Question

Encryption vs. Encoding/Obfuscation
Give a detailed paper discussing the differences between encryption and encoding. Expand upon the use of these in the execution of malware. Discuss the different forms of encryption, their history, and implementations.

Answer 1

First of all we understand the difference between Encoding and Encryption :-

ENCODING:-

The purpose of encoding is to transform data so that it can be properly (and safely) consumed by a different type of system, e.g. binary data being sent over email, or viewing special characters on a web page. The goal is not to keep information secret, but rather to ensure that it’s able to be properly consumed.

Encoding transforms data into another format using a scheme that is publicly available so that it can easily be reversed. It does not require a key as the only thing required to decode it is the algorithm that was used to encode it.

Encoding is not used to protect or secure data because it is easy to reverse.

Examples: ascii, unicode, URL Encoding, base64

ENCRYPTION:-

The purpose of encryption is to transform data in order to keep it secret from others, e.g. sending someone a secret letter that only they should be able to read, or securely sending a password over the Internet. Rather than focusing on usability, the goal is to ensure the data cannot be consumed by anyone other than the intended recipient(s).

Encryption transforms data into another format in such a way that only specific individual(s) can reverse the transformation. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. As such, the ciphertext, algorithm, and key are all required to return to the plaintext.

Encryption is used when data needs to be protected so those without the decryption keys cannot access the original data. When data is sent to a website over HTTPS it is encrypted using the public key type.

Examples: aes, blowfish, rsa

Now we understand how Encoding and Encryption executed the malware :-

Use of encryption in the execution of malware :-

Most people don’t want malware on their computers – obviously. As a result, individuals and organizations deploy antivirus, firewalls, and other cyber defense solutions in order to minimize the probability that they’ll be infected. While these solutions aren’t always effective, they work fairly effectively against many known threats.

This creates a high bar for malware authors, who not only need to get their malware into a target network but also need to be able to execute it on the target systems once it’s there. Malware is delivered in a variety of different ways, everything from phishing emails to infected USB drives to network worms that spread themselves by exploiting vulnerabilities in network-facing services.

Encryption plays a key role in the success of many malware variants trying to perform this initial step of delivery and execution. Most antiviruses work based off of signature matching, which attempts to identify certain bits of code or text in the malware sample. By encrypting the majority of the sample and leaving just enough code unencrypted to decrypt and run the code, malware authors can make their software that much harder to detect.

This behavior is extremely important when malware is attempting to evade the protections provided by Intrusion Detection Systems and similar cybersecurity solutions. The alerts provided by these systems and computer system logs are regularly monitored and reviewed by security teams as part of their detection strategy. By encrypting the malware as it moves to the machine (and its later communications), malware operators decrease the probability that useful data will be captured in these alerts or log files.

Use of encoding in the execution of malware :-

The most common technique attackers use to bypass these filters is encodings. The most common encoding format is the ASCII characters encoding, using 7-bit representation for each character. Different encodings, however, are supported by different environments, and are often required when embedding free text in parsed protocols. The two major types of encoding used by attackers to bypass security filters are URL encoding and Unicode/UTF8 encoding .

URL encoding is a technique for mapping 8-bit data to the subset of the US-ASCII character set allowed in a URL. Without proper validation, URL-encoded input can be used to disguise malicious code for use in a variety of attacks. URL encoding can be used by the attacker to pass parameters to the application, bypassing URL filtering in the Web server or intrusion detection systems. It can also fool the application, bypassing filtering mechanisms. URL encoding of a character is performed by taking the 8-bit hexadecimal value of a character and prefixing it with a ”%”. For example, the US-ASCII character set represents a space with decimal code 32, or hexadecimal 20. Thus its URL-encoded representation is %20. When the attacker sends an encoded URL, the Web server passes the request to the application (bypassing all the security filters) and the disguised malicious code is executed. This method can be used by attackers in a number of attacks such as Parameter Tampering , Directory Traversal , Source Code Disclosure and Cross-site Scripting .

