Breaking Stuff: Cryptanalysis and Protocol Failures

- Wade Trappe

Lecture Overview

- We have covered basic cryptographic tools that will be useful for building things. But, before you can build, you need to know the structural weaknesses of your tools.
- We will now talk about these weaknesses and the subjects of cryptanalysis and protocol failures:
  - DES
    - Internet Challenges and EFF
    - Multiple DES and Meet in the Middle attack
  - RSA
    - Low Exponent Attacks
    - Protocol Failures (Be careful, here be dragons!)
  - Hash Functions
    - Birthday Attacks and Implications

DES: Breaking DES

- DES is now considered a weak encryption algorithm.
- Several attacks have been used against DES:
  - Differential and Linear Cryptanalysis
  - Brute Force Attacks
- Brute force attacks are what ultimately broke DES.
- History: in 1977 Diffie and Hellman (we'll see these guys again) proposed a strategy for breaking DES in under a day using a $20M machine (1977 dollars).
- Different approaches to brute force attacks:
  - Distributed computing (the Internet attack)
  - Custom-designed architecture for attacking DES
  - Programmable logic arrays

Many hands make light work

- The distributed computing approach became very popular.
- In 1997 the RSA Data Security company issued a challenge to find the key and crack a DES-encrypted message. Prize: $10K.
- 5 months later it was broken by Rocke Verser (who had written a program people ran on their machines during spare cycles).
- Secret Message: "Strong cryptography makes the world a safer place"
- 1998: a similar challenge was issued by RSA Data Security. DES was broken in 39 days.
- But worse was yet to come.

EFF Cracker

- Also in 1998, the Electronic Frontier Foundation developed a project called DES Cracker.
- Goal: use a specialized hardware platform (built using a budget of $200K) to break DES.
- DES Cracker consisted of three main components:
  - Personal Computer
  - Software
  - Collection of Specialized Chips
- The computer was connected to the array of chips, and the software oversaw the tasking of each chip.
- Software gave each chip the information necessary to start processing and waited until the chips returned candidate keys.
- Specialized hardware would eliminate the bulk of the key space.

EFF Cracker, pg. 2

- Each chip in the DES Cracker consisted of 24 search units.
- A search unit would:
  - Take a key and two 64-bit blocks of ciphertext and attempt to decrypt the first 64-bit block.
  - If the decrypted ciphertext looked interesting, then the search unit would decrypt the second.
  - If both decrypted as interesting, then the key would be returned to the control software to try on the full message.

[Flowchart of one search unit: D_K(m1) → Is Interesting? No: K ← K + 1, next key. Yes: D_K(m2) → Is Interesting? No: K ← K + 1. Yes: Return Key.]

EFF Cracker, pg. 3: What is Interesting?

- EFF assumed that the plaintext was made using letters, numbers and punctuation.
- Out of the 256 possibilities for ASCII, roughly 69 of these are letters, numbers, space and punctuation.
- A single byte would be interesting 69/256 (or roughly 1/4) of the time.
- A full block (8 bytes) would be interesting (1/4)^8 ≈ 1/65536 of the time.
- Given a key K, there is a 1/65536 chance that this key would produce something interesting when trying to decrypt m1.
- But, 1/65536 does not cut down 2^56 that much, so we use the second block.
- The odds that both are decrypted as interesting is 1/2^32, thus reducing the key space to roughly 2^24.
- This can be easily handled by software.

EFF Cracker, pg. 4

- The final system:
  - A chip with 24 search units running at 40MHz would take roughly 38 years to crack DES.
  - So, to reduce further, EFF used:
    - 64 chips on a board
    - 12 boards on a chassis
    - 2 chassis connected to a PC
  - In total, there were 1500 chips, and it took DES Cracker about 4.5 days to break DES.
- There are many ways to improve on this:
  - 40MHz was slow by 1998 standards!
  - More chassis may be used.

One Way to Fix DES: Multiple DES

- People knew DES was weak before EFF, and multiple DES techniques were proposed to replace DES.
- The security of multiple DES is based upon the fact that DES is not a group (encrypting twice using two keys does not give another encryption with a different, single key).
- How many possible encryption functions are there from the space of 64-bit inputs to the space of 64-bit outputs? Does DES cover all of these? No.
- It has been shown that DES is not a group (we will not show this, but see the discussion in Chapter 4).
- We will first look at Double DES (2DES).
- Never use 2DES!!!

2DES

- The basic scheme is depicted to the left.
- It might seem that the equivalent keyspace for 2DES would be 2 × 56 = 112 bits.
- However, by employing an attack known as meet in the middle, it is possible to reduce the complexity of searching the key space to O(2^58), though at the cost of storage!

[Figure: m → E_K1 → E_K2 → c]

Breaking 2DES: Meet in the Middle

- Suppose Alice and Bob have agreed on K1 and K2.
- Let Eve intercept m and E_K2(E_K1(m)) = c. Eve wants to find K1 and K2.
- To accomplish this, she calculates all possible encryptions and all possible decryptions and looks for matches.
- The matches are potential candidate key pairs. One is the correct key pair.

[Table: the list of decryptions D_1(c) = a, D_2(c) = b, D_3(c) = y_j, …, D_{2^56 − 1}(c), D_{2^56}(c) is compared against the list of encryptions E_1(m) = y_1, E_2(m) = y_2, E_3(m) = y_3, …, E_{2^56 − 1}(m) = y_j, E_{2^56}(m) = y_h; a value appearing in both lists (here y_j) marks a candidate pair (K1, K2).]

Breaking 2DES: Meet in the Middle, pg. 2

- This has seriously cut down the amount of possibilities, but we still have some left over to try.
- In practice, we often repeat this twice, making a list for two different plaintext-ciphertext pairs.
- When doing this, we need (2 × 2^56)(2)(64) = 2^64 bits of storage.
- This is roughly 2 billion gigabytes.
- It's not unreasonable for a large company or a country to afford this amount of storage if it had to.
- How much computation? Basically it's 2^58.
- This is much less than 2^112.
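The two DES attacks above (the EFF search unit's two-block "is it interesting?" filter, and the meet-in-the-middle search on double encryption) can both be run end to end on a scaled-down cipher. The following is an added example, not code from the lecture or from the EFF project: it uses a constructed toy 64-bit Feistel cipher with a 14-bit key (built from SHA-256 as a stand-in round function; it is not DES) so that the 2^14 key space, the filter survivors and the 2 · 2^14-work meet-in-the-middle table fit in a few seconds of Python. The keys, message blocks and the key size are assumptions made for the demonstration.

```python
import hashlib
import string

# Added example (not the lecture's code): a toy 64-bit Feistel block cipher with
# a KEY_BITS-bit key standing in for DES, small enough that an EFF-style
# filtered brute-force search and a meet-in-the-middle attack on double
# encryption both run in seconds. Cipher, keys and message are constructed here.
KEY_BITS = 14
ROUNDS = 4


def _round_fn(half: int, key: int, rnd: int) -> int:
    # Keyed, non-linear round function built from SHA-256 (a stand-in only).
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_encrypt(key: int, block: bytes) -> bytes:
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(right, key, rnd)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def toy_decrypt(key: int, block: bytes) -> bytes:
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(left, key, rnd), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


# --- EFF-style search: cheap "is it interesting?" filter on two blocks ---
INTERESTING = frozenset((string.ascii_letters + string.digits + " .,;:'\"!?-()").encode())


def looks_interesting(block: bytes) -> bool:
    # The EFF heuristic: every byte is a letter, digit, space or punctuation.
    return all(b in INTERESTING for b in block)


def eff_search(c1: bytes, c2: bytes, key_bits: int = KEY_BITS) -> list:
    """Keys surviving both filters; control software then tries them on the full message."""
    survivors = []
    for key in range(1 << key_bits):
        # Second block is only decrypted when the first one looked interesting.
        if looks_interesting(toy_decrypt(key, c1)) and looks_interesting(toy_decrypt(key, c2)):
            survivors.append(key)
    return survivors


# --- Meet in the middle on double encryption c = E_K2(E_K1(m)) ---
def meet_in_the_middle(pairs: list, key_bits: int = KEY_BITS) -> list:
    """Recover (K1, K2) from known (m, c) pairs using ~2 * 2^key_bits cipher calls
    and a 2^key_bits-entry table instead of 2^(2 * key_bits) work."""
    (m1, c1), *rest = pairs
    forward = {}                       # E_K1(m1) -> [K1, ...]
    for k1 in range(1 << key_bits):
        forward.setdefault(toy_encrypt(k1, m1), []).append(k1)
    candidates = [(k1, k2)
                  for k2 in range(1 << key_bits)
                  for k1 in forward.get(toy_decrypt(k2, c1), ())]
    # A second known pair weeds out accidental matches (the slide's "repeat twice").
    return [(k1, k2) for k1, k2 in candidates
            if all(toy_encrypt(k2, toy_encrypt(k1, m)) == c for m, c in rest)]


# Constructed sample data: two 8-byte blocks of the DESCHALL message.
SECRET_KEY = 0x1EEF                    # single-key "DES" key (constructed)
K1, K2 = 0x0BAD, 0x3C0F                # double-encryption keys (constructed)
M1, M2 = b"Strong c", b"ryptogra"
C1, C2 = toy_encrypt(SECRET_KEY, M1), toy_encrypt(SECRET_KEY, M2)
DOUBLE_PAIRS = [(M1, toy_encrypt(K2, toy_encrypt(K1, M1))),
                (M2, toy_encrypt(K2, toy_encrypt(K1, M2)))]

if __name__ == "__main__":
    print("EFF-style survivors:", [hex(k) for k in eff_search(C1, C2)])
    print("Meet-in-the-middle key pairs:", meet_in_the_middle(DOUBLE_PAIRS))
```

With a 14-bit key the first filter lets through about 2^14 · (69/256)^8 ≈ 0.5 false keys and the second filter removes essentially all of them, which is the same arithmetic the EFF slide does for 2^56. The meet-in-the-middle function builds one table of 2^14 forward encryptions and probes it with 2^14 backward decryptions, so double encryption costs the attacker roughly one extra key length of work rather than doubling it.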

3DES, a better fix

- Triple DES (3DES) is a much better fix.
- There are two ways in which 3DES is used:
  - EEE mode
  - EDE mode
- EDE with K1 = K3 is known as two-key triple encryption and is very popular.

[Figure: EEE mode, m → E_K1 → E_K2 → E_K3 → c; EDE mode, m → E_K1 → D_K2 → E_K3 → c]

RSA, Low Exponent Attacks

- Theorem: Suppose p and q are primes with q < p < 2q. Let n = pq, and choose e and d as in the RSA algorithm. If d < (1/3) n^(1/4), then d can be calculated quickly.
- Proof:
  - Since q < p < 2q, we have … and …
  - Write ed = 1 + kφ(n), for some integer k. Since e < φ(n), we have kφ(n) < ed < (1/3) φ(n) n^(1/4),
  - Thus k < (1/3) n^(1/4).
  - Therefore …
  - Also, since k(n − φ(n)) − 1 > 0, we have kn − ed > 0.

RSA, Low Exponent Attacks, pg. 2

- Proof (continued):
  - We may divide by dn to get …
  - Since 3d < n^(1/4), by assumption.
  - Now, we satisfy a condition of the form …
  - This condition means that the fraction k/d will arise during the continued fraction expansion of x.
  - In our case, k/d will arise from the continued fraction expansion of e/n.

RSA, Low Exponent Attacks, pg. 3

- Low Exponent Continued-Fraction Attack: Suppose we have the conditions stated earlier; then Eve can do the following:
  - Compute the continued fraction of e/n. After each step, she has a fraction A/B.
  - Eve uses k = A, d = B to compute C = (ed − 1)/k. (Since ed = 1 + kφ(n), this value of C is a candidate for φ(n).)
  - If C is not an integer, continue to the next step of the continued fraction.
  - If C is an integer, then find the roots of X^2 − (n − C + 1)X + n. Hopefully, this will be the same as X^2 − (n − φ(n) + 1)X + n. If the roots are integers then Eve has factored n. If not, continue with the algorithm.
  - The number of steps in the continued fraction of e/n is logarithmic in n, so we won't have to try too many steps.
- Remarks: The continued fraction expansions alternate between larger and smaller than e/n. We don't need to consider k/d that are smaller than e/n since we had 0 < k/d − e/n. So, we only need every other expansion!!!

Continued Fractions

- A procedure for approximating a real number x: Let ⌊x⌋ be the greatest integer less than or equal to x.
- Let us define a_0 = ⌊x⌋ and x_0 = x. Then define …
- We may approximate x by …
- The sequence of rational numbers r_k/s_k gives increasingly better accuracy.
- Theorem: If … for some integers r and s, then r/s = r_i/s_i for some i in this procedure.

RSA, Low Exponent Attacks, Example

- Example: Let n = 1966981193543797 and e = 323815174542919. The continued fraction expansion for e/n is
  - [0; 6, 13, 2, 3, 1, 3, 1, 9, 1, 36, 5, 2, 1, 6, 1, 43, 13, 1, 10, 11, 2, 1, 9, 5]
- The first fraction is 1/6, so we try k = 1, d = 6. Since d must be odd, this won't work.
- By the remark, we may skip the second expansion and go to the third.
- Again, d must be odd, so discard this.

RSA, Low Exponent Attacks, Example, pg. 2

- The fifth fraction is 121/735, which gives C = (735e − 1)/121. This is not an integer! So discard it!
- The seventh fraction is 578/3511. This gives C = 1966981103495136 as a candidate for φ(n).
- The roots of X^2 − (n − C + 1)X + n are 37264873 and 52783789. Try these out and we find n = 37264873 × 52783789.
- We have factored n.
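The continued-fraction attack (pg. 3), the continued-fraction procedure, and the worked example can be checked with a few lines of exact integer arithmetic. The following is an added example, not code from the lecture: it computes the partial quotients of e/n, walks the convergents A/B, and applies the candidate-φ(n) and quadratic-root tests from the slides to the slide's own n and e. The only assumption is the theorem's precondition (n = pq with q < p < 2q and d < (1/3) n^(1/4)); the function names are the example's own.

```python
from math import isqrt

# Added example (not the lecture's code): the low-exponent continued-fraction
# attack on RSA, run on the n and e given on the slides.


def continued_fraction(num: int, den: int) -> list:
    """Partial quotients [a0; a1, a2, ...] of num/den, computed exactly."""
    quotients = []
    while den:
        quotients.append(num // den)
        num, den = den, num % den
    return quotients


def convergents(quotients: list):
    """Yield the successive fractions A/B (as (A, B)) of a continued fraction."""
    a_prev, a_curr = 0, 1     # numerators A_{-2}, A_{-1}
    b_prev, b_curr = 1, 0     # denominators B_{-2}, B_{-1}
    for q in quotients:
        a_prev, a_curr = a_curr, q * a_curr + a_prev
        b_prev, b_curr = b_curr, q * b_curr + b_prev
        yield a_curr, b_curr


def wiener_attack(e: int, n: int):
    """Return (p, q, d) if some convergent k/d of e/n reveals phi(n), else None."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or d % 2 == 0:
            # k = 0 is the leading 0/1; d must be odd because phi(n) is even.
            continue
        if (e * d - 1) % k:
            # C = (ed - 1)/k must be an integer to be a candidate for phi(n).
            continue
        phi_candidate = (e * d - 1) // k
        # p and q would be the roots of X^2 - (n - C + 1) X + n.
        b = n - phi_candidate + 1
        disc = b * b - 4 * n
        if disc < 0:
            continue
        s = isqrt(disc)
        if s * s != disc or (b + s) % 2:
            continue                    # roots are not integers: keep going
        p, q = (b + s) // 2, (b - s) // 2
        if p * q == n:
            return p, q, d
    return None


N_EXAMPLE = 1966981193543797   # values from the slides
E_EXAMPLE = 323815174542919

if __name__ == "__main__":
    print("e/n =", continued_fraction(E_EXAMPLE, N_EXAMPLE))
    print("p, q, d =", wiener_attack(E_EXAMPLE, N_EXAMPLE))
```

The loop visits every convergent rather than every other one; the "skip the expansions smaller than e/n" remark is a speed-up, but the integrality and root checks already reject those convergents, so the result is the same. A modulus whose private exponent is large enough (d above the n^(1/4)/3 bound) never passes the root check and the function returns None, which is the practical lesson: never pick a small d to make decryption faster.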

RSA, Short Plaintext Attack

- RSA is commonly used to transmit keys used for DES and AES.
- The key sizes of DES and AES are much smaller than the bit length used in a secure RSA (on the order of 500-1000 bits).
- A DES key is a number m on the order of 10^17. When we encrypt with RSA to get c ≡ m^e (mod n), we will get a c that is most likely full length (say, roughly 10^200).
- Eve may conduct a Meet in the Middle-type attack. She makes two lists:
  - c · x^(−e) (mod n) for all x with …
  - y^e (mod n) for all y with …
- She looks for a match between the two lists.
- So m = xy.
- Note: This will not always find a match!

RSA, Short Plaintext Attack, pg. 2

- This attack is very feasible. (Note: not every m will be able to be expressed as xy, but most will.)
- More efficient than trying all 10^17 possibilities.
- We need 2 · 10^9 computations.
- How to prevent this attack? Use Padding!
- A simple strategy: add some random bits to the beginning and end of m.
- A more complicated (and stronger) strategy is to use Optimal Asymmetric Encryption Padding (OAEP).
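The two-list attack on a short plaintext and the padding fix from these two slides, as an added example that is not code from the lecture. It uses a constructed toy modulus (two primes near 10^6, e = 65537) and a list bound of 20000 instead of the slide's 10^9, so it runs instantly; the plaintexts are constructed as well. The match test relies on the fact that c · x^(−e) ≡ y^e (mod n) exactly when (xy)^e ≡ m^e, i.e. xy ≡ m, because raising to the e-th power is a bijection mod n. Python 3.8 or later is needed for the three-argument pow with a negative exponent.

```python
# Added example (not from the lecture): the short-plaintext meet-in-the-middle
# attack on textbook RSA with a toy modulus, plus the "prepend random bits"
# padding idea. Primes, exponent, bound and plaintexts are constructed values.

P, Q = 1000003, 1000033              # two primes (constructed toy modulus)
N = P * Q
E = 65537
BOUND = 20000                        # lists cover 1..BOUND (the slides use about 10^9)


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


def short_plaintext_attack(c: int, bound: int = BOUND):
    """Return (x, y) with x, y <= bound and c = (x*y)^e mod n, or None."""
    # List 1: c * x^(-e) mod n, indexed by value (one modular inversion per x).
    first = {c * pow(x, -E, N) % N: x for x in range(1, bound + 1)}
    # List 2: y^e mod n; a hit means (xy)^e == m^e mod n, hence xy == m.
    for y in range(1, bound + 1):
        x = first.get(pow(y, E, N))
        if x is not None:
            return x, y
    return None


def recover_plaintext(c: int, bound: int = BOUND):
    """m = x*y when the attack succeeds, None when m is not such a product."""
    hit = short_plaintext_attack(c, bound)
    return None if hit is None else hit[0] * hit[1]


def pad_plaintext(m: int, random_prefix: int) -> int:
    """The slide's simple fix: prepend random bits so m stops being a small product.
    (A real system uses OAEP; this only illustrates the idea, and the padded
    value must still be below n.)"""
    return (random_prefix << 32) | m


SHORT_KEY = 12345 * 6789             # a key-sized plaintext that IS a product of two small numbers
PRIME_KEY = 999983                   # a prime plaintext: no x*y with x, y <= BOUND

if __name__ == "__main__":
    print("product plaintext  ->", recover_plaintext(rsa_encrypt(SHORT_KEY)))
    print("prime plaintext    ->", recover_plaintext(rsa_encrypt(PRIME_KEY)))
    print("padded plaintext   ->", recover_plaintext(rsa_encrypt(pad_plaintext(SHORT_KEY, 0xAB))))
```

The prime plaintext shows the slide's caveat that not every m splits as xy within the bound, and the padded plaintext shows why even the simple padding works here: any product xy of two numbers up to 20000 is below 2^32, so a plaintext with a non-zero prefix above bit 32 can never appear in the tables.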

Birthday Attacks

- A generalization of the short plaintext attack described earlier is the Birthday Attack.
- The Birthday Attack is based upon the Birthday Paradox: If there are 23 people in a room, there is a 50% chance that two people share the same birthday.
- Explanation:
  - Fix the first person's birthday.
  - Probability the second person has a different birthday is …
  - Probability the third person has a different birthday is …
  - And so on, giving the probability everyone has different birthdays as …
  - Hence, the probability of a shared birthday is 1 − 0.493 = 0.507.

Birthday Attacks, pg. 2

- Suppose we have N objects, and r people. Each person chooses an object. The probability there is a match is … for large N. Here λ is a parameter that is determined from the problem statement (for example, if λ = ln 2 then we have ½ probability of a match).
- Generalized Birthday Paradox: Suppose we have N objects and there are two groups of r people. Each person chooses an object. What's the probability that someone from the first group chose the same object as someone from the second group?
- Answer: … Here …
- Example: Look at the birthday problem again. Here N = 365, and let r = 30. Then … and … gives that there is a 91.5% probability that there is a shared birthday.

Birthday Attacks, pg. 3

- Now back to cryptography: The birthday paradox can be used to create an attack to find collisions in hash functions.
- Let h(x) be an n-bit hash function.
- There are N = 2^n possible outputs.
- Make a list of r = 2^(n/2) hashes with randomly selected (but different) x.
- We now have λ = 1/2 and thus a 1 − e^(−1/2) (roughly a 40%) chance of having two values x1 and x2 with the same hash.
- Try a slightly longer list, like r = 10 · 2^(n/2), and we get over a 99% chance there is a collision.
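The probabilities on the three birthday slides, and the hash-collision list on this one, as an added example that is not code from the lecture. It computes the exact product for the room-of-people case, the 1 − e^(−λ) approximations with λ = r²/(2N) for one group and λ = r²/N for two groups, and then runs the r = 10 · 2^(n/2) list against a constructed weak hash (SHA-256 truncated to 28 bits, an assumption made so the search finishes in under a second).

```python
import hashlib
import math

# Added example (not from the lecture): birthday-paradox probabilities, exact
# and approximate, and a collision search against a truncated hash.


def p_shared_exact(n_objects: int, r: int) -> float:
    """1 - prod_{i<r} (1 - i/N): exact probability that r choices from N objects collide."""
    p_distinct = 1.0
    for i in range(r):
        p_distinct *= (n_objects - i) / n_objects
    return 1.0 - p_distinct


def p_shared_one_group(n_objects: int, r: int) -> float:
    """Large-N approximation 1 - e^(-lambda) with lambda = r^2 / (2N)."""
    return 1.0 - math.exp(-(r * r) / (2 * n_objects))


def p_match_two_groups(n_objects: int, r: int) -> float:
    """Generalized birthday paradox, two groups of r: lambda = r^2 / N."""
    return 1.0 - math.exp(-(r * r) / n_objects)


HASH_BITS = 28   # constructed: small enough to collide quickly, large enough to be non-trivial


def short_hash(data: bytes, bits: int = HASH_BITS) -> int:
    """SHA-256 truncated to `bits` bits: a deliberately weak n-bit hash h(x)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int = HASH_BITS, multiplier: int = 10):
    """Hash r = multiplier * 2^(bits/2) distinct inputs; return the first colliding pair."""
    r = multiplier * (1 << (bits // 2))
    seen = {}                                  # hash -> first input that produced it
    for i in range(r):
        x = b"input-%d" % i                    # constructed, pairwise distinct inputs
        h = short_hash(x, bits)
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None


if __name__ == "__main__":
    print("23 people, exact:        %.3f" % p_shared_exact(365, 23))
    print("23 people, approx:       %.3f" % p_shared_one_group(365, 23))
    print("2 groups of 30, approx:  %.3f" % p_match_two_groups(365, 30))
    print("r = 2^(n/2), approx:     %.3f" % p_shared_one_group(2 ** HASH_BITS, 2 ** (HASH_BITS // 2)))
    print("collision:", find_collision())
```

With r = 2^(n/2) inputs the approximation gives about 0.39, matching the slide's "roughly 40%"; with the multiplier of 10 the search has λ = 50 and a collision is all but certain, which is why the search stops early well before exhausting its list.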

Birthday Attacks on Digital Signatures

- Alice will sign a document for Eve using digital signatures with a 50-bit hash.
- The probability of a second document having the same hash is (1/2)^50.
- Eve, however, may take an original document and find places where she can make changes. For example, she may add a space, or some such simple modification.
- If Eve has 30 of these locations, she has 2^30 possible acceptable documents she can create. Eve now calculates the hash of each of these 2^30 documents. Alice would accept any of these as good.
- Eve also makes 2^30 fraudulent versions (changing numbers, or words, etc.).
- We now have a generalized birthday problem, with r = 2^30 and N = 2^50. We now have a case where … and λ = 1024, so the probability of a match is about 1 − e^(−1024), roughly 1!

Defense for Birthday Attacks on Digital Signatures

- So, Eve can find a collision and make a fraudulent document that will have the same signature as another document.
- Eve will get Alice to sign the good document, and then swap the good document with the fraudulent document.
- They will have the same hash, and hence the same signature.
- What can Alice do?
- Rather than sign the good document, she alters the good document (perhaps by removing a comma) and signs that.
- Eve no longer has the match, and instead must try to find a specific collision; this is very unlikely!
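The two-list attack on a short-hash signature from the previous slide, together with Alice's defense from this one, as an added example that is not code from the lecture. It scales the slide's numbers down to a constructed 28-bit hash (truncated SHA-256) and 16 modifiable spots (single versus double space between words), giving r = 2^16 variants per list and λ = r²/N = 16, so a match is essentially certain while the whole run takes about a second; the two documents are constructed as well.

```python
import hashlib

# Added example (not from the lecture): generalized birthday attack on a
# signature scheme that hashes with a short HASH_BITS-bit hash, and Alice's
# defense of altering the document before signing. Hash, documents and the
# number of modifiable spots are constructed for the demonstration.

HASH_BITS = 28
SPOTS = 16                 # word gaps where one or two spaces are both "acceptable"


def short_hash(data: bytes, bits: int = HASH_BITS) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def variants(words: list, spots: int = SPOTS):
    """Yield 2^spots versions of the text differing only in spacing at the first `spots` gaps."""
    for mask in range(1 << spots):
        pieces = []
        for i, w in enumerate(words):
            pieces.append(w)
            if i < len(words) - 1:
                pieces.append("  " if i < spots and mask >> i & 1 else " ")
        yield "".join(pieces).encode()


def build_tables(good_words: list, bad_words: list):
    """Eve's two lists: hash -> document for every good and every fraudulent variant."""
    good_table = {short_hash(doc): doc for doc in variants(good_words)}
    bad_table = {short_hash(doc): doc for doc in variants(bad_words)}
    return good_table, bad_table


def find_two_list_collision(good_table: dict, bad_table: dict):
    """A good document and a fraudulent one with the same hash, or None."""
    for h, bad_doc in bad_table.items():
        if h in good_table:
            return good_table[h], bad_doc
    return None


def alice_signs_altered(good_doc: bytes, bad_table: dict) -> bool:
    """Alice's defense: drop a comma before signing. Returns True only if Eve's
    precomputed fraud list still contains the hash she actually signed."""
    altered = good_doc.replace(b",", b"", 1)
    return short_hash(altered) in bad_table


GOOD = "I, Alice, agree to pay Eve the sum of one hundred dollars on the first day of next month".split()
BAD = "I, Alice, agree to pay Eve the sum of one million dollars on the first day of next month".split()

GOOD_TABLE, BAD_TABLE = build_tables(GOOD, BAD)
COLLISION = find_two_list_collision(GOOD_TABLE, BAD_TABLE)

if __name__ == "__main__":
    good_doc, bad_doc = COLLISION
    print("same hash:", short_hash(good_doc) == short_hash(bad_doc))
    print("good:", good_doc)
    print("bad: ", bad_doc)
    print("Eve's match survives Alice's edit:", alice_signs_altered(good_doc, BAD_TABLE))
```

Once Alice changes the document herself, the hash she signs is one Eve did not choose, so Eve would need a fraudulent document matching that one specific hash: a 2^28 search here and a 2^50 search on the slide's numbers, instead of the 2^16 or 2^30 the two-list attack needed. The lasting fix is a hash long enough that even the two-list cost is out of reach.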