SpiderLabs Crypto Contest - Winner!

We have a winner! @TimoHirvonen

Congratulations Timo! His gift will be a Trustwave Spiderlabs goodie package which includes a Trustwave cinch pack, the latest Spiderlabs tshirt, several stickers, a Throwing Star LAN Tap, and an exclusive Spiderlabs challenge coin.

There were many that came very close, and a few who quit JUST before they would have gotten the answer. I cringed every time I saw it happen. Timo was gracious enough to write up how he solved the cipher, it's pasted verbatim below:

On Monday I noticed the blog post with SpiderLabs Crypto Contest hints. I googled Triforce and found this image: http://en.wikipedia.org/wiki/File:Triforce.svg. I calculated the length of the ciphertext, and it turned out to be divisible by three (273=3*91). Moreover, 91 equals to 1 + 2 + … + 13 so it is possible to format the ciphertext into three triangles that have one character on the first row, two on the second, etc.

I split the ciphertext into three chunks and formatted each chunk into a triangle. The hints told to look for uniqueness after the transposition, and one of the tweets (https://twitter.com/atucom/status/289974039794040834) said "look for the side that is unlike the others". None of the sides were unique so I clearly did something wrong. However, I did realize that the length of the long side (2*13) conveniently equals the size of the English alphabet.

Then I noticed this tweet (https://twitter.com/atucom/status/290289441153626113): "left to right, top to bottom". I kept the top triangle but changed the bottom two: I put the 92nd letter to top of the bottom left triangle, 93rd to the top of the bottom right triangle, then 94th & 95th to left, 96th & 97th to right, and so forth. This transposition had the uniqueness I was looking for: the left side of the large triangle was a permutation of the English alphabet (RICLDKGUQAWZXBEFPYHJMONSTV).

It was easy to guess that the permutation of the alphabet is most likely the key for the substitution cipher. So I replaced R with A, I with B, etc. The resulting plaintext was clearly English, I just replaced all occurrences of letter X with spaces to make it more readable.

Over the span of the contest I released several hints. They are below:

  • Blog Hint #1 It is both a transposition and substitution cipher at the same time.
  • Blog Hint #2 The name of the cipher is the only hint you should need.
  • Blog Hint #3 It's simple, I swear.
  • Blog Hint #4 It's called the Triforce Cipher, not Sierpinski's Triangle Cipher.
  • Blog Hint #5 I introduced transposition and substitution in the blog because that's what the cipher uses. More accurately, Transposition THEN substitution.
  • Blog Hint #6 Once you solve the transposition, look for uniqueness.
  • Blog not-so-hint #1 I said the cipher was simple, I didn't say it was easy ;)
  • Blog Hint #7 There are no spaces in the answer, just letters.
  • Blog Hint #8 Keep an eye on @atucom on twitter, I may release a couple more hints in the near future.
  • Twitter Hint #1 Once you transpose it correctly, look for the side that is unlike the others.
  • Twitter Hint #2 the transposition is inspired by normal English. Left to right, top to bottom.

Using these hints, most people can derive the following:

  1. You have to perform a transposition operation first, and then substitution
  2. The transposition cipher is somehow a Triforce
  3. The plaintext only contains letters, no spaces or numbers or fancy stuff.
  4. A certain "side" of the Triforce is special for some reason
  5. You arrange the transposition the same as English

This was the ciphertext I gave in the first blog post:

RISCCELBGYDRJHSKEBSHEGZOQBGSUJUDSKQYQHJSJYQKEAYCDSC

QFUDWYSDODYSCYDZRJDLSHDBLSRXJMCEXSJUDSCEBLEDNEFYLS

ZEPZNMJCYTYFJESEBSJNHQJJDYSRBLSTJEMZZSNQBSJUDSMFYQV

DHSSSSJUDSYODHJSQHSGRYIRGDSZWNARICQTIURZCHUAIZRHOS

MRAIZOQRIACZRWHABLZASTVSCVSZCQMVSICZVSCIAZVSQVMICVS

ZCVMSICAZVSMCIZRSRZZ

Using the ciphertext, you write it out into the shape of a Triforce:

So now that we have transposed it properly, one of the sides is special somehow. Well, if you look at the sides of the Triforce, there is one side that is different than the rest. Can you see it?

How is it different than all of the other sides? It's the only side with one instance of every letter. No duplicates at all on that side. Why does that matter? Well, if you count how many letters there are, you would count 26 letters. Guess what else has 26 letters? The English Alphabet.

If you paid attention to the explanation of substitution ciphers, you would see that they typically have a 1:1 ratio of letters. Knowing this, you can see how this unique 26 letter string has a high probability of being a key. So then let's lay it out:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

RICLDKGUQAWZXBEFPYHJMONSTV

If you take that key, you can start translating everything else that's not the key (the data), which results in:

XCONGRATSXONXSOLVINGXTHEXFIRSTXTRIFORCEXCIPHERXEVERXCREATED

XSENDXATUCOMXTHEXCODEWORDXLOLWUTCRYPTOXONXTWITTERXANDX

YOULLXWINXTHEXPRIZESXXXXTHEXRESTXISXGARBAGEXLKJABCIYBHALCSH

JBLASVUAJBLVIABJCLAKSJNDLJXZXCZXLCIUZXBCLZXCBJLZXIUBCZXLCZUXBC

JLZXUCBLAXAL

Let's make this easier to read:

XCONGRATSXONXSOLVINGXTHEXFIRSTXTRIFORCEXCIPHERXEVERXCREATED

XSENDXATUCOMXTHEXCODEWORDXLOLWUTCRYPTOXONXTWITTERXANDX

YOULLXWINXTHEXPRIZESXXXXTHEXRESTXISXGARBAGEXLKJABCIYBHALC

SHJBLASVUAJBLVIABJCLAKSJNDLJXZXCZXLCIUZXBCLZXCBJLZXIUBCZXLCZUXBC

JLZXUCBLAXAL

There you have it. To win, you needed to send me the phrase "LOLWUTCRYPTO" on twitter.

Now let's go into my favorite part, the cryptanalysis…

The Triforce Cipher Cryptanalysis

This isn't the worst cipher in the world, but it really isn't that great. There are several limitations that we shall go into.

Data Limit:

Because the cipher must conform to the shape of a Triforce, the amount of data it can contain is restricted. The Triforce is an equilateral triangle, which means all sides must be the same length, and if one of the sides is the key, then the total data size is limited by how long your key is. The relationship between key length and how much data you can store can be calculated using the following equation:

Where S is the data size and n is the key length.

Or this excel formula to make it easier:

B1=3*(((A1/2)*((A1/2)+1))/2)-A1

This means that if you have a 26 letter key, you can contain 247 characters of data, which comes out to a total ciphertext length of 273 characters.

Key Length    Data Length    Total Length
4             5              9
6             12             18
8             22             30
10            35             45
12            51             63
14            70             84
16            92             108
18            117            135
20            145            165
22            176            198
24            210            234
26            247            273
28            287            315
30            330            360

So if you decided to write the ciphertext using the hexadecimal character set instead of the English alphabet, you could store 92 characters of data.

Using the table above, you can easily figure out how long the key is based on the total length (you can also just count how many different characters there are, but this is easier).

The Wall Of Secrecy Is Very Short

Another issue with this cipher is the fact that the key to decrypt the ciphertext is easily compromised once it's understood that this is a Triforce Cipher. This essentially places it on the same level of strength as a Caesar cipher. If you know what encryption algorithm you are dealing with, it's game over.
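The weakness described above, run against the contest ciphertext as an added example (not code from the original post): knowing only the Triforce layout, the key is read straight off the left edge and the data decrypts with no guessing. The function names are my own, and `capacity()` mirrors the Excel formula from the Data Limit section.

```python
import string

# Ciphertext exactly as printed in the post (273 letters once joined).
CIPHERTEXT = (
    "RISCCELBGYDRJHSKEBSHEGZOQBGSUJUDSKQYQHJSJYQKEAYCDSC"
    "QFUDWYSDODYSCYDZRJDLSHDBLSRXJMCEXSJUDSCEBLEDNEFYLS"
    "ZEPZNMJCYTYFJESEBSJNHQJJDYSRBLSTJEMZZSNQBSJUDSMFYQV"
    "DHSSSSJUDSYODHJSQHSGRYIRGDSZWNARICQTIURZCHUAIZRHOS"
    "MRAIZOQRIACZRWHABLZASTVSCVSZCQMVSICZVSCIAZVSQVMICVS"
    "ZCVMSICAZVSMCIZRSRZZ"
)

def half_side(total_len):
    """Rows h per small triangle, so that 3 * (1 + 2 + ... + h) == total_len."""
    h = 1
    while 3 * h * (h + 1) // 2 < total_len:
        h += 1
    if 3 * h * (h + 1) // 2 != total_len:
        raise ValueError("length does not fill three equal triangles")
    return h

def key_positions(h):
    """Ciphertext indices that land on the left edge of the large triangle."""
    top_size = h * (h + 1) // 2
    # Top triangle: row r (1-based) starts at index r(r-1)/2.
    top = [r * (r - 1) // 2 for r in range(1, h + 1)]
    # Each bottom row holds r letters for the left triangle, then r for the
    # right one, so bottom row r starts at top_size + r(r-1).
    bottom = [top_size + r * (r - 1) for r in range(1, h + 1)]
    return top + bottom

def capacity(key_len):
    """Data letters that fit beside a key of key_len letters."""
    h = key_len // 2
    return 3 * (h * (h + 1) // 2) - key_len

def solve(ciphertext, alphabet=string.ascii_uppercase):
    """Recover (key, plaintext) from the ciphertext alone."""
    positions = key_positions(half_side(len(ciphertext)))
    key = "".join(ciphertext[i] for i in positions)
    if sorted(key) != sorted(alphabet):
        raise ValueError("left edge is not a permutation of the alphabet")
    skip = set(positions)
    data = "".join(c for i, c in enumerate(ciphertext) if i not in skip)
    # Key letter at position k stands for the k-th alphabet letter.
    return key, data.translate(str.maketrans(key, alphabet))

if __name__ == "__main__":
    key, plaintext = solve(CIPHERTEXT)
    print(key)
    print(plaintext.replace("X", " "))
```

The uniqueness check in `solve()` is the same "side that is unlike the others" test from the hints, applied mechanically.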

Further Challenges:

The next Spiderlabs Crypto Contest will be a modified book code I'm working on.
