First, while permuting the key with ciphertext would make the final text more diffused, because the Vigenere Cipher is not much more than basic modulo arithmetic, the diffusion added from the ciphertext can easily reversed by subtracting previous ciphertext from subsequent ciphertext. IE, if we know the ciphertext[16] was encrypted with key[0] + ciphertext[0], and we know ciphertext[0], we can simply subtract ciphertext[0] from ciphertext[16]. This will remove any diffusion gained from using ciphertext. Using ciphertext to add diffusion was foolish and naive ;).

The alternative is to use plaintext, as is done in the Autokey Cipher. However, plaintext is not random, and this will result in less-than-adequate diffusion in our ciphertext (albeit not subtraction-reversible diffusion). We want to stay away from using plaintext to continue to permute our key.

Because the IV is known, and is simply added to the key before encryption, it too is not very useful (for the same reasons that adding ciphertext was not useful). The fact of the matter is, besides a few extra steps and a little extra math, my previous cipher was not much more secure than the Vigenere Cipher. I smell a crypto challenge for haxathon.

We want to continue to permute the key (think LSFR) as we encode to lengthen our keystream, but we want to do it in a way that gives us the following properties:

• Without knowledge of the key, the permutation is not reversible (the ciphertext problem)
• Provides good diffusion of the ciphertext (the plaintext problem)

I propose the following solution:

An initialization value will be randomly generated with a length less than that of the key so that the IV and the key do not share a multiple which is less than or equal to the maximum allowed length of our ciphertext (ideally they should be coprime). If we have a key length of 16, the next largest number coprime to 16 is 15, so we will generate an IV of length 15 (I believe N and N-1 should always be coprime). Our message will begin with the IV encrypted with our key. Our IV has now become a secret between the two key holders. (We want our IV to be smaller than the key so that the key can completely cover the IV while encrypting it).

As we cipher our plaintext, we will use the characters from our key and our IV to generate the characters of the keystream. Given a key of “abc” and an IV of “de”, our resulting keystream would be:

s[0] = a + d
s[1] = b + e
s[2] = c + d
s[3] = a + e
s[4] = b + d
s[5] = c + 3

Because 2 and 3 do not share a multiple until 6, we can generate a non-repeating keystream of 6 characters with this key and IV.

This new method solves our previous problems and allows us to *securely* (you did read my warning on amateur crypto in the previous post, right?) transmit messages so long as the IV cannot be guessed. I have expanded the alphabet to 68 characters, and with an IV length of 15 there are a total of 68^15 IVs, or ~10^13.8 messages before we can expect an IV to be repeated. With a key length of 16 and an IV length of 15, we can encrypt 15*16 = 240 characters without repeating our keystream. This is sufficient for 140 character text messages. Technically, we could encrypt ~10^16 characters, or ~2^53 characters (14 petabytes if the text only uses our alphabet and we use 8 bits per character) before we would expect to see a repeated IV.

I have new ciph.py and ciphsms.py files to reflect these changes, and they are provided below:

ciph.py

alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "\'.,;'

def gen_key (stream) :
	stream = str(stream)
	key = ''
	i = 0
	for s in stream :
		key += alphabet[(ord(s) + i) % len(alphabet)]
		i += 1
	return key

def cipher (key, plaintext, iv=alphabet[0]) :
	ciphtext = ''
	i = 0
	for p in plaintext :
		if p not in alphabet :
			continue
		p = alphabet.index(p)
		k = (alphabet.index(key[i % len(key)]) + alphabet.index(iv[i % len(iv)])) % len(alphabet)
		i += 1
		ciphtext += alphabet[(k + p) % len(alphabet)]
	return ciphtext

def decipher (key, ciphtext, iv=alphabet[0]) :
	plaintext = ''
	i = 0
	for c in ciphtext :
		c = alphabet.index(c)
		k = (alphabet.index(key[i % len(key)]) + alphabet.index(iv[i % len(iv)])) % len(alphabet)
		i += 1
		if c - k < 0 :
			plaintext += alphabet[len(alphabet) + c - k]
		else :
			plaintext += alphabet1
	return plaintext

