00:25:39,209 have an application to what we were 729 00:25:39,210 --> 00:25:40,199 talking about earlier, because 730 00:25:40,200 --> 00:25:41,549 specifically, when you XOR two 731 00:25:41,550 --> 00:25:43,259 ciphertexts, it's going to appear along 732 00:25:43,260 --> 00:25:44,249 the diagonal. 733 00:25:44,250 --> 00:25:46,499 Um, probably 734 00:25:46,500 --> 00:25:48,929 it's one specific part of the ciphertext 735 00:25:48,930 --> 00:25:51,089 when XORed with itself produced, some 736 00:25:51,090 --> 00:25:52,509 sort of anomaly. 737 00:25:52,510 --> 00:25:54,719 Uh, thankfully, it doesn't appear along 738 00:25:54,720 --> 00:25:56,099 the diagonal. So we're not going to 739 00:25:56,100 --> 00:25:58,289 suffer any false positives because of it. 740 00:25:58,290 --> 00:25:59,290 OK, thanks. 741 00:26:03,270 --> 00:26:05,459 OK, and once 742 00:26:05,460 --> 00:26:07,709 the segments 743 00:26:07,710 --> 00:26:10,229 where the same stream 744 00:26:10,230 --> 00:26:12,479 stream says the safest reading, the key 745 00:26:12,480 --> 00:26:14,639 stream is used, reused, 746 00:26:14,640 --> 00:26:17,039 once you identify the segments, 747 00:26:17,040 --> 00:26:19,319 which amount of manual 748 00:26:19,320 --> 00:26:21,449 decryption, you need to recall that the 749 00:26:21,450 --> 00:26:23,759 plaintext, uh, 750 00:26:23,760 --> 00:26:26,579 actually, uh, I so, uh, 751 00:26:26,580 --> 00:26:29,039 and so published exactly on this, 752 00:26:29,040 --> 00:26:32,309 there's automatic methods for extracting 753 00:26:32,310 --> 00:26:34,199 the plain text in this case where you 754 00:26:34,200 --> 00:26:36,179 already have two ciphertexts that you know 755 00:26:36,180 --> 00:26:37,859 are vulnerable to the attack. 756 00:26:37,860 --> 00:26:40,109 It doesn't work 100 percent of the cases. 
757 00:26:40,110 --> 00:26:42,209 But I saw this applied to the 758 00:26:42,210 --> 00:26:44,549 actual case of Word 2003 encryption, 759 00:26:44,550 --> 00:26:46,699 and it works pretty nicely 760 00:26:46,700 --> 00:26:49,049 if you don't have to use a manual 761 00:26:49,050 --> 00:26:51,419 work in order to decrypt. There's 762 00:26:51,420 --> 00:26:53,690 automatic, uh, methods for doing that. 763 00:26:57,280 --> 00:26:58,079 Yes. 764 00:26:58,080 --> 00:27:00,519 Uh, so you need to know 765 00:27:00,520 --> 00:27:02,589 the distribution 766 00:27:02,590 --> 00:27:03,639 of the plaintext. 767 00:27:03,640 --> 00:27:04,579 Yes, yes. 768 00:27:04,580 --> 00:27:05,739 Yes, that's right. You need to. 769 00:27:05,740 --> 00:27:07,869 And actually these estimates were 770 00:27:07,870 --> 00:27:10,029 generated with, uh, I guess 771 00:27:10,030 --> 00:27:11,889 we came in with the guess of what 772 00:27:11,890 --> 00:27:14,649 plaintext more or less looks like. 773 00:27:14,650 --> 00:27:17,409 Uh, you're going to have some uppercase 774 00:27:17,410 --> 00:27:19,029 letters and lowercase letters and 775 00:27:19,030 --> 00:27:20,259 characters and such. 776 00:27:20,260 --> 00:27:22,419 And hopefully this 777 00:27:22,420 --> 00:27:24,549 guess is going to be close enough to any 778 00:27:24,550 --> 00:27:25,809 case of actual plaintext. 779 00:27:25,810 --> 00:27:27,549 That is the alarm is going to raise 780 00:27:27,550 --> 00:27:29,109 regardless of the actual precise 781 00:27:29,110 --> 00:27:30,549 distribution. 782 00:27:30,550 --> 00:27:32,439 There's one question for accuracy. 783 00:27:32,440 --> 00:27:33,879 Yes, thanks. 784 00:27:33,880 --> 00:27:35,709 The question from the Internet, are the 785 00:27:35,710 --> 00:27:37,059 docs somewhere available? 786 00:27:37,060 --> 00:27:38,060 You refer to 787 00:27:39,640 --> 00:27:41,829 the documents available somehow? 788 00:27:41,830 --> 00:27:43,609 Uh, the documents? 
