BSidesDC 2016 Kids Crypto Challenge And lessons learned

Upload: andrew-shumate

Post on 07-Jan-2017


Page 1: BSidesDC 2016 Kids Crypto Challenge

BSidesDC 2016 Kids Crypto Challenge

And lessons learned

Page 2: BSidesDC 2016 Kids Crypto Challenge

First Puzzle

• They were given this card and told that in order to read the message they would need to find Jack Daniel and exchange a pass phrase (similar to the one used by James Bond in From Russia With Love https://www.youtube.com/watch?v=cFhWdiDXt4w)

Page 3: BSidesDC 2016 Kids Crypto Challenge

• The back of the card had the following text

• They were told their clue was ‘today’s date’ (10/22/16)

• This was a simple Caesar shift cipher

• Hey got any grapes?

• We only have lemonade would you like a glass

• I will pass

• Jack would then give them a red filter

* There was an error and the first line was also the third line; this did not prohibit any children from getting the filter

Good morning 008. While 007 is away on vacation you will need to take his place on this mission.

On the other side of this card is a hidden message, to read it you will need to get the decoder from our contact working at the conference. Our contact is easy to recognize but you cannot just walk up to him and say you’re are a secret agent, you will need to give him a passphrase.

You must decode the passphrase first

The pass phrase is “Roi qyd kxi qbkzoc?”

He should respond “Sa kjhu dwra haikjwza skqhz ukq hega w chwoo”

You should respond “Xuo wej qdo whqfui”*

Page 4: BSidesDC 2016 Kids Crypto Challenge

Second Puzzle

• With the red filter they could then read the message

HTTPS://TWITTER.COM/ANDREWSHUMATE/STATUS/789291570440855552

FIND THE CLUE AT 156408

• If they opened the image in a hex editor and went to decimal offset 156408 they would be told to find the clue on their wristband (The Kids badges this year were USB Slap Bracelets)

Page 5: BSidesDC 2016 Kids Crypto Challenge

Third Puzzle

• When they began the challenge I put a file on their wristband with the following string

R28gYmFjayB0byB3aGVyZSB5b3UgYmVnYW4gYW5kIGFzayBmb3IgeW91ciBtYWls

• It is a base64 encoded string which when decoded reads

Go back to where you began and ask for your mail

Page 6: BSidesDC 2016 Kids Crypto Challenge

Fourth Puzzle

• When they were handed this card they were told the key was sailor

• The message on the back was the following

008, You are doing quite well, but you haven’t completed the mission yet.

Again you will need to decode the pass phrase

Go find the challenge creator

The pass phrase is “Akj iud fl xqnpl ifqvyai jkvqnpl”

He will respond “Jsz kbu wm dfjeoei kwocfj mwbs qwjeoei”

You respond “Diooex dund to loe insu nl npau dnyaoc”

Page 7: BSidesDC 2016 Kids Crypto Challenge

• This was a keyed Caesar cipher

• They would then be given a blue filter

The pass phrase is “Red sky at night sailors delight”

He will respond “Red sky at morning sailor take warning”

You respond “Smooth seas do not make an able sailor”
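The first and fourth puzzle cards can both be decoded with one routine, shown here as an added example that is not part of the original slides. It assumes each line uses one number from the date clue (10, 22, 16) as its shift, and that the fourth card's cipher alphabet is the key "sailor" followed by the unused letters; both assumptions are reconstructed from the ciphertext and plaintext pairs on the slides, not stated by the author.

```python
import string

ALPHABET = string.ascii_lowercase
# Assumption: one shift per card line, read from the date clue 10/22/16.
DATE_SHIFTS = (10, 22, 16)


def keyed_alphabet(key: str = "") -> str:
    """Key letters first (duplicates dropped), then the unused letters in order."""
    seen = dict.fromkeys(ch for ch in key.lower() if ch in ALPHABET)
    return "".join(seen) + "".join(ch for ch in ALPHABET if ch not in seen)


def decode(ciphertext: str, shift: int, key: str = "") -> str:
    """Undo a (keyed) Caesar shift; non-letters pass through, case is kept."""
    cipher_alpha = keyed_alphabet(key)  # an empty key gives a plain Caesar cipher
    out = []
    for ch in ciphertext:
        pos = cipher_alpha.find(ch.lower())
        if pos < 0:  # space or punctuation
            out.append(ch)
            continue
        plain = ALPHABET[(pos - shift) % 26]
        out.append(plain.upper() if ch.isupper() else plain)
    return "".join(out)


def decode_card(lines, key=""):
    """Decode each card line with the matching number from the date."""
    return [decode(line, s, key) for line, s in zip(lines, DATE_SHIFTS)]


# Ciphertext copied from the two cards in the slides.
FIRST_CARD = [
    "Roi qyd kxi qbkzoc?",
    "Sa kjhu dwra haikjwza skqhz ukq hega w chwoo",
    "Xuo wej qdo whqfui",
]
FOURTH_CARD = [
    "Akj iud fl xqnpl ifqvyai jkvqnpl",
    "Jsz kbu wm dfjeoei kwocfj mwbs qwjeoei",
    "Diooex dund to loe insu nl npau dnyaoc",
]

if __name__ == "__main__":
    for line in decode_card(FIRST_CARD) + decode_card(FOURTH_CARD, key="sailor"):
        print(line)
```

The third line of the first card decodes to the same phrase as the first line, which is the printing error noted in the footnote on that slide.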

Page 8: BSidesDC 2016 Kids Crypto Challenge

Fifth and final Puzzle

• The blue filter would reveal the following URL

https://www.youtube.com/watch?v=6hIPlB3awv0

• Which is Morse code that reads

Congratulations Agent 008, you have completed the crypto challenge! Return to where you started the challenge for your prize.

Page 9: BSidesDC 2016 Kids Crypto Challenge

Lessons Learned

• Better QA could have been done prior to sending materials to press

• While some support from parents is expected, there were reports that there were several adults helping. This is a Black Badge challenge and as such should have a sufficient level of difficulty; there is a balance on how much adult support there should be, and I will work on that for 2017

• 2017 will be based on points with tie breaker challenges rather than a race to the end

• While my social media (Twitter and YouTube) is generally PG, going forward the challenge should have its own social media accounts.

• All participants seemed to have been challenged and enjoyed participating