Concise Christmas Cryptography Challenges 2019

Concise Christmas Cryptography Challenges 2019

Last year we published some crypto challenges to keep you momentarily occupied from the festivities. This year, we're doing the same. Whether you're bored or just want to learn a bit more about the technologies that encrypt the internet, feel free to give these short cryptography quizzes a go.

We're withholding answers until the start of the new year, to give you a chance to solve them without spoilers. Before we reveal the answers; if you manage to solve them, we'll be giving the first 5 people to get the answers right some Cloudflare swag. Fill out your answers and details using this form so we know where to send it.

Have fun!

NOTE: Hints are below the questions, avoid scrolling too far if you want to avoid any spoilers.

Concise Christmas Cryptography Challenges 2019


Client says Hello

Client says hello, as follows:


[Raw puzzle without text wrap]

Time-Based One-Time Password

A user has an authenticator device to generate one time passwords for logins to their banking website. The implementation contains a fatal flaw.

At the following times, the following codes are generated (all in GMT/UTC):

  • Friday, 21 December 2018 16:29:28 - 084342
  • Saturday, 22 December 2018 13:11:53 - 411907
  • Tuesday, 25 December 2018 12:15:03 - 617041

What code will be generated at precisely midnight of the 1st of January 2019?


At Cloudflare, we just setup RPKI: we signed a few hundred prefixes in order to reduce route leaks. But some of the prefixes hide a secret message. Find the ROAs that look different, decode the word!


Client says Hello

This challenge has 3 hints, as follows:


The Time-Based One-Time Password Algorithm is described in RFC 6238, which was based of RFC4226 (providing an algorithm for HOTP). The TOTP algorithm requires input of two important parameters, the time and a shared secret - could one be missing?

The implementation used to generate the TOTP codes for the challenge uses SHA-1 as a digest algorithm.


This challenge has 4 hints, as follows:

  • Hint #0: Four or six? Probably six.
  • Hint #1: If only there was a way of listing only our IPs!
  • Hint #2: What is the only part of the ROA where we can hide information into
  • Hint #3: Subtract the reserve, the char will show itself


Stay tuned!

Interested in helping build a better internet and drive security online? Cloudflare is hiring.