def make_iv () :
	fh = open('/dev/urandom', 'r')
	random = fh.read(15)
	fh.close()
	iv = ''
	for r in random :
		iv += alphabet[ord(r) % len(alphabet)]
	return iv

ciphsms.py

import android
import ciph

droid = android.Android()
text = droid.getClipboard().result
key = droid.scanBarcode()[1]

droid.dialogCreateAlert("send/receive")
droid.dialogSetItems(['send', 'receive'])
droid.dialogShow()
response = droid.dialogGetResponse()

if response.result['item'] == 1 :
	pieces = text.split(':')
	ciphiv = pieces[1]
	msg = pieces[2]
	mode = "decipher"
else :
	msg = droid.dialogGetInput("message", "message to send")[1]
	iv = ciph.make_iv()
	mode = "cipher"

key = ciph.gen_key(key)

if mode == "cipher" :
	ciphiv = ciph.cipher(key, iv)
	ciphmsg = ciph.cipher(key, msg, iv)
	smsmsg = "vcs0:" + ciphiv + ":" + ciphmsg + ':'
	print smsmsg
	droid.setClipboard(smsmsg)
else :
	iv = ciph.decipher(key, ciphiv)
	plaintext = ciph.decipher(key, msg, iv)
	droid.dialogCreateAlert("plaintext", plaintext)
	droid.dialogShow()

And why blowfish? Why not go for something a bit more retro… a bit more 19th century. How about the Vignere Cipher with a few modifications to prevent us from being too-easy pwnsauce.

The Vignere Cipher is not a modern cipher. It is fallible. With enough cipher text, texts ciphered with the Vignere Cipher are subject to even the simple character frequency analysis. Repeating the use of our key, as done in the plain Vignere Cipher, also opens us to other attacks (read the Wikipedia page). To help combat these issues, we begin combining ciphertext with the key (once the key is exhausted) to generate additional characters for our keystream.

This also means with enough SMS messages, the first 16 characters (all keys are 16 characters long) will begin showing signs of weakness. We use an Initilization Vector to help us vary the key used to encrypt each individual message. Our IV is 16 random (/dev/urandom) characters from our 42 character alphabet, giving us ~2^86 different possible IVs (much better than, say, 2^24) and an average of ~10^13 different messages before we will reuse an IV.

Just to be clear, encryption algorithms such as twofish, blowfish and rijndael have gone under extensive review by people who live cryptology. This is just an exercise in amateur cryptology. There are zero guarantees of security, only my personal guarantee of awesomeness.

To use this script, you need Scripting Layer For Android with python installed. You can then scan the two following QR Codes with SL4A to get the code:

Now launch ciphsms.py and scan your key. You will be prompted to enter a message, and the resulting ciphered message, with a short header and IV, will be copied to the clipboard. You can then paste this where ever you wish (IE an SMS message) and send it. When you receive a message, copy it to the clipboard, run ciphsms.py and scan your key. It will detect the message on the clipboard, decipher it for you and display it.

The sourcecode is also available below for those who have not yet enriched their lives by purchasing a Droid. Yes, you can change the alphabet as you wish (perhaps uppercase characters are in order?), but everyone will need to have the same ciph.py.

ciph.py

alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789 "\'.,:'

def gen_key (stream) :
	stream = str(stream)
	key = ''
	i = 0
	for s in stream :
		key += alphabet[(ord(s) + i) % len(alphabet)]
		i += 1
	return key

def cipher (key, plaintext) :
	ciphtext = ''
	for p in plaintext :
		if p not in alphabet :
			continue
		p = alphabet.index(p)
		ki = len(ciphtext)
		if ki >= len(key) :
			k = (alphabet.index(ciphtext[ki - len(key)]) + alphabet.index(key[ki % len(key)])) % len(alphabet)
		else :
			k = alphabet.index(key[ki])
		ciphtext += alphabet[(k + p) % len(alphabet)]
	return ciphtext

def decipher (key, ciphtext) :
	plaintext = ''
	for c in ciphtext :
		c = alphabet.index(c)
		ki = len(plaintext)
		if ki >= len(key) :
			k = (alphabet.index(ciphtext[ki - len(key)]) + alphabet.index(key[ki % len(key)])) % len(alphabet)
		else :
			k = alphabet.index(key[ki])
		if c - k < 0 :
			plaintext += alphabet[len(alphabet) + c - k]
		else :
			plaintext += alphabet1
	return plaintext

