Week 8: Time Management Reflection

This term has been a really busy term with having to balance work and assignments due after assignments. I feel that this course has a high workload because it involves lots of blogging. I have lagged behind my lectures and homework activities for this course. For the Something Awesome project, there were times where I wasn’t able to complete some week’s work on time however, I have managed to catch up on it on later weeks and submit it on time. 

One of the reasons why I lagged behind so much in this course is because most of my other courses mid-semester exams and assignments are due earlier than the Something Awesome project and Job Application and therefore I have to re-set my priority and spend my time doing those projects first. Nevertheless, I still managed to finish this course’s assignments on time.

Week 8: Something Awesome Demo Video 🔐

Week 3:

Under 3 minutes: https://www.youtube.com/watch?v=dJuz14ABdKo&list=UUmaBqDT-0YxTyii4a-G-MWg&index=15

Tutorial: https://youtu.be/vvf8l8vPyq8

Using aluminium can: https://www.youtube.com/watch?v=kRYhNS8JcTA&list=UUmaBqDT-0YxTyii4a-G-MWg&index=9

Week 4:

Under 3 minutes: https://www.youtube.com/watch?v=_gR4v62LARY

Tutorial: https://www.youtube.com/watch?v=EYVJzex85qE&t=48s

Using aluminium can: https://www.youtube.com/watch?v=4DeSAuOYNAg

Week 5:

Under 3 minutes: https://www.youtube.com/watch?v=YFdwo9VEUSY

Tutorial: https://www.youtube.com/watch?v=2D-_dza9u1Y&t=10s

Week 6:

Under 3 minutes: https://www.youtube.com/watch?v=m7v1WqK38dc

Tutorial: https://www.youtube.com/watch?v=ivUQ9ACoZNM

Additional lock: https://www.youtube.com/watch?v=rocmwMAJsdw

Week 7:

Under 3 minutes: https://www.youtube.com/watch?v=lmcJH_Zh9fQ

Tutorial: https://www.youtube.com/watch?v=Hgdgm1BbTso

Week 8:

SA Demo Video: https://www.youtube.com/watch?v=KrzlWQ-KRjM

**please tell me if the link doesn’t work. There were times where youtube delete the videos without my knowledge.

Week 8: Something Awesome Project 🔐

What I learned in the past 7 weeks:

After attempting to do this project weekly, I realized that it took me more time and work than I thought. Researching and familiarizing myself with the mechanism of each lock took me hours. Attempting to successfully lock-pick some locks took minutes to hours for the first time and I do not always successfully lock-pick the locks on each attempt. In addition, practising to lock-pick the locks under 3 minutes took some time too. This project has taught me a lot about patience and that locks are not as secure as I initially thought. For example, for the week 5 project I lock-picked my apartment door. I found out that it took seconds to rake open it and hence I need to change it to ones with higher security.

I also feel that single pin picking is harder than raking. I feel like raking doesn't require any skills or techniques as it is based more on luck and probabilities.

SA Demo Video:

Week 8: Security Everywhere

5G Security

The coming 5G networks have the potential to explode vertical industries, enabling the creation of a wide array of new services — all of which will demand new, varying levels of security.

For example, automated vehicles. The threat of automotive cyberattacks will rise as autonomous vehicles become more widespread. In the healthcare field, 5G capabilities will help with faster transfer of large patient files, remote surgery, and remote patient monitoring via IoT devices among other advances. However, those advances are tempered by the need for ever-stronger security. Creating risks that include medical identity theft, invasion of health privacy, and medical data management. In addition, growing IoT device use will make dealing with increasing cybersecurity risks more challenging.

Smart homes will require stronger methods of authentication, such as biometric identification, softwares that uses voice and face recognition, or the bevy of fingerprint-access door locks available at hardware stores. In general, IoT devices and sensors will demand more complex authentication to prevent unauthorized access.

Week 8: Case Study

Ghost

This week’s tutorial is about the Stargate ghost problem. The Stargate problem is when a group of military people standing outside a Stargate to another dimension. One of the brave young cadets volunteers to walk through the portal and ends up in this fantastic universe, full of beautiful, charismatic aliens. One of the aliens asks if he can join the cadet back into his universe. The cadet agrees. When they walk back into the Earth universe, the cadet disintegrates and becomes a ghost. The alien can, however, see and hear the ghost, but no living thing on Earth can either see or hear the ghost of the young cadet. The goal is to get a report from the cadet such as whether alien A is to be trusted and if there is anything urgent they should do based on the information the cadet obtained in his trip to the alien planet.

