DEF CON 16 Punch Card Puzzle

July 27, 2011

Back in 2008, at DEF CON 16, G. Mark Hardy presented his second crypto challenge. I didn’t go to DC16, so I didn’t see the challenge (and even if I had, I wasn’t really tracking these at the time). But in 2010, at ShmooCon, he dusted the challenge off and handed it out again, as nobody had solved it yet. I’d managed, with a buddy, to solve the ShmooCon badge puzzle that year, and after I got home I started on the DC16 puzzle. It took me a few days, but I managed to beat it.

I’ve held off on writing this one up, because the original included a phone number, and I didn’t want to publish that without G. Mark’s approval. And though we’re in frequent contact, it wasn’t until recently that I remembered to ask him about it. At his request, I’ve modified the puzzle slightly, with a different phone number (which I’m sure you’ll recognize). The method to arrive at the solution is still the same as the original.

The puzzle was handed out in five pieces, each printed on old computer punch cards. Each card included some additional text and two lines of code. Here are the five cards (again, modified for a different endgame):

VFLASGGGGIUGAAGYBDAWHOEVHUUVLLHGJYOLGFGP
GHALGGGOAAGGJPLLHZIHBFMHWIHSRYOIFPMIFVTF

XBMGRMBULEMPBMSRGMEBYRGMGRGHFMAGNMRLRZOM
GXMJRMLNBMEMUAZEGNVSOSFCUMXDSLDPFFUMXDVY

BVQZWOOBPPUSAZJEAUBTMATDFAJTTAUIFDSAQPVI
PFTIBOPWAUFOFHFAAJBUGBQBBCNXLQJMBUJVQDGN

QRJRWGDNMCZQTGYRZGFWRLRJRUFRSYWWKARAGMLS
RRGSKGMWYZKGSREOAVSXAQRZWHDKEQICCVMVUSAQ

KCPNCEJPKPPAFFFZZKDKEPEPZZFXRCOKLAVDYDKO
XTXEJHKKPPEKECMSKKWAMCLAADOJDADZKSNXIJJQ

As always, if you’d like to try to solve this yourself, then STOP now, as the rest of this post is full of spoilers. The text above is all that you need to get started.

One of the first things I did was to try the simple attacks: ROT-13, for example. After those gained me nothing, I wrote a simple Python script to output letter frequencies for each card. The results looked something like this:

card:  1     2     3     4     5
A :    7     2     9     5     6
B :    2     5     9     0     0
C :    0     1     1     3     5
D :    1     3     3     2     6
E :    1     4     1     2     6
F :    6     4     6     2     4
G :   15     8     2     7     0
H :    8     1     1     1     1
I :    5     0     3     1     1
J :    2     1     5     2     5
K :    0     0     0     4    12
L :    7     4     1     2     2
M :    2    15     2     4     2
N :    0     3     2     1     2
O :    4     2     4     1     3
P :    3     2     5     0     8
Q :    0     0     5     5     1
R :    1     7     0    12     1
S :    2     4     2     6     2
T :    1     0     5     1     1
U :    3     4     6     2     0
V :    4     2     3     3     1
W :    2     0     2     6     1
X :    0     4     1     1     4
Y :    3     2     0     3     1
Z :    1     2     2     4     5

So the five cards have distinctly different frequency distributions, but none of them are really flat. The first card had more Gs than any other letter, the second, slightly more Ms than Gs, etc. Pretty quickly I’d noticed a pattern: GMARK. I later saw this as a recurring theme in his puzzles, but this was the first time I’d seen it, and so I was kind of stoked. First, I tried shifting the letters back such that the most common letter was E, but that didn’t seem to look right. Remembering that he often uses Z for a space, I then shifted them back to Zs (G -> Z, M -> Z, etc.), and now my texts looked like this:

OYETLZZZZBNZTTZRUWTPAHXOANNOEEAZCRHEZYZI
ZATEZZZHTTZZCIEEASBAUYFAPBALKRHBYIFBYOMY

KOZTEZOHYRZCOZFETZROLETZTETUSZNTAZEYEMBZ
TKZWEZYAOZRZHNMRTAIFBFSPHZKQFYQCSSHZKQIL

AUPYVNNAOOTRZYIDZTASLZSCEZISSZTHECRZPOUH
OESHANOVZTENEGEZZIATFAPAABMWKPILATIUPCFM

YZRZEOLVUKHYBOGZHONEZTZRZCNZAGEESIZIOUTA
ZZOASOUEGHSOAZMWIDAFIYZHEPLSMYQKKDUDCAIY

ZRECRTYEZEEPUUUOOZSZTETEOOUMGRDZAPKSNSZD
MIMTYWZZEETZTRBHZZLPBRAPPSDYSPSOZHCMXYYF

But this still didn’t give me a cleartext. Some kind of wild guess made me think that I was dealing with a columnar transposition, which I’d never tried to break before. So I resolved to do this one, and to do it “by hand” (without resorting to brute-force computer programs). I tried some simple rearrangements of each card’s text, but got nowhere…

Then I realized that I might be able to do an attack “in depth”: since I had 5 different ciphertexts, if they were all encoded with the same key, then I could use bits of one to help solve another. I lined all the text up in five columns, and started trying to rearrange the rows such that words formed. For example, if I found a Q in the first column, I’d then look for another row with a U in the first column, and put them together. I did that for all the Qs I could find, then looked in the other columns to see if other obvious digraphs were being formed.

This way, I figured, I might start with “QUI” in one column, and notice “HIS” in another. Then I’d just have to put a row with “T” above “HIS” and I’d have another word built. Repeat, and repeat, and eventually I’d solve all of them.

Except that this wasn’t how the puzzle worked. :(

As I realized that I was getting nowhere, I noticed that there were two rows which read “Z Y O U Z.” And for the first time, I saw the word “YOU” in the middle of two Zs. And realized that I was being an idiot.

I eliminated some spaces, to make it easier to read, and found the plaintext. [I was working vertically, but to save space I’ll rotate it here, in two blocks. The first block is the 1st half of each card’s shifted text, placed one on top of the next; the 2nd block is the same for the 2nd half of each card.]

OYETLZZZZBNZTTZRUWTPAHXOANNOEEAZCRHEZYZI
KOZTEZOHYRZCOZFETZROLETZTETUSZNTAZEYEMBZ
AUPYVNNAOOTRZYIDZTASLZSCEZISSZTHECRZPOUH
YZRZEOLVUKHYBOGZHONEZTZRZCNZAGEESIZIOUTA
ZRECRTYEZEEPUUUOOZSZTETEOOUMGRDZAPKSNSZD

ZATEZZZHTTZZCIEEASBAUYFAPBALKRHBYIFBYOMY
TKZWEZYAOZRZHNMRTAIFBFSPHZKQFYQCSSHZKQIL
OESHANOVZTENEGEZZIATFAPAABMWKPILATIUPCFM
ZZOASOUEGHSOAZMWIDAFIYZHEPLSMYQKKDUDCAIY
MIMTYWZZEETZTRBHZZLPBRAPPSDYSPSOZHCMXYYF

Reading down each column in the 1st block, then continuing in the 2nd, we get:

OKAYZYOUZREZPRETTYZCLEVERZZNOTZONLYZHAVEZYOUZBROKE 
NZTHEZCRYPTOZBUTZYOUZFIGUREDZOUTZHOWZTOZTRANSPOSEZ 
ALLZTHEZTEXTSZTOZCREATEZONEZCONTINUOUSZMESSAGEZZGR 
ANTEDZTHEZCAESARZCIPHERZKEYZISZEPONYMOUSZBUTZIZHAD 
ZTOZMAKEZITZSOMEWHATZEASYZZNOWZYOUZHAVEZTOZGETZTHE 
ZRESTZZNOZCHEATINGZREMEMBERZWHATZIZSAIDZ

Or, cleaned up:

OKAY YOU RE PRETTY CLEVER  

NOT ONLY HAVE YOU BROKEN THE CRYPTO BUT YOU FIGURED OUT HOW 
TO TRANSPOSE ALL THE TEXTS TO CREATE ONE CONTINUOUS MESSAGE  

GRANTED THE CAESAR CIPHER KEY IS EPONYMOUS BUT I HAD TO MAKE 
IT SOMEWHAT EASY  

NOW YOU HAVE TO GET THE REST  

NO CHEATING REMEMBER WHAT I SAID

Woohoo! Of course, that’s not all. There’s still a block of text at the end that’s not right:

BAUYFAPBALKRHBYIFBYOMY
IFBFSPHZKQFYQCSSHZKQIL
ATFAPAABMWKPILATIUPCFM
AFIYZHEPLSMYQKKDUDCAIY
LPBRAPPSDYSPSOZHCMXYYF

So there’s more to decode. Fortunately, G. Mark gave us a big hint when he said “NO CHEATING.” That’s his clue, made clear in his Tales from the Crypto talk, that this stage requires the Playfair cipher. But what key? Well, for his Mardi Gras puzzle, he used the title of his talk, so what talk did he give at DEF CON 16? “A Hacker Looks Past Fifty.”

Plugging this into a friendly online Playfair decoder reveals the final cleartext:

TEXTTHEPHRASEFIFTYISNI
FTYTOSEVENTIMESSEVENFO
URTHREETIMESFOURTWOEIG
HTFIVEZERONINEANDTHEFI
RSTPERSONTOSOLVEWINSIT

Or, cleaned up:

TEXT THE PHRASE FIFTY IS NIFTY TO 
SEVEN TIMES SEVEN FOUR THREE TIMES FOUR TWO EIGHT FIVE ZERO NINE 
AND THE FIRST PERSON TO SOLVE WINS IT
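Here is the whole Caesar-plus-Playfair solve as an added Python example (my code, not G. Mark’s or the original post’s). It counts letters per card, shifts each card so its GMARK letter becomes Z, reads down the five cards column by column for the message, and runs Playfair with the talk title on the trailing block. Two details the prose glosses over: card 3 ties A and B for most frequent letter, so the GMARK pattern rather than raw counts fixes that shift, and the ciphertext digraph SS decrypts to SS in the output above (TIMESSEVEN), which standard Playfair rules would not give, so the decoder passes doubled digraphs through.

```python
"""Solve the DEF CON 16 punch-card puzzle: per-card Caesar shift, columnar
read across the five cards, then Playfair on the trailing block."""
from collections import Counter
from string import ascii_uppercase as ALPHA

# The five cards exactly as printed above (two 40-letter lines each).
CARDS = [
    ("VFLASGGGGIUGAAGYBDAWHOEVHUUVLLHGJYOLGFGP",
     "GHALGGGOAAGGJPLLHZIHBFMHWIHSRYOIFPMIFVTF"),
    ("XBMGRMBULEMPBMSRGMEBYRGMGRGHFMAGNMRLRZOM",
     "GXMJRMLNBMEMUAZEGNVSOSFCUMXDSLDPFFUMXDVY"),
    ("BVQZWOOBPPUSAZJEAUBTMATDFAJTTAUIFDSAQPVI",
     "PFTIBOPWAUFOFHFAAJBUGBQBBCNXLQJMBUJVQDGN"),
    ("QRJRWGDNMCZQTGYRZGFWRLRJRUFRSYWWKARAGMLS",
     "RRGSKGMWYZKGSREOAVSXAQRZWHDKEQICCVMVUSAQ"),
    ("KCPNCEJPKPPAFFFZZKDKEPEPZZFXRCOKLAVDYDKO",
     "XTXEJHKKPPEKECMSKKWAMCLAADOJDADZKSNXIJJQ"),
]


def top_letters(card):
    """Letters tied for the highest count on one card (card 3 ties A and B,
    so raw frequency alone does not fix every shift; the GMARK pattern does)."""
    counts = Counter(card[0] + card[1])
    best = max(counts.values())
    return {c for c, n in counts.items() if n == best}


def shift_to_z(text, key_letter):
    """Caesar-shift so that key_letter becomes Z, G. Mark's space marker."""
    k = (ALPHA.index("Z") - ALPHA.index(key_letter)) % 26
    return "".join(ALPHA[(ALPHA.index(c) + k) % 26] for c in text)


def solve_cards(cards, key="GMARK"):
    """Return (message with Z rendered as spaces, remaining Playfair block)."""
    shifted = [(shift_to_z(l1, k), shift_to_z(l2, k))
               for (l1, l2), k in zip(cards, key)]
    # Read down the five cards one column at a time: every column of line 1,
    # then line 2.  The first 290 letters are the Caesar-stage message.
    stream = "".join(s[line][col] for line in (0, 1)
                     for col in range(40) for s in shifted)
    message = stream[:290].replace("Z", " ")
    # The rest (columns 18-39 of each card's second line) is read row by
    # row, card after card, as 110 letters of Playfair ciphertext.
    block = "".join(s[1][18:] for s in shifted)
    return message, block


def playfair_square(keyphrase):
    """5x5 square: deduplicated key letters first, then the rest, J merged into I."""
    seen = []
    for c in keyphrase.upper().replace("J", "I") + ALPHA.replace("J", ""):
        if c.isalpha() and c not in seen:
            seen.append(c)
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def playfair_decrypt(ct, keyphrase):
    sq = playfair_square(keyphrase)
    pos = {c: (r, k) for r, row in enumerate(sq) for k, c in enumerate(row)}
    out = []
    for a, b in zip(ct[::2], ct[1::2]):
        if a == b:
            # Standard Playfair never emits a doubled digraph; this puzzle's
            # encoder left SS unchanged (TIMESSEVEN), so pass doubles through.
            out.append(a + b)
            continue
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                          # same row: step left
            out.append(sq[ra][(ca - 1) % 5] + sq[rb][(cb - 1) % 5])
        elif ca == cb:                        # same column: step up
            out.append(sq[(ra - 1) % 5][ca] + sq[(rb - 1) % 5][cb])
        else:                                 # rectangle: swap the columns
            out.append(sq[ra][cb] + sq[rb][ca])
    return "".join(out)


if __name__ == "__main__":
    for i, card in enumerate(CARDS, 1):
        print(f"card {i}: most frequent {sorted(top_letters(card))}")
    message, block = solve_cards(CARDS)
    print(message)
    print(playfair_decrypt(block, "A HACKER LOOKS PAST FIFTY"))
```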

Still not quite finished. So now we’ve got to do some math and number manipulation. At first, I thought it was several different multiplication operations, something like:

7 * 7, 4, 3 * 4, 2, 8, 5, 0, 9 == 49 4 12 2 8 5 0 9 or 494-122-8509

I texted the phrase to that number, but got no response. After a while, I sent an email directly to G. Mark, who confirmed that I’d broken the cipher, but did the math wrong.

It wasn’t a bunch of separate operations, but a single operation, like this:

7 * 743 * 428509

Which yields the following (obviously faked for this blog entry) phone number:

222 867 5309

This was a fun puzzle! I took some wrong turns, tried some new techniques, had some good luck, and made some stupid mistakes. A little of everything. Of course, tweaking the puzzle so I could (finally) publish the writeup was fun, too, especially factoring numbers to get them to fit into the ciphertext space available. Interesting bit of trivia: Turns out that 8675309 is a prime number. :)

CarolinaCon Flag Puzzle

May 8, 2011

About two weeks ago, G. Mark Hardy asked if I was planning to attend CarolinaCon at the end of April. He had a puzzle set to go and was even thinking of using me as a clue. I replied that I wouldn’t be at the con, but would love to see the puzzle. So he sent me a copy.

Here is what he sent me, which was printed on the conference badge:

Unfortunately, I was already busy with another puzzle — THOTCON — and was eyeing a third (the Verizon DBIR). Plus, the Easter weekend was fast approaching. So I didn’t really have the time to hit it full force. But I did eventually solve the puzzle.

As always, if you’d like to try to solve this yourself, then STOP now, as the rest of this post is full of spoilers. The image above is all that you need to get started.

The cipher text, then, is just this:

OOAI YELL MBOP QXTY EBPL JJHQ KIPW FWAL VPHW OHYC ELJU WQCV CAIL AIJJ
RHNK UCNP JIGY XYJD WNAU LJCY GAIL VSNB WMTH GCLX XPTJ CWQI WRHA
BLCA EQMN XRKM VVQS PJXE OWHE SVGP HTTH EKSA VQKH YCTB MVRV XWNQ
QGPL RACG RLRF EFMW ITFP KHFS TPTZ UUBX XFVB SRSI WHCD JHZB VVUM
AYDY LKBF FEOA NTYF LZWP YWMY MMLG DMFL VIGU WGNA MQBP

Beyond that, there wasn’t much to go on. During the con, G. Mark tweeted a couple of clues trying to focus people on the flag — and to lead them to Google searches on Confederate cryptography. He also tried to help people recognize the kind of cipher it likely was, and those it was not.

Of course I didn’t need any of those hints. Having written an extensive post about a Civil War message, I not only knew what kind of cipher the Confederacy used, I also knew the three keys they used most frequently.

Not wanting to make it too easy on myself, I chose to try a crib first. I guessed the message might start with CONGRATULATIONS, and after three letters, I knew what the key was. But for illustration, here’s a way that one could have tested a crib using an online tool (I already discussed a more manual approach in the Civil War post).

A site I frequently use for crypto tools (and suggested by G. Mark in one of his hints at the con) is Rumkin Cipher tools. Using the Vigenère tool, enter the ciphertext and select “decrypt.” Then, instead of the key, enter the start-of-message crib. In this case, I tried “CONGRAT” (to account for the possibility it was abbreviated). Doing this gives something like this for the start of the plaintext:

key: CONGRAT
MANC HESJ YOIY QERK RVYL QHTD ERPD DINF EPOU AUSL
ESHG JKLV JYUY URJQ PTAE DCUN VVAH XFHP JHJU SHOL

So the first 6 letters represent the key that would spell CONGRAT in the plaintext. Change the key to MANCHES and now we see this:

key: MANCHES
CONG RATZ MOMI MFHY RZIH RXHD IBLE TWNJ OLPK OUWV
ATXU JOVR KOIY YBFR FHAI NYVD JVER TGXD JLTQ TXCL

Now, if this were the whole key, then we’d see words pop out later in the output. There’s “D IBLE” in the first line, but nothing anywhere else. So start adding As to the end of the key, and eventually we find:

key: MANCHESAAAAAAAA
CONG RATL MBOP QXTM EONE FRHQ KIPW FWOL INAS WHYC
ELJU WECI ATET AIJJ RHNK ICAN CEOY XYJD WNAI LWAR

It looks like “OLINAS” on the first line, which must be “CAROLINAS,” so figure out which letters in the key correspond to the WFW just in front of it, and change them to CAR.

key: MANCHESAAAAACAR
CONG RATL MBOP OXCM EONE FRHQ KIPU FFOL INAS WHYC
ELHU FECI ATET AIJJ RFNT ICAN CEOY XYJD UNJI LWAR

The three characters in question are now UFF, so that’s the next key fragment. Replace CAR with UFF and look for another place to stretch the key out:

key: MANCHESAAAAAUFF
CONG RATL MBOP WSOM EONE FRHQ KIPC AROL INAS WHYC
ELPP RECI ATET AIJJ RNIF ICAN CEOY XYJD CIVI LWAR

We’re definitely on the right track, as line 2 now includes “CIVIL WAR.” In the second line is “IF ICAN CE,” which is probably SIGNIFICANCE. Do the same trick: replace the end of the AAA with SIG, see the corresponding plaintext letters change to RBL, and change the letters in the key from SIG to RBL, and now we see:

key: MANCHESAARBLUFF
CONG RATL MKNE WSOM EONE FRHQ THEC AROL INAS WHYL
DAPP RECI ATET AISI GNIF ICAN CEOY XHIS CIVI LWAR

Let’s reformat to maybe make it easier to find the missing words:

CONGRAT LM KNEW SOMEONE FJHQ THE CAROLINAS OHYLD
APPRECIATE LAI SIGNIFICANCE GYXHIS CIVI LWAR

We still have two letters left to guess in the key, and there’s a two-letter bit in the first line that looks like it should be “SI.” Insert SI into the key, retrieve “TE” from the plaintext, put those in place of SI, and bingo:

key: MANCHESTER BLUFF

CONGRATS I KNEW SOMEONE FROM THE CAROLINAS WOULD
APPRECIATE THE SIGNIFICANCE OF THIS CIVIL WAR
CIPHER CH RHHH TAET FWPS BLWD RFHN ZEYI LMVM MXFH
JVDQ IFFL KFGT YQBD HGRA ASZW EPZN TXHB ZTKR FDJZ
PVVG MOCT PENN LBVV XZAK YHSQ MLBG QDAM DAQP SEQB
SPJZ SGOH QQIM NWWU TRXO ETUV IHYS JSSX FSVX BSGB
RMSJ OEOB SPMP SLWD

And bingo! We’re — wait, what? Dammit.

At this point, I was stumped for a while. For one: do I use the “decrypted” output of the first stage? One other G. Mark puzzle worked that way, so it seemed reasonable. Plus, that would make the second stage dependent upon solving the first. Or, should I just find the original ciphertext that corresponds to what didn’t decrypt and use that?

In the end, I tried both avenues with a variety of approaches. I tried the other two commonly used Confederate keys, ruled out Playfair and simple Caesar shifts, and just tried lots of different keys. I also tried dragging a crib back and forth. This is essentially the same as what I described above, but I try the word (“THE” is what I tried) against every position in the ciphertext, and hope that I’ll see an obvious 3-letter sequence pop out. None of these met with any success.

I was sure this was a Vigenère, based on the historical connection, so I kept plugging away. In addition to crib dragging, I tried various other tests to help guess a key size, and even started noodling with some new techniques of my own devising. But no luck. (Though I did learn a lot more about Civil War cryptography in the process.)

After a few days not getting far, I regrouped and tried simplifying (per G. Mark’s inevitable admonition that I’m making it too complicated). Looking at the remaining text, I decided to try an “offset” key. Basically, I took COMPLETE VICTORY and just started rolling letters off the beginning and onto the end. When I hit TORYCOMPLETEVIC I found success.

UNFORTUNATELY BAD CRYPTO MAY HAVE LED TO THE DEFEAT OF LEE IN THE WAR OF
NORTHERN AGGRESSION BUT YOU CAN MAKE UP FOR IT

But even that didn’t get everything. There’s still a block of cipher text at the end. Of course, now I know what to do. I simply put the entire original cipher text into the online applet and use each of the three Confederate keys in sequence. The first decoded the first block, when replaced with the second it decoded a chunk in the middle, and when I replaced it with COME RETRIBUTION the last message was decrypted:

TO CLAIM THE PRIZE FOR SOLVING THIS YOU MUST TELL G MARK THIS WHOLE TEXT
BY THE END OF THE CON

In the end, a very simple, almost trivial, solution. Especially since all the keys were available in the Wikipedia article on Vigenère. But mashing all three texts together the way he did totally ruined my attempts at traditional cryptanalysis. If I’d known there were three parts to the puzzle, I might’ve figured out the trick earlier. Maybe. Now I’m just trying to figure out if there’s an easy way to “discover” such partitions in the cipher text or if you just have to guess or stumble upon them.
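An added Python example (not the author’s or G. Mark’s code) of the two techniques used above: deriving a key fragment from a crib, and decrypting the badge text with the three Confederate keys. One observation the code makes explicit: all three keys are 15 letters, and the key stream stays aligned to the absolute position in the ciphertext across the cuts, so COMPLETEVICTORY applied from position 86 is exactly the rotated TORYCOMPLETEVIC that worked; the cut positions 86 and 182 are the lengths of the recovered messages.

```python
"""Crib-to-key and three-key Vigenère decryption of the CarolinaCon flag
cipher, keeping the key stream aligned to the absolute position."""
from string import ascii_uppercase as ALPHA

# Badge ciphertext exactly as printed above, with the spacing removed.
CIPHERTEXT = "".join("""
OOAI YELL MBOP QXTY EBPL JJHQ KIPW FWAL VPHW OHYC ELJU WQCV CAIL AIJJ
RHNK UCNP JIGY XYJD WNAU LJCY GAIL VSNB WMTH GCLX XPTJ CWQI WRHA
BLCA EQMN XRKM VVQS PJXE OWHE SVGP HTTH EKSA VQKH YCTB MVRV XWNQ
QGPL RACG RLRF EFMW ITFP KHFS TPTZ UUBX XFVB SRSI WHCD JHZB VVUM
AYDY LKBF FEOA NTYF LZWP YWMY MMLG DMFL VIGU WGNA MQBP
""".split())

# The three Confederate keys; all three happen to be 15 letters long.
KEYS = ["MANCHESTERBLUFF", "COMPLETEVICTORY", "COMERETRIBUTION"]


def vigenere_decrypt(ct, key, start=0):
    """Subtract the key letter from each ciphertext letter.  `start` is the
    key index applied to ct[0], so a segment cut out of a longer text can
    keep the key alignment of the whole text."""
    return "".join(
        ALPHA[(ALPHA.index(c) - ALPHA.index(key[(start + i) % len(key)])) % 26]
        for i, c in enumerate(ct))


def key_from_crib(ct, crib):
    """Key letters that would turn the start of ct into the crib
    (ciphertext minus plaintext)."""
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26]
                   for c, p in zip(ct, crib))


def pad_key(fragment, length):
    """Extend a partial key with A (shift 0) so unknown positions pass through."""
    return fragment + "A" * (length - len(fragment))


def rotated_key(key, offset):
    """The key as it appears when applied from absolute position `offset`
    rather than from 0: what the post calls an "offset" key."""
    r = offset % len(key)
    return key[r:] + key[:r]


def decrypt_segments(ct, keys, cuts):
    """Decrypt ct in segments split at `cuts`, one key per segment, with the
    key index for each letter taken from its absolute position in ct."""
    bounds = [0, *cuts, len(ct)]
    return [vigenere_decrypt(ct[lo:hi], key, start=lo % len(key))
            for key, lo, hi in zip(keys, bounds, bounds[1:])]


if __name__ == "__main__":
    print(key_from_crib(CIPHERTEXT, "CONGRAT"))          # MANCHES
    print(vigenere_decrypt(CIPHERTEXT[:40], pad_key("MANCHES", 15)))
    print(rotated_key("COMPLETEVICTORY", 86))           # TORYCOMPLETEVIC
    for part in decrypt_segments(CIPHERTEXT, KEYS, (86, 182)):
        print(part)
```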

But this was all before the con even happened. Once it started, I periodically checked Twitter to see if anyone was working the puzzle, and if so, whether they were making any progress. Early on, I saw a couple of people post links to the image, or to a pastebin copy of just the text, but not much beyond that. One person did suggest “POTOMAC RIVER,” probably as a possible key, as the battle flag originally came from the Confederate Army of the Potomac.

Finally, late on Sunday, I started to see a few people make progress. Then about 3:45, a tweet from Korotos to G. Mark said, simply, “Solved.” So congratulations to Korotos! :)

Knowing the secret, being “on the inside,” was an interesting change for me. It was a different challenge having to keep my mouth shut… and I’m glad I did. Both because to say anything would’ve been wrong (it’s not my game, after all!), but also because the few times I did think about what to say, I realized hours later that I would have given away too much. There’s an art to giving hints that are Just Good Enough…

So speaking of hints, what ever happened to the bit about using me as a hint? About midday Sunday, G. Mark tweeted this:

Hint: on CTF network was file named “.notthis”; contents were: a8979e8b df88908a 939bdfbb 9e8d8b97 dfb18a93 93df9b90 c0ff

The file name was a hint as to how to decode the hint: logically invert (or NOT) all the bits. Or, XOR with 0xFF, which is functionally the same. Doing this reveals the hint he’d warned me he might use:

What would Darth Null do?

I don’t know if anyone ever decoded the hint. I do know that nobody viewed my Civil War blogpost during the entire con, so if anyone did decode it, they didn’t take the next step. Of course, the first key was right there in my blog…and even without the hint, a Google search for “G. Mark confederate crypto puzzle” lists my blog as the first hint — proving that sometimes, the direct attack actually is the best choice.

ShmooCon 2011 Badge Contest

February 9, 2011

Ah, ShmooCon 2011. This time we’re in a new building, The Washington Hilton, and a little earlier than usual: the last weekend of January. But aside from that, it’s still ShmooCon. And it wouldn’t be a ShmooCon without something fun on the badges. For the third year in a row, the puzzle came from the subtle and devious mind of G. Mark Hardy.

This time, I was actually helping out at the con. I’d been a little concerned about whether I’d be able to fairly compete for the puzzle, since I might get exposed to the badges, or programs, or other material, before anyone else is. Heidi did her best to ensure that I didn’t learn anything unfairly — to the point that the Wednesday before the con, when I was helping with some of the check-in code and at the bag stuffing party, she repeatedly told everyone that “David’s not allowed to see inside the programs!” She’s so helpful.

Though I have to admit, it was certainly frustrating being surrounded by 1500 copies of the puzzle, and not being able to do anything about it.

Adding to the stress was the fact that I’d won (or shared winning) this contest in 2009 and 2010. The fact that this drive to keep winning was purely internal didn’t make it less real. And being somewhat not-100%, physically (more on that later) certainly didn’t help. More than once I’d wished I’d simply opted out of the contest at the beginning.

So anyway, the con started, I got my badge, my buddies got theirs, and we were off!

As always, if you’d like to try to solve this yourself, then STOP now, as the rest of this post is full of spoilers. If you’d like a copy of just the raw data (ciphertexts and other clues revealed during the contest), click here.

Pretty quickly we decided that there were probably five badges total: one for staff, one for speakers, and three for attendees. Each badge was made to look like a school hall pass, and had fields for the “student’s” name, the reason they were issued the hall pass, and the teacher who issued it. The names were all amusing, but didn’t really pertain — the important parts were the lines the names were written on. Two of the lines weren’t really lines, but were finely drawn Morse code.

Being hungry, we went off to lunch and, while waiting, decoded all five badges. We ended up with this (first line is hall pass reason, second line is the authorization, right column is the decoded text):

Badge Text             Morse Code     Badge Type
A Room With a Moose    2 YESTERDAY    Attendee
Mr. Shmoo              3 TELEGRAPH
F5 Fingers             0 MOGADISHU    Attendee
Anon E. Moose          1 ARMADILLO
I Haz Barcodes         4 HYPNOTIST    Attendee
Bullwinkle             5 EUCALYPTI
Lost Voice on Alcan    8 ORANGE CAB   Speaker
A Noony Moose          9 STIMULATE
Yearly Migration       6 MICROBREW    Staff/Security
Dr. Doc Doctor, MD     7 OBJECTIVE

It seemed pretty obvious that they needed to be put in numerical order. This gave us:

0 MOGADISHU
1 ARMADILLO
2 YESTERDAY
3 TELEGRAPH
4 HYPNOTIST
5 EUCALYPTI
6 MICROBREW
7 OBJECTIVE
8 ORANGECAB
9 STIMULATE

Almost immediately we noticed “MAY THE MOOSE BE WITH YOU” read down the first column and up the last. So, that’s one part done. What other parts were there to the puzzle?

On the bottom of several pages were individual letters in a large font. Taken together, these spelled out:

RJWUD TKOOA EGPAD CRLUS

Obviously some ciphertext. I tried basic attacks (various Caesar shifts, “obvious” Vigenère keys, etc.) but didn’t get anywhere.

On page 6 of the program was some base-64 data. I quickly entered that into an online tool and decided it was binary data, likely encrypted output from OpenSSL, and therefore almost certainly not part of G. Mark’s puzzle.

Page 12 had a section titled “Crypto Contest” with the following block of text:

CRYPTOCONTEST
MWHFGYBBXQBJA
OXIHADLIDWXVW
OUXGHIPCSAPHI
SZHWHPGMAXGNI
EYTKNSIYMJPJD

This one I just left alone for the time being. On page 27, we found a word search game:

0 1 2 3 4 5 6 7 8 9 
S A V E H I M O M G 
S E X H I B I T O M 
D E C I M A L D P A 
B A R R O R M A K R 
F U R W E I N T O K 
P C P T N T B O O M 
G V M U H O C A R K 
W I S E A N D O D I 
I O R V S E U T D K 
N O T H E R E L I E 
N O T T H E R E L I

It didn’t take long for us to start finding words and names in the square. Popping out at us were SAVE, HI MOM, EXHIBIT, DECIMAL, and NOT HERE. Also the names G MARK, WINN, GOD MINUS ON(e), and amusingly enough, DARTH NULL. Also, SECRET CODE. And some others. How many of the words we found were deliberate, and how many were accidents of the encoding? That wasn’t a purely academic question, as we figured that whatever letters were left over (not part of words) would themselves constitute a ciphertext.

Finally, the back of the schedule card had the following:

  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D 
A S H M O O C O N A B D E F G I J K L P Q R T U V W X Y Z L 
B H M O O C O N A B D E F G I J K L P Q R T U V W X Y Z S E 
C M O O C O N A B D E F G I J K L P Q R T U V W X Y Z S H S 
D O O C O N A B D E F G I J K L P Q R T U V W X Y Z S H M S 
E O C O N A B D E F G I J K L P Q R T U V W X Y Z S H M O M 
F C O N A B D E F G I J K L P Q R T U V W X Y Z S H M O O O 
G O N A B D E F G I J K L P Q R T U V W X Y Z S H M O O C O 
H N A B D E F G I J K L P Q R T U V W X Y Z S H M O O C O S 
I A B D E F G I J K L P Q R T U V W X Y Z S H M O O C O N E 
J B D E F G I J K L P Q R T U V W X Y Z S H M O O C O N A T 
K D E F G I J K L P Q R T U V W X Y Z S H M O O C O N A B H 
L E F G I J K L P Q R T U V W X Y Z S H M O O C O N A B D A 
M F G I J K L P Q R T U V W X Y Z S H M O O C O N A B D E N 
N G I J K L P Q R T U V W X Y Z S H M O O C O N A B D E F E 
O I J K L P Q R T U V W X Y Z S H M O O C O N A B D E F G V 
P J K L P Q R T U V W X Y Z S H M O O C O N A B D E F G I E 
Q K L P Q R T U V W X Y Z S H M O O C O N A B D E F G I J R 
R L P Q R T U V W X Y Z S H M O O C O N A B D E F G I J K G 
S P Q R T U V W X Y Z S H M O O C O N A B D E F G I J K L M 
T Q R T U V W X Y Z S H M O O C O N A B D E F G I J K L P A 
U R T U V W X Y Z S H M O O C O N A B D E F G I J K L P Q R 
V T U V W X Y Z S H M O O C O N A B D E F G I J K L P Q R K 
W U V W X Y Z S H M O O C O N A B D E F G I J K L P Q R T M 
X V W X Y Z S H M O O C O N A B D E F G I J K L P Q R T U M 
Y X Y Z S H M O O C O N A B D E F G I J K L P Q R T U V W X 
Z Y Z S H M O O C O N A B D E F G I J K L P Q R T U V W X I 
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D 

"Thanks to Gary Phillips for providing the Jim Sanborn font"

The little attribution was clearly to help people unfamiliar with the image to narrow their Google search a little bit. Jim Sanborn is the artist who created a sculpture at CIA Headquarters called Kryptos. Half of the sculpture is ciphertext, the other half is a keyed Vigenère tableau. The image on the schedule card was likewise a keyed Vigenère, though not properly constructed. I figured this would be used to decode the last part of the puzzle, and didn’t think much more of it. (There’s also a little easter egg in the rightmost column. “LESS MOOSE THAN EVER GMARK MMXI”).

So by now, we’re done with lunch, and have found a place to sit for the opening ceremonies. I didn’t really play too much with the puzzle then, but near the end, I started again. I first tried some of the usual suspects against the code on page 12 (Vigenère, mostly), but didn’t see anything pop out at me. Then I looked a little more closely at it.

The first row “CRYPTOCONTEST” was obviously just a header. What I didn’t notice right away was that the first column also spells something. MOOSE. I had a hunch, tried it, and was quickly rewarded. The key for each of the five rows is the first letter in that row. That is, the first row (after the header) starts with the M in MOOSE, so that row is a Caesar cipher shifted by M (or, in this particular case, what’s commonly called ROT-13). The next two rows were shifted by 15 letters (O), etc. So, about 4:00 on Friday, I’d decoded it:

JUST LOOK DOWN
ITS LOW TO HIGH
FIRST AND LAST
GO DOWN THEN UP
TO FIND THE KEY

This was to be the last progress I made for nearly 24 hours. And even this wasn’t much progress, since we’d already “looked down” (at the badges) and found the key (“MAY THE MOOSE BE WITH YOU.”)

On the other hand, now I know what I’m supposed to do with that phrase. And now that I’m thinking about it, the key has 20 letters, and the text on the bottom of the pages has 20 letters. Woohoo! Let’s just add one to the other, and….er…nothing. Okay, subtract. Subtract the other way? Start with 1 instead of 0? No? Shoot. After about 20 minutes, I give up (plus, the room was getting warm) so we get up to stretch our legs. I played with it a little more during the Keynote, but again, got nowhere.

After the con closed down for the evening, and we’d made (and changed and changed again) reservations for dinner, I ran into G. Mark. I told him a little about what we’d done so far, and mostly tried to get a feel for whether we had the right approach on the word search bit. Naturally, I didn’t get much help.

The next morning, when I woke up, I had a bit of a medical scare. See, I’d slipped on ice a little over a week before and banged my right knee pretty badly. It was still a little swollen, but I was making do. Well, when I got out of bed, I saw huge bruises all over my foot — which hadn’t been injured at all when I fell. Naturally, this Freaked Me Out. I ended up spending most of the morning going to, being at, and returning from, the local urgent care clinic. Fortunately, I checked out fine — the diagnosis was that invisible bruises got exacerbated by all the walking at the con, and also that extended use of Motrin and Aleve made the bruising appear much worse. Relieved, I returned to the con, and to the talks.

I kept playing with the codes, off and on, over the afternoon, but made no progress. In the meantime, G. Mark tweeted a few hints, but they don’t help me much. At 3:51, he tweets that “The tools you received in the challenge will work best without unauthorized modifications.” What the hell is that supposed to mean? Tools? I can’t think straight, and decide to go upstairs to take a quick nap. On the way to the elevator, I get another tweet from G. Mark: “Serious breakthrough for one of the teams! Competition get hot or eat their bits!” Great, so now I’m tired, AND bummed out.

Once in my room, I pull out the swag bag and begin going through it. I try opening all the pens, to see if perhaps there’s a clue hidden inside something, but have no luck. Then I look at the schedule card. I look at the tableau on the back. The one that was made incorrectly. I shake my head and quietly mutter “No. No, you didn’t.” And then I start copying the tableau onto the computer so it’ll be easier to trace out (the font he used didn’t really line up into nice columns).

Basically, this kind of Vigenère tableau uses a different base alphabet. In the traditional cipher, the key simply switches among different Caesar shifts for each letter in the plaintext. A keyed tableau mixes up the alphabet itself, making it even harder to break. Of course, even in a keyed alphabet, the alphabet can only have 26 letters. It CERTAINLY can’t have the letter O appear three times, as it did in this table. I’d tried using a keyed Vigenère with the “MAY THE MOOSE BE WITH YOU” key many times, with many variants, but got nowhere, because I was always constructing the keyed alphabet correctly.

Here’s what G. Mark’s alphabet looks like:

SHMOOCONABDEFGIJKLPQRTUVWXYZ

and here’s what it should have looked like:

SHMOCNABDEFGIJKLPQRTUVWXYZ

Those extra Os mess everything up. But how badly does it really break things? Well, let’s take the table, and the key we got from the badges, and start decoding. First, take the first letter of the key “M” and find the row that starts with M. Then, I go over to the first letter of the ciphertext “R” and straight up to the header row to find the letter “I.” This is the first letter of the plaintext.

The next key letter is A, with ciphertext J, looking straight up I get P. So now I’ve got “IP.” I keep at this for a while, and eventually turn the ciphertext (top) into plaintext (bottom):

RJWUD TKOOA EGPAD CRLUS

IPADD RE??S HMOOC ONVII

Only two letters, both of which are key letter O paired with cipher letter O, are ambiguous. Each could be R, S, or U. It’s pretty easy to see what the right decryption is just by looking at the context. So the letters at the bottom of the page decrypt to:

IP ADDRESS SHMOOCON VII.
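The tableau decryption as an added Python example (mine, not the card’s or the post’s). It models a row as the keyed alphabet rotated by the key letter’s rank and returns every candidate plaintext letter, so the two key-O/cipher-O positions come out as {R, S, U} exactly as described, while the same key and ciphertext against a properly built 26-letter alphabet decrypt without ambiguity but to something else entirely.

```python
"""Decrypt with the ShmooCon 2011 schedule-card tableau, whose keyed
alphabet is 28 letters long (O appears three times), and with a properly
built 26-letter alphabet for comparison."""
from string import ascii_uppercase as ALPHA

FAULTY_ALPHABET = "SHMOOCONABDEFGIJKLPQRTUVWXYZ"   # as printed on the card
PROPER_ALPHABET = "SHMOCNABDEFGIJKLPQRTUVWXYZ"     # SHMOOCON with repeats dropped
KEY = "MAYTHEMOOSEBEWITHYOU"                        # from the badges
CIPHERTEXT = "RJWUDTKOOAEGPADCRLUS"                 # letters from the page bottoms


def tableau_decrypt(ct, key, alphabet):
    """Row for key letter K is the alphabet rotated left by K's rank (row A
    is rotation 0); the plaintext is the header letter standing above the
    ciphertext letter in that row.  The header is A, B, C, ... continued
    past Z when the alphabet is longer than 26.  A letter that occurs more
    than once in the alphabet sits in several columns, so each position
    gets the set of candidate plaintext letters."""
    n = len(alphabet)
    header = (ALPHA * 2)[:n]
    result = []
    for k, c in zip(key, ct):
        rot = ALPHA.index(k)
        cols = [i for i, a in enumerate(alphabet) if a == c]
        if not cols:
            raise ValueError(f"{c} is not in the alphabet")
        result.append(frozenset(header[(i - rot) % n] for i in cols))
    return result


def render(candidates):
    """One letter where the decryption is unique, '?' where it is not."""
    return "".join(next(iter(s)) if len(s) == 1 else "?" for s in candidates)


def ambiguities(candidates):
    """Positions whose candidate set has more than one letter."""
    return {i: sorted(s) for i, s in enumerate(candidates) if len(s) > 1}


if __name__ == "__main__":
    faulty = tableau_decrypt(CIPHERTEXT, KEY, FAULTY_ALPHABET)
    print(render(faulty), ambiguities(faulty))
    proper = tableau_decrypt(CIPHERTEXT, KEY, PROPER_ALPHABET)
    print(render(proper), ambiguities(proper))   # unambiguous, but not the intended text
```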

Woohoo! Finally! Progress! Now I just need to open a browser…and…er…hm.

Okay, maybe it’s telling me to get the ip address for the shmoocon.org site and surf to that by IP, not by name. This will almost certainly give me different data that way. But then what do I do with the VII? Also, since I’ve been helping out with the ticket sales system, I know a little bit about how the ShmooCon server is configured. And one bit of knowledge worries me — the address on the webserver itself is not the same as the address that browsers go to, because there’s a load balancer in between the server and the world. So I’m wondering — did they account for this when they set it up?

I sent a note to G. Mark mentioning I had a concern, and went back down to the conference. Not long after getting there, he walks by, and we talk for a bit. Not to worry, he tells me, everything is working fine. Cool. He asks me what parts I have left, and I told him the only piece of the puzzle I haven’t used is the word search, and talk again about how to get a ciphertext out of the puzzle by eliminating words, etc. He looks at me and tells me “back off.” I’m not sure if this means “back off asking questions, I won’t tell you anything” or “back off from that approach, it’s wrong.” Either way, I know that’s where I need to go next, so I run over to the Intrepidus Group table and pull out the program.

But how am I supposed to get an IP address out of the puzzle, using “SHMOOCON VII” as the key? S appears in the first column twice, and also once in column 2. There are 3 Hs in column number 4, and it appears twice in column 3. Maybe it’s the column with the most of each letter? No, there are 2 Ms in both columns 6 and 9. Maybe the total number of occurrences of each letter? That probably wouldn’t work either, ’cause then you’d have 3 digits forced to the same number, which seems unlikely.

After a little while, I remember that the table has 11 rows, which had struck me as a little odd, not for any particular reason, but just that there must be a reason for 11 rows. This little bit of trivia had been completely forgotten until this moment. “SHMOOCON VII” has 11 letters. One letter per row?

Let’s see… There is only one S in the first row, and it’s under column 0. Hm. One H in the second row, under 3. Only one M in the third row, and it’s beginning to look like I’m on to something, though the number still seems weird. In the end, I get this:

03448155389

Heh. Tricky. IP addresses are just big 32-bit numbers, but we typically split them into four 1-byte blocks for easy readability. For human convenience. However, many applications don’t care and can take a single big number just as easily as a dotted-quad address. However, I’m not 100% sure about the iPhone browser. And when I try entering that number, sure enough, it doesn’t work. So I convert it to hex and get CD86ACFD. Converting each pair of digits to decimal, I get 205, 134, 172, and 253. So the address I need to surf to is:

http://205.134.172.253/

Now I’m getting excited. I get back a simple web page, with the title “Well done!”, and the following text:

Good things come in threes.
Add this to the other plaintexts.
Tell that person you solved it.

KVATY DBKZA BZICB USYWO

Cool. Okay. So…there are 20 characters there, and I’ve got two other 20 character strings. So I need to get this plaintext and add them all together. Again, I try the usual suspects, and get nowhere. Then I stop and think for a moment. And realize that I’m being an idiot. Of course I can’t take three English strings, add them together, and get English again. (I mean, maybe, but it’d be tough to arrange). I need to add the new ciphertext to the two plaintexts. Basically:

MAYTH EMOOS EBEWI THYOU
IPADD RESSS HMOOC ONVII
KVATY DBKZA BZICB USYWO

Now there are a few different ways you can “add” letters together. First, you can simply number them starting with 1 (so A + A = B, because 1 + 1 = 2). Or you can number them starting at zero (so A + A = A, A + B = B, but B + B = C). The latter is actually an easy way to implement the Vigenère cipher, and since I have some favorite tools to do that online, that’s what I do — enter the first string as the key, and the second string as the plaintext, hit encrypt, and I get the “sum” of the strings. Do it again with that sum as the key and the 3rd string as plaintext, and I get:

EKYPI YRQFK MMAML BMRSQ

Damn. Nothing. Well, let’s assume that it’s been encoded itself, again trying the standby Vigenère, and I’ll use GMARK as the key. Now I get:

YYYYY SFQOA GAAVB VARBG

Oooh! Oooh! That’s important! That pretty much tells me that the string starts with GMARK. So instead of GMARK as the key, I just enter “Y”, and out pops:

GMARK ATSHM OOCON DOTUS

It turns out if I’d used the other way to add, it would have been a lot easier – the “shift by Y” decode kind of undoes the offsets I’d introduced using what was supposed to be a shortcut. If you number M as the 13th letter, I as the 9th, and K as the 11th, you get 13+9+11 = 33. Subtract 26, and you get 7. The 7th letter is G. Similarly, 1 (A) + 16 (P) + 22 (V) = 39, 39 – 26 = 13 (M). And so forth. So, once again, I apparently took the long way around.
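
Here is the arithmetic from the last two steps written out as a small script. This is an added example, not code from the original post: the function names are mine, the three 20-letter strings are the ones quoted above with their spaces removed, and the integer is the 11-digit value read off the word-search rows.

```python
# Added example (not the post's own code): the two conversions that close out
# the ShmooCon VII puzzle, written so each step can be checked independently.
# Letters are A-Z only; "zero-based" numbers A=0..Z=25, "one-based" A=1..Z=26.

PLAINTEXT_1 = "MAYTHEMOOSEBEWITHYOU"   # first plaintext, quoted in the post
PLAINTEXT_2 = "IPADDRESSSHMOOCONVII"   # second plaintext, quoted in the post
CIPHERTEXT_3 = "KVATYDBKZABZICBUSYWO"  # string from the "Well done!" page


def int_to_dotted_quad(value):
    """Split a 32-bit integer into the usual four decimal octets.

    This is the same thing as converting to hex and reading off byte pairs
    (3448155389 -> CD 86 AC FD -> 205.134.172.253); ipaddress.IPv4Address(value)
    in the standard library does it too.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address: %r" % value)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def add_strings(strings, one_based=False):
    """Letter-wise sum of equal-length strings, mod 26.

    one_based=False is the Vigenère "shortcut" (A=0, so A+A=A).
    one_based=True numbers A=1, so A+A=B.  For three strings the two results
    differ by a constant shift of 2, which is why a "shift by Y" (Y = 24 = -2)
    repaired the shortcut result in the post.
    """
    offset = 1 if one_based else 0
    out = []
    for column in zip(*strings):
        total = sum(ord(ch) - 65 + offset for ch in column)
        out.append(chr((total - offset) % 26 + 65))
    return "".join(out)


def vigenere_decrypt(ciphertext, key):
    """Classical Vigenère (A=0) decryption: each key letter shifts back."""
    return "".join(
        chr((ord(c) - ord(key[i % len(key)])) % 26 + 65)
        for i, c in enumerate(ciphertext))


def solve_shmoocon_final():
    """Reproduce both routes the post describes and check that they agree:
    the zero-based shortcut followed by a 'Y' shift, and the direct one-based sum."""
    strings = [PLAINTEXT_1, PLAINTEXT_2, CIPHERTEXT_3]
    shortcut = add_strings(strings)                    # EKYPI YRQFK ...
    direct = add_strings(strings, one_based=True)      # GMARK ATSHM ...
    if vigenere_decrypt(shortcut, "Y") != direct:
        raise AssertionError("the two addition conventions disagree")
    return direct


if __name__ == "__main__":
    print(int_to_dotted_quad(int("03448155389")))
    print(solve_shmoocon_final())
```

The `vigenere_decrypt(shortcut, "GMARK")` probe from the post also works here: the first five letters come back as YYYYY, which is how you can tell the shortcut sum is off by a constant rather than wrong.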

Anyway, the instructions said to “tell that person you solved it,” so I quickly sent an email to gmark at shmoocon.us. I also sent him a direct message saying “Check your .us email account.” This was at 6:21 on Saturday. At 6:28, I got a response saying I’d won, and two minutes later he announced it to the world on Twitter.

Whew! My winning streak is safe!

At the closing ceremonies, G. Mark again explained the puzzle and how it worked, which is always great fun. For one, it verified that I’d taken the wrong approach for the final plaintext addition step. It’s also great to see the responses of the crowd as things are revealed. What was really priceless for me, though, was hearing groans and “Not again!” comments from people around me as my name was announced as the winner.

I’m still amazed by my ability to overcomplicate matters, even after solving so many of G. Mark’s puzzles. In this case, I spent a good deal of time trying to determine which words were “real” in the word search puzzle, trying to build a ciphertext out of the puzzle, when really, literally 90% of the letters in that block were fluff.

Also, I’d interpreted the Vigenère table as a hint, telling me what technique to use at some critical stage of the game. In fact, it was not really a hint, so much as the actual method and half the key. G. Mark has made mistakes in his puzzles before, but those mistakes are almost always very minor and had no real impact on solving the puzzle. In this case, I tacitly assumed that the tableau was wrong, and it was wrong simply because he was having fun. What I should have assumed was that it was right, and to use it exactly as provided. Had I really thought more clearly about all that, I might’ve solved the puzzle 24 hours earlier.

In the end, though, it was another great puzzle. I was glad to see him follow somewhat the pattern he took with ToorCon, where each stage tells you where to go next and hints at the method and key to use. It wasn’t quite exactly like that, but you could see some similarities. And it’s also great that there was a stage that wasn’t pure classical cryptography, and a stage that was classical crypto, but with an unexpected twist. Being forced to think outside of the box is the best feature of any puzzle, and once again, I was not disappointed.

ToorCon 12 Badge Puzzle

December 6, 2010

In the middle of October, G. Mark Hardy emailed to ask if I or my puzzle-busting buddy would be making it to ToorCon, in San Diego, as he had a puzzle on which he was putting the finishing touches. I told him no, but that I’d love to play along at home for “bragging rights instead of prizes.”

The weekend of the conference I was actually at a cousin’s wedding. So I didn’t expect to have much time to play. However, I did bring along some gear, and spent some time Friday night and Saturday afternoon playing with the little information that had leaked out from the Con.

In particular, someone tweeted a very good picture of the badge. Unfortunately I forget who it was, and the picture isn’t showing up in a search any longer. But it was a great picture, and immediately got me thinking.

As always, if you’d like to try to solve this yourself, then STOP now, as the rest of this post is full of spoilers. If you’d like a copy of just the raw data (ciphertexts and other clues revealed during the contest), click here.

The times listed all around the perimeter of the badge really grabbed my attention right at the beginning. G. Mark was giving the keynote at the con, entitled “Pwning Time,” and so this was clearly part of the puzzle. He’s also had a history of using different symbologies in past puzzles — Naval signal flags at QuahogCon, and Morse Code and barcodes at ShmooCon. And knowing that he’s a retired Navy Captain — well, I almost immediately decided the times had to be Naval Semaphore code.

Unfortunately, a closer inspection showed that this would be problematic. Nearly half of the codes had the same “hour,” which seemed really unlikely for just about any simple substitution cipher. I played with the times for a while, trying all kinds of crazy sequences, counting tricks, etc., but just couldn’t get anything useful out of it. As it turns out, those were part of a totally different contest, and not even related to G. Mark’s puzzle.

About that time I also received word that there were multiple stages, requiring more than just the badge picture. The conference program apparently had several clues, and also a T-Shirt had some kind of ciphertext. So there was absolutely nothing I could do right away….which was good, since it was time to go to the wedding.

Of course, I still had my phone with me, and it buzzed multiple times that night and the next day with hints and information from @g_mark (all times given in Eastern, as that’s where I was):

10/23/2010 18:00 TOORCON crypto puzzle first hint – Start on the edge!

10/23/2010 20:33 TOORCON – I’ve asked if they would post images of badge, t-shirt, and program to website. Remember – start on the edge … But of what? ;)

10/24/2010 13:40 TOORCON – Each crypto clue contains a riddle, a pointer to the next clue, and the encryption key. Follow the chain to the final answer.

10/24/2010 17:22 Your TOORCON badge is not a clock if you want to check the time. Could a clock face tell more than time? Could it send a signal?

10/24/2010 18:15 TOORCON if you have trouble getting started, .-.. --- --- -.- ..-. --- .-. -.-. --- -.. .

Interesting. So even in the middle of the afternoon on the last day of the con, he’s still giving pretty early hints. I wonder how many people were playing… And that definitely leaves the field wide open for me to snatch victory! :) Also, one of those clues (clock sending a signal) certainly reinforced my thoughts about semaphores.

Late Sunday night, I got some additional information from G. Mark, including a not-for-redistribution copy of the program and the text from the back of the con t-shirt (THANKS!!). So I sort of started my “official” clock at 11:00 that night. Not long after, I saw a final tweet:

10/24/2010 23:13 TOORCON thanks to players who purchased clues and raised $172 for Toorcon foundation. Farthest progress = stage 5 of 6. Thanks for pla …

So people could BUY clues? Hm. New wrinkle. And still nobody solved it, although some people came close (though I wasn’t sure if this meant the farthest people were “at” stage 5, or had “solved” stage 5).

Anyway, I’m now looking through the program, and seeing clocks on nearly every page. With a different time displayed on each clock. And they’re analog clocks. So the hands really do look like semaphores. Always nice when a gut feeling turns out to be right.

However, his first hint said to “start at the edge,” and another tweet (in Morse code) said “LOOK FOR CODE.” So I pull myself away from the clocks and find some Morse code printed right on the edge of the last page (the dots were about cut in half — it bled right off the edge).

.-.. --- --- -.- .- - - .... . - .. -- . -....- .. - .----. ... .---- ...-- --- .----. -.-. .-.. --- -.-. -.-

Ah, that’s more like it. Pretty quickly I decoded “LOOK AT THE TIME” and moved on to the next phase, the clocks. Later, G. Mark mentioned something about “13 O’Clock” having confused some people, which in itself confused me — I had no idea what he was talking about. Then I realized — while reading the code, zoomed in on an iPad, I’d only seen (and decoded) the top half. I’d missed a whole half of the clue! The 2nd half was a hint that the text from the clocks was ROT-13 encrypted, which I’d sort of guessed automatically anyway. The full text from the Morse code was:

LOOK AT THE TIME – IT’S 13 O’CLOCK.
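
A decoder for that edge code, as an added example rather than anything from the post. EDGE_CODE is the code from the program edge in plain ASCII dots and dashes (the blog’s typography turns runs of hyphens into en and em dashes, so it is restored here from the decoded text); letters are separated by one space and words, where marked, by a slash.

```python
# Added example (not the post's own code): a small ITU Morse decoder for the
# code printed on the edge of the ToorCon program.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", ".----.": "'", "-....-": "-", ".-.-.-": ".",
}

# The program-edge code, ASCII form; no word gaps were printed on the page.
EDGE_CODE = (".-.. --- --- -.- .- - - .... . - .. -- . -....- "
             ".. - .----. ... .---- ...-- --- .----. -.-. .-.. --- -.-. -.-")


def morse_decode(code, unknown="?"):
    """Decode Morse with one space between letters and '/' between words.

    Any group that is not in the table decodes to `unknown`, so a clipped or
    mis-transcribed symbol shows up in the output instead of silently vanishing.
    """
    words = []
    for word in code.split("/"):
        words.append("".join(MORSE.get(sym, unknown) for sym in word.split()))
    return " ".join(words)


if __name__ == "__main__":
    print(morse_decode(EDGE_CODE))
```

With no word separators on the page the output runs together as LOOKATTHETIME-IT'S13O'CLOCK, which is the full text the post eventually arrives at, apostrophes and the dash included.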

But I digress. The clocks, finally getting to try my semaphore idea. Using the Wikipedia page as a key, I converted the clock faces to text.

PURPXL SBEFVK BFRXRL SSASGR

which, ROT-13 decoded, gave me:

CHECKY FURSIX USEKEY FFNFTE

Obviously, there was something wrong, and I eventually decided that it was supposed to be:

CHECK YOUR SIX USE KEY OF NOTE

Apparently a few of the clocks got messed up when the program graphics were created. “Check your six” is military jargon. Six being short for 6 o’clock, which basically means behind or back. So “Check your six” is telling me to check my back. Back of the T-Shirt. So now I need the T-Shirt code, and use a key that’s somehow related to the keynote address. Here’s the ciphertext:

U FIDO YFAENY ETZVR
MT JZKQD FP RUGYD
YA UJO EAUI CQULC
DU SAZX OZSZQNF

LFYQ UNJSJQ
OW DNQ BRMQ OOMOX
IHVX EAU KBE
KOL GOXL USYOOMOX

ZEN CKORVDY EHFGKP
TYOXQ SFYT IICV HQ
IW IUG DVMUPE
NSZT KVI UR C

But what’s the key? It should be related to the Keynote, somehow. So I tried several words — KEYNOTE, TIME, PWNING, PWNINGTIME, GMARK, etc., and got nowhere. I also tried more direct attacks using online Vigenère apps, but also got nowhere. Because of a transcription error of my own, even after correcting the result of the clock phase I also got stuck down another blind alley for a bit. Finally, the next morning, I again tried the old standby — “GMARK.” Only instead of being a shift to Z as he’s used in the past (using Z as a space), it was a classical Vigenère cipher. I know I tried that before, but must’ve messed something up. The result was:

O TIME STANDS STILL
AT SPEED OF LIGHT
SO USE YOUR SKILL
TO GAIN INSIGHT

LOOK INSIDE
OF THE BACK COVER
WHEN YOU TRY
YOU WILL DISCOVER

NEW SECRETS SHOWED
THERE SOON WILL BE
IF YOU DECODE
WITH KEY OF C

Now I’m getting somewhere. The inside back cover of the program had a big ciphertext string.

OCRUG HUCOW OUUGO WJZAN JYEQD  KGHFO YSNNX RLARZ XTXOE CUPAL
OMTXL GAXZQ IAEKN TPVJH MNBTI  YSWTB IOVCS KUKZH NHSQA PYFMZ
KOAQZ CHGJU OHUPV XBORZ AGZFD  WHIJV WJDUB SEYON UQMYX FDOPS
RUFGC DNBUU MCHVD WTIVG ZUCSJ  HCCUB NEAVE CBXSL IHZMX NQHBV
IKDJK VDDXK VEDSU CEJLN RMEAM

VHXWC ESQLP RNGBS DPRII ESBXR  BXNZX AIGPR BEOWX SOLTG FTFUN
GEZMA MFCNG L

INCVI STYAL OVEMN SFXRW UEVJT  VCGJA HSEMD ALPBF RONLO LWMAN
AXWVE WRLDT EZKNB UANAP GNHWA  IWWBE BFTDJ OKCDX RYWTO QSBYO
OFEYS BIPNU XISXY WRDTI PJBMW  OBRBW NCGVS AOBTZ LJBQT VSCBV
PJHEP LMLRV UXSHO MZTWO CPVOG  SIHSL KVPCR YHPLD MOPOJ WWCNJ
NFTWO RQOWP HKAOZ IQDFA RBXFB  VKXTK CPKQO YQIBU PZXSO LUWWC
AZHGB RLPCZ FPVEL HVQDH LQJTE  DUNUX MRIRL PKJUB ESGAF CBAOF
ZOZJY RSYYY IMLRC KDNSF KJVKA  WTFNE UFZGS PMXYJ VLKTH WCJNJ
VZLSH IAWKV TQAYE TQFYH KJMHP  ISGTL BQRIS OYYLA XXFLI GHTCC
OVXNZ DULNO MKEXT SHLIY LCVVO  TIUIB KSBMF XLYTE BAQLB UOMIK
IFWGV SXAOV WZOZY NOVOM UQMMF  RFTLZ VH

NPFAY KYCMT XUSWT ZAYVW TSTWC  PAHPS TRSFV EBHKR WQWAD DZDSG
DNXLK UEBHY DNDZR KNUVX RBQPD  WRNBI DAWRB PYVSL QRYQX AF

I played with this for a while, trying all kinds of things. Obviously, the speed of light (represented in scientific notation by a capital C) must play into it somehow (unless he’s going for a musical key), so variations of “two nine nine…” and “one eight six…” (speed of light in meters/second and miles/second) are tried without success. I also numbered the alphabet from 0 (or from 1) to convert the speed to cjjhjcefi, etc. The previous page in the program included a list of people to whom the conference was expressing gratitude — including Kernighan and Ritchie. Hm. K&R are the “fathers” of the C programming language. But that also got me nowhere. I even tried cribbing text — basically, assuming that the sequence “GMARK” will show up somewhere, and brute-forcing solutions that make that happen. If it works in one place, then I try that key fragment elsewhere to see if other words pop out, and if so, that means I’ll have part of the key figured out. It’s a classical attack that I’d never tried before, but it was totally useless here. Damn.

However, I’m convinced that there’s a polyalphabetic cipher at play here, and not a columnar transposition (though “Key of C” also made me check out at least a few columnar attacks, what with the word column starting with C). As a possible variant of that, I even tried sliding rows and columns back and forth based on the digits in C (kind of like his ShmooCon 2009 puzzle). Ultimately, though, none of these worked. And because the frequency distribution of the letters is very flat, it really almost has to be a polyalphabetic cipher.

Finally, after about a day of running a bunch of crazy attacks, and even some drawn-out brute force and dictionary attacks, I put it aside.

Then late on the 28th (or early the 29th, I forget), G. Mark pokes me with a sharp stick, surprised that I hadn’t made any more progress. So I pull the ciphertext out again and keep trying. He confirmed for me that the frequency distribution is “designed to be very flat.” Then he asks me what I think the key is. “299792458,” I respond (the speed of light in meters / second). That’s the right key, he tells me. Now how do I use that? Don’t change it at all, “Use it AS IS,” I’m told. Less than 10 minutes later, I was writing “c…o..n…g…r…” on a post it, and reached for the computer.

Start with the key “299792458.” Begin at the beginning of the ciphertext. Go to the 2nd character, in this case, “C,” and write that down. Then go over 9 characters (“rughucowO”) and write down “O.” Then over another 9 (uugowjzaN). “N.” Over 7 (G). Over 9 (R). And so forth. Here’s the final plaintext:

CONGRATULATIONS YOU HAVE FOUND THE HIDDEN MESSAGE ONE LAST CHALLENGE FOR YOU TO SOLVE LOOK DOWN WHAT YOU ARE HERE FOR IS KEY WHAT THIS LOOKS LIKE IS YOUR PASSPHRASE HURRY X

I wasn’t quite sure how to handle it when I reached the end of the text and wrapped back to the beginning, and so I played a little with the script to see if there was more — but once you reach the end, that’s it. All the rest of the letters are noise. In fact, G. Mark told me they came from a site using, literally, atmospheric radio noise to generate random letters. Hence the very flat frequency distribution.

What’s next, then? Well, “LOOK DOWN” could mean for you to see your badge. That’s the next ciphertext. He talks about “KEY” and “PASSPHRASE” as two different items, which immediately makes me think about a keyed Vigenère, as used on the Kryptos sculpture. KEY might then be “TOORCON,” or “CONFERENCE,” or “TALKS” or somesuch. But what does “WHAT THIS LOOKS LIKE” refer to? The badge itself? Gear, or sprocket, or clock? Or something else?

Another prod from G. Mark makes me look at the last ciphertext itself (the big block of text). What does that look like? “Good luck googling THAT :) ” he says. He also tells me it’ll be an “AHA! Moment” when I get it. So I try to relax and just let the answer come to me.

I think about rows of text…prose…paragraphs. Squinting, I can almost imagine it’s marching soldiers — so I play with rank and file and other such words. Then I set it aside again, knowing this isn’t something I can force.  About an hour later, it hits me — the Kryptos sculpture. It’s rows and rows of letters, broken up into four blocks (not visually, but there are four different sections to the puzzle).

Finally, I’ve broken the last code. The ciphertext on the badge:

EJGNE EBKJY LEPNS LFQSO UBSNN TIOAC YQRRL KJNYO CRRGG RLPOO TRRML NSGGY IVRTE PYEC

is a keyed Vigenère cipher, using “TOORCONTWELVE” as the alphabet key, and “KRYPTOS” as the passphrase. This gives me the following plaintext:

IHIDE WITHT HEMAN WHOST OPPED THEMO TOROF THEWO RLDDI ALMEB YNAME ANDIW ILLAN SWER

Or, reformatted for easier reading:

I hide with the man who stopped the motor of the world. Dial me by name and I will answer.
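
For anyone who wants to check the badge stage, here is a keyed Vigenère of the Kryptos kind as an added example (my code, not the post’s). It assumes the convention that reproduces the badge solution: the alphabet key builds one mixed alphabet that serves as both the plaintext row and the cipher rows, and each passphrase letter selects its row by its position in that same mixed alphabet. The ciphertext and plaintext constants are the badge strings from the post with spaces removed.

```python
# Added example (not the post's own code): Kryptos-style keyed Vigenère.
BADGE_CIPHERTEXT = ("EJGNEEBKJYLEPNSLFQSOUBSNNTIOACYQRRLKJNYO"
                    "CRRGGRLPOOTRRMLNSGGYIVRTEPYEC")
ALPHABET_KEY = "TOORCONTWELVE"
PASSPHRASE = "KRYPTOS"


def keyed_alphabet(alphabet_key):
    """Key letters first (duplicates dropped), then the rest of A-Z in order.
    TOORCONTWELVE -> TORCNWELV + ABDFGHIJKMPQSUXYZ."""
    seen = []
    for ch in alphabet_key.upper() + "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        if ch not in seen:
            seen.append(ch)
    return "".join(seen)


def keyed_vigenere(text, alphabet_key, passphrase, decrypt=False):
    """Encrypt (or decrypt) `text` with the mixed alphabet and a repeating
    passphrase.  The shift for each position is the passphrase letter's index
    in the mixed alphabet, so the same alphabet defines rows and columns."""
    alpha = keyed_alphabet(alphabet_key)
    pos = {ch: i for i, ch in enumerate(alpha)}
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text.upper()):
        shift = pos[passphrase[i % len(passphrase)].upper()]
        out.append(alpha[(pos[ch] + sign * shift) % 26])
    return "".join(out)


def solve_badge():
    """Decrypt the badge text and confirm the result re-encrypts to it."""
    plaintext = keyed_vigenere(BADGE_CIPHERTEXT, ALPHABET_KEY, PASSPHRASE, decrypt=True)
    if keyed_vigenere(plaintext, ALPHABET_KEY, PASSPHRASE) != BADGE_CIPHERTEXT:
        raise AssertionError("round trip failed")
    return plaintext


if __name__ == "__main__":
    print(keyed_alphabet(ALPHABET_KEY))
    print(solve_badge())
```

Other keyed-Vigenère conventions exist (a mixed alphabet on only one axis, or the passphrase read against a straight A-Z); if a tool gives you garbage with the right key and passphrase, the convention is the first thing to suspect.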

ARRRGH! Not only is it Atlas Shrugged again, just like the DEFCON 18 puzzle, but it’s also another BLOODY PHONE NUMBER SNIPE HUNT! Grr. I fight with it off and on over the afternoon, thinking of phone numbers based on characters in the story, looking them up in Google, and finding that most of them have either non-existent area codes or (after I tried calling) are disconnected or local businesses.

Later that evening, though, literally as I was putting my oldest child to bed, it hit me. Quite annoyed that I’d missed it earlier that afternoon, I texted the right answer to G. Mark. (At his request, I won’t post it here — he doesn’t want me to keep burning his various Google Voice numbers :) ).

So, I went from zero to the big ciphertext in just a few hours (there was sleep in there somewhere), then put it aside for a few days, then once I went back at it had the whole thing solved in another 12 hours. Not bad. Granted, I was getting some helpful hints from G. Mark, but then anyone at TOORCON would’ve had that as well. In fact, it appears that G. Mark was even selling hints for charity at the con. I don’t know what hints he sold (and would be curious to see them), but I imagine the help I received wasn’t significantly different from what they got.

To summarize the various stages of the puzzle:

Stage   Ciphertext     Cipher                  Key
1       Morse Code     n/a                     n/a
2       Semaphores     Naval semaphore code    ROT-13
3       T-Shirt        Vigenère                GMARK
4       Back Cover     Multiple Skip           299792458
5       Badge          Keyed Vigenère          TOORCONTWELVE / KRYPTOS
6       Final Riddle   n/a                     n/a

The most intriguing part of this puzzle, for me, was the encipherment of the back cover text. The “multi-skip” cipher (I’ve no idea if there’s a name for this, so I just made that up) was really interesting, especially with the use of the noise to give the overall ciphertext a very flat frequency distribution. That distribution could easily send an attacker into a polyalphabetic rabbit hole, exactly as happened with me.

Another interesting thought I had about this cipher: You could easily fit a second message in the noise, using a different key. Perhaps additionally hidden with ROT-13 or something else, or perhaps simply hiding in plain sight alongside the more “obvious” primary message. (I’ve already searched, and found no additional messages here. Which doesn’t mean there aren’t any, only that I didn’t find one.)

But is there a way to cryptanalyze this? G. Mark himself gave me a suggestion in that respect — he said that if you looked at a histogram “with period 55,” you’d see spikes corresponding to the digits of the key.

Naturally, I had to write a script to do exactly that. Not being entirely sure what the best approach was, I ended up with something that worked like this:

  • Select an overall period of repetition (this works out to the sum of all the digits in the key)
  • Sort the ciphertext into that many bins
  • See if any of those bins contain an odd distribution of characters

Really, it’s just reformatting the text into X columns, and seeing how the distribution of letters looks for any given column.

The theory here is that for any period, you’d get a mix of hidden plaintext characters and the random filler noise, until you hit on exactly the right period, in which case some number of bins (containing only plaintext, but no noise) would have markedly different frequency distributions.  Of course, this tool would have to be simple, fast, and the results easy to scan. Something that made me actually look at full-alphabet distribution graphs for each bin for each period tested — well, that simply wouldn’t work. So I came up with a simple scoring method.

Using the frequencies of letters in the English language, I assigned each letter in each bin a score. “A” shows up 8.17% of the time, so any “A” in a bin is worth 8.17 points. “B” shows up 1.49%, so those are worth 1.49 points, and so forth. I add ‘em all up for a bin, then divide by the size of the bin, and that gives me the average frequency of the letters in the bin. More or less.

Next, running this script against the ciphertext, I had to figure out what the appropriate threshold would be. Too high a threshold would only show me periods with bins containing only very common letters, and since even the uncommon letters happen occasionally, that wouldn’t work. Too low a threshold and I’d have too many things to look at. Because of the way the cipher worked, I’d at least be able to throw out any potential key where the last bin in the period wasn’t over the threshold (if the period didn’t end with a key-recovered plaintext letter, then that “key” would really have a shorter period, and so it’d be invalid) (it’s hard to describe, just trust me on this, or better, try it yourself.)

So, running the script with the threshold set at 3 (so the average frequency of the letters in each bin is at least 3%), I get the following (note that for all of these outputs I only show the first five lines; they go on for hundreds of lines):

Threshold: 3
4 [1, 1, 1, 1] [4, 3, 4, 3]
5 [1, 1, 1, 1, 1] [4, 4, 3, 3, 4]
6 [1, 1, 1, 1, 1, 1] [3, 3, 4, 3, 4, 3]
7 [1, 1, 1, 1, 1, 1, 1] [3, 3, 3, 4, 3, 4, 4]
8 [1, 1, 1, 1, 1, 1, 1, 1] [4, 3, 4, 4, 3, 3, 4, 3]

Clearly, this isn’t the right cutoff. Virtually every period (the first number on each line) is a candidate. The “keys” generated (the first bracketed sequence, “[1, 1, 1, 1, 1]”) are pretty useless. In the case of “1 1 1 1 1” as a key, that’d just be the ciphertext repeated back, in order, with no skipping at all. Have too many 1s and 2s in the key and the solution might be viewable just by looking at the ciphertext and squinting. Finally, the peaks themselves (the second bracketed sequence) don’t look interesting. Increasing the threshold to 4%, we reduce the output somewhat:

Threshold: 4
11 [2, 1, 2, 4, 2] [4, 4, 4, 4, 5]
14 [1, 2, 2, 2, 2, 2, 2, 1] [4, 4, 4, 4, 4, 5, 4, 4]
15 [1, 1, 3, 1, 1, 5, 3] [4, 4, 5, 4, 4, 4, 4]
20 [1, 1, 1, 2, 6, 1, 3, 2, 2, 1] [4, 4, 4, 4, 4, 4, 4, 4, 4, 4]
21 [1, 1, 2, 2, 3, 2, 1, 1, 1, 7] [4, 4, 4, 4, 4, 5, 4, 4, 4, 4]

But there are still far too many candidate solutions. And, again, the keys and peak frequencies look, well, uninspiring. Finally, putting the threshold at 5% generates something interesting:

Threshold: 5
55 [2, 9, 9, 7, 9, 2, 4, 5, 8] [5, 8, 6, 5, 5, 5, 6, 6, 6]
56 [7, 10, 16, 3, 3, 12, 2, 2, 1] [5, 5, 5, 5, 5, 5, 5, 5, 5]
67 [12, 8, 3, 2, 6, 17, 13, 1, 1, 4] [5, 5, 5, 5, 6, 6, 5, 5, 5, 5]
77 [11, 2, 12, 4, 2, 7, 4, 2, 5, 11, 17] [5, 5, 5, 5, 5, 6, 5, 5, 5, 5, 6]
79 [3, 6, 2, 4, 4, 5, 1, 13, 20, 4, 1, 2, 14] [5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5]

Almost all the candidates on this run look interesting, at least from looking at the keys. The first candidate, at key period 55, looks really interesting. Over half of its bins meeting the threshold are actually above the threshold — there are four 5s, four 6s, and even one at 8%. Finally, the key itself should appear familiar — it’s the speed of light in meters/second. Clearly, this is the answer. Adding in a line to decrypt using each candidate key as it’s derived, we see the plaintext jump right out:

Threshold: 5 (with decryption)
55 [2, 9, 9, 7, 9, 2, 4, 5, 8] [5, 8, 6, 5, 5, 5, 6, 6, 6]
CONGRATULATIONSYOUHAVEFOUNDTHEHIDDENMESSAGEONELASTCHALLENGEFORYOUTO…

56 [7, 10, 16, 3, 3, 12, 2, 2, 1] [5, 5, 5, 5, 5, 5, 5, 5, 5]
UJNRROTLGEBZHAHJOHRJXORHDTIJEIJDLREAEDIRONEMAIOCAEOWANRATODOESBSBTJT…

67 [12, 8, 3, 2, 6, 17, 13, 1, 1, 4] [5, 5, 5, 5, 6, 6, 5, 5, 5, 5]
UNEDYPIAEPTUHHFVIJVUFGNUDEXNQIDRAVSXEOWLANITEANLOAEANWESUXIWRATLSHI…

77 [11, 2, 12, 4, 2, 7, 4, 2, 5, 11, 17] [5, 5, 5, 5, 5, 6, 5, 5, 5, 5, 6]
OUDFYATOAQSKHOCGVRAWEGDTUAEHNHDSEPIARETFNAIEEDWAWTNUGFYUIMRWOLBC…

79 [3, 6, 2, 4, 4, 5, 1, 13, 20, 4, 1, 2, 14] [5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5]
ROOOAQDAXAENTOKHQFAQBEUQYBMTVCCEANCNRENSEBXABENAEMSAEBROAVENCYWO…
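
The decryption walk described for the “299792458” key, and the period-binning test it falls to, written out as one script. This is an added example, not the post’s script: BACK_COVER is the back-cover ciphertext transcribed from the post with its spacing removed; the letter frequencies are the standard English percentages the post refers to (A 8.17%, B 1.49%, and so on); and `candidate_key` turns the bins over the threshold into a skip key the way the post describes, including its rule that the last bin of the period must be over the threshold. The exact set of false-positive periods a scan reports depends on the frequency table and rounding used, so the listing above is not claimed to reproduce verbatim; period 55 with the speed-of-light key is the case that matters.

```python
# Added example (not the post's own code): the "multi-skip" cipher and the
# period-binning attack on its uniform filler.
BACK_COVER = "".join("""
OCRUG HUCOW OUUGO WJZAN JYEQD  KGHFO YSNNX RLARZ XTXOE CUPAL
OMTXL GAXZQ IAEKN TPVJH MNBTI  YSWTB IOVCS KUKZH NHSQA PYFMZ
KOAQZ CHGJU OHUPV XBORZ AGZFD  WHIJV WJDUB SEYON UQMYX FDOPS
RUFGC DNBUU MCHVD WTIVG ZUCSJ  HCCUB NEAVE CBXSL IHZMX NQHBV
IKDJK VDDXK VEDSU CEJLN RMEAM
VHXWC ESQLP RNGBS DPRII ESBXR  BXNZX AIGPR BEOWX SOLTG FTFUN
GEZMA MFCNG L
INCVI STYAL OVEMN SFXRW UEVJT  VCGJA HSEMD ALPBF RONLO LWMAN
AXWVE WRLDT EZKNB UANAP GNHWA  IWWBE BFTDJ OKCDX RYWTO QSBYO
OFEYS BIPNU XISXY WRDTI PJBMW  OBRBW NCGVS AOBTZ LJBQT VSCBV
PJHEP LMLRV UXSHO MZTWO CPVOG  SIHSL KVPCR YHPLD MOPOJ WWCNJ
NFTWO RQOWP HKAOZ IQDFA RBXFB  VKXTK CPKQO YQIBU PZXSO LUWWC
AZHGB RLPCZ FPVEL HVQDH LQJTE  DUNUX MRIRL PKJUB ESGAF CBAOF
ZOZJY RSYYY IMLRC KDNSF KJVKA  WTFNE UFZGS PMXYJ VLKTH WCJNJ
VZLSH IAWKV TQAYE TQFYH KJMHP  ISGTL BQRIS OYYLA XXFLI GHTCC
OVXNZ DULNO MKEXT SHLIY LCVVO  TIUIB KSBMF XLYTE BAQLB UOMIK
IFWGV SXAOV WZOZY NOVOM UQMMF  RFTLZ VH
NPFAY KYCMT XUSWT ZAYVW TSTWC  PAHPS TRSFV EBHKR WQWAD DZDSG
DNXLK UEBHY DNDZR KNUVX RBQPD  WRNBI DAWRB PYVSL QRYQX AF
""".split())

# Relative frequency of each letter in English text, in percent.
ENGLISH_PCT = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", [
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
    0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
    2.758, 0.978, 2.360, 0.150, 1.974, 0.074]))


def multi_skip_decrypt(ciphertext, key):
    """Walk the ciphertext, advancing key[i] letters each step (cycling the
    key); every letter landed on is plaintext, everything skipped is filler.
    The walk stops at the end of the text: there is no wrap-around."""
    pos, i, out = -1, 0, []
    while True:
        pos += key[i % len(key)]
        if pos >= len(ciphertext):
            return "".join(out)
        out.append(ciphertext[pos])
        i += 1


def bin_scores(ciphertext, period):
    """Average English-frequency score (in %) of the letters at each offset
    modulo `period`.  A bin of uniform random filler averages about 3.85;
    a bin holding only English plaintext averages roughly 6 to 6.5."""
    totals, counts = [0.0] * period, [0] * period
    for i, ch in enumerate(ciphertext):
        totals[i % period] += ENGLISH_PCT[ch]
        counts[i % period] += 1
    return [t / c if c else 0.0 for t, c in zip(totals, counts)]


def candidate_key(scores, threshold):
    """Turn the bins at or over `threshold` into a skip key: the first digit is
    the first hot offset + 1, then the gaps between hot offsets.  If the last
    bin is not hot the true period would be shorter, so no key is returned."""
    hot = [i for i, s in enumerate(scores) if s >= threshold]
    if not hot or hot[-1] != len(scores) - 1:
        return None
    return [hot[0] + 1] + [b - a for a, b in zip(hot, hot[1:])]


def scan_periods(ciphertext, threshold, max_period=100):
    """(period, key, first 40 plaintext letters) for every period whose hot
    bins form a key.  Real hits decrypt to readable text; the rest is noise."""
    hits = []
    for period in range(2, max_period + 1):
        key = candidate_key(bin_scores(ciphertext, period), threshold)
        if key:
            hits.append((period, key, multi_skip_decrypt(ciphertext, key)[:40]))
    return hits


if __name__ == "__main__":
    print(multi_skip_decrypt(BACK_COVER, [2, 9, 9, 7, 9, 2, 4, 5, 8]))
    for period, key, head in scan_periods(BACK_COVER, 5.0):
        print(period, key, head)
```

The scoring is the whole attack: because every plaintext letter sits at a fixed offset within each 55-letter cycle, binning by the right period separates English from filler, and the filler’s flat distribution is exactly what makes the English bins stand out. That is also why the “improved” ciphertext below, whose filler is drawn from the plaintext’s own letters, gives this script nothing to find.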

It almost appears that I’ve developed a pretty simple tool for detecting, and decrypting, occurrences of this nifty multi-skip cipher. Even if it doesn’t always find the answer right off, it might be a good tool to narrow down to a few ideas to test. So how could G. Mark have prevented this kind of attack? The use of atmospheric noise to make a very random set of filler letters seems, at first, to be pure genius. But because the distribution of the noise is totally unlike the distribution of the plaintext, a script made by a crypto-kiddie like me can (theoretically) bust it open.

So here is what I believe to be an “improved” version of the back cover ciphertext:

ECRRT IREYS OASHT TRFWN NHHUE MGYEA ECLOR RAADV CTANH EULAS 
ORKML KATOE ONNEH TSBHO AHWWI OSBTN OOEYM ASHEH NASRE HYNBT 
ROVTR OTRAU SHTON RHAUS AHTHK TNFOV SAUTH TEAWO OKSEA FYOCR 
RUEMT TNEHE YOUID NTACH IACLB HNNNY AWSOE LANRV THODW OAEFE 
IODVO RDOTT OEOED SAIIN PMIGH

ELHON EOARY OTHUS TNABE ASRHY UREUD AEGEY HEHDU TOILU PYGSN 
YEWEO RTRDO L

KHRNM AAEAS HNRRN SSSRS GTANT OCIOI HYHOV ALHNE RIHLE LENKE 
INEUE UOHOK SEUNO HIAAN GIGIR TWANE RFSRU OSHUO RNMHC AIWYF 
OELWI UIOTU IASHG SESTE AOROT OGMNO EEYUS TOOST LTOEA VBWYV 
TSAEN LFGEE FEIAO DEWTO ROHOH YOENC KPEAE ONHYD YOGSD WFORT 
NYAOA OSEWA HSYFL EPRUA BDHGL SLVTH AFLRU YPEEE TCTEO IUTON 
AAESH ROHAF WFHEE HENEU GODAE HRGKN OAARH TOVRV EGOAG OTCEF 
TOSOR RDUTE IKYIS ALRSW KNNSM OSTTE ANSSV STSYN DUNOE WOGVA 
SAMEH TAOIT TSEIE TUETL NGOHL INFTO TSYNS HFSEN YHRLT KNTSA 
OSWER TBHNO YKSAK SUNTB LRVOH MVIIH KSTNO YEAWE SLOTR ALYIE 
OLTSO SUETI SHIDY OORSS UVETT RVFOA NAVPO AYYES TOTTS HGSAE 
DLISH HSDSR PAHHH EAAYH LRONH AGUOE SVRIS CIAEA HYAYY ELSEU 
DDHAE UTWRI ESGRM RYLVE DTYLY YXYIR TRATO GRASF CVKSL YUUHG 
RTEHT ARREE ONEE

ARIYS HTNEE AOTFR OENNA AOMON ONOTE TYHUD VXTHD TENAT UVGIO 
YTAEE SLEDL EKCVE EBLHG HTYOU EHLFO TAETT TNNEO OOSAI EX

In this case, the filler data is random letters taken from the plaintext itself. So the filler has exactly the same frequency distribution as the plaintext. Which means that my silly little cryptanalysis script is rendered completely worthless. Every key generated, for every key length, is simply “1 1 1 1…..” Anyone attacking this new ciphertext will probably get sucked down into a different rabbit hole (this time, a transposition cipher rabbit hole).

Is it really better? I don’t know. It might be, but then again, I’m just a beginner here. I could be missing something important.

Anyway, the bottom line is that this was yet another fun puzzle from G. Mark. I’m glad he was able to share with me the details of the puzzle after the con completed, so that I could have the thrill of solving the challenge. And finding a totally new crypto scheme (and possibly even improving upon it) definitely made this a memorable victory.

Thanks again, G. Mark!

UPDATE: For fun, I tweaked the “improved” back cover ciphertext. Sharp-eyed readers may notice that it’s a little bit longer than the original. There’s now a second message embedded in the noise… I’ll even give you a hint: Counting begins at position 4, not 1 (to avoid crashing into the original hidden text). And the key is in this page’s URL.

THOTCON Pre-Sale Code Puzzle

November 22, 2010

THOTCON is an information security conference in Chicago. And they did a puzzle last year, that I solved, and got a really cool Sake decanter as a prize. The guy who did the puzzle, Sak3bomb, did another puzzle for the next THOTCON — this one for a pre-sale prize in advance of next spring’s conference.

Problem is, the puzzle came out while I was at the beach. When I was supposed to be resting. At 1:30 in the afternoon, on September 17th. Of course, I didn’t see it until about 9:00 in the evening. When I was supposed to be resting.

Naturally, I couldn’t leave it alone, so I started to work. First, the puzzle tweet:

[9/17/2010 1:29pm @thotcon] Pre-Sale Puzzle -> FAW2GlImKsT3BL8yKQF= zf-c75-sb-j 60max #thotcon #hacking #infosec #security

As always, if you’d like to solve this yourself, stop now. The rest is full of spoilers. The big challenge is just that string, you’ll know when you have it cracked, and then you can come back here to see how the rest of the game played out. [though you might also want to check out the first couple of hints below...]

Okay, so we’ve got a base-64 string. What’s the zf-c75-sb-j bit? A subsequent tweet cleared that up:

[9/17/2010 3:12pm @thotcon] Looking for pre-sale puzzle hints? follow @sak3bomb, @jaku, @c7five, and @zfasel now!!!

By the time I started, there were already two hints posted:

[9/17/2010 3:00pm @thotcon] I was born on April 5th. #thotcon0x2

[9/17/2010 3:33pm @Sak3bomb] What do you mean I was part of the Reichstag zu Worms? #thotcon0x2

Okay. Well, first, what’s the Reichstag zu Worms? It sounded vaguely familiar, and a quick trip through Wikipedia explained it to me. Better known to English speakers as The Diet of Worms, a meeting of leaders of the Holy Roman Empire. The Diet of 1521 was famous as the trial of Martin Luther. But which of the attendees are we supposed to be focusing on? Again, to Wikipedia, for a list of people born on April 5, sometime in the 20 years or so before the Diet of Worms (which happened in 1521). Wow! Blaise de Vigenère was born on April 5! But 1521. Hm. Wait, there were several Diets (meetings) at Worms, so he just wasn’t at Martin Luther’s particular meeting.

This is important. This means something. So, alright, there’s a Vigenère cipher in play here. Let’s decode the base-64 string and see if we can guess the key. Unfortunately, the decoder gives me random-looking binary data. And there’s no way I can run that through this cipher — it sort of pre-dates binary codes (well, ASCII at least).

I did, however, notice one interesting thing: The decoded binary string had 14 bytes. THOTCON has 7 characters. It’s not a requirement that a Vigenère ciphertext be a multiple of its key length, but it seemed like an interesting coincidence.

I played with it for a while, trying to force a Vigenère cipher to work with the binary data, basically by using all 256 characters (8 bits) as the alphabet, instead of simply the letters A-Z. That didn’t get me anything interesting. I also tried some bitwise exclusive-or (XOR) approaches, again using THOTCON as the key, but again I got nowhere.

I even considered that maybe we were supposed to block out the bits differently — turning 14 8-bit blocks into 16 7-bit blocks, or arrange it into a square and read vertically, or other crazy things. Nothing seemed to help. Finally, I put out a call for help:

[09/17/2010 10:34pm @schuetzdj] Dammit. Another puzzle. Figured out the first two clues and stuck again. :( #thotcon

and about 20 minutes later I struck up a conversation with @c7five:

[09/17/2010 10:57pm @c7five] @schuetzdj where are you stuck?

[09/17/2010 10:59pm @schuetzdj] @c7five Applying cipher to b64 output. Can’t get anything useful. Tho get leading @ a couple ways, which was intriguing.

[09/17/2010 11:01pm @c7five] @schuetzdj hint: the base64 you see needs to be deciphered before it is useful. Follow the clues. You have the algo and key.

[09/17/2010 11:03pm @schuetzdj] @c7five As in, decipher THEN b64 decode? considered that, didn’t explore too long.

[09/17/2010 11:03pm @c7five] @schuetzdj yup.

Cool! That should help! As I said in the tweet, I’d briefly considered that the base-64 string wasn’t really base-64, but was itself enciphered to only look like base-64, but again I was stuck on the problem of a larger-than-normal Vigenère alphabet. However, this hint told me that was the right way to go, after all, and so with renewed enthusiasm I returned to the puzzle, even as those around me started heading off to bed.

I reviewed how the Vigenère cipher worked, and verified that my program was actually doing the decryption properly. But I still got stuff that, once sent through the base-64 decoder, looked like binary gibberish. I wasn’t any closer. Just to be sure, I wrote a simple program to generate a partial Vigenère tableau, saving just the bits that interested me:

alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# header row: the plaintext alphabet
print(alpha)
for x in alpha:
    i = alpha.find(x)
    # rotate the alphabet so this row starts with x
    o = alpha[i:64] + alpha[0:i]
    # only keep the rows for the distinct letters of the key, THOTCON
    if x in ('T', 'H', 'O', 'C', 'N'):
        print(o)

Traditionally, the tableau would be written such that the keyword goes across the top of the paper. But because I didn’t want to deal with 64 character columns, I did it horizontally instead. The script only prints out rows corresponding to the characters in the keyword, and then I’d manually move the rows into the right places in a text editor. The result was this:


ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

TUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRS
HIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFG
OPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMN
TUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRS
CDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AB
OPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMN
NOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLM

I also made a tableau with the traditional 26-character alphabet, to be sure I really had the method down properly. The way the cipher works is like this. First, take the ciphertext:

FAW2GlImKsT3BL8yKQF=

We’ll ignore the = at the end — that’s a padding character for the base-64 decoding that comes in step 2. Start with the first letter, F, and the first character of the key, T. Find the alphabet starting with “T” in the table, go right over to the capital F, and move up to the header row at the top. You get ‘y’. So the first letter of the plaintext is ‘y’.

The next letter, ‘A’, will have been encrypted with the 2nd letter of the key, so we go to the H alphabet, over to A, and up to 5. Carrying on, we eventually get y5IjEX7TDeA1z+pr89D. Which is exactly what my program produced. So my coding isn’t to blame — I’m simply still not doing it right. And it’s getting late. The next day I’m going to be really busy (last day at the beach and all), and I was going to spend all day Sunday travelling home, and then Sunday night flying out for a week-long business trip. So I really didn’t know when I was going to get to play again, which was pretty annoying. :( I expressed my disappointment to c7five:

[09/17/2010 11:44pm @schuetzdj] @c7five Getting nowhere. Hard to decide on proper alphabet. THINK I’m doing it right, but must have wrong key (output still ugly binary).

[09/17/2010 11:45pm @schuetzdj] @c7five Gonna have to quit soon. Not sure I’ll get to play tomorrow, and spending all day Sunday traveling. :(

and he took pity on me, verifying the key for me:

[09/17/2010 11:46pm @c7five] @schuetzdj THOTCON0X2

So I didn’t have the right key. Though I was pretty close. Hey, look at that — the key was even in the original tweet from @thotcon. Tricky. Let’s plug the correct key in, and…. y5IjEX7yz2Awz46k9cu. Dammit. I should have realized that — the result would be identical up until about halfway through the decryption, and even with the 2nd half being totally different, the base-64 decode would still largely have to be messed up binary. I’m obviously missing something. More back-and-forth tweets ensue.

[09/17/2010 11:49pm @schuetzdj] @c7five I get “y5IjEX….” Output of that (decoded) still ugly binary. Obviously, not doing cipher stage properly.

[09/17/2010 11:51pm @c7five] @schuetzdj you doing Vigenere?

[09/17/2010 11:52pm @schuetzdj] @c7five Yup. But that uses a 26-character alphabet, not 64-character. So improvising. Poorly, it seems. :)

[09/17/2010 11:53pm @c7five] @schuetzdj use: http://j.mp/aQVE3y

[09/17/2010 11:54pm @schuetzdj] @c7five You’re kidding. That’s my go-to cipher tools site. Never even tried. Hang on.

Funny how I never used my standard toolbox on this problem. But that tool isn’t designed to work with a 64-character alphabet, so how could it possibly work here? Nevertheless, I’m not going to argue, so I plug the ciphertext and key into the applet, and I get back: MTI2NjUzNzM3NS8wWDI. Plugging this into my favorite online base-64 decoder, I get stage 2:

1266537375/0X2

Clearly, that’s the right answer. But what do I do with that? Again, I’m muttering words like “sneaky,” “evil,” and “bastard” under my breath as I simply paste the result into Chrome’s URL bar, and it takes me to the last step of the puzzle.

How’d that happen? The number 1266537375 was treated as a single 32-bit integer, and broken up into 4 8-bit chunks…which, incidentally, is exactly how IP addresses work. You can do it manually with a little math: Take the big number, divide it by 256^3 (256*256*256), and that’s the first part of the address, the first “octet” (for 8 bits). Then you take the remainder (If you’re using a calculator, take the fractional part and multiply by 256^3. If you’re doing it longhand, just take whatever was left over once you hit the decimal point). Divide that by 256^2, and that’s the 2nd octet. Repeat for 256^1, and finally for 256^0 (dividing, in that last stage, by 1 — just leaving it be). The result is this:

75.125.211.159

You can check it like this: 75*256^3 + 125*256^2 + 211*256 + 159 == 1266537375. W^5. (“Which Was What We Wanted.”) (Blame Fred Whipple, my 12th grade physics teacher, for that little joke).

Anyway, all that magic happens automatically in some browsers (on my Mac, it seems to work in Chrome, but not Safari or Firefox), and it takes you to http://75.125.211.159/0X2. (incidentally, the same magic happens on some command line programs, which is why, in the early 90’s, I constantly cursed myself for naming a bunch of machines after movie titles, ’cause it was impossible to “telnet 2001”. But I’m digressing.)

The browser takes me to a page with what looks a lot like the “640K ought to be enough for everybody” quote from Bill Gates, translated into Russian. And another quote I can’t quite recognize. And a link to the THOTCON ticket sales page. And, finally, three steampunky / sci-fi-ish pictures. Damn, am I going to have to deal with steganography again, like his last puzzle?

First, let’s make sure there aren’t any hidden images or anything. View the source to the webpage, and — wait. There’s some random text for the alt and title tags on each photo. “VEHPVE,” “NPTJB4M,” and “I0YMDEX,” respectively. Maybe all three together is the code. “VEHPVENPTJB4MI0YMDEX” I jumped to the ticket page, entered the code, and sure enough — it worked. Yay! At just after midnight, I’ve completed the puzzle. And now it’s time for bed.

But first…hm…should I buy a ticket? I’m not sure I’m even going to be able to go — not sure whether work would pay for a small con like that. And it’s not a huge discount, so I’ll wait until I get back to the office and ask. If others have snapped up all the discount tickets, that’s not really a huge deal.

I let c7five know that I’ve solved the puzzle, thank him for the challenge, and go to bed.

[09/17/2010 11:58pm @schuetzdj] @c7five Interesting. I wonder how it’s doing that? Looks like upper/lowercase are automatically mixed in a single alphabet, and ignores nums

[09/18/2010 12:06am @schuetzdj] @c7five Okay, got the code. Cool. Not sure I’m even gonna buy a ticket (not sure company will pay for trip), but thanks for the puzzle!

[09/18/2010 12:07am @schuetzdj] @c7five I really have to figure out how that cipher got implemented. Didn’t seem “pure” enough — I was trying a real 64-char vig table….

[09/18/2010 12:08am @schuetzdj] And, boom, I’ve got the #thotcon0x2 pre-sale code discovered. Fun puzzle, though I’m still a little confused on some of the mechanics. Thx!

So, what did I think of this one?

First off, I both liked and hated the fact that the ciphertext only *looked* like Base-64, but wasn’t quite exactly that. Evil, evil, evil. On the other hand, I really didn’t like that it wasn’t strictly a Vigenère, either. I took sort of a purist approach, modifying the cipher to work with the alphabet before me. But the puzzle took a different shortcut. Essentially, the trick was to take a standard tableau, and ignore (but preserve) case while decrypting. That is, if you (or your app of choice) treated a capital A the same as a lowercase A, but made sure the output was the same case as the input, then you’d be good to go. Provided you also just copied the numbers over, in place, unchanged.

ABCDEFGHIJKLMNOPQRSTUVWXYZ

TUVWXYZABCDEFGHIJKLMNOPQRS
HIJKLMNOPQRSTUVWXYZABCDEFG
OPQRSTUVWXYZABCDEFGHIJKLMN
TUVWXYZABCDEFGHIJKLMNOPQRS
CDEFGHIJKLMNOPQRSTUVWXYZAB
OPQRSTUVWXYZABCDEFGHIJKLMN
NOPQRSTUVWXYZABCDEFGHIJKLM
XYZABCDEFGHIJKLMNOPQRSTUVW

FAW2GlImKsT3BL8yKQF

becomes:

MTI2NjUzNzM3NS8wWDI
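Here, as an added example that is not part of the original post or any of the puzzle author’s tools, is a Python 3 script that puts the three mechanical pieces of this write-up side by side: the “purist” 64-symbol Vigenère from the tableau section (it reproduces the y5IjEX7… outputs I got for both keys), the case-preserving 26-letter variant the puzzle actually used, and the integer-to-dotted-quad arithmetic from the IP address section. The key-handling rule in the second function (non-letters dropped from the key, non-letters in the ciphertext copied through without consuming a key position) is inferred from the eight-row tableau above for the ten-character key; the function names and the lenient padding helper are this example’s own choices, not anything the online applets expose.

```python
import base64

# The 64-symbol base-64 alphabet, in the order a tableau row would use it.
B64_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'


def vigenere64_decrypt(ciphertext, key):
    """The 'purist' reading: a Vigenère cipher whose alphabet is all 64
    base-64 symbols. Every ciphertext character, digits included, consumes
    one key character, and the key itself may contain digits."""
    plain = []
    for i, c in enumerate(ciphertext):
        shift = B64_ALPHABET.index(key[i % len(key)])
        plain.append(B64_ALPHABET[(B64_ALPHABET.index(c) - shift) % 64])
    return ''.join(plain)


def vigenere_case_preserving_decrypt(ciphertext, key):
    """The reading the puzzle actually used: a standard 26-letter Vigenère
    that ignores case when shifting but keeps each letter's case in the
    output, copies non-letters through unchanged, and drops non-letters
    from the key. Non-letters in the ciphertext do not advance the key
    (assumption inferred from the eight-row tableau for THOTCON0X2)."""
    key_letters = [k.upper() for k in key if k.isalpha()]
    if not key_letters:
        raise ValueError('key contains no letters')
    plain = []
    pos = 0                       # key index, advanced only on letters
    for c in ciphertext:
        if not c.isalpha():
            plain.append(c)       # digits, '+', '/' pass straight through
            continue
        shift = ord(key_letters[pos % len(key_letters)]) - ord('A')
        pos += 1
        base = ord('A') if c.isupper() else ord('a')
        plain.append(chr((ord(c) - base - shift) % 26 + base))
    return ''.join(plain)


def base64_decode_lenient(text):
    """Decode base-64 text whose '=' padding may have been stripped."""
    text = text.rstrip('=')
    return base64.b64decode(text + '=' * (-len(text) % 4)).decode('ascii')


def int_to_dotted_quad(n):
    """Split a 32-bit integer into four octets by repeated division, the
    long-hand arithmetic from the post (256^3, 256^2, 256^1, 256^0)."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError('not a 32-bit unsigned value: %d' % n)
    octets = []
    for divisor in (256 ** 3, 256 ** 2, 256, 1):
        octet, n = divmod(n, divisor)
        octets.append(str(octet))
    return '.'.join(octets)


def dotted_quad_to_int(addr):
    """Inverse of int_to_dotted_quad: the 75*256^3 + ... + 159 check."""
    octets = [int(o) for o in addr.split('.')]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError('not a dotted quad: %r' % addr)
    total = 0
    for o in octets:
        total = total * 256 + o
    return total


def solve(puzzle_string, key):
    """Run the three stages end to end; returns (stage1, stage2, url)."""
    stage1 = vigenere_case_preserving_decrypt(puzzle_string, key)
    stage2 = base64_decode_lenient(stage1)
    number, _, path = stage2.partition('/')
    url = 'http://%s/%s' % (int_to_dotted_quad(int(number)), path)
    return stage1, stage2, url


if __name__ == '__main__':
    ct = 'FAW2GlImKsT3BL8yKQF'
    # The two dead ends from the post, then the pipeline that works.
    print('64-symbol, key THOTCON:   ', vigenere64_decrypt(ct, 'THOTCON'))
    print('64-symbol, key THOTCON0X2:', vigenere64_decrypt(ct, 'THOTCON0X2'))
    for line in solve(ct, 'THOTCON0X2'):
        print(line)
```

Running it prints the two “purist” results (y5IjEX7TDeA1z+pr89D and y5IjEX7yz2Awz46k9cu) followed by MTI2NjUzNzM3NS8wWDI, 1266537375/0X2 and the final URL. The difference between the two decrypt functions is the whole puzzle: same ciphertext, same key, but whether a digit in the ciphertext consumes a key position decides whether the output is base-64 that decodes to text or to gibberish.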

Of course, will this really work with all tools? Or will some recognize the extended alphabet and try to go the route I took? Or will some simply fold everything into uppercase and continue from there? (which is really what I’d expected everything to do). It wasn’t until nearly a week later that I finally had a chance to try the ciphertext in several other online tools. The first three were tools I’ve used a lot in the past (and the 1st two I use frequently):

Site                      Output               Comment
Rumkin Cipher Tools       MTI2NjUzNzM3NS8wWDI  Correct, and what c7five pointed me to.
UCSD                      MTINJUZNZMNSWWDI     Stripped numbers, converted all to uppercase
Sharky’s Vigenere Cipher  MTI2NjUzNzM3NS8wWDI  Correct
Simon Singh               ERROR                Told to remove numbers.
Central Edu               mtinjuznzmnswwdi     Numbers stripped, converted all to lowercase
Oregon State              mti*exvjnna*ns*kxni  Numbers stripped, key got out of sync and rest totally wrong

So out of a totally unscientific survey of 6 online applets (taken from the first couple pages of Google hits for “vigenere cipher applet”), I have correct answers from only two. As I write this, I believe about half of the tickets have been spoken for — so fewer than 30 people have solved the puzzle. (well, perhaps more than that, if there are more people like me who solved it but haven’t bought tickets). I don’t know if that’s a good number or not, but somehow I expected more people would get it faster.

I guess since a fair number of people *have* solved it, that proves that the puzzle isn’t too terrible. But I still wonder how many people used the “wrong” online tool and gave up in frustration, or worse, followed a purist’s path like I did and got really annoyed when the “obviously right” approach didn’t work.

The Vigenère ciphertext masquerading as base-64 data was a neat trick. Without a little hint up front, it might be a bit…evil…but I have to admit I like the idea of it. Just not sure whether it’s entirely “fair.” I suppose I’d feel better about it if the decryption were easier than it was….

And the last bit, with the flat number pasted into the browser — very slick as well. Not many people know that’ll work, but I’m betting those who did know and made the leap were quite happy with themselves for knowing that particular bit of IPv4 arcana.

So, all in all, what’s my verdict? I like the puzzle. I’m not thrilled with the Vigenère portion of it, as I’ve said, but the rest was great. Now I’m just wondering what Sak3bomb will come up with for THOTCON itself, and whether I’ll get a chance to play along at home (or if I’m gonna have to convince my boss to send me to the con).

As always, thanks for the puzzle, everybody!
