In the middle of Stockholm’s archipelago lies a conference facility just like any other, but this week, it had a few special guests. That’s because there’s a cybersecurity training week going on, with the purpose of picking out a team of young people to represent Sweden in the European championship in cyber defence. I arrived at the conference facility early, eager to participate in the training session focused on cryptography, its building blocks, and weaknesses.
Sitting in the lobby watching as random people walked in and out, my eyes spotted a person wearing a red t-shirt with the large white Greek symbol Pi (π) printed on the front of the whole shirt. When he moved closer through the lobby, I could see that the big Pi (π) was in fact printed on the shirt using the decimals of Pi (π) itself. By then I knew without a doubt that this was the cryptography lecturer of the day. All the nerdy fibers in my body felt like this was going to be a great day!
Not long after, the team of selected trainees moved through the front doors. I’m not a fan of placing people into stereotypes – especially not the stereotype of programmers where I myself fit in, wearing black clothes, preferably a hoodie or an oversized t-shirt, headphones, and with a computer close at hand. Though when quite a homogenous group walked into the lobby, I knew that this was the team of Sweden’s brightest young minds participating in the cyber security training and tryouts. After greeting the teacher and the organisers, I followed the group of young cyber security experts into the classroom in which they had been training for the past few days (and would be for a few more days to come). A free seat was available next to three guys around the age of 15.
These are people you won’t meet in traffic, since they are too young to have a driver’s license. However, as far as internet traffic goes, these people are the kings of the road! The young people in this room, with ages ranging up to 25 years old, are the best in all of Sweden on the broad subject of cyber security. How cool is that!
I studied cyber security at The Royal Institute of Technology for five years and those younglings could hack me in a minute… Oh, do I dare to open my computer in this room, I thought to myself? Should I put my phone into airplane mode? I felt digitally exposed and uncomfortable. In my head, connecting my laptop to the cyber security training Wi-Fi network was like jumping into a swimming pool of pitch-black water without knowing if someone would come up from below, watching you from a distance, or if it’s all in your head.
To calm my nerves, I started talking to the boys next to me. They were just your regular high school boys. I asked them if I could shadow them while they worked on the first exercise given by the teacher. “OK,” one of them said, and started to explain his train of thought. Just like a detective or an engineer, he started to classify the problem at hand. The teacher had given us a cipher to crack. In a split second, my tablemate had identified the kind of ciphertext and then started telling me about all the ways we could go about cracking the ciphertext and extracting the password used in the encryption. Extracting the password was the goal of the challenge. After listing a few options for me, he ended by saying: “But why reinvent the wheel, when we can go online and paste the ciphertext on this website and get the password back within the blink of an eye?” And just like that, he had identified the problem at hand, picked the most efficient tool for the job, and executed it, showing me the password on the screen.
The first assignments were simple in the realm of cryptography, so they went pretty quickly. I talked to one of my other tablemates. He and his brother were very humble, and without lifting their eyes from the screen while continuously typing away, said they really can’t believe that they are the top of the top in Sweden within this area. “I feel like I know nothing; I have learned so much during this week,” one of them said. He barely had time to finish his sentence before we heard a happy-sounding ping from his PC stating that he had successfully completed yet another challenge given to the contestants from the bootcamp organisers.
After talking to my tablemates for a while, I felt a little bit embarrassed about the fact that I had even been thinking that I was scared to open my laptop. I guess prejudice takes many forms and that no one is immune! After opening the computer, I got to try a few tasks myself. The theme was cryptography, which I had my major in, so I knew my way around the area. I picked one of the challenges that sounded interesting, multi-byte XOR encryption. The assignment was to find the hidden password used to encrypt the secret message.
Before letting all of us in the conference room loose on these assignments, we got a crash course in different cryptos, how to hack them and some tips and tricks. With the help of my notes, I was able to find a little loose end to start investigating. The loose end was finding repeating patterns, and after a bit of analysis I could safely say that the password consisted of two bytes (two letters). Now this password is indeed a bad password since the password can then only be one of 65 536 possible combinations. That might sound like a lot to a human, but for a computer it will take only seconds to try all the possible values and present the correct password on the screen. If this was a hacking competition, brute forcing all the possibilities would be the way to win the challenge, but I wanted to torture myself a bit more and grabbed a pen and paper and started doing a few calculations by hand. While that was fun and all to revive lost knowledge from university, I ended up writing a simple computer programme to make a very naïve guess on the password. On the first try, it managed to guess the first letter correctly, but the second letter was not quite correct. I could see that the guess was in the correct ballpark but not quite a bullseye. After a few more calculations by hand I was able to see the error in the code and fix it. And on the screen the encrypted message appeared. The journey started at:
00 17 06 0E 0C 06 0C 03 0B 62 16 12 04 01 00 62 01 07 03 0B 0B 07 01 62 07 1B 65 0B 0B 06 00 12 00 0C 01 07 0B 16 65 0E 0C 0C 00 03 17 62 06 0D 0B 11 11 10 04 0B 0B 16 16 62 16 12 00 01 0C 04 1C 0B 0B 05 65 16 0D 03 11
And finally, the concluding message: “Euclidian space defined by independent linear constraints specifying that …”
Maybe you can find the password if you know how XOR works?
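The approach described above, run on the challenge bytes printed in this article, as an added example that is not the author's programme: each key byte only touches every n-th ciphertext byte, so the key positions can be solved one at a time (256 guesses each) instead of trying all 65 536 two-byte keys. The scoring rule (count letters and spaces) and all function names are assumptions made for this sketch.

```python
# Added example: recover a short repeating XOR key one key position at a time.
# Ciphertext bytes exactly as printed in the article.
CIPHERTEXT = bytes.fromhex(
    "00 17 06 0E 0C 06 0C 03 0B 62 16 12 04 01 00 62 01 07 03 0B 0B 07 01 62 "
    "07 1B 65 0B 0B 06 00 12 00 0C 01 07 0B 16 65 0E 0C 0C 00 03 17 62 06 0D "
    "0B 11 11 10 04 0B 0B 16 16 62 16 12 00 01 0C 04 1C 0B 0B 05 65 16 0D 03 11"
)


def xor_repeat(data, key):
    """XOR data with the key repeated over its length (encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(chunk):
    """Crude plaintext test (assumption): count ASCII letters and spaces."""
    return sum(
        1 for b in chunk
        if b == 0x20 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A
    )


def best_key_byte(column):
    """Try all 256 values for one key position; return (score, key_byte)."""
    return max(
        (text_score(bytes(b ^ k for b in column)), k) for k in range(256)
    )


def recover_key(ciphertext, max_len=8):
    """Guess key length and key: every key position is scored on its own column."""
    best_score, best_key = -1, b""
    for length in range(1, max_len + 1):
        # Column i holds the bytes encrypted with key byte i.
        picks = [best_key_byte(ciphertext[i::length]) for i in range(length)]
        score = sum(s for s, _ in picks)
        # Strict comparison: a doubled key (e.g. length 4) scores the same
        # as the real one, so ties keep the shorter candidate.
        if score > best_score:
            best_score, best_key = score, bytes(k for _, k in picks)
    return best_key


if __name__ == "__main__":
    key = recover_key(CIPHERTEXT)
    print("key:", key)
    print("plaintext:", xor_repeat(CIPHERTEXT, key).decode("ascii"))
```

A "most frequent byte is a space" guess would miss here, because a letter is more common than the space in one of the two columns; scoring every candidate byte against the whole column avoids that.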
The whole day had now passed, and the clock was approaching five in the afternoon. For me that meant heading back home. “What is on your agenda now?” I asked the boys sitting next to me. One of them told me that half of the gang would probably go for a swim and play some games outside, while the other half would continue to solve challenges until late evening. “I am one of those who will stay,” he said. “Why?” I asked. “I just love programming and hacking – it’s as simple as that,” he said.
I could recognise myself in those words, and even though I don’t have the broad cyber security skills those youths have, I still share the love for programming and hacking. That is why I, before I left, downloaded a few more of the cryptography challenges handed out by the lecturer. And that is why, when I go to bed tonight, there will be an empty jar of snacks, an empty can of Mountain Dew and a lot of cracked ciphers on my desk.
Thank you so much for giving me the opportunity to participate and solve cryptos and – the best part of it all – meet Sweden’s youngest and sharpest minds in IT security.
The European Cyber Security Challenge is an initiative from the EU’s Agency for Cybersecurity (ENISA). The aim is to bring together young talent from Europe to have fun and compete in cyber security.
SEB is one of the main sponsors, and the purpose of this initiative is that we hope to spark an interest among young people to choose this career and thereby help create solutions to our society’s digitalisation challenges.