Another encoding method that can be used to implement malicious encoding is the Unicode/UTF-8. Unicode is a method of referencing and storing characters with multiple bytes by providing a unique reference number for every character, regardless of the language or platform. It is designed to allow a Universal Character Set (UCS) to encompass most of the world’s writing systems. Unfortunately, the extended referencing system is not completely compatible with many old (albeit common) protocols and applications, and this has led to the development of a few UCS transformation formats (UTF) with varying characteristics. One of the most commonly formats, UTF-8, has the characteristic of preserving the full US-ASCII range. UTF-8 has multiple character mappings of UCS, so the same character can have several representations. For example, The UTF-8 sequence for the ”.” (dot) character represented as 2E, C0 AE, E0 80 AE, F0 80 80 AE, F8 80 80 80 AE, or FC 80 80 80 80 AE.

Encryption algorithms:-

• AES is a symmetric block cipher chosen by the U.S. government to protect classified information; it is implemented in software and hardware throughout the world to encrypt sensitive data. NIST started development of AES in 1997 when it announced the need for a successor algorithm for the Data Encryption Standard (DES), which was starting to become vulnerable to brute-force attacks.
• DES is an outdated symmetric key method of data encryption. DES works by using the same key to encrypt and decrypt a message, so both the sender and the receiver must know and use the same private key. DES has been superseded by the more secure AES algorithm.
• RSA was first publicly described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman of the Massachusetts Institute of Technology (MIT), though the 1973 creation of a public key algorithm by British mathematician Clifford Cocks was kept classified by the U.K.'s Government Communications Headquarters (GCHQ) until 1997. Many protocols, like Secure Shell (SSH), OpenPGP, Secure/Multipurpose Internet Mail Extensions (S/MIME) and Secure Sockets Layer (SSL)/TLS, rely on RSA for encryption and digital signature functions.

History of encryption:-

The word encryption comes from the Greek word kryptos, meaning hidden or secret. The use of encryption is nearly as old as the art of communication itself. As early as 1900 B.C., an Egyptian scribe used nonstandard hieroglyphs to hide the meaning of an inscription. In a time when most people couldn't read, simply writing a message was often enough, but encryption schemes soon developed to convert messages into unreadable groups of figures to protect the message's secrecy while it was carried from one place to another. The contents of a message were reordered (transposition) or replaced (substitution) with other characters, symbols, numbers or pictures in order to conceal its meaning.

In 700 B.C., the Spartans wrote sensitive messages on strips of leather wrapped around sticks. When the tape was unwound, the characters became meaningless, but with a stick of exactly the same diameter, the recipient could recreate (decipher) the message. Later, the Romans used what's known as the Caesar Shift Cipher, a monoalphabetic cipher in which each letter is shifted by an agreed number. So, for example, if the agreed number is three, then the message, "Be at the gates at six" would become "eh dw wkh jdwhv dw vla." At first glance, this may look difficult to decipher, but juxtaposing the start of the alphabet until the letters make sense doesn't take long. Also, the vowels and other commonly used letters, like t and s, can be quickly deduced using frequency analysis, and that information, in turn, can be used to decipher the rest of the message.

The Middle Ages saw the emergence of polyalphabetic substitution, which uses multiple substitution alphabets to limit the use of frequency analysis to crack a cipher. This method of encrypting messages remained popular despite many implementations that failed to adequately conceal when the substitution changed -- also known as key progression. Possibly the most famous implementation of a polyalphabetic substitution cipher is the Enigma electromechanical rotor cipher machine used by the Germans during World War II.

It was not until the mid-1970s that encryption took a major leap forward. Until this point, all encryption schemes used the same secret for encrypting and decrypting a message: a symmetric key.

Encryption was almost exclusively used only by governments and large enterprises until the late 1970s when the Diffie-Hellman key exchange and RSA algorithms were first published and the first PCs were introduced.

In 1976, Whitfield Diffie and Martin Hellman's paper, "New Directions in Cryptography," solved one of the fundamental problems of cryptography: how to securely distribute the encryption key to those who need it. This breakthrough was followed shortly afterward by RSA, an implementation of public key cryptography using asymmetric algorithms, which ushered in a new era of encryption. By the mid-1990s, both public key and private key encryption were being routinely deployed in web browsers and servers to protect sensitive data.