Suppose you are the friendly Major M from the base who can see the alien A but who cannot see the invisible man X.

Q: What would you M do to get from X his report on the Alien's (A's) planet?

There are a lot of inconsistent variables in this scenario. We have to take into account whether the alien A is to be trusted or not.

There is a chance that the alien is bad and will give out false information. However, there is also a chance that the alien is good and will give true information. We have to find a way to ensure that X can communicate legitimately through alien A with the people of Earth. We have to create a method where alien A will convey the correct message whether it is good or bad. This can be done using the encryption and decryption using an OTP. This makes it impossible for A to alter.

Week 8: Homeworks

Week 8: Activities

Google Yourself 😱😱😱😱😱😱😱😱😱😱😱😱😱😱

I picked Facebook and downloaded my data. Information that I got are:

Posts - Posts I’ve shared on Facebook, posts that are hidden from my timeline and polls I have created, my photos and videos, my comments, all my likes and reactions, my friends, my stories that I’ve shared, my following and followers, my messages, groups, events I went or interested, my profile, pages, marketplace, payment history, saved items and collections, my places, my apps and websites and other activity.

In addition, it also contains ads which contain ads topic that is most relevant to me that are submitted to advertisers. It also contains my search history, location, about me and security and login information.

In the about me, it contains face recognition data, friends peer group data and my address books. The address books contain all of the phone numbers contacts from my veeeeery old phone which is very surprising because I don’t remember connecting my phone book with Facebook. I don’t know where they get these data from. In the login activity, it contains the time, IP address and browser of from what devices I used to log in to my Fb account.

I am terror-strickenly shocked at how much of my personal data Facebook has collected, they have all my data since the first time I created Facebook, which is a long long time ago. I didn’t know Facebook has that much data of me and I don’t remember giving out this much information. With these data, I believe it is very easy for bad people to steal my identity and use it for bad purposes. From this activity, it has made me reflect and to think twice before posting or using Facebook or any other media. It also made me realise the danger and how easy it is for social media like Facebook to get your personal information without your awareness. 😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱

Week 8: Lecture

In this week lectures we learned a few things:

Root cause analysis:

Blame everything on the last person to touch it

Culture

The whole system

Human weaknesses

Error

Cassandra syndrome

Chekhov's Gun

Week 7: Something Awesome Project 🔐

Week 7: This week’s lock is a wafer lock.

Aim: Trying to pick-lock a wafer lock and understand its mechanism.

Mechanism:

A wafer tumbler lock is a type of lock that uses a set of flat wafers to prevent the lock from opening unless the correct key is inserted. This type of lock is similar to the pin tumbler lock and works on a similar principle. However, unlike the pin tumbler lock, the wafer is a single piece.

In a cylindrical wafer tumbler lock, a series of flat wafers (red) holds a cylindrical plug (yellow) in place. The wafers are fitted into vertical slots in the plug, and are spring-loaded, causing them to protrude into diametrically opposed wide grooves in the outer casing of the lock (green). As long as any of the wafers protrude into one of the wide grooves, rotation of the plug is blocked, as would be the case if there was no key, or if an improperly bitted key were inserted.

A rectangular hole is cut into the centre of each wafer. The vertical position of the holes in the wafers vary, so a key must have notches corresponding to the height of the hole in each wafer, so that each wafer is pulled in to the point where the wafer edges are flush with the plug, clearing the way for the plug to rotate, thus rotating opening the lock. If any wafer is insufficiently raised or raised too high, the wafer edge will be in one of the grooves, blocking rotation.

Instruments used to lock pick

To open this lock, I used a tension wrench and a rake pick.

How to lock pick it?

How to unlock this lock is similar to unlocking the practice /pin tumbler lock.

1. Firstly, insert the tension wrench into the bottom part of the keyway. This is to pressurize the cylinder and keep the wafers in place until all are free. Since I’m right-handed, I like to hold the lock with my left hand and keep the tension wrench with my left ring finger for convenience.