789 00:27:43,610 --> 00:27:44,829 Uh, no, they're not. 790 00:27:44,830 --> 00:27:46,629 But, uh, as I said, I'm planning to, uh, 791 00:27:46,630 --> 00:27:48,369 work this out and, uh, upload this and, 792 00:27:48,370 --> 00:27:50,559 uh, I will put out the notices, uh, 793 00:27:50,560 --> 00:27:52,420 the moment that this will be available 794 00:27:53,830 --> 00:27:56,079 to Travnik. 795 00:27:56,080 --> 00:27:58,119 Um, thanks for showing this for your 796 00:27:58,120 --> 00:28:00,729 ability to stream service, um, 797 00:28:00,730 --> 00:28:01,839 in general today. 798 00:28:01,840 --> 00:28:04,029 I think for anyone 799 00:28:04,030 --> 00:28:06,219 the recommendation is not to use 800 00:28:06,220 --> 00:28:08,289 stream ciphers at all. 801 00:28:08,290 --> 00:28:10,569 So I think if anyone, including 802 00:28:10,570 --> 00:28:12,729 malware designers, want 803 00:28:12,730 --> 00:28:14,979 to design their own crypto system, 804 00:28:14,980 --> 00:28:17,409 which is obviously a stupid idea, 805 00:28:17,410 --> 00:28:19,629 then they should better be used to 806 00:28:19,630 --> 00:28:21,789 be using these 807 00:28:21,790 --> 00:28:24,069 deciphers authenticating 808 00:28:24,070 --> 00:28:26,199 encryption ciphers. 809 00:28:26,200 --> 00:28:28,269 Yeah, this is true then, because 810 00:28:28,270 --> 00:28:30,459 not only because what 811 00:28:30,460 --> 00:28:32,739 you didn't mention was 812 00:28:32,740 --> 00:28:34,899 just encrypting the data 813 00:28:34,900 --> 00:28:36,549 in the way you did alone is not 814 00:28:36,550 --> 00:28:37,579 sufficient. You also need 815 00:28:38,620 --> 00:28:40,959 to keep messages along with it 816 00:28:40,960 --> 00:28:43,089 and which to which these new ciphers 817 00:28:43,090 --> 00:28:44,469 would actually bring in. 
And that's the 818 00:28:44,470 --> 00:28:46,549 reason why in the new version of our 819 00:28:46,550 --> 00:28:48,129 transportation security that's being 820 00:28:48,130 --> 00:28:50,469 worked on, you don't find any of these 821 00:28:50,470 --> 00:28:52,389 ciphers anymore because they're insecure. 822 00:28:52,390 --> 00:28:53,469 Yeah, this is true. 823 00:28:53,470 --> 00:28:55,719 Actually, the malware 824 00:28:55,720 --> 00:28:57,849 malware is often used to suffer because 825 00:28:57,850 --> 00:28:59,109 they're easy to implement. 826 00:28:59,110 --> 00:29:00,519 Our software, for example, is very 827 00:29:00,520 --> 00:29:02,799 popular because it's easy to implement. 828 00:29:02,800 --> 00:29:04,569 And this is why you see it. 829 00:29:04,570 --> 00:29:06,819 As you can understand, achieving 830 00:29:06,820 --> 00:29:08,949 actual security, good security is 831 00:29:08,950 --> 00:29:10,959 not the first thing on their minds. 832 00:29:10,960 --> 00:29:12,459 I don't know what Microsoft is thinking 833 00:29:12,460 --> 00:29:14,799 to themselves, but the malware for 834 00:29:14,800 --> 00:29:16,329 doing this, basically, they said to 835 00:29:16,330 --> 00:29:17,409 themselves, OK, I'm going to use 836 00:29:17,410 --> 00:29:19,509 encryption. But apparently he 837 00:29:19,510 --> 00:29:21,190 didn't go much further than that. 838 00:29:22,540 --> 00:29:23,769 Yeah. To three. 839 00:29:24,970 --> 00:29:27,909 So just a quick question about here. 840 00:29:27,910 --> 00:29:29,469 Just a quick question about the 841 00:29:29,470 --> 00:29:30,939 visualization part. 842 00:29:30,940 --> 00:29:33,489 So are you doing like 843 00:29:33,490 --> 00:29:34,989 just a bit for bit? 844 00:29:34,990 --> 00:29:36,789 Because this is like two colors, right? 845 00:29:36,790 --> 00:29:39,039 Or is more colors? 
