GCHQ _Can you crack it?

blindcyclistsunion blindcyclistsunion at gmail.com
Thu Dec 15 17:04:38 GMT 2011 

On 12 Dec 2011, at 06:34, James Firth wrote:

> The competition, reportedly a recruitment drive, at canyoucrackit.co.uk was
> meant to close at midnight last night.
> 
> Did anyone try solve it?  Turns out not crypto knowledge required - but a
> lot of computer science/software engineering is involved:

<delurk, with apols for O/T>

Tried, and indeed succeeded. And what fun it was! However, as I come
to write bits of it up, I'm looking at a bit of the disassembly listing
from the first stage, which for the most part looks exactly like an RC4
stream cipher implementation, but for just one thing :

80480c3: inc    al				;; i = ( i+1 )     
80480c5: add    bl,BYTE PTR [esi+eax*1]  	;; j = ( j + S[i] )
80480c8: mov    dl,BYTE PTR [esi+eax*1]  	;; 
80480cb: mov    dh,BYTE PTR [esi+ebx*1]  	;; swap S[i] and S[j]
80480ce: mov    BYTE PTR [esi+eax*1],dh	        ;;
80480d1: mov    BYTE PTR [esi+ebx*1],dl  	;;
80480d4: add    dl,dh				;; t = (S[i]+S[j])
80480d6: xor    dh,dh
80480d8: mov    bl,BYTE PTR [esi+edx*1]  	;; Should be : K = S[t]
						;; Actually  : j = S[t]
						;; Since S[t] is stored
						;; in bl which is used
						;; as j above.
80480db: mov    dl,BYTE PTR [edi]		
80480dd: xor    dl,bl    	            	;; xor to get plain
80480df: mov    BYTE PTR [edi],dl		;; write plain text byte
80480e1: inc    edi
80480e2: dec    ecx
80480e3: jne    80480c3 <main+0x6b>

( also at https://gist.github.com/1481580)

Key scheduling is per the description given in Applied Cryptography, but in the
actual stream part, j seems to be set equal to K at the end of each iteration.

Most likely, this program was hand coded in assembler, so it may well be a mistake.

Unfortunately, my 'mad crypto skillz' don't quite yet stretch to working out what, 
if any, deleterious effect this will have on the resulting stream, other than to 
render it different to reference implementations of RC4.  Certainly once we have
run through a single iteration, we then know what j is at the top of the algo,
but past they I am, as yet, a bit stumped.

Certainly appreciate any comments from crypto boffins, even (perhaps especially)
if it's just : "it's just broken, now stop playing with it and do something useful".

BTW, on the off chance that this does introduce a weakness, I'd appreciate it if no
one  tells me what it actually is, rather spoils the fun :-)

@blindcyclists

More information about the ukcrypto mailing list