Implementation of DES encryption:-

# Hexadecimal to binary conversion
def hex2bin(s):
   mp = {'0' : "0000",
       '1' : "0001",
       '2' : "0010",
       '3' : "0011",
       '4' : "0100",
       '5' : "0101",
       '6' : "0110",
       '7' : "0111",
       '8' : "1000",
       '9' : "1001",
       'A' : "1010",
       'B' : "1011",
       'C' : "1100",
       'D' : "1101",
       'E' : "1110",
       'F' : "1111" }
   bin = ""
   for i in range(len(s)):
       bin = bin + mp[s[i]]
   return bin
  
# Binary to hexadecimal conversion
def bin2hex(s):
   mp = {"0000" : '0',
       "0001" : '1',
       "0010" : '2',
       "0011" : '3',
       "0100" : '4',
       "0101" : '5',
       "0110" : '6',
       "0111" : '7',
       "1000" : '8',
       "1001" : '9',
       "1010" : 'A',
       "1011" : 'B',
       "1100" : 'C',
       "1101" : 'D',
       "1110" : 'E',
       "1111" : 'F' }
   hex = ""
   for i in range(0,len(s),4):
       ch = ""
       ch = ch + s[i]
       ch = ch + s[i + 1]
       ch = ch + s[i + 2]
       ch = ch + s[i + 3]
       hex = hex + mp[ch]
      
   return hex

# Binary to decimal conversion
def bin2dec(binary):
      
   binary1 = binary
   decimal, i, n = 0, 0, 0
   while(binary != 0):
       dec = binary % 10
       decimal = decimal + dec * pow(2, i)
       binary = binary//10
       i += 1
   return decimal

# Decimal to binary conversion
def dec2bin(num):
   res = bin(num).replace("0b", "")
   if(len(res)%4 != 0):
       div = len(res) / 4
       div = int(div)
       counter =(4 * (div + 1)) - len(res)
       for i in range(0, counter):
           res = '0' + res
   return res

# Permute function to rearrange the bits
def permute(k, arr, n):
   permutation = ""
   for i in range(0, n):
       permutation = permutation + k[arr[i] - 1]
   return permutation

# shifting the bits towards left by nth shifts
def shift_left(k, nth_shifts):
   s = ""
   for i in range(nth_shifts):
       for j in range(1,len(k)):
           s = s + k[j]
       s = s + k[0]
       k = s
       s = ""
   return k     

# calculating xow of two strings of binary number a and b
def xor(a, b):
   ans = ""
   for i in range(len(a)):
       if a[i] == b[i]:
           ans = ans + "0"
       else:
           ans = ans + "1"
   return ans

# Table of Position of 64 bits at initail level: Initial Permutation Table
initial_perm = [58, 50, 42, 34, 26, 18, 10, 2,
               60, 52, 44, 36, 28, 20, 12, 4,
               62, 54, 46, 38, 30, 22, 14, 6,
               64, 56, 48, 40, 32, 24, 16, 8,
               57, 49, 41, 33, 25, 17, 9, 1,
               59, 51, 43, 35, 27, 19, 11, 3,
               61, 53, 45, 37, 29, 21, 13, 5,
               63, 55, 47, 39, 31, 23, 15, 7]

# Expansion D-box Table
exp_d = [32, 1 , 2 , 3 , 4 , 5 , 4 , 5,
       6 , 7 , 8 , 9 , 8 , 9 , 10, 11,
       12, 13, 12, 13, 14, 15, 16, 17,
       16, 17, 18, 19, 20, 21, 20, 21,
       22, 23, 24, 25, 24, 25, 26, 27,
       28, 29, 28, 29, 30, 31, 32, 1 ]

# Straight Permutaion Table
per = [ 16, 7, 20, 21,
       29, 12, 28, 17,
       1, 15, 23, 26,
       5, 18, 31, 10,
       2, 8, 24, 14,
       32, 27, 3, 9,
       19, 13, 30, 6,
       22, 11, 4, 25 ]

# S-box Table
sbox = [[[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
       [ 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
       [ 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
       [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 ]],
          
       [[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
           [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
           [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
       [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 ]],
  
       [ [10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
       [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
       [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
           [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 ]],
      
       [ [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
       [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
       [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
           [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14] ],
      
       [ [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
       [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
           [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
       [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 ]],
      
       [ [12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
       [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
           [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
           [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13] ],
      
       [ [4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
       [13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
           [1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
           [6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12] ],
      