2. Secondly, we can open this using single wafer picking or the raking method. With the single wafer picking, using a rocking motion, I hold the hook pick with my right hand and use the tip to lift the wafers, one at a time. We want to make the wafers the same height as the cylindrical plug, not too high and not too low. If it is too high or too low, the wafer edge will be in one of the grooves, blocking the plug from rotating. With the raking method, insert the rake pick into the keyhole and move it in and out at varying speeds and at varying angles while gently increasing and decreasing the tension.

3. Once I have lifted all wafer to the desired height, we push keylock in a clockwise direction using hand to open the lock, and push it back in an anti-clockwise direction to lock the lock.

Time taken to open the lock

It took me a long time around 5++ minutes to open it with the single wafer picking method, but using the raking method took me less than a minute

Challenges and difficulties in opening this lock

This is a new type of lock that I haven’t pick in the previous week. The challenge is trying to find and understand its mechanism from Google. In addition, it is not transparent so we can’t see the inside mechanism of the lock. We do not know the height and numbers of the wafers. I find it hard trying to pick the wafers at the right height.

How I feel about this week’s lock(level of difficulty, fun/interesting/too hard?), implications of safety to daily lives

In my opinion, as a beginner this lock is hard to single pick but easy to rake. I believe this kind of lock security is enough to be used to lock drawers, furniture or cabinets.

EXTENSION/ADDITIONAL:

Video of me trying to lock pick it under 3 minutes:

Tutorial video to open this week’s lock using the lock pick set:

Week 7: Security Everywhere

E-commerce failures

At the beginning of March 2014, the C2C giant had noticed an unsolicited database session in their main servers, scanning password files. It was later officially announced that an undisclosed slice of the +120 million users have been compromised for credentials and personal information.

E-Bay themselves has acknowledged that one of their own has succumbed to a behavioural engineering trick known as Phishing, where the attacker would ask the password from someone who knows it, either pretending to be the original site or another, completely irrelevant, site but relying on the fact that most of us use the same password everywhere.

The goal of the perpetrators was to obtain e-Bay staff credentials and with that, to access their database and steal user personal information. From there, they could either collapse the entire e-Bay operation, by using the commandeered user accounts to wreak havoc on the site or, more probably, use that info for personal Phishing attacks (presenting themselves as e-Bay to the user, proving that with valid secret information and then asking for credit card numbers).

E-bay neglected two crucial security principals:

Two-factor authentication for staff. Staff cannot log in unless they know the password but they are also in possession of a physical device such as an asymmetric public key generator or a USB key.

Constant training protocol. Had the staff been made aware of the trickery behind Phishing, they would most likely never use a common password and they would have been aware of what’s a legitimate e-Bay page and what is a Phishing attempt.

Unfortunately, in the aftermath of this is not only the time spent on damage control and a few rolling heads at the IT department but also a critical hit to eBay's reputation, amid rising competition from other similar websites. No significant malicious use has been performed with the stolen data but eBay's shares have lost great value.

Week 7: Case Study

Snoop

Our government collects a lot of information about us. Tax records, legal records, license records, records of government services received-- it's all in databases that are increasingly linked and correlated. Still, there's a lot of personal information the government can't collect. The question is, should the government or government agencies collect and have access to your data for good purposes, or should citizens, e.g. you, have a right to privacy which stops them?

Support:

Citizen’s data has all sorts of applications. The government could use these to find tax cheaters by comparing data brokers' estimates of income and net worth with what's reported on tax returns, to compiling a list of gun owners from Web browsing habits, instant messaging conversations, and locations -- did you have your iPhone turned on when you visited a gun store?

By collecting citizen’s data, the government no longer needs to collect photographs. An example is the Facebook database of tagged photographs is surprisingly effective at identifying people. As more places follow Disney's lead in fingerprinting people at its theme parks, the government will be able to use that to identify people as well. This is good for the government to prevent terrorist attacks or catch criminals.

Government access should be allowed access to data, but with transparency. It could be used to fight cybercrimes and track terrorists. However, there should be a formal policy and transparency on what they do, how they look at it and who sees it.

Governments should be able to govern, they have the right to protect their citizens. Tech companies have been sprawling without regulation. They host tons of data on citizens that they directly or indirectly, knowingly or unknowingly, trade for profit. There needs to be a mechanism allowing representatives of people to access citizen data to perform basic functions like defending their citizens.

Against:

Giving the government’s access to citizen’s data causes structural problem involving the way people are treated by government institutions. Moreover, it creates a power imbalance between individuals and the government.

If governments are classifying their own information, citizens should get privacy too as there are no reasons why citizens should not also have an expected right to privacy as well.

