CyberQuest Day 3 of 5

Day 3: Cryptography - Codes and Ciphers

CyberQuest Summer Camp - day deck

This is your hands-on companion to the main course deck. The main deck (Interactive_Slides.html) sends you to specific Parts here and to Modules in the notebook, then back. You can also run this deck on its own, top to bottom, with the Next arrow.

Morning Kickoff: Motivation & News (09:00 AM - 09:15 AM)

  • Case Profile: The 2023 MGM Resorts Vishing Attack. Threat actors called a corporate helpdesk, used social engineering to trick an operator into resetting authentication codes, and took down hotel systems for days. This shows why human psychological manipulation can bypass technical access controls.

Teaching Session I: Core Lecture (09:15 AM - 11:15 AM)

Cryptographic Data Transformations

  • Encoding: Converting data into a public, standardized format for reliable transport across different systems. It uses no secret keys and provides no security (e.g., Base64 formatting conversion).
  • Encryption: Transforming clear readable plain text into unreadable ciphertext using a mathematical algorithm and a secret key. It is fully reversible if you possess the proper matching decryption key.
  • Hashing: Running data through a one-way mathematical function to produce a unique, fixed-size string called a message digest. Hashing is completely irreversible; you cannot reconstruct the original data from the hash value. It is used to verify data integrity.
  • Digital Signatures: Cryptographic tokens produced by hashing a message and using the sender's private key to sign that hash. They provide verification of authenticity, message integrity, and non-repudiation (proving the sender cannot deny sending the message).

Social Engineering Vectors

Social engineering is the practice of manipulating people into performing actions or divulging confidential information.

  • Phishing: Broad, non-targeted deceptive emails sent to mass audiences to steal access credentials.
  • Spear Phishing: Highly customized, targeted phishing attacks tailored to a specific individual or organization using personal background details.
  • Vishing: Voice Phishing; using phone calls to impersonate authority figures and extract internal data details.
  • Smishing: SMS Phishing; sending malicious exploit download links or fraudulent alerts via text messages.
  • Pretexting: Creating a fabricated scenario or false identity to trick a target into disclosing sensitive information.
  • Baiting: Leaving malware-infected physical media (like USB drives) in public areas, waiting for targets to plug them into a corporate computer out of curiosity.
  • Tailgating / Piggybacking: Following an authorized employee through a secured physical entry door or turnstile without scanning a badge.
  • Quid Pro Quo: Offering a fake service or technical support assistance in exchange for user access passwords.

Identity Protection Controls

  • Password Security: Strength is determined by entropy metrics, which scale with length, character complexity, and avoiding dictionary terms.
  • Multi-Factor Authentication (MFA): Requiring multiple independent validation factors before granting access:
    1. Something you know (e.g., a password or personal identification number PIN).
    2. Something you have (e.g., a physical hardware token or authentication app code).
    3. Something you are (e.g., biometric factors like fingerprints or facial scans).

Teaching Session II: Labs & Interactive Tools (11:45 AM - 01:45 PM)

Practical Interactive Tools for Today

  1. dcode.fr: Analyze cipher patterns, calculate letter frequencies, and crack classic ciphers like Caesar and Vigenère.
  2. CyberChef: Chain operations together to handle advanced data transformations, such as converting text to hex, encoding to Base64, and calculating SHA-256 hashes.

Recap & Tomorrow's Horizon (04:15 PM - 04:30 PM)

  • Summary: Today we mapped cryptographic differences, unpacked social engineering vectors, and analyzed multi-factor authentication.
  • Tomorrow Preview: We will focus on application layers, investigating SQL Injection web exploits, blockchain ledgers, and AI safety controls.

Your plan for today

6 parts. Press Next to move in order.

  1. Part 1. Get oriented - 4 slides
  2. Part 2. Learn the basics - 25 slides
  3. Part 3. Code along - 1 slide
  4. Part 4. Play the free tools - 3 slides
  5. Part 5. Test yourself - 4 slides
  6. Part 6. Wrap up - 1 slide

You just saw the big-picture overview. The Parts below take you from the basics to hands-on practice. When a slide says to run a notebook module or play a game, do it, then continue.

PART 1 OF 6

Get oriented

Objectives, key terms, a picture, and the news.


Learning objectives

  • Tell the difference between encoding, encryption, and hashing.
  • Encrypt and crack a Caesar cipher.
  • Build a decoding pipeline in CyberChef.

Vocabulary (acronyms expanded and defined)

  • CTF = Capture The Flag: a cybersecurity game where you solve puzzles to find hidden text called flags.
  • ASCII = American Standard Code for Information Interchange: numbers that represent letters (A is 65).
  • Base64: a way to write data using 64 safe characters; it is encoding, not secrecy.
  • XOR = eXclusive OR: a bitwise operation; apply the same key twice to undo it.
  • AES = Advanced Encryption Standard: the strong encryption that protects real data today.
  • RSA = Rivest-Shamir-Adleman: a famous encryption method named after its three inventors.
  • Hash: a one-way fingerprint of data; you cannot turn it back into the original.

Picture it

  Encoding   : message  -> reformatted (anyone can reverse)     Base64
  Encryption : message + KEY -> scrambled (need key to reverse) AES
  Hashing    : message  -> fingerprint (cannot reverse)         SHA-256

In the news (real and verifiable)

During World War Two, the German military used the Enigma machine to encrypt messages. A team at Bletchley Park, including the mathematician Alan Turing, built machines to break it. Historians estimate this codebreaking helped shorten the war. Cryptography is still one of the most important fields in security today.

PART 2 OF 6

Learn the basics

Now go deeper: the core ideas step by step, with quick knowledge checks.


Three ideas, do not mix them

Encoding vs encryption vs hashing

  • Encoding: reformatting anyone can reverse (Base64).
  • Encryption: scrambling that needs a secret key (AES).
  • Hashing: a one-way fingerprint you cannot reverse (SHA-256).

Knowledge check

Base64 is...

The Caesar cipher

A 2000-year-old code

Shift every letter by a fixed amount. Shift 3 turns A into D.

HELLO  (shift 3)  ->  KHOOR

Only 25 useful shifts, so a computer cracks it instantly.

Knowledge check

Why is the Caesar cipher weak?

Hashing is one-way

Fingerprints for data

A hash turns any input into a fixed fingerprint. Change one letter and the whole fingerprint changes, and you cannot reverse it.

password   -> 5e88489...
Password   -> e7cf3ef...   (totally different)

Knowledge check

A hash is special because...

Why hide information?

The goals of cryptography

Cryptography protects three things: confidentiality (keep it secret), integrity (detect tampering), and authenticity (prove who sent it). The same math powers HTTPS, messaging apps, and payments.

Three ideas side by side

Never mix them up

Type               Needs a key?  Reversible?     Use for
Encoding (Base64)  No            Yes, by anyone  transport
Encryption (AES)   Yes           only with key   secrecy
Hashing (SHA-256)  No            No              integrity

Three different jobs, never mix them up

Type        What it does                      Examples
Encoding    reversible format change, no key  ASCII, Base64, Unicode
Encryption  scramble with a secret key        AES, RSA
Hashing     one-way fingerprint, no key       MD5, SHA-256, SHA-3

The Caesar shift

Illustration

Shift every letter by a fixed amount (here, 3)

  A -> D   B -> E   C -> F   D -> G
  E -> H   F -> I   G -> J   H -> K

HELLO becomes KHOOR

Only 25 shifts exist, so a computer breaks it instantly by trying them all.

Frequency analysis

Breaking a cipher without the key

In English, E is the most common letter, then T and A. Counting letters in a scrambled message hints at the shift or substitution. This 1000-year-old technique is built into tools like CyberChef.

The Vigenere cipher

A stronger classic cipher

Vigenere uses a keyword to vary the shift for each letter, which defeats simple frequency analysis. It held up for centuries but is still breakable with enough text. Try it on dcode.fr.

Base64

Encoding, not secrecy

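Base64 rewrites any data using 64 safe characters so it survives email and URLs. It is fully reversible by anyone, so it protects nothing. You can often spot it by trailing = padding, which appears only when the input length is not a multiple of 3 bytes (the example below has none).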

meet at noon  ->  bWVldCBhdCBub29u

XOR

The building block of stream ciphers

XOR combines data with a key one bit at a time. Its magic property: applying the same key twice returns the original. Real stream ciphers generate a long, unpredictable keystream to XOR with.

Knowledge check

A string ends with == and uses letters and digits. What is it likely?

The avalanche effect

Illustration

Change one character and the whole fingerprint changes

"password"  ->  5e884898da...e1b98   (64 hex)
"Password"  ->  e7cf3ef4f17...c0c3a  (64 hex)

One capital letter, a completely different hash. This detects tampering.

One changed letter flips the entire fingerprint. That sensitivity detects tampering.

Hashing in the real world

Where you meet hashes

Hashes verify downloads (compare the published hash), store passwords safely (salted), and underpin digital signatures and blockchains. If even one byte changes, the hash changes.

Symmetric vs public-key

Illustration

Symmetric uses one shared key; asymmetric uses a public and a private key

Symmetric (AES): plaintext -> encrypt -> cipher -> decrypt -> plaintext
  • Use: bulk data and PII at rest
  • Fast and efficient
  • Key sharing is hard

Asymmetric (RSA): plaintext -> public key -> cipher -> private key -> plaintext
  • Use: TLS handshake and signatures
  • Solves key sharing
  • Slower to run

Symmetric shares one key; public-key uses a pair, solving safe key sharing.

AES

The workhorse of encryption

The Advanced Encryption Standard is fast, trusted symmetric encryption used everywhere from HTTPS to disk encryption. With a strong key it is considered unbreakable by brute force today.

RSA

Public-key math

RSA builds a public and private key from two large primes. Encrypting is easy; reversing it requires factoring a huge number, which is practically impossible. You ran a tiny version in the notebook.

Three families of cryptography and common algorithms

  • Symmetric keys (same key to encrypt and decrypt): DES, TripleDES, AES, RC5
  • Public-key crypto (public/private keys and key exchange): RSA, Elliptic Curve, Diffie-Hellman (KE)
  • One-way hash (fingerprint, infeasible to reverse): MD5, SHA-1, SHA-256

Digital signatures

Ch 2 §2.11 — authentication and non-repudiation

Proving who sent it

Signing hashes a message and uses the sender's private key to produce a signature over that hash. Anyone with the sender's public key can verify the signature, confirming the message is authentic and unchanged.

HTTPS

Crypto you use every day

The padlock in your browser means HTTPS: your traffic is encrypted with TLS, which combines public-key crypto to exchange a key and symmetric crypto for speed. Eavesdroppers see only scrambled bytes.

Knowledge check

Which can you safely share with anyone?

A short history

From Caesar to today

Ciphers evolved from Caesar (ancient Rome) to Vigenere (Renaissance) to the Enigma machine (World War Two, broken at Bletchley Park) to modern AES and RSA. Each break pushed the field forward.

Modular arithmetic

Clock math behind ciphers

Ciphers wrap around like a clock. The % operator gives the remainder, so (25 + 3) % 26 wraps Z back to C. This wrap-around is what keeps shifted letters inside the alphabet.

Crypto in your pocket

Everyday encryption

Messaging apps, web logins, app stores, and payment cards all rely on the ciphers and hashes you studied today. You use cryptography dozens of times a day without noticing.

Frequency analysis: breaking Caesar

Ch 2 §2.2 — why classical ciphers fail

In English, the letter E appears ~12.7% of the time. Caesar just shifts the whole alphabet, so the frequency pattern is preserved — just shifted.

ciphertext = "KHOOR ZRUOG"   # Caesar shift 3
# count letter frequencies, find the most common letter
# most common in ciphertext is probably the shifted E
# if X is most common, key = (ord(X) - ord('E')) % 26

from collections import Counter
text = "KHOOR ZRUOG"
freq = Counter(c for c in text if c.isalpha())
most_common, _ = freq.most_common(1)[0]
key = (ord(most_common) - ord('E')) % 26
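print("Guessed key:", key)
# Prints 10, but the real shift is 3: in this short text the most common
# letter is O (a shifted L), not a shifted E. Try all 26 shifts to be sure.

This is why modern ciphers are designed to produce uniform-looking output regardless of the plaintext pattern.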
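
Trying all 26 shifts and keeping the candidate that looks most like English fixes the wrong guess a single letter count can give on short text. This is an added example, not code from the course notebook; the function names and the sample message are assumptions made for it.

```python
# Added example (not from the course notebook): brute-force every Caesar shift
# and rank the candidates by how English-like their letters are.
import string

# Approximate English letter frequencies in percent, A..Z.
ENGLISH_FREQ = dict(zip(string.ascii_uppercase, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
]))


def caesar(text: str, shift: int) -> str:
    """Shift A-Z by `shift` (negative to decrypt); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ENGLISH_FREQ:
            # % 26 is the clock math that wraps X, Y, Z back to A, B, C.
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> float:
    """Sum of letter frequencies: higher means the text looks more like English."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text)


def crack_caesar(ciphertext: str) -> tuple[int, str]:
    """Decrypt with all 26 shifts and return (shift, plaintext) of the best one."""
    candidates = [(shift, caesar(ciphertext, -shift)) for shift in range(26)]
    return max(candidates, key=lambda cand: english_score(cand[1]))


# Constructed sample message for this example.
SAMPLE_PLAINTEXT = "MEET ME AT THE SECRET ENTRANCE NEAR THE EAST GATE AT SEVEN"
SAMPLE_CIPHERTEXT = caesar(SAMPLE_PLAINTEXT, 3)

if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT)
    print(crack_caesar(SAMPLE_CIPHERTEXT))
```

The longer the ciphertext, the more reliable the score; on a message of only a few letters, print all 26 candidates and read them by eye.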

One-time pad: perfect secrecy

Ch 2 §2.3 — perfect secrecy and XOR

The unbreakable cipher — and its catch

XOR every plaintext bit with a truly random key bit of equal length. If the key is secret and never reused, it is mathematically unbreakable.

msg = b"HELLO"
key = b"XMCKL"   # random, same length, never reused
ct  = bytes(m ^ k for m, k in zip(msg, key))
pt  = bytes(c ^ k for c, k in zip(ct,  key))
print(pt)  # b'HELLO'

Pro                               Con
Information-theoretically secure  Key must be as long as the message
Simple to implement               Key can never be reused (two-time pad attack)
No math to attack                 Distributing the key is as hard as the message
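
Why the key can never be reused: when two messages are XORed with the same pad, XORing the two ciphertexts cancels the key and leaves message 1 XOR message 2. This is an added example, not code from the course notebook; the function names and the two sample messages are assumptions made for it.

```python
# Added example (not from the course notebook): a reused one-time pad key
# cancels out, so the "perfect secrecy" guarantee is gone.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (encrypts and decrypts a one-time pad)."""
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Fresh random key from the OS entropy pool: one per message, then discarded."""
    return secrets.token_bytes(length)


# Constructed sample messages of equal length.
MSG1 = b"MEET AT NOON"
MSG2 = b"BRING SNACKS"


def demo() -> dict:
    reused = new_pad(len(MSG1))
    ct1 = xor_bytes(MSG1, reused)
    ct2 = xor_bytes(MSG2, reused)          # mistake: same pad used twice
    leak = xor_bytes(ct1, ct2)             # the key drops out of this value

    ct3 = xor_bytes(MSG2, new_pad(len(MSG2)))   # correct: a fresh pad per message
    return {
        "roundtrip_ok": xor_bytes(ct1, reused) == MSG1,
        "key_cancelled": leak == xor_bytes(MSG1, MSG2),
        # Anyone who knows or guesses MSG1 now reads MSG2 without the key.
        "msg2_from_known_msg1": xor_bytes(leak, MSG1),
        # With fresh pads the same XOR is just random bytes.
        "fresh_pads_leak": xor_bytes(ct1, ct3) == xor_bytes(MSG1, MSG2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```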

Randomness quality matters

Ch 2 §2.4

Source                 Predictable?           Safe for crypto?  Use for
random.random()        Yes — seeded by clock  No                Games, simulations
secrets.token_bytes()  No — OS entropy pool   Yes               Keys, tokens, passwords
/dev/urandom (Linux)   No — hardware events   Yes               Same as secrets

import random, secrets

# DO NOT use this for passwords
print(random.randint(0, 2**32))  # predictable if seed known

# Use this instead
print(secrets.token_hex(16))     # 32 random hex chars, safe

In 2006, a Debian OpenSSL bug caused it to seed with only the process ID — effectively 15 bits. All keys generated during that period were compromised.

AES and block cipher modes

Ch 2 §2.5 — ECB vs CBC

AES encrypts 128-bit blocks. The mode of operation determines how blocks relate to each other.

ECB mode (broken)
  • Each block encrypted independently.
  • Same plaintext block → same ciphertext block.
  • Patterns in the data are visible.

CBC mode (use this)
  • Each block XORed with previous ciphertext before encryption.
  • Same plaintext → different ciphertext (due to IV).
  • No patterns visible.

The classic demo: encrypt a bitmap image (like a penguin) with ECB and you can still see the shape — the pattern leaks. CBC produces uniform noise.

The birthday paradox and hash collisions

Ch 2 §2.7 — why MD5 is broken

In a group of 23 people, there is a 50% chance two share a birthday. With hashes the same math applies: you do not need to find a specific collision, just any two inputs with the same output.

Hash     Output bits  Collision resistance  Status
MD5      128          2^64 operations       Broken (2004)
SHA-1    160          2^80 operations       Broken (2017)
SHA-256  256          2^128 operations      Secure

In 2004, Xiaoyun Wang found two different 128-byte messages with the same MD5 hash. In practice, do not use MD5 for security — use SHA-256 or SHA-3.
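
The birthday math can be checked directly, and the "any two inputs" shortcut can be watched at small scale by cutting SHA-256 down to 24 bits: a collision turns up after a few thousand hashes, not millions. This is an added example, not code from the course notebook; the function names and the msg-N inputs are assumptions made for it.

```python
# Added example (not from the course notebook): birthday probability and a
# collision search on a deliberately shortened hash.
import hashlib
from itertools import count


def birthday_probability(people: int, days: int = 365) -> float:
    """Chance that at least two of `people` share one of `days` equally likely values."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def truncated_sha256(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for a hash with a short output."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int) -> tuple[bytes, bytes, int]:
    """Hash msg-0, msg-1, ... until ANY two inputs share a truncated hash.

    Returns (first_input, second_input, hashes_computed).
    """
    seen: dict[int, bytes] = {}
    for n in count():
        msg = f"msg-{n}".encode()          # constructed inputs
        tag = truncated_sha256(msg, bits)
        if tag in seen:
            return seen[tag], msg, n + 1
        seen[tag] = msg


if __name__ == "__main__":
    print(f"23 people: {birthday_probability(23):.4f}")
    a, b, tries = find_collision(24)
    # 24 bits means 2**24 (about 16.7 million) outputs, yet roughly
    # 2**12 (about 4 thousand) hashes are enough for a collision.
    print(a, b, "collide after", tries, "hashes")
```

Each extra output bit only adds half a bit of collision resistance, which is why the table lists 2^64 for a 128-bit hash and 2^128 for a 256-bit one.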

RSA step by step

Ch 2 §2.10 — numeric worked example

Step              Formula               Value (p=17, q=23)
Choose primes     p, q                  p=17, q=23
Modulus           n = p × q             n = 391
Totient           phi = (p-1)(q-1)      phi = 352
Public exponent   e: gcd(e, phi) = 1    e = 3
Private exponent  d: e×d ≡ 1 (mod phi)  d = 235
Encrypt m=5       c = m^e mod n         c = 5^3 mod 391 = 125
Decrypt           m = c^d mod n         m = 125^235 mod 391 = 5

m, e, d, n = 5, 3, 235, 391
c = pow(m, e, n)    # encrypt: 125
m2 = pow(c, d, n)   # decrypt: 5
print(c, m2)        # 125 5

Digital signatures

Ch 2 §2.11 — authentication and non-repudiation

Proving who sent what

Sender: hash(msg) -> sign w/ private key -> msg + signature
Receiver: verify w/ public key -> hash(msg) == expected? -> VALID or TAMPERED

If one byte of the message changes, the hash changes and verification fails.
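
The RSA steps from the worked table and the sign-then-verify flow above, carried through with the same toy numbers (p=17, q=23, e=3). This is an added example, not code from the course notebook: it is textbook RSA with no padding, and the function names and sample message are assumptions made for it.

```python
# Added example (not from the course notebook): derive the toy key pair from
# the table's numbers, then hash-and-sign with it. Arithmetic demo only.
import hashlib
from math import gcd


def make_toy_keypair(p: int, q: int, e: int):
    """Return ((e, n), (d, n)) following the steps in the RSA table."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with phi")
    d = pow(e, -1, phi)        # modular inverse: e*d = 1 (mod phi), Python 3.8+
    return (e, n), (d, n)


def digest_mod_n(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender side: hash the message, then apply the private exponent."""
    d, n = private_key
    return pow(digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver side: undo the signature with the public key and compare hashes."""
    e, n = public_key
    return pow(signature, e, n) == digest_mod_n(message, n)


PUBLIC, PRIVATE = make_toy_keypair(17, 23, 3)
MESSAGE = b"pay Alice 10 coins"        # constructed sample message
SIGNATURE = sign(MESSAGE, PRIVATE)

if __name__ == "__main__":
    print("public:", PUBLIC, "private:", PRIVATE)
    print("valid signature accepted:", verify(MESSAGE, SIGNATURE, PUBLIC))
    print("altered signature accepted:", verify(MESSAGE, (SIGNATURE + 1) % 391, PUBLIC))
    # With n = 391 there are only 391 possible digests, so an altered message
    # slips through about 1 time in 391. Real moduli are thousands of bits long.
    print("altered message accepted:", verify(b"pay Alice 99 coins", SIGNATURE, PUBLIC))
```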

The TLS handshake

Ch 2 §2.14 — how HTTPS works

#  Message                       What it does
1  Client Hello                  Browser says: "I support these cipher suites and TLS versions"
2  Server Hello + Certificate    Server picks cipher, sends its X.509 certificate (signed by a CA)
3  Browser verifies certificate  Checks CA signature, expiry, hostname match
4  Key exchange                  Both sides derive the same session key (Diffie-Hellman or similar)
5  Finished                      Both send a MAC over the handshake — tampering would break this

After step 5, all data is encrypted with AES using the shared session key. This takes under 0.1 seconds on a modern connection.

Knowledge check

Why is ECB mode dangerous for encrypting images?

PART 3 OF 6

Code along

Run Modules 1 to 4 in the notebook.


Code along: open the notebook

Open Day3.ipynb (upload to Google Colab at colab.research.google.com, or open in Jupyter) and run Modules 1 to 4 with Shift + Enter.

The main course deck (Interactive_Slides.html) will also tell you exactly when to run each module. After the notebook, return to the main deck.

PART 4 OF 6

Play the free tools

Practice for real on two free, fun sites.


Play the free tools

Today you use dcode.fr and CyberChef. Follow the steps on the next slides.

Activity 1: dcode.fr

Open https://www.dcode.fr/

  • Use the cipher identifier: paste a scrambled message and let it suggest the cipher.
  • Try the Caesar cipher tool and the Vigenere tool.

Activity 2: CyberChef

Open https://cyberchef.org/

  • Drag the operation From Base64 into the recipe, paste an encoded string, and watch it decode.
  • Add ROT13 after it to build a two-step pipeline.

CyberChef is nicknamed the cyber Swiss-army knife.

PART 5 OF 6

Test yourself

Numericals, multiple choice, and the knowledge bank. Answer key included.


Numericals (do these in the notebook)

  1. Caesar shift of 3: what letter does X become?
  2. How many possible Caesar shifts are useful (not counting shift 0)?
  3. In ASCII, A is 65. What number is D?

Multiple choice (MCQ)

  1. Base64 is: a) strong encryption b) encoding anyone can reverse c) a hashing algorithm
  2. A hash is special because: a) it is one-way and cannot be reversed b) it hides files c) it speeds up the internet
  3. The Caesar cipher is weak because: a) it is too slow b) there are only 25 shifts to try c) it needs the internet

Knowledge Evaluation Bank (Embedded Assessments)

Multiple-Choice Questions (MCQ)

  1. An employee receives an email that addresses them by their full name and references their specific department project, urging them to click a review link. What attack method is this?

    • A) Mass Phishing
    • B) Spear Phishing
    • C) Baiting
    • Answer Key: B. Targeted phishing tailored to a specific individual is classified as spear phishing.
  2. Which cryptographic process converts data through a one-way function, making it computationally infeasible to reverse or decode into the original text?

    • A) Symmetric Encryption
    • B) Encoding
    • C) Cryptographic Hashing
    • Answer Key: C. Hashing functions map inputs to irreversible digests to verify data integrity.

Numerical Exercise

A standard English alphabet contains 26 characters (L=26). Calculate the total unique keyspace variations possible for a password with an exact length of 5 characters (N=5) under two different conditions:

  1. The password uses only lowercase alphabet characters.
  2. The password expands its character set to include 10 digits (0-9), bringing the total character pool to 36 options (L=36).

  • Solution Steps:
    • Keyspace 1 = 26^5 = 11,881,376 variations
    • Keyspace 2 = 36^5 = 60,466,176 variations


Answer key

Numericals: 1) A (X+3 wraps around), 2) 25, 3) 68. MCQ: 1-b, 2-a, 3-b.


PART 6 OF 6

Wrap up

Recap what you learned and reflect.


Reflection and homework

Write the difference between encoding, encryption, and hashing in one sentence each.