Blog

While interviewing for Canonical, I got to spend a bit of time with a very talented programmer name Seth Arnold.  As with (seemingly) everyone on the Canonical team, he was next-level-talented.  When I got the chance to ask questions, I asked him if he could give me a starting point to get from where I am to where he is.  His suggestion was

Advanced Programming in the Unix Environment.

So, I bought the book and found a free course hosted by Stevens Institute of Technology.  I will slowly work through the course and keep notes here.  For anyone who wants to follow along, Let’s get started!

Once you get yourself setup with NetBSD as instructed on the course page, you can attempt the first exercise.

#include <stdio.h>

int
main(int argc, char **argv) {
    printf("Welcome to CS631 Advanced Programming in the UNIX Environment, %s!\n", getlogin())
}

Our task is to find and debug the errors.

So, let’s compile our code

$ cc welcome.c -o welcome

Doing so will induce an error in our terminal stating:

welcome1.c:22:1: error: expected ';' before '}' token                                                    
 }                                                                                                       
 ^

Oh No! What happened?

Continue reading “Advanced Programming in the Unix Environment”

Whether it is mechanical, electrical, software, security, or otherwise, engineering is engineering is engineering.  It’s all just problem solving under various different constraints.  As an engineer, it is my job to know the best tools and techniques to overcome those different constraints.  Sometimes, it means making my own tools rather than using off the shelf solutions.  But at the end of the day, there is nothing inherently special about cybersecurity engineering than there is any other type of engineering out there.

For the last year or so, I’ve been working as a physical security engineer.  And, believe it or not, it was actually my educational background in cybersecurity that qualified me for the job.  Why?  Because security engineering for the physical world and security engineering in cyber space extremely similar.

In this post, I’ll enumerate many of those similarities

Continue reading “How physical security and cyber security are basically the same”

As part of the ongoing RSA series, I will be walking you through the basics of ANS.1 objects and their role in RSA. 

You will be using this online RSA key generator to generate keys so that you can follow along.

Upon visiting the online tool, you  should be greeted with the ability to choose a key length and generate an RSA key pair.  The output of such action will populate the public and private key boxes underneath.  This output should be recognizable as base64 encoded data.  If you followed along with my base64 article, you should have a tool that allows you to decode this data.  Otherwise, you will need to use an online tool like this.

Here’s an example:

Public Key: 
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJgTm6UbtISP6oy4P4sU/PfSI6+E9VJn
LXIGCZlDDhgYHMOlUAp/PEpbjyLxq2/dSUaqXle70/edfh9i2XnE/vMCAwEAAQ==

Private Key:
MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAmBObpRu0hI/qjLg/i
xT899Ijr4T1UmctcgYJmUMOGBgcw6VQCn88SluPIvGrb91JRqpeV7vT951+H2LZec
T+8wIDAQABAkBLhHEl7DwYF99BQb1MM3/rEE7oOf4YjWPj21uo38N/8rSJtkcG+1J
Yhq+u/KAtTxtf/HQDmFGheOAuNSQ5fisBAiEA2GTNlFiZfhbRBAdUrlUd1LpWmMhH
B6anfsGEElatRmUCIQCz6TQ8GBPcQG8Kj07WAnZjT/qBV/sMzjw28PWKGwTOdwIhA
NYCg6rWIR+pkxfH5EDx3ynXC/PYBx+S+44J9wNoA8BdAiBE5gg1A1uHu71Ko/sjBi
pkehqLMjBYhRqWR80gqJw8nQIgLL3uyV+nSiGgiozH7OYj427w7gG9ea2vJFRkgbV
QhaA=

Running each of these through a base64 decoder yields:

Public Key:
305c300d06092a864886f70d0101010500034b0030480241009
8139ba51bb4848fea8cb83f8b14fcf7d223af84f552672d7206
0999430e18181cc3a5500a7f3c4a5b8f22f1ab6fdd4946aa5e5
7bbd3f79d7e1f62d979c4fef30203010001

Private Key:
30820154020100300d06092a864886f70d01010105000482013e
3082013a02010002410098139ba51bb4848fea8cb83f8b14fcf7
d223af84f552672d72060999430e18181cc3a5500a7f3c4a5b8f
22f1ab6fdd4946aa5e57bbd3f79d7e1f62d979c4fef302030100
0102404b847125ec3c1817df4141bd4c337feb104ee839fe188d
63e3db5ba8dfc37ff2b489b64706fb525886afaefca02d4f1b5f
fc74039851a178e02e3524397e2b01022100d864cd9458997e16
d1040754ae551dd4ba5698c84707a6a77ec1841256ad46650221
00b3e9343c1813dc406f0a8f4ed60276634ffa8157fb0cce3c36
f0f58a1b04ce77022100d60283aad6211fa99317c7e440f1df29
d70bf3d8071f92fb8e09f7036803c05d022044e60835035b87bb
bd4aa3fb23062a647a1a8b323058851a9647cd20a89c3c9d0220
2cbdeec95fa74a21a08a8cc7ece623e36ef0ee01bd79adaf2454
6481b55085a0

If you are wondering what it is that you are looking at, this article is for you. Continue reading “ANS.1 Object parsing”

Real quick step away from the RSA series.  I just put in an application for Ubuntu and I want to make sure I have at least one something here about reversing in case they check out my site. ::prayer hands::

I like to use crackmes.one to get publicly available crack-mes.  This particular file can be found there and is called timotei crackme#1.  The solution you can find on the site is actually this solution.  It appears that I am, to date, the only one who has submitted an acceptable solution.

I expect this is because it uses a custom rolled hash function that clobbers information we need to actually reverse the algorithm used. Which leaves us with brute force or OSINT to obtain the answer.

On the other hand, there is a pin that needs to be obtained as well. And, despite it’s use of modulo division, there are several ways to crack it to obtain a valid pin

Python already includes a base64 library as part of the standard library.  So why write our own?

I can offer two reasons.  Writing your own will solidify your understanding of the base64 algorithm.  Also, if you write your own, you can add in extra functionality that might not exist in the standard library version.

Believe it or not, this post is actually part of the RSA series.  As per the requirements found in RFC 1421, PEM encoded keys need to be base64 encoded.  More accurately, their ANS.1 DER encoded objects need to be base64 encoded.  I’ll make a post about ANS.1 DER encoding at some point in the future.

For now, let’s look at base64 encoding.  It’s a pretty simple system and offers the ability to turn any data into printable data.  This is to say that, no matter what input you use, the encoded output will consist solely of the following 65 printable characters:

'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/',
'='

Some of you may be wondering why it is called base64 instead of base65 seeing as how there are a total of 65 possible characters.  This is because the ‘=’ character is actually just a padding character and will only ever show up at the end of a base64 string.  The code should help you understand how the padding is determined.

Continue reading “Base64 in python”

I was recently tasked with implementing RSA encryption through python. 

While I could have used an encryption library that was already written (and tested and verified to be secure..), the assignment was for the fun of it and not protecting any real world communication so I thought it would be fun to roll my own RSA encryption scheme and see how it shakes out.

If you, like me, feel as though the best way to understand something is to code it, then this post is for you.

Assumptions I make about you as the reader:

  • You already know and understand the basics of asymmetric encryption
  • You are familiar with object oriented programming
  • You can read and follow python code

If the first point doesn’t apply, you should check out this article and then come back and check out my coding solution.

Let’s Begin

Continue reading “Implementing RSA in pure python: Part 1”