Insecure communications could suppress citizens' rights. Privacy should be a fundamental right of free people. It is naive to think that opening some part of all software systems or encryption algorithms will only be used by the Five Eyes governments and not malicious parties. This will inherently make communications less secure around the world, which could lead to the suppression of free speech.

Week 7: Activities

Block Cipher Modes

Terms:

Confusion: each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two. In the application to encryption, confusion means that the process drastically changes data from the input to the output, for example, by translating the data through a non-linear table created from the key.

Diffusion: if we change a single bit of the plaintext, then (statistically) half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then approximately one-half of the plaintext bits should change. Since a bit can have only two states, when they are all re-evaluated and changed from one seemingly random position to another, half of the bits will have changed state. In the application to encryption, diffusion means that changing a single character of the input will change many characters of the output.

Avalanche Effect: In cryptography, the avalanche effect is the desirable property of cryptographic algorithms, typically block ciphers and cryptographic hash functions, wherein if an input is changed slightly (for example, flipping a single bit), the output changes significantly (e.g., half the output bits flip). In the case of high-quality block ciphers, such a small change in either the key or the plaintext should cause a drastic change in the ciphertext.

SP Boxes: The S-boxes and P-boxes transform (sub-)blocks of input bits into output bits. An S-box substitutes a small block of bits (the input of the S-box) by another block of bits (the output of the S-box). This substitution should be one-to-one, to ensure invertibility (hence decryption). In particular, the length of the output should be the same as the length of the input (the picture on the right has S-boxes with 4 input and 4 output bits), which is different from S-boxes in general that could also change the length, as in DES(Data Encryption Standard), for example. An S-box is usually not simply a permutation of the bits. Rather, a good S-box will have the property that changing one input bit will change about half of the output bits (or an avalanche effect). It will also have the property that each output bit will depend on every input bit. A P-box is a permutation of all the bits: it takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible.

Fiestal Networks: A symmetric structure used in the construction of block ciphers

Block Ciphers: an encryption method that applies a deterministic algorithm along with a symmetric key to encrypt a block of text, rather than encrypting one bit at a time as in stream ciphers.

Stream Ciphers: A symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream.

Cipher 1 is using ECB

Cipher 2 is using CM

Cipher 3 is using CBC

Cipher 4 is using CBC

Cipher 5 is using ECB

Week 7: Lecture

In this week’s lecture, we learned about:

- Vulnerabilities

- Canary

- NOP sled

- OWASP Top 10

- Security engineering - Assets

- PKI Weakmesses

- Bug bounties

- Penetration Testing

Week 6: Something Awesome Project 🔐

This week’s lock is the cam lock. Cam locks are one of the most common and simplest locks to use. They are used to secure doors, lockers, windows, cabinets, drawers and many other items. The cam lock was invented in 1985 by Volker Guelck from Ontario, Canada. The lock consists of a metal plate, which is called a cam, that is attached to the core of the locking device and rotates as the key is inserted and turned. The cam rotates between 90 to 180 degrees locking and unlocking. There are two basic types of cam locks: flat key cam lock and tubular cam lock. The type of cam lock used today will be the flat key wafer tumbler cam lock.

Aim: Trying to pick-lock a cam lock and understand its mechanism.

Mechanism:

This cam lock uses the same mechanism as a pin tumbler. It has a cylindrical hole in which the plug is housed. To open the lock, the pins must align on the shear line and the plug must rotate. The plug has a straight-shaped slot known as the keyway at one end to allow the key to enter the plug and is connected to the cam which can rotate from 90 to 180 degrees depending on the lock. The keyway often has protruding ledges that serve to prevent the key pins from falling into the plug.

Instruments used to lock pick

To open this lock, I used a tension wrench and a hook pick.

How to lock pick it?

How to unlock this lock is similar to unlocking the practice /pin tumbler lock. I put a white mark on the lock to differentiate between the starting and ending position as the cam can rotate 180 degrees. Both white marks present like in the picture below represents the starting position.

1. Firstly, insert the tension wrench into the bottom part of the keyway. This is to pressurize the cylinder and keep the wafers in place until all are free. Since I’m right-handed, I like to hold the lock with my left hand and keep the tension wrench with my left ring finger for convenience.

