NEOISF Puzzle Solution

A few people emailed me with the solution to the puzzle I posted, but I figured I’d post the solution for those that wanted it.

In the puzzle, Van Helsing is attempting to break the crypto that Dracula is using to try and find him. Fortunately for Van Helsing, the program is free and he can download it to see if he can crack it. He ran the program and typed in “vampire_vampire_vampire” and got back “R1lUR1hKXGhHWVRHWEpcaEdZVEdYSlw=”. 

Anyone who has done any type of network analysis, or looked at a raw SMTP message, should recognize the output as base64 encoded. Base64 is an algorithm that converts binary data to ASCII so it can be transferred over protocols that do not natively allow binary (e.g. SMTP). It does this by converting every 3 bytes of data to 4 bytes of ASCII. The “=” character is used as padding in case more characters are needed and is often a give-away.

Base64 can be converted using many methods, but since Van Helsing is awesome he is using Linux and uses the base64 command to do so.

$ echo -n R1lUR1hKXGhHWVRHWEpcaEdZVEdYSlw= | base64 -d –

NOTE: Van Helsing really should have redirected the output to a file since the characters could have been binary.

The base64 decoding produced a string that has 2 interesting qualities.

First, the base64 decoded string is the same length as the string he entered. This means that whatever algorithm the encryption program is using may be doing a 1-for-1 character encryption. In other words, the characters in his plaintext is being encrypted one at a time.

Second, there is a pattern of “GYTGXJ\h”. The pattern is 8 characters long, which just happens to be the length of “vampire_”. Coincidence? Probably not. 

The type of encryption that immediately popped into Van Helsing’s head that can have these properties is XOR encryption. XOR is a boolean logic function that can be applied in encryption. This is done by taking a key and XOR’ing each of its bytes against the characters in the plaintext. 

One property of XOR encryption is that if you take the plaintext and XOR it with the ciphertext, it will reveal the key! Van Helsing knew this and XOR’d his plaintext against the ciphertext he got. (He wrote a quick Python script to do so):

$ python GYTGXJ\hGYTGXJ\hGYTGXJ\ vampire_vampire_vampire


Voila! XOR’ing each byte of his plaintext with the ciphertext he received returned a pattern of “1897”, which must be the key!

Taking that as the key, he then base64 decoded Dracula’s message and applied the key of 1897 to get:

I will be at the Ohio Information Security Summit.

Now Van Helsing knew where he would be and could destroy the fiend!

For those in the know, the key does have some significance. 🙂

*** This is a Security Bloggers Network syndicated blog from The Security Shoggoth authored by Tyler. Read the original post at: