Archive for the ‘Difficulty level’ Category
Filed under ( History of cryptology, 19th century cryptology, Cryptanalysis, Difficulty level, Easy, Media, Movies and TV, Cryptographic techniques, Ciphers, Classical ciphers, Substitution ciphers) by Matthias Hamann on 14 September 2008 at 00:04. (9,557 views)
Some weeks ago, I rented the 2007 adventure film National Treasure: Book of Secrets on DVD, in which treasure hunter Benjamin Franklin Gates (played by Nicolas Cage) looks to discover the truth behind the assassination of Abraham Lincoln. In the movie’s first scene, which takes place in a tavern in Washington, D.C. five days after the end of the Civil War, Ben Gates’ great-great-grandfather Thomas Gates is approached by John Wilkes Booth and another member of the Knights of the Golden Circle, who ask him to decipher a secret message, which has obviously been encrypted using the Playfair cipher and might lead them to a mythological city of gold called Cíbola.
As the Playfair cipher was state-of-the-art at the end of the Civil War in 1865, I wondered how someone (even if portrayed as a well-known puzzle solver) would be able to perform a successful ciphertext-only attack within just one or two hours, not having any frequency tables at hand and given a ciphertext consisting of only 22 digraphs (= pairs of letters). The following article will explain the basic concepts (encryption, decryption and cryptanalysis) of the Playfair cipher using the example from National Treasure: Book of Secrets.
Read the rest of this entry »
BitLocker Drive Encryption is a feature of Windows Vista Ultimate and Windows Server 2008, which offers full disk encryption on the level of logical volumes (e.g., C:). As it uses AES 128 by default and the only publicly known way to defeat programs like BitLocker or TrueCrypt (if properly configured) is the famous (but easily preventable) cold boot attack, I’d really recommend using it if you are not a follower of the “Microsoft is pure evil” cult. Needless to say, even the strongest disk encryption is only as good as the password or key mechanism you use. In the following, I will describe a little-known option which was introduced with Service Pack 1 for Vista and makes attacks based on keyloggers or stolen USB sticks massively more difficult.
Read the rest of this entry »
Sorry that there have been only two posts since the start of this blog on 8th August. I have neither lost interest only days after kickoff nor have I been kidnapped by some dark intelligence agency. On the contrary, I have been spending a lot of time on fixing numerous visible and invisible bugs, especially in the translated versions of this blog. Moreover, there is a whole bunch of new features available like a highly scalable FAQ and LaTeX support for posts and comments!
I am optimistic that the stage of initial installations and bug fixes has come to an end now, so that from this point on, I can exclusively focus on what this blog is really about: cryptology! On my desk, there are already some drafts about the Playfair cipher, which was extensively referred to in the blockbuster “National Treasure: Book of Secrets” (2007), and the Japanese code JN-25, which played a decisive role in WWII’s Battle for the Pacific. So please stay tuned for what’s to come in the near future!
Some days ago I decided to improve the security of my new WordPress blog by using .htaccess and Basic Authentication to protect the wp-admin folder. This task was rather trivial as the whole procedure is well documented in the Apache manual and there are convenient online tools to create the necessary .htaccess and .htpasswd files (.htaccess generator & .htpasswd generator) for those who don’t have their own server and use shared hosting instead.
So far, so good. But when I tried to access wp-login.php, which is located in WordPress’ base folder, I had to realize that it uses two CSS files from the folder wp-admin/css. As wp-login.php and the two CSS files should be accessible to any visitor of my blog, I needed to find a way to exclude the subfolder wp-admin/css from the Basic Authentication protecting wp-admin. Unluckily, it seems that there is no specific command for that purpose.
After crawling Google for approximately two hours I finally managed to find a solution, which needs only three lines of code to bypass the Basic Authentication of the parent directory. Simply create a new .htaccess file in the subfolder you want to exclude from the authentication and add the following lines:
    Order Deny,Allow
    Allow from all
    Satisfy any
“Allow from all” will grant any IP address access to this folder. But the decisive line is “Satisfy any”, which tells the server to require either a correct Basic Authentication or the satisfaction of the “Deny/Allow” properties (the default is “Satisfy all”, which requires both). As “Allow from all” gives access to anyone, this effectively neutralizes the Basic Authentication inherited from the parent folder.
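A defender-side check for the technique above, as an added example that is not part of the original post: it walks a document root and reports every .htaccess that lifts authentication inherited from a protected parent folder, so that each exemption can be reviewed. The directory layout, file contents and function names are constructed for illustration; besides the post's “Satisfy any” it also flags `Require all granted`, the Apache 2.4 authorization directive that grants access unconditionally.

```python
import os
import re
import tempfile

# Patterns are anchored at line start, so directives commented out with '#' do not match.
AUTH = re.compile(r"^\s*AuthType\s+\S+", re.I | re.M)
OPENERS = {
    "Satisfy any": re.compile(r"^\s*Satisfy\s+any\b", re.I | re.M),
    "Require all granted": re.compile(r"^\s*Require\s+all\s+granted\b", re.I | re.M),
}

def find_auth_exemptions(docroot):
    """Return (relative_dir, directive) pairs for .htaccess files that lift inherited auth."""
    protected, findings = [], []
    for cur, dirs, files in os.walk(docroot):  # top-down: parents are visited first
        dirs.sort()
        if ".htaccess" not in files:
            continue
        with open(os.path.join(cur, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        inherited = any(cur.startswith(p + os.sep) for p in protected)
        if AUTH.search(text):
            protected.append(cur)
        if inherited:
            rel = os.path.relpath(cur, docroot).replace(os.sep, "/")
            findings += [(rel, name) for name, rx in OPENERS.items() if rx.search(text)]
    return findings

# Constructed sample tree (not taken from a real site); the css entry is the
# three-line .htaccess from the post, the AuthUserFile path is a placeholder.
SAMPLE = {
    "wp-admin": "AuthType Basic\nAuthName \"Admin\"\n"
                "AuthUserFile /path/to/.htpasswd\nRequire valid-user\n",
    "wp-admin/css": "Order Deny,Allow\nAllow from all\nSatisfy any\n",
    "wp-admin/includes": "# Satisfy any\nOptions -Indexes\n",  # commented out
    "wp-content": "Require all granted\n",  # no protected parent above it
}

def build_sample(root):
    for rel, body in SAMPLE.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, directive in find_auth_exemptions(root):
            print(f"{rel}: '{directive}' lifts inherited authentication")
```

Every directory it reports is served without a password, so the list should contain only folders that hold public assets such as the login page's style sheets.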
“Hello World!”
That’s how almost any beginner’s guide to programming starts, so it’s probably a good line to begin my first public blog with. Hopefully, you’ll find many useful facts and interesting stories about cryptography and related topics at this place very soon. Please grant me some time to develop my personal “blogging style” and support me by making extensive use of the available rating and comment possibilities!
Have fun,
Matt