       [ [13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
           [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
           [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
           [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11] ] ]
  
# Final Permutaion Table
final_perm = [ 40, 8, 48, 16, 56, 24, 64, 32,
           39, 7, 47, 15, 55, 23, 63, 31,
           38, 6, 46, 14, 54, 22, 62, 30,
           37, 5, 45, 13, 53, 21, 61, 29,
           36, 4, 44, 12, 52, 20, 60, 28,
           35, 3, 43, 11, 51, 19, 59, 27,
           34, 2, 42, 10, 50, 18, 58, 26,
           33, 1, 41, 9, 49, 17, 57, 25 ]

def encrypt(pt, rkb, rk):
   pt = hex2bin(pt)
  
   # Initial Permutation
   pt = permute(pt, initial_perm, 64)
   print("After inital permutation", bin2hex(pt))
  
   # Splitting
   left = pt[0:32]
   right = pt[32:64]
   for i in range(0, 16):
       # Expansion D-box: Expanding the 32 bits data into 48 bits
       right_expanded = permute(right, exp_d, 48)
      
       # XOR RoundKey[i] and right_expanded
       xor_x = xor(right_expanded, rkb[i])

       # S-boxex: substituting the value from s-box table by calculating row and column
       sbox_str = ""
       for j in range(0, 8):
           row = bin2dec(int(xor_x[j * 6] + xor_x[j * 6 + 5]))
           col = bin2dec(int(xor_x[j * 6 + 1] + xor_x[j * 6 + 2] + xor_x[j * 6 + 3] + xor_x[j * 6 + 4]))
           val = sbox[j][row][col]
           sbox_str = sbox_str + dec2bin(val)
          
       # Straight D-box: After substituting rearranging the bits
       sbox_str = permute(sbox_str, per, 32)
      
       # XOR left and sbox_str
       result = xor(left, sbox_str)
       left = result
      
       # Swapper
       if(i != 15):
           left, right = right, left
       print("Round ", i + 1, " ", bin2hex(left), " ", bin2hex(right), " ", rk[i])
  
   # Combination
   combine = left + right
  
   # Final permutaion: final rearranging of bits to get cipher text
   cipher_text = permute(combine, final_perm, 64)
   return cipher_text

pt = "123456ABCD132536"
key = "AABB09182736CCDD"

# Key generation
# --hex to binary
key = hex2bin(key)

# --parity bit drop table
keyp = [57, 49, 41, 33, 25, 17, 9,
       1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,
       19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,
       7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,
       21, 13, 5, 28, 20, 12, 4 ]

# getting 56 bit key from 64 bit using the parity bits
key = permute(key, keyp, 56)

# Number of bit shifts
shift_table = [1, 1, 2, 2,
               2, 2, 2, 2,
               1, 2, 2, 2,
               2, 2, 2, 1 ]

# Key- Compression Table : Compression of key from 56 bits to 48 bits
key_comp = [14, 17, 11, 24, 1, 5,
           3, 28, 15, 6, 21, 10,
           23, 19, 12, 4, 26, 8,
           16, 7, 27, 20, 13, 2,
           41, 52, 31, 37, 47, 55,
           30, 40, 51, 45, 33, 48,
           44, 49, 39, 56, 34, 53,
           46, 42, 50, 36, 29, 32 ]

# Splitting
left = key[0:28] # rkb for RoundKeys in binary
right = key[28:56] # rk for RoundKeys in hexadecimal

rkb = []
rk = []
for i in range(0, 16):
   # Shifting the bits by nth shifts by checking from shift table
   left = shift_left(left, shift_table[i])
   right = shift_left(right, shift_table[i])
  
   # Combination of left and right string
   combine_str = left + right
  
   # Compression of key from 56 to 48 bits
   round_key = permute(combine_str, key_comp, 48)

   rkb.append(round_key)
   rk.append(bin2hex(round_key))

print("Encryption")
cipher_text = bin2hex(encrypt(pt, rkb, rk))
print("Cipher Text : ",cipher_text)

print("Decryption")
rkb_rev = rkb[::-1]
rk_rev = rk[::-1]
text = bin2hex(encrypt(cipher_text, rkb_rev, rk_rev))
print("Plain Text : ",text)

