Last year we published some crypto challenges to give you a momentary break from the festivities. This year, we’re doing the same. Whether you’re bored or just want to learn a bit more about the technologies that encrypt the internet, feel free to give these short cryptography quizzes a go.
We’re withholding answers until the start of the new year, to give you a chance to solve them without spoilers. Before we reveal the answers, we’ll be giving some Cloudflare swag to the first 5 people who get them right. Fill out your answers and details using this form so we know where to send it.
NOTE: Hints are below the questions; avoid scrolling too far if you want to avoid spoilers.
Client says Hello
Client says hello, as follows:
Time-Based One-Time Password
A user has an authenticator device that generates one-time passwords for logins to their banking website. The implementation contains a fatal flaw.
At the following times, the following codes are generated (all in GMT/UTC):
- Friday, 21 December 2018 16:29:28 – 084342
- Saturday, 22 December 2018 13:11:53 – 411907
- Tuesday, 25 December 2018 12:15:03 – 617041
What code will be generated at precisely midnight of the 1st of January 2019?
At Cloudflare, we just set up RPKI: we signed a few hundred prefixes in order to reduce route leaks. But some of the prefixes hide a secret message. Find the ROAs that look different and decode the word!
Client says Hello
This challenge has 3 hints, as follows:
- Challenge is based on a network capture
- What’s weird about the Frame?
The Time-Based One-Time Password (TOTP) algorithm is described in RFC 6238, which is based on RFC 4226 (which provides the HOTP algorithm). The TOTP algorithm requires two important input parameters, the time and a shared secret – could one be missing?
The implementation used to generate the TOTP codes for the challenge uses SHA-1 as a digest algorithm.
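The following added example is not from the original post and is not the challenge's implementation. It shows how RFC 6238 combines the two inputs named in the hint using HMAC-SHA-1. Assumptions: the RFC default 30-second step with T0 = 0, the RFC 4226 minimum secret length of 128 bits enforced as a check, and the published RFC 6238 test key as sample input.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# RFC 4226 requires the shared secret to be at least 128 bits long.
MIN_SECRET_BYTES = 16

# Sample input: the SHA-1 test key published in RFC 6238, Appendix B.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over an 8-byte big-endian counter."""
    if len(secret) < MIN_SECRET_BYTES:
        # Without a real secret the code depends on the counter alone,
        # so anyone who knows the time can compute it.
        raise ValueError("shared secret missing or shorter than 128 bits")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, when: datetime, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step), T0 = 0."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime (the codes are UTC-based)")
    counter = int(when.timestamp()) // step
    return hotp(secret, counter, digits)


if __name__ == "__main__":
    # RFC 6238 test vector: Unix time 59 gives 94287082 with 8 digits.
    t = datetime.fromtimestamp(59, tz=timezone.utc)
    print(totp(RFC6238_TEST_SECRET, t, digits=8))
    # The 6-digit code for the same instant is the last six digits.
    print(totp(RFC6238_TEST_SECRET, t))
```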
This challenge has 4 hints, as follows:
- Hint #0: Four or six? Probably six.
- Hint #1: If only there was a way of listing only our IPs!
- Hint #2: What is the only part of the ROA where we can hide information?
- Hint #3: Subtract the reserve, the char will show itself
Interested in helping build a better internet and drive security online? Cloudflare is hiring.