2. Secondly, using a rocking motion, I hold the hook pick with my right hand and use the tip to lift the pins, one at a time. We want to make the pins to be on the shear line, not too high and not too low. If it is too high or too low, the plug won't rotate

3. Once I have lifted all the pins to the desired height, I push the tension wrench in a clockwise direction to rotate and open the lock and push it back in an anti-clockwise direction to lock the lock.

Time taken to open the lock

It took me around one minute to open it for the first time, but after getting used with the lock, it took me around 20-30 seconds.

Challenges and difficulties in opening this lock

This is a new type of lock that I haven't pick in the previous week. The challenge is trying to find and understand its mechanism from the google. In addition, it is not transparent so we can't see the inside mechanism of the lock. We do not know the height and numbers of the wafers. I find it hard trying to pick the wafers at the right height.

How I feel about this week’s lock(level of difficulty, fun/interesting/too hard?), implications of safety to daily lives

In my opinion, this lock is not too hard to pick since the locking mechanism is similar to a normal pin tumbler lock, but not too easy either since it is not transparent. I believe this kind of lock security is enough to be used to lock drawers, furniture or cabinets.

EXTENSION/ADDITIONAL:

Video of me trying to lock pick it under 3 minutes:

Tutorial video to open this week’s lock using the lock pick set:

Video of me picking another lock (Mailbox):

My mailbox uses cam lock.

Week 6: Security Everywhere

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all of their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security. The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks. OWASP refers to the Top 10 as an ‘awareness document’ and they recommend that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks.

Below are the security risks reported in the OWASP Top 10 2017 report:

1. Injection

Injection attacks happen when untrusted data is sent to a code interpreter through a form input or some other data submission to a web application. For example, an attacker could enter SQL database code into a form that expects a plaintext username. If that form input is not properly secured, this would result in that SQL code being executed. This is known as an SQL injection attack.

Prevention/mitigation: Validating and/or sanitizing user-submitted data. (Validation means rejecting suspicious-looking data, while sanitization refers to cleaning up the suspicious-looking parts of the data.) In addition, a database admin can set controls to minimize the amount of information an injection attack can expose.

2. Broken Authentication

Vulnerabilities in authentication (login) systems can give attackers access to user accounts and even the ability to compromise an entire system using an admin account. For example, an attacker can take a list containing thousands of known username/password combinations obtained during a data breach and use a script to try all those combinations on a login system to see if there are any that work.

Prevention/mitigation: Requiring 2-factor authentication (2FA) as well as limiting or delaying repeated login attempts using rate-limiting.

3. Sensitive Data Exposure

If web applications don’t protect sensitive data such as financial information and passwords, attackers can gain access to that data and sellor utilize it for nefarious purposes. One popular method for stealing sensitive information is using a man-in-the-middle attack.

Prevention/mitigation: Encrypting all sensitive data as well as disabling the caching of any sensitive information. Additionally, web application developers should take care to ensure that they are not unnecessarily storing any sensitive data.

4. XML External Entities (XEE)

This is an attack against a web application that parses XML* input. This input can reference an external entity, attempting to exploit a vulnerability in the parser. An ‘external entity’ in this context refers to a storage unit, such as a hard drive. An XML parser can be duped into sending data to an unauthorized external entity, which can pass sensitive data directly to an attacker.

Prevention/mitigation: Have web applications accept a less complex type of data, such as JSON.

5. Broken Access Control

Access control refers to a system that controls access to information or functionality. Broken access controls allow attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. For example, a web application could allow a user to change which account they are logged in as simply by changing part of a URL, without any other verification.

Prevention/mitigation: Ensuring that a web application uses authorization tokens* and sets tight controls on them.

6. Security Misconfiguration

Security misconfiguration is the most common vulnerability on the list and is often the result of using default configurations or displaying excessively verbose errors. For instance, an application could show a user overly-descriptive errors which may reveal vulnerabilities in the application.

Prevention/mitigation: Removing any unused features in the code and ensuring that error messages are more general.

7. Cross-Site Scripting

Cross-site scripting vulnerabilities occur when web applications allow users to add custom code into a URL path or onto a website that will be seen by other users. This vulnerability can be exploited to run malicious JavaScript code on a victim’s browser. For example, an attacker could send an email to a victim that appears to be from a trusted bank, with a link to that bank’s website. This link could have some malicious JavaScript code tagged onto the end of the URL. If the bank’s site is not properly protected against cross-site scripting, then that malicious code will be run in the victim’s web browser when they click on the link.