846 00:29:39,040 --> 00:29:41,259 Are you the color you basically I looked 847 00:29:41,260 --> 00:29:43,659 at random distribution 848 00:29:43,660 --> 00:29:45,759 of RGB values from red to 849 00:29:45,760 --> 00:29:48,129 blue and I computed it standard deviation 850 00:29:48,130 --> 00:29:49,509 and its mean, which is of course, in the 851 00:29:49,510 --> 00:29:51,609 middle. And then basically I 852 00:29:51,610 --> 00:29:53,889 looked at the distribution of evidence 853 00:29:53,890 --> 00:29:56,169 along this, the values 854 00:29:56,170 --> 00:29:57,489 of evidence of appear here. 855 00:29:57,490 --> 00:29:59,709 And I use the matching function from 856 00:29:59,710 --> 00:30:01,809 the first mean 857 00:30:01,810 --> 00:30:03,909 from the evidence to the mean of the 858 00:30:03,910 --> 00:30:06,189 columns. And I 859 00:30:06,190 --> 00:30:08,319 computed the calibrated 860 00:30:08,320 --> 00:30:09,399 grades right. 861 00:30:09,400 --> 00:30:11,469 Uh, of 862 00:30:11,470 --> 00:30:13,989 the value of the evidence values 863 00:30:13,990 --> 00:30:15,939 relative to the mean of the evidence 864 00:30:15,940 --> 00:30:18,579 and divided by the standard deviation. 865 00:30:18,580 --> 00:30:20,619 Uh, to come up with this is quite four 866 00:30:20,620 --> 00:30:21,609 bytes. Four bytes. 867 00:30:21,610 --> 00:30:23,469 Yes. I say about four bytes. 868 00:30:23,470 --> 00:30:24,470 Right. 869 00:30:28,120 --> 00:30:30,479 You said that this is stream ciphers 870 00:30:30,480 --> 00:30:32,709 of like I'll see for Windber 871 00:30:32,710 --> 00:30:34,779 to this problem, but 872 00:30:34,780 --> 00:30:38,109 what about when you 873 00:30:38,110 --> 00:30:40,449 use your eyes and see 874 00:30:40,450 --> 00:30:42,519 mode or mode or something 875 00:30:42,520 --> 00:30:44,859 like this? What's so 876 00:30:44,860 --> 00:30:46,869 vulnerable to this problem? 
877 00:30:46,870 --> 00:30:49,089 I think when you did, I just explain 878 00:30:49,090 --> 00:30:51,219 the class of ciphers vulnerable to 879 00:30:51,220 --> 00:30:54,069 this problem is every cipher 880 00:30:54,070 --> 00:30:56,229 where you come up with 881 00:30:56,230 --> 00:30:58,119 a key stream of some sort. 882 00:30:58,120 --> 00:30:59,859 Basically, there's a random key and you 883 00:30:59,860 --> 00:31:02,269 get the ciphertext by XORing 884 00:31:02,270 --> 00:31:04,299 the plaintext. 885 00:31:04,300 --> 00:31:06,159 If this goes through any other kind of 886 00:31:06,160 --> 00:31:08,829 cipher, as I said earlier, block cipher 887 00:31:08,830 --> 00:31:10,479 or anything like that is not vulnerable 888 00:31:10,480 --> 00:31:11,480 to this kind of attack. 889 00:31:12,590 --> 00:31:15,069 But what happens when you use 890 00:31:15,070 --> 00:31:18,139 the counter mode and you use the nonce, 891 00:31:18,140 --> 00:31:20,299 the I don't I don't understand, can 892 00:31:20,300 --> 00:31:22,609 you please repeat the question when 893 00:31:22,610 --> 00:31:24,769 you say counter mode and we use 894 00:31:24,770 --> 00:31:26,029 the nonce from 895 00:31:27,410 --> 00:31:29,779 I think that's what this reside 896 00:31:29,780 --> 00:31:31,130 in, the same problem. 897 00:31:32,540 --> 00:31:34,879 I think when 898 00:31:34,880 --> 00:31:37,249 you, uh, when you use 899 00:31:37,250 --> 00:31:37,879 a yes. 900 00:31:37,880 --> 00:31:38,659 And the count. 901 00:31:38,660 --> 00:31:40,369 Yes. No, no, no. 902 00:31:40,370 --> 00:31:42,679 Not because you mean because there's 903 00:31:42,680 --> 00:31:44,659 XORing somewhere within the operation of 904 00:31:44,660 --> 00:31:45,679 the cipher. 905 00:31:45,680 --> 00:31:47,899 No, this is really, really a specific 906 00:31:47,900 --> 00:31:49,759 artifact of the fact that you do a linear 907 00:31:49,760 --> 00:31:51,649 operation. 
The ciphertext is a linear 908 00:31:51,650 --> 00:31:54,139 function of the plaintext 909 00:31:54,140 --> 00:31:56,239 and the random key, the 910 00:31:56,240 --> 00:31:58,339 moment that your encryption 911 00:31:58,340 --> 00:32:00,529 operation involves XOR operation, 912 00:32:00,530 --> 00:32:02,059 but it isn't wholly linear. 913 00:32:02,060 --> 00:32:03,949 There are stages of it that make sure 914 00:32:03,950 --> 00:32:05,659 that it is not linear and the result is 915 00:32:05,660 --> 00:32:07,039 not vulnerable to this kind of attack 916 00:32:07,040 --> 00:32:07,699 anymore. 917 00:32:07,700 --> 00:32:08,700 OK, thanks. 918 00:32:10,280 --> 00:32:12,409 Well, uh, I guess we're done. 919 00:32:12,410 --> 00:32:13,639 So thank you, Ben, again.