def prepare_key (key, iv) :
	return cipher (key, iv)

def make_iv () :
	fh = open('/dev/urandom', 'r')
	random = fh.read(16)
	fh.close()
	iv = ''
	for r in random :
		iv += alphabet[ord(r) % len(alphabet)]
	return iv

ciphsms.py

import android
import ciph
droid = android.Android()
text = droid.getClipboard().result
key = droid.scanBarcode()[1]
if text[:4] == 'vcs0' :
	pieces = text.split(':')
	iv = pieces[1]
	msg = pieces[2]
	mode = "decipher"
else :
	msg = droid.dialogGetInput("message", "message to send")[1]
	iv = ciph.make_iv()
	mode = "cipher"
key = ciph.gen_key(key)
key = ciph.prepare_key(key, iv)
if mode == "cipher" :
	ciphmsg = ciph.cipher(key, msg)
	smsmsg = "vcs0:" + iv + ":" + ciphmsg + ':'
	print smsmsg
	droid.setClipboard(smsmsg)
else :
	plaintext = ciph.decipher(key, msg)
	droid.dialogCreateAlert("plaintext", plaintext)
	droid.dialogShow()

The Android OS is built on top of linux. You are given a user account with restricted permissions. Rooting the phone involves a local privs escalation vulnerability to change permissions on /system/bin (Android’s /usr/bin convention), and copying over a su binary for the user to assume root.

After rooting the android, I played around for a bit. It’s an ARM based CPU (duh), and I’m running kernel 2.6.32. Android doesn’t come with a polished set of OS utilities, but a copy of busybox will do the trick. You can use a terminal application for Android, or grab the Android SDK and connect to your droid over usb with “adb shell”. Now that I had control over my droid, I was feeling a bit better. It was time to see how easily I could program this thing.

That’s when I came across SL4A, or Scripting Layer For Android. You can find the project here. The great people at SL4A have python, jruby (no metasploit for jruby yet :(), lua, perl, and a few other languages all running on the Android OS. However, here’s what’s really cool. They have taken a large portion of the Android API and created a high-level, scriptable interface to it. The folks over at SL4A are now my favorite people in the world.

I took a look over the API and decided, “Ok, I should be able to figure out a wireless scanner in about an hour.” An hour later and wa-la:

import android
import sys
import time
import os
droid = android.Android()
droid.startLocating()

while not droid.readLocation()[1].has_key('gps') :
	print "waiting on gps"
	time.sleep(1)

access_points = {}
try :
    while True :
        if not droid.wifiStartScan()[1] :
            time.sleep(1)
            continue
        location = droid.readLocation()[1]
        scan = droid.wifiGetScanResults()[1]
        for ap in scan :
            if not access_points.has_key(ap['bssid']) :
                print int(time.time()), 'new ap', ap['bssid'], ap['ssid']
                access_points[ap['bssid']] = {}
                access_points[ap['bssid']]['ssid'] = ap['ssid']
                access_points[ap['bssid']]['level'] = ap['level']
                access_points[ap['bssid']]['capabilities'] = ap['capabilities']
                access_points[ap['bssid']]['longitude'] = location['gps']['longitude']
                access_points[ap['bssid']]['latitude'] = location['gps']['latitude']
                access_points[ap['bssid']]['time'] = int(time.time())
            elif ap['level'] > access_points[ap['bssid']]['level'] :
                print int(time.time()), 'location update', ap['level'], ap['ssid'], ap['bssid']
                access_points[ap['bssid']]['level'] = ap['level']
                access_points[ap['bssid']]['latitude'] = location['gps']['latitude']
                access_points[ap['bssid']]['longitude'] = location['gps']['longitude']
                access_points[ap['bssid']]['time'] = int(time.time())
        time.sleep(1)
except KeyboardInterrupt :
    fh = open('/sdcard/scan-'+str(int(time.time()))+'.txt', 'w')
    for ap in access_points :
        fh.write(ap + '|' + access_points[ap]['ssid'] + '|')
        fh.write(str(access_points[ap]['level']) + '|')
        fh.write(access_points[ap]['capabilities'] + '|')
        fh.write(str(access_points[ap]['longitude']) + '|')
        fh.write(str(access_points[ap]['latitude']) + '|')
        fh.write(str(access_points[ap]['time']) + '\n')
    fh.close()