Prevention/mitigation: Escaping untrusted HTTP requests as well as validating and/or sanitizing user-generated content. Using modern web development frameworks like ReactJS and Ruby on Rails also provides some built-in cross-site scripting protection.

8. Insecure Deserialization

This threat targets the many web applications which frequently serialize and deserialize data. Serialization means taking objects from the application code and converting them into a format that can be used for another purpose, such as storing the data to disk or streaming it. Deserialization is just the opposite: converting serialized data back into objects the application can use. Serialization is sort of like packing furniture away into boxes before a move, and deserialization is like unpacking the boxes and assembling the furniture after the move. An insecure deserialization attack is like having the movers tamper with the contents of the boxes before they are unpacked.

An insecure deserialization exploit is the result of deserializing data from untrusted sources and can result in serious consequences like DDoS attacks and remote code execution attacks.

Prevention/mitigation: Prohibit the deserialization of data from untrusted sources.

9. Using Components With Known Vulnerabilities

Many modern web developers use components such as libraries and frameworks in their web applications. These components are pieces of software that help developers avoid redundant work and provide needed functionality; a common example includes front-end frameworks like React and smaller libraries that used to add share icons or a/b testing. Some attackers look for vulnerabilities in these components which they can then use to orchestrate attacks. Some of the more popular components are used on hundreds of thousands of websites; an attacker finding a security hole in one of these components could leave hundreds of thousands of sites vulnerable to exploit.

Component developers often offer security patches and updates to plug up known vulnerabilities, but web application developers don’t always have the patched or most-recent versions of components running on their applications.

Prevention/mitigation: Developers should remove unused components from their projects, as well as ensuring that they are receiving components from a trusted source and ensuring they are up to date.

10. Insufficient Logging And Monitoring

Many web applications are not taking enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response.

Prevention/mitigation: OWASP recommends that web developers should implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.

Week 6: Case Study

Suppose we are thrust into a war with a superpower such as Russia. List what sorts of computer and internet related attacks might we suffer?

Types of attacks that we might suffer:

Distributed denial of service (DDoS)

Main in the middle (MitM)

Phishing

Drive-by attack

SQL injection

Cross-site scripting (XSS) Eavesdropping attack

Birthday attack

Malware attack

Week 6: Activities

One-Time Pads

Rising to popularity in the War, the One Time Pad is considered one of the only forms of cryptography with what is described by Claude Shannon as "perfect secrecy". That is if done correctly, the code in uncrackable.

The One Time Pad requires a key which is completely random, and at least as long as the message to be encoded. Each letter of the plain text is combined with the corresponding letter of the key using modular arithmetic - ie letter C + key B results in E.

Plain text + key  mod 26 = cipher text

The absolute security of the One Time Pad was proven by Claude Shannon in the 1940s, but depended on a few things...

The pad must be generated from truly random numbers. If the pad is not generated from a perfectly random source, than it is possible to predict values from the pad and  thus crack the code.

The pad must be as long as the message

The pad must never be reused

Activity - Cribb Dragging

Cribb Dragging involves XORing two cipher texts, XOR of cipher texts = XOR of plaintext

Looking at the text given, I am guessing the ‘Lpa’ in the first, fourth and fifth line is the word ‘The’. T (20) + x mod 26 = L (12), 8 + x mod 26 = 16, 5 + x mod 26 = 1. We then can find the first 3 key numbers x: 18, 8 and 22 respectively. We use these key numbers to turn the messages of the first three letters for the second and third line and get:

Message 1: The

Message 2: Eve

Message 3: Can

Message 4: The

Message 5: The

Then, I tried ‘Every’ for the second line which produces key numbers 14 and 23 and get:

Message 1: These

Message 2: Every

Message 3: Canyo

Message 4: Themo

Message 5: Thepr

Then, I tried ‘You’ for message 3, ‘Everyone’ for Message 2, ‘Please’ for Message 3 and repeat the guessing and calculation for the rest of the message and get:

Message 1: The Secret To Winning Eurovision Is Excellent Hair

Message 2: Everyone Deserves A Hippopotamus When They’re Sad

Message 3: Can You Please Help Oliver Find The Flux Capacitor

Message 4: The Most Important Person In The World Is Me Myself

Message 5: The Price Of Bitcoin Is Too Damn High Given The Data