Breaking Stuff: Cryptanalysis and Protocol Failures - PowerPoint PPT Presentation

Slides: 27
Provided by: wade3


Breaking Stuff: Cryptanalysis and Protocol Failures
  • Wade Trappe

Lecture Overview
  • We have covered basic cryptographic tools that
    will be useful for building things. But, before
    you can build, you need to know the structural
    weaknesses of your tools
  • We will now talk about these weaknesses and the
    subjects of cryptanalysis and protocol failures
  • DES
  • Internet Challenges and EFF
  • Multiple DES and Meet in the Middle attack
  • RSA
  • Low Exponent Attacks
  • Protocol Failures (be careful, here be dragons!)
  • Hash Functions
  • Birthday Attacks and Implications

DES: Breaking DES
  • DES is now considered a weak encryption algorithm
  • Several attacks have been used against DES:
  • Differential and Linear Cryptanalysis
  • Brute Force Attacks
  • Brute force attacks are what ultimately broke DES
  • History: In 1977, Diffie and Hellman (we'll see these
    guys again) proposed a strategy for breaking DES
    in under a day using a $20M machine (1977 dollars)
  • Different approaches to brute force attacks:
  • Distributed computing (the Internet attack)
  • Custom-designed architecture for attacking DES
  • Programmable logic arrays

Many hands make light work
  • The distributed computing approach became very
  • In 1997 the RSA Data Security company issued a
    challenge to find the key and crack a DES
    encrypted message
  • Prize: $10K
  • 5 months later it was broken by Rocke Verser (who
    had written a program people ran on their
    machines during spare cycles)
  • Secret message: "Strong cryptography makes the
    world a safer place"
  • 1998: A similar challenge was issued by RSA Data
    Security
  • DES was broken in 39 days.
  • But worse was yet to come.

EFF Cracker
  • Also in 1998, the Electronic Frontier Foundation
    developed a project called DES Cracker.
  • Goal: use a specialized hardware platform (built
    on a budget of $200K) to break DES.
  • DES Cracker consisted of three main components:
  • Personal Computer
  • Software
  • Collection of Specialized Chips
  • The computer was connected to the array of chips,
    and the software oversaw the tasking of each chip
  • Software gave each chip the information necessary
    to start processing and waited until the chips
    returned candidate keys.
  • Specialized hardware would eliminate the bulk of
    the key space

EFF Cracker, pg. 2
  • Each chip in the DES Cracker consisted of 24
    search units
  • A search unit would:
  • Take a key and two 64-bit blocks of ciphertext
    and attempt to decrypt the first 64-bit block.
  • If the decrypted ciphertext looked interesting,
    then the search unit would decrypt the second.
  • If both decrypted as interesting, then the key
    would be returned to the control software to try
    on the full message.

[Slide flowchart: decrypt block 1 → Is interesting? → decrypt block 2 → Is interesting? → Return key]
EFF Cracker, pg. 3: What is Interesting?
  • EFF assumed that the plaintext was made using
    letters, numbers and punctuation
  • Out of the 256 possibilities for ASCII, roughly
    69 of these are letters, numbers, space and
    punctuation
  • A single byte would be interesting 69/256 (or
    roughly 1/4) of the time.
  • A full block (8 bytes) would be interesting
    (1/4)^8 = 1/65536 of the time
  • Given a key K, there is a 1/65536 chance that
    this key would produce something interesting when
    trying to decrypt m1.
  • But, 1/65536 does not cut down 2^56 that much, so
    we use the second block.
  • The odds that both are decrypted as interesting
    is (1/65536)^2 = 1/2^32, thus reducing the key space to
    roughly 2^24.
  • This can be easily handled by software.

EFF Cracker, pg. 4
  • The final system:
  • A chip with 24 search units running at 40MHz
    would take roughly 38 years to crack DES
  • So, to reduce this further, EFF used:
  • 64 chips on a board
  • 12 boards in a chassis
  • 2 chassis connected to a PC
  • In total, there were 1500 chips, and it took DES
    Cracker about 4.5 days to break DES.
  • There are many ways to improve on this:
  • 40MHz was slow by 1998 standards!
  • More chassis may be used

One Way to Fix DES: Multiple DES
  • People knew DES was weak before EFF, and multiple
    DES techniques were proposed to replace DES.
  • The security of multiple DES is based upon the
    fact that DES is not a group (encrypting twice
    using two keys does not give another encryption
    with a different, single key)
  • How many possible encryption functions are there
    from the space of 64-bit inputs to the space of
    64-bit outputs?
  • Does DES cover all of these? No.
  • It has been shown that DES is not a group (we
    will not show this, but see the discussion in Chapter ...)
  • We will first look at Double DES (2DES).
  • Never use 2DES!!!

  • The basic scheme is depicted to the left.
  • It might seem that the equivalent keyspace for
    2DES would be 2^56 × 2^56 = 2^112, i.e. 112 bits.
  • However, by employing an attack known as meet in
    the middle, it is possible to reduce the
    complexity of searching the key space to O(2^58),
    though at the cost of storage!

Breaking 2DES: Meet in the Middle
  • Suppose Alice and Bob have agreed on K1 and K2.
  • Let Eve intercept m and c = E_K2(E_K1(m)). Eve wants
    to find K1 and K2.
  • To accomplish this, she calculates all possible
    encryptions E_K(m) and all possible decryptions D_K(c)
    and looks for matches.
  • The matches are potential candidate key pairs.
    One is the correct key pair.

[Slide figure: the list of all encryptions E_1(m) = y_1, E_2(m) = y_2, ..., E_{2^56}(m) beside the list of all decryptions D_1(c), D_2(c), ..., D_{2^56}(c); a value y_j appearing in both lists marks a candidate (K1, K2) pair]
Breaking 2DES: Meet in the Middle, pg. 2
  • This has seriously cut down the number of
    possibilities, but we still have some left over
    to try.
  • In practice, we often repeat this twice, making a
    list for two different plaintext-ciphertext pairs.
  • When doing this, we need (2 · 2^56)(2)(64) bits of
    storage = 2^64.
  • This is roughly 2 billion gigabytes.
  • It's not unreasonable for a large company or a
    country to afford this amount of storage if it
    had to.
  • How much computation? Basically it's 2^58.
  • This is much less than 2^112.
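The meet-in-the-middle search from these two slides, run end to end against a constructed toy cipher. This is an added example, not code from the lecture: `toy_encrypt`/`toy_decrypt`, the 12-bit keys and the sample plaintexts are my own choices so that the whole 2^12-per-stage search finishes in well under a second, while the table-then-lookup structure is the one the slide describes.

```python
KEY_BITS = 12     # constructed toy: 2^12 keys per stage (DES has 2^56)
MASK16 = 0xFFFF   # 16-bit block (DES uses 64-bit blocks)

def toy_encrypt(key, block):
    """Constructed 4-round add/rotate/xor toy cipher. It is NOT DES, but like
    DES it is a keyed bijection, so the meet-in-the-middle idea carries over."""
    x = block & MASK16
    for r in range(4):
        x = (x + ((key * (r + 1) * 0x9E37) & MASK16)) & MASK16  # key-dependent add
        x = ((x << 5) | (x >> 11)) & MASK16                      # rotate left by 5
        x ^= (key >> (3 * r)) & 0x7                               # xor in 3 key bits
    return x

def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt: undo xor, rotate, add in reverse order."""
    x = block & MASK16
    for r in reversed(range(4)):
        x ^= (key >> (3 * r)) & 0x7
        x = ((x >> 5) | (x << 11)) & MASK16
        x = (x - ((key * (r + 1) * 0x9E37) & MASK16)) & MASK16
    return x

def double_encrypt(k1, k2, block):
    """The 2DES construction from the slide: c = E_K2(E_K1(m))."""
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Given known (m, c) pairs, return every (k1, k2) with E_K2(E_K1(m)) = c.
    Cost: 2 * 2^KEY_BITS cipher calls plus a 2^KEY_BITS-entry table, instead
    of the 2^(2*KEY_BITS) calls a naive search over both keys would need."""
    ms = [m for m, _ in pairs]
    cs = [c for _, c in pairs]
    # Forward list: middle values E_K1(m) for every K1, keyed on all pairs at
    # once (the slide's "repeat this twice" that prunes false matches).
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(tuple(toy_encrypt(k1, m) for m in ms), []).append(k1)
    # Backward list: D_K2(c) for every K2; a hit in the table is a candidate.
    candidates = []
    for k2 in range(1 << KEY_BITS):
        middle = tuple(toy_decrypt(k2, c) for c in cs)
        for k1 in table.get(middle, []):
            candidates.append((k1, k2))
    return candidates

def demo(k1=0x3A7, k2=0xC15):
    """Eve intercepts two constructed (m, c) pairs and recovers the key pair."""
    ms = [0x1234, 0xBEEF]
    pairs = [(m, double_encrypt(k1, k2, m)) for m in ms]
    return meet_in_the_middle(pairs)
```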

3DES, a better fix.
  • Triple DES (3DES) is a much better fix.
  • There are two ways in which 3DES is used
  • EEE mode
  • EDE mode
  • EDE with K1 = K3 is known as two-key triple
    encryption and is very popular.

RSA, Low Exponent Attacks
  • Theorem: Suppose p and q are primes with q < p <
    2q. Let n = pq, and choose e and d as in the RSA
    algorithm. If d < (1/3) n^{1/4}, then d can be
    calculated quickly.
  • Proof:
  • Since q < p < 2q, we have ... and ...
  • Write ed = 1 + k φ(n), for some integer k. Since e <
    φ(n), we have
  • φ(n) k < ed < (1/3) φ(n) n^{1/4},
  • Thus k < (1/3) n^{1/4}.
  • Therefore ...
  • Also, since k(n − φ(n)) − 1 > 0, we have kn − ed > 0.

RSA, Low Exponent Attacks, pg. 2
  • Proof (continued):
  • We may divide by dn to get ...
  • Since 3d < n^{1/4} by assumption, ...
  • Now, we satisfy a condition of the form ...
  • This condition means that the fraction k/d will
    arise during the continued fraction expansion of ...
  • In our case, k/d will arise from the continued
    fraction expansion of e/n.

RSA, Low Exponent Attacks, pg. 3
  • Low Exponent Continued-Fraction Attack: Suppose
    we have the conditions stated earlier; then Eve
    can do the following:
  • Compute the continued fraction of e/n. After each
    step, she has a fraction A/B.
  • Eve uses k = A, d = B to compute C = (ed − 1)/k. (Since
    ed = 1 + k φ(n), this value of C is a candidate for
    φ(n).)
  • If C is not an integer, continue to the next step
    of the continued fraction.
  • If C is an integer, then find the roots of
    X^2 − (n − C + 1)X + n. Hopefully, this will be the same
    as X^2 − (n − φ(n) + 1)X + n = (X − p)(X − q). If the roots are
    integers then Eve has factored n. If not,
    continue with the algorithm.
  • The number of steps in the continued fraction of
    e/n is logarithmic in n, so we won't have to try
    too many steps.
  • Remarks: The continued fraction expansions
    alternate between larger and smaller than e/n. We
    don't need to consider k/d that are smaller than
    e/n since we had 0 < k/d − e/n. So, we only need
    every other expansion!!!

Continued Fractions
  • A procedure for approximating a real number x:
    Let ⌊x⌋ be the greatest integer less than or
    equal to x.
  • Let us define a_0 = ⌊x⌋ and x_0 = x. Then define ...
  • We may approximate x by ...
  • The sequence of rational numbers r_k/s_k gives
    increasingly better accuracy.
  • Theorem: If ... for some integers r and s, then
    r/s = r_i/s_i for some i in this procedure.

RSA, Low Exponent Attacks, Example
  • Example: Let n = 1966981193543797 and e =
    323815174542919. The continued fraction expansion
    for e/n is
  • [0; 6, 13, 2, 3, 1, 3, 1, 9, 1, 36, 5, 2, 1, 6,
    1, 43, 13, 1, 10, 11, 2, 1, 9, 5]
  • The first fraction is 1/6, so we try k = 1, d = 6.
    Since d must be odd, this won't work.
  • By the remark, we may skip the second expansion
    and go to the third.
  • Again, d must be odd, so discard this.

RSA, Low Exponent Attacks, Example, pg 2
  • The fifth fraction is 121/735, which gives
    C = (735e − 1)/121. This is not an integer! So
    discard it!
  • The seventh fraction is 578/3511. This gives
    C = 1966981103495136 as a candidate for φ(n).
  • The roots of X^2 − (n − C + 1)X + n
  • are 37264873 and 52783789. Try these out and we
    find
  • n = 37264873 × 52783789
  • We have factored n.
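The continued-fraction attack of pg. 3, run on the slide's own n and e. This is an added example, not the lecture's code; the function names and the integer-square-root check for integer roots are my choices. On this input it lands on the seventh convergent 578/3511 and recovers the factors 37264873 and 52783789 given above.

```python
from math import isqrt

def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den via Euclid's algorithm
    (the same expansion the slide lists for e/n)."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients

def convergents(quotients):
    """Yield successive convergents r_i/s_i of the expansion as (r_i, s_i)."""
    r_prev, r = 1, quotients[0]   # r_{-1} = 1, r_0 = a0
    s_prev, s = 0, 1              # s_{-1} = 0, s_0 = 1
    yield r, s
    for a in quotients[1:]:
        r_prev, r = r, a * r + r_prev
        s_prev, s = s, a * s + s_prev
        yield r, s

def low_exponent_attack(e, n):
    """Slide's attack: try each convergent k/d of e/n as the unknown k/d in
    ed = 1 + k*phi(n). Returns (p, q, d) on success, else None."""
    for i, (k, d) in enumerate(convergents(continued_fraction(e, n))):
        if i % 2 == 0:
            continue          # even-indexed convergents lie below e/n; by the
                              # slide's remark only k/d > e/n can work
        if d % 2 == 0:
            continue          # d must be odd (ed = 1 + k*phi(n) is odd)
        if (e * d - 1) % k:
            continue          # C = (ed - 1)/k is not an integer: next step
        phi = (e * d - 1) // k
        # p and q are the roots of X^2 - (n - C + 1)X + n
        b = n - phi + 1
        disc = b * b - 4 * n
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (b + root) % 2:
            continue          # roots are not integers: keep going
        p, q = (b - root) // 2, (b + root) // 2
        if p > 1 and p * q == n:
            return p, q, d
    return None
```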

RSA, Short Plaintext Attack
  • RSA is commonly used to transmit keys used for
    DES and AES.
  • The key sizes of DES and AES are much smaller than
    the bit length used in a secure RSA (on the order
    of 500-1000 bits).
  • A DES key is a number m on the order of 10^17.
    When we encrypt with RSA to get c = m^e (mod n), we
    will get a c that is most likely full length
    (say, roughly 10^200).
  • Eve may conduct a Meet in the Middle-type
    attack. She makes two lists:
  • c x^{−e} (mod n) for all x with ...
  • y^e (mod n) for all y with ...
  • She looks for a match between the two lists, i.e.
    c x^{−e} ≡ y^e (mod n), so c ≡ (xy)^e (mod n).
  • So m = xy.
  • Note: This will not always find a match!

RSA, Short Plaintext Attack, pg. 2
  • This attack is very feasible. (Note: not every m
    will be able to be expressed as xy, but most can.)
  • More efficient than trying all 10^17 values
  • We need 2 × 10^9 computations.
  • How to prevent this attack? Use padding!
  • A simple strategy: add some random bits to the
    beginning and end of m.
  • A more complicated (and stronger) strategy is to
    use Optimal Asymmetric Encryption Padding (OAEP).

Birthday Attacks
  • A generalization of the short plaintext attack
    described earlier is the Birthday Attack.
  • The Birthday Attack is based upon the Birthday
    Paradox: If there are 23 people in a room, there
    is a 50% chance that two people share the same
    birthday.
  • Explanation:
  • Fix the first person's birthday.
  • Probability the second person has a different
    birthday is ...
  • Probability the third person has a different
    birthday is ...
  • And so on, giving the probability everyone has
    different birthdays as ...
  • Hence, the probability of a shared birthday is 1
    − 0.493 = 0.507

Birthday Attacks, pg. 2
  • Suppose we have N objects, and r people. Each
    person chooses an object. The probability there
    is a match is ...
  • for large N. Here λ is a parameter that is
    determined from the problem statement (for
    example, if λ = ln 2 then we have a 1/2 probability of
    a match)
  • Generalized Birthday Paradox: Suppose we have N
    objects and there are two groups of r people.
    Each person chooses an object. What's the
    probability that someone from the first group chose
    the same object as someone from the second group?
  • Answer: ... Here ...
  • Example: Look at the birthday problem again. Here
    N = 365, and let r = 30. Then ... and ... gives
    that there is a 91.5% probability that there is a
    shared birthday

Birthday Attacks, pg. 3
  • Now back to cryptography: The birthday paradox
    can be used to create an attack to find
    collisions in hash functions.
  • Let h(x) be an n-bit hash function.
  • There are N = 2^n possible outputs.
  • Make a list of ... hashes with randomly
    selected (but different) x.
  • We now have ..., so λ = 1/2 and thus a 1 − e^{−1/2}
    (roughly a 40%) chance of having two values x1
    and x2 with the same hash.
  • Try a slightly longer list, like r = 10 · 2^{n/2}, and we
    get over a 99% chance there is a collision.

Birthday Attacks on Digital Signatures
  • Alice will sign a document for Eve using digital
    signatures with a 50-bit hash.
  • The probability of a second document having the
    same hash is (1/2)^50.
  • Eve, however, may take an original document and
    find places where she can make changes. For
    example, we may add a space, or some such simple
    change.
  • If Eve has 30 of these locations, she has 2^30
    possible acceptable documents she can create.
    Eve now calculates the hash of each of these 2^30
    documents. Alice would accept any of these as
    acceptable.
  • Eve also makes 2^30 fraudulent versions
    (changing numbers, or words, etc.).
  • We now have a generalized birthday problem, with
    r = 2^30 and N = 2^50. We now have a case where
    ... and λ = 1024, so the probability of a match is
    about 1 − e^{−1024}, roughly 1!
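An added example (not from the lecture) that covers both the pg. 2 probability formula and the signature attack just described, scaled down so it finds a real collision in well under a second: a constructed 24-bit truncation of SHA-256 stands in for the 50-bit hash and 16 variation points replace the slide's 30. It uses λ = r^2/N for the two-group case, which is the value behind the slide's N = 365, r = 30 → 91.5% and r = 2^30, N = 2^50 → λ = 1024 figures; the sample documents are constructed.

```python
import hashlib
from itertools import product
from math import exp

HASH_BITS = 24           # constructed: a toy 24-bit hash instead of the slide's 50
VARIATION_POINTS = 16    # 2^16 variants per document instead of the slide's 2^30

def short_hash(text):
    """SHA-256 truncated to HASH_BITS bits, standing in for a short, weak hash."""
    digest = hashlib.sha256(text.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - HASH_BITS)

def variants(words):
    """Every document obtained by optionally doubling the space after each of
    the first VARIATION_POINTS words: the slide's 'add a space' edits, which a
    reader would not notice but which change the hash."""
    for choice in product((" ", "  "), repeat=VARIATION_POINTS):
        doc = words[0]
        for i, w in enumerate(words[1:]):
            doc += (choice[i] if i < VARIATION_POINTS else " ") + w
        yield doc

def match_probability(r, n):
    """Generalized birthday paradox: two groups of r choices from N objects
    match with probability 1 - e^(-lambda), lambda = r^2/N."""
    return 1.0 - exp(-(r * r) / n)

def find_collision(good, bad):
    """Return (good_variant, bad_variant) whose short hashes agree, or None.
    Two lists of r = 2^VARIATION_POINTS hashes over N = 2^HASH_BITS values give
    lambda = 2^(2*16 - 24) = 256, so a match is practically certain."""
    table = {}
    for doc in variants(good.split()):
        table.setdefault(short_hash(doc), doc)   # hash -> first good variant
    for doc in variants(bad.split()):
        h = short_hash(doc)
        if h in table:
            return table[h], doc
    return None

# Constructed sample documents (at least VARIATION_POINTS + 1 words each).
GOOD = ("I agree to pay Eve the sum of one hundred dollars for consulting "
        "services rendered during the month of March")
BAD = ("I agree to pay Eve the sum of one million dollars for consulting "
       "services rendered during the month of March")
```

Alice's defense from the next slide is visible here too: changing one character of the good document before signing sends the signed hash to a value Eve's fraudulent list almost surely does not contain.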

Defense for Birthday Attacks on Digital Signatures
  • So, Eve can find a collision and make a
    fraudulent document that will have the same
    signature as another document.
  • Eve will get Alice to sign the good document, and
    then swap the good document with the fraudulent
    one.
  • They will have the same hash, and hence the same
    signature.
  • What can Alice do?
  • Rather than sign the good document, she alters
    the good document (perhaps by removing a comma)
    and signs that.
  • Eve no longer has the match, and instead must try
    to find a specific collision; this is very hard.