A bit messy in parts, but very functional. I drove around for a bit and this was the output:

00:23:69:5f:4d:a0|Nehlsen|-99|[WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP][WPS]|-79.8384736167|36.0860829667|1293937798
00:1f:c4:7a:ec:80|Luxury Nails & Spa|-65|[WEP]|-79.8368718|36.0874654|1293937876
00:23:69:f6:7f:cc|Private 99|-78|[WPA2-PSK-CCMP][WPS]|-79.8382854333|36.08849805|1293937912
00:1e:e5:38:19:09|linksys|-92|[WPS][WEP]|-79.83854785|36.0865177167|1293938008
00:20:a6:63:ad:75|Friendly Center WiFi|-59||-79.83658615|36.0866975|1293937859
00:24:c8:bb:9c:50|5673 4230|-85|[WEP]|-79.8365965833|36.0869798167|1293937861
00:20:a6:63:f1:15|Friendly Center WiFi|-67||-79.8365993167|36.0860543|1293937848
00:0f:cc:2f:63:a4|U b33n haxx0r3d|-90||-79.8383513667|36.0863390667|1293937810
00:20:a6:63:e4:95|Friendly Center WiFi|-89||-79.8369346333|36.0860972667|1293937836
2e:24:81:b6:d5:a3|hpsetup|-77|[IBSS]|-79.8386071833|36.0886041333|1293937914
00:17:3f:be:e2:6b|Belkin_N_Wireless_BEE26B|-97||-79.8386309333|36.08620435|1293938014
00:1f:c4:0c:20:00|frogs|-72|[WPA-PSK-TKIP][WPA2-PSK-CCMP]|-79.8386071833|36.0886041333|1293937914
00:15:70:ce:46:ec|1809|-98|[WPA-PSK-TKIP]|-79.8365965833|36.0869798167|1293937861
00:24:c8:82:b4:80|Red Mango - Friendly Center|-71||-79.8386071833|36.0886041333|1293937914
00:15:70:ce:41:11|1809a|-97|[WPA-EAP-TKIP][WPA2-EAP-TKIP+CCMP]|-79.8369346333|36.0860972667|1293937833
00:19:e0:63:ef:2a|SniderWLN|-94|[WEP]|-79.8384736167|36.0860829667|1293937798
00:15:70:ce:46:ee|Anthro Guest WiFi|-98||-79.83658615|36.0866975|1293937859
00:15:70:ce:46:ed|1809a|-99|[WPA-EAP-TKIP][WPA2-EAP-TKIP+CCMP]|-79.83658615|36.0866975|1293937859
00:0f:cc:d8:0d:84|6600 1110|-100|[WEP]|-79.8396444333|36.0879791333|1293937948
00:24:c8:83:de:b0|Swoozies|-92|[WEP]|-79.8390215|36.0874697833|1293937967
00:17:c5:66:2c:30|Bravo057|-80||-79.8383513667|36.0863390667|1293937808
00:1e:52:79:8c:1d|Wired|-90|[WPA-PSK-TKIP][WPA2-PSK-TKIP+CCMP]|-79.8384736167|36.0860829667|1293937798
00:18:ba:c9:08:d1|PRUDENTIAL NETWORK|-77|[WPA-PSK-TKIP]|-79.8390188833|36.0882263333|1293937933
00:23:69:58:56:34|Complete Nutrition|-86|[WPA2-PSK-CCMP][WPS]|-79.8389459833|36.0884986667|1293937922

I haven’t taken a good look at the SDK or any of the underlying hardware. However, the ability to hack out some useful code, utilizing the hardware of my phone, in a language I enjoy has me hooked. Knowing there’s a linux OS under the hood, and being able to access it directly on the phone makes me comfortable. Now it’s time to see if I can get libpcap and libdnet on this device, as well as setting up a cross-compiling toolchain for ARM.

Droid 2, one of the coolest devices I have ever owned.