Implementation of RSA encryption:-

from decimal import Decimal

def gcd(a,b):
   if b==0:
       return a
   else:
       return gcd(b,a%b)
p = int(input('Enter the value of p = '))
q = int(input('Enter the value of q = '))
no = int(input('Enter the value of text = '))
n = p*q
t = (p-1)*(q-1)

for e in range(2,t):
   if gcd(e,t)== 1:
       break

for i in range(1,10):
   x = 1 + i*t
   if x % e == 0:
       d = int(x/e)
       break
ctt = Decimal(0)
ctt =pow(no,e)
ct = ctt % n

dtt = Decimal(0)
dtt = pow(ct,d)
dt = dtt % n

print('n = '+str(n)+' e = '+str(e)+' t = '+str(t)+' d = '+str(d)+' cipher text = '+str(ct)+' decrypted text = '+str(dt))

Implementation of AES encryption:-

func encrypt(state, expkey []uint32, rounds int) {

keyi := 0

addRoundKey(state, expkey[keyi:keyi+4])

keyi += 4

for i := 0; i < rounds; i++ {

subBytes(state)

shiftRows(state)

mixColumns(state)

addRoundKey(state, expkey[keyi:keyi+4])

keyi += 4

}

subBytes(state)

shiftRows(state)

addRoundKey(state, expkey[keyi:keyi+4])

}

input[i] = sbox[input[i]] // i = 0, 1, ..., 15

input := []uint32{0x8e9ff1c6, 0x4ddce1c7, 0xa158d1c8, 0xbc9dc1c9}

expected := []uint32{0x19dba1b4, 0xe386f8c6, 0x326a3ee8, 0x655e78dd}

func shiftRows(state []uint32) {

for i := 1; i < 4; i++ {

// rotate word left by specified number of bytes

state[i] = rotWordLeft(state[i], i)

}

}

input := []uint32{

0x8e9f01c6, 0x4ddc01c6,

0xa15801c6,

0xbc9d01c6}

expected := []uint32{

0x8e9f01c6,

0xdc01c64d,

0x01c6a158,

0xc6bc9d01}

// a0-3 represent the bytes of a column from top to bottom

// r0-3 are the transformed bytes

func calcMixCols(a0, a1, a2, a3 byte) (r0, r1, r2, r3 byte) {

// r0 = 2*a0 + 3*a1 + a2 + a3

// r1 = a0 + 2*a1 + 3*a2 + a3

// r2 = a0 + a1 + 2*a2 + 3*a3

// r3 = 3*a0 + a1 + a2 + 2*a3

r0 = gMulBy2[a0] ^ gMulBy3[a1] ^ a2 ^ a3

r1 = a0 ^ gMulBy2[a1] ^ gMulBy3[a2] ^ a3

r2 = a0 ^ a1 ^ gMulBy2[a2] ^ gMulBy3[a3]

r3 = gMulBy3[a0] ^ a1 ^ a2 ^ gMulBy2[a3]

return

}

func calcInvMixCols(a0, a1, a2, a3 byte) (r0, r1, r2, r3 byte) {

// r0 = 14*a0 + 11*a1 + 13*a2 + 9*a3

// r1 = 9*a0 + 14*a1 + 11*a2 + 13*a3

// r2 = 13*a0 + 9*a1 + 14*a2 + 11*a3

// r3 = 11*a0 + 13*a1 + 9*a2 + 14*a3

r0 = gMulBy14[a0]^gMulBy11[a1]^gMulBy13[a2]^gMulBy9[a3]

r1 = gMulBy9[a0] ^gMulBy14[a1]^gMulBy11[a2]^gMulBy13[a3]

r2 = gMulBy13[a0]^gMulBy9[a1] ^gMulBy14[a2]^gMulBy11[a3]

r3 = gMulBy11[a0]^gMulBy13[a1]^gMulBy9[a2] ^gMulBy14[a3]

return

}

input := []uint32{

0xdbf201c6, 0x130a01c6,

0x532201c6,

0x455c01c6}

expected := []uint32{

0x8e9f01c6,

0x4ddc01c6,

0xa15801c6,

0xbc9d01c6}

func addRoundKey(state, key []uint32) {

for i := 0; i < 4; i++ {

state[i] = state[i] ^ key[i]

}

}