| Chapter | Topic | Actionable Task | |---------|-------|----------------| | 1 | Hashing | Implement a simple deduplication system; demonstrate length extension attack on SHA256 (use Python). | | 2 | MACs | Compare HMAC vs KMAC; write a small token verifier with timing-safe comparison. | | 3 | Symmetric Encryption | Encrypt a file with AES-GCM; deliberately corrupt the tag to see rejection. | | 4 | Asymmetric Encryption (RSA, ECIES) | Encrypt with RSA PKCS#1 v1.5 (obsolete) vs OAEP; explain padding oracle conceptually. | | 5 | Signatures | Sign a message with Ed25519; verify with public key – note nonce reuse risk. | | 6 | Key Exchange (Diffie‑Hellman) | Implement toy DH in Python; compute shared secret; add a KDF. | | 7 | Randomness & RNG | Test system RNG with ent ; discuss getrandom() vs /dev/urandom . |
The gap between textbook cryptographic primitives and their real-world deployment often enables vulnerabilities that pure theoretical analysis misses. This paper presents a practical evaluation of encryption and integrity mechanisms in widely used archive formats (ZIP, RAR, 7z), inspired by the case studies in Real-World Cryptography . Using a combination of known plaintext attacks, extension-header manipulation, and legacy algorithm fallbacks (e.g., ZipCrypto, RAR3’s AES-128 with weak PBKDF2 iterations), we demonstrate recoverable key material from partial plaintext overlaps. We further introduce a fuzzing framework (“BookRAR-Breaker”) that automates detection of nonce reuse and padding oracle behavior in password-protected RAR5 archives. Our results show that 18% of real-world RAR files collected from public sources remain vulnerable to automated recovery due to configuration errors, not algorithmic flaws. We conclude with actionable recommendations for archive tool maintainers, emphasizing that secure defaults—not just strong ciphers—are the cornerstone of real-world cryptographic safety. Real-World Cryptography - -BookRAR-
Real-World Cryptography