Lecture Overview
• We have covered basic cryptographic tools that will be useful for building things. But, before you can build, you need to know the structural weaknesses of your tools…
• We will now talk about these weaknesses… and the subjects of cryptanalysis and protocol failures
• DES:
  • Internet Challenges and EFF
  • Multiple DES and Meet in the Middle attack
• RSA:
  • Low Exponent Attacks
  • Protocol Failures… Be careful, here be dragons!
• Hash Functions:
  • Birthday Attacks and Implications
DES: Breaking DES
• DES is now considered a weak encryption algorithm
• Several attacks used against DES:
  • Differential and Linear Cryptanalysis
  • Brute Force Attacks
• Brute force attacks are what ultimately broke DES
• History: In 1977 Diffie and Hellman (we’ll see these guys again…) proposed a strategy for breaking DES in under a day using a $20M machine (1977 dollars)
• Different approaches to brute force attacks:
  • Distributed computing (the Internet attack)
  • Custom-designed architecture for attacking DES
  • Programmable logic arrays
Many hands make light work…
• The distributed computing approach became very popular
• In 1997 the RSA Data Security company issued a challenge to find the key and crack a DES-encrypted message
• Prize: $10K
• 5 months later it was broken by Rocke Verser (who had written a program people ran on their machines during spare cycles)
• Secret Message: “Strong cryptography makes the world a safer place”
• 1998: Similar challenge issued by RSA Data Security
• DES broken in 39 days.
• But… worse was yet to come.
EFF Cracker
• Also in 1998: The Electronic Frontier Foundation developed a project called DES Cracker.
• Goal: Use a specialized hardware platform (built using a budget of $200K) to break DES.
• DES Cracker consisted of three main components:
  • Personal Computer
  • Software
  • Collection of Specialized Chips
• The computer was connected to the array of chips and the software oversaw the tasking of each chip
• Software gave each chip the information necessary to start processing and waited until the chips returned “candidate” keys.
• Specialized hardware would eliminate the bulk of the key space
EFF Cracker, pg. 2
• Each chip in the DES Cracker consisted of 24 search units
• A search unit would:
  • Take a key and two 64-bit blocks of ciphertext and attempt to decrypt the first 64-bit block.
  • If the decrypted ciphertext looked interesting, then the search unit would decrypt the second.
  • If both decrypted as “interesting” then the key would be returned to the control software to try on the full message.
[Flowchart: DK(m1) → Is Interesting? No → K=K+1; Yes → DK(m2) → Is Interesting? No → K=K+1; Yes → Return Key]
EFF Cracker, pg. 3, What is Interesting?
• EFF assumed that the plaintext was made using letters, numbers and punctuation
• Out of the 256 possibilities for an ASCII byte, roughly 69 of these are letters, numbers, space and punctuation
• A single byte would be interesting 69/256 (or roughly 1/4) of the time.
• A full block (8 bytes) would be interesting (1/4)^8 = 1/65536 of the time
• Given a key K, there is a 1/65536 chance that this key would produce something interesting when trying to decrypt m1.
• But, 1/65536 does not cut down 2^56 that much, so we use the second block.
• The odds that both are decrypted as interesting is 1/2^32, thus reducing the key space to roughly 2^24.
• This can be easily handled by software.
EFF Cracker, pg. 4
• The final system…
• A chip with 24 search units running at 40MHz would take roughly 38 years to crack DES
• So, to reduce further, EFF used:
  • 64 chips on a board
  • 12 boards on a chassis
  • 2 chassis connected to a PC
• In total, there were 1500 chips, and it took DES Cracker about 4.5 days to break DES.
• There are many ways to improve on this:
  • 40MHz was slow by 1998 standards!
  • More chassis may be used
One Way to “Fix” DES… Multiple DES
• People knew DES was weak before EFF, and multiple DES techniques were proposed to replace DES.
• The security of multiple DES is based upon the fact that DES is not a group (encrypting twice using two keys does not give another encryption with a different, single key)
• How many possible encryption functions are there from the space of 64-bit inputs to the space of 64-bit outputs?
• Does DES cover all of these? No.
• It has been shown that DES is not a group (we will not show this, but see the discussion in Chapter 4)
• We will first look at Double DES (2DES).
• Never use 2DES!!!
2DES
• The basic scheme is depicted to the left.
• It might seem that the equivalent keyspace for 2DES would be 2*56=112 bits.
• However, by employing an attack known as “meet in the middle”, it is possible to reduce the complexity of searching the key space to O(2^58), though at the cost of storage!
[Diagram: m → EK1 → EK2 → c]
Breaking 2DES: Meet in the Middle
• Suppose Alice and Bob have agreed on K1 and K2.
• Let Eve intercept m and EK2(EK1(m))=c. Eve wants to find K1 and K2.
• To accomplish this, she calculates all possible encryptions and all possible decryptions and looks for matches.
• The matches are potential candidate key pairs. One is the correct key pair.
[Figure: a list of E_K(m) = y for every K from 1 to 2^56 beside a list of D_K(c) = y for every K from 1 to 2^56; equal values y_j in the two lists mark candidate pairs (K1, K2)]
Breaking 2DES: Meet in the Middle, pg. 2
• This has seriously cut down the amount of possibilities, but we still have some left over to try.
• In practice, we often repeat this twice, making a list for two different plaintext-ciphertext pairs.
• When doing this, we need (2*2^56)(2)(64) bits of storage = 2^64 bits.
• This is roughly 2 billion gigabytes.
• It’s not unreasonable for a large company or a country to afford this amount of storage if it had to.
• How much computation? Basically it’s 2^58.
• This is much less than 2^112.
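An added example (not from the slides) of the meet-in-the-middle search on a double-encrypted message: a constructed 16-bit toy Feistel cipher stands in for DES so that the whole 2^16 key space can be tabulated, and extra plaintext/ciphertext pairs filter the leftover candidate pairs as the slide describes. The cipher, key schedule and the names encrypt, decrypt and meet_in_the_middle are all chosen here.

```python
ROUNDS = 4
KEY_BITS = 16

def _round_key(key, i):
    # 8-bit round key from the 16-bit key (constructed, nothing like DES's schedule)
    return ((key >> (4 * (i % 4))) ^ (key * (i + 1))) & 0xFF

def _f(x, rk):
    # Non-linear round function on an 8-bit half (constructed for illustration)
    return (((x * 0x9D) ^ rk) + (x >> 3)) & 0xFF

def encrypt(key, block):
    """Toy 16-bit Feistel cipher: a stand-in for DES with a tiny key space."""
    l, r = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r, _round_key(key, i))
    return (l << 8) | r

def decrypt(key, block):
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, _round_key(key, i)), l
    return (l << 8) | r

def double_encrypt(k1, k2, m):
    return encrypt(k2, encrypt(k1, m))

def meet_in_the_middle(pairs):
    """pairs: [(m, c), ...] with c = E_K2(E_K1(m)). Returns (number of candidate
    key pairs found from the first pair, survivors after checking the other pairs)."""
    m1, c1 = pairs[0]
    # Forward list: E_K1(m1) -> every K1 producing it (2^KEY_BITS encryptions)
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(k1, m1), []).append(k1)
    # Backward list: D_K2(c1), matched against the table (2^KEY_BITS decryptions)
    candidates = [(k1, k2) for k2 in range(1 << KEY_BITS)
                  for k1 in table.get(decrypt(k2, c1), [])]
    # With a 16-bit block almost every K2 hits some K1, so the remaining
    # plaintext/ciphertext pairs are what weed out the false matches.
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:])]
    return len(candidates), survivors

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF   # constructed secret keys Eve does not know
    pairs = [(m, double_encrypt(k1, k2, m)) for m in (0x0102, 0xABCD, 0x5A5A)]
    n_candidates, found = meet_in_the_middle(pairs)
    print(n_candidates, found)
```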
3DES, a better fix.
• Triple DES (3DES) is a much better fix.
• There are two ways in which 3DES is used:
  • EEE mode
  • EDE mode
• EDE with K1=K3 is known as two-key triple encryption and is very popular.
[Diagram: EEE: m → EK1 → EK2 → EK3 → c; EDE: m → EK1 → DK2 → EK3 → c]
RSA, Low Exponent Attacks
Theorem: Suppose p and q are primes with q < p < 2q. Let n=pq, and choose e and d as in the RSA algorithm. If d < (1/3)n^(1/4), then d can be calculated quickly.
• Proof: Since q<p<2q, we have
• Write ed ≡ 1+k φ(n), for some integer k. Since e< φ(n), we have φ(n)k < ed < (1/3) φ(n)n^(1/4), thus k<(1/3)n^(1/4). Therefore
• Also, since k(n- φ(n)) -1 > 0, we have kn-ed >0.
RSA, Low Exponent Attacks, pg. 2
• Proof (continued): We may divide by dn to get:
• Since 3d<n^(1/4), by assumption.
• Now, we satisfy a condition of the form:
• This condition means that the fraction k/d will arise during the continued fraction expansion of x. In our case, k/d will arise from the continued fraction expansion of e/n.
RSA, Low Exponent Attacks, pg. 3
Low Exponent Continued-Fraction Attack: Suppose we have the conditions stated earlier, then Eve can do the following:
• Compute the continued fraction of e/n. After each step, she has a fraction A/B.
• Eve uses k=A, d=B to compute C=(ed-1)/k. (Since ed = 1+k φ(n), this value of C is a candidate for φ(n).)
• If C is not an integer, continue to the next step of the continued fraction.
• If C is an integer, then find the roots of X^2-(n-C+1)X+n. Hopefully, this will be the same as X^2 – (n-φ(n)+1)X + n. If the roots are integers then Eve has factored n. If not, continue with the algorithm.
The number of steps in the continued fraction of e/n is logarithmic in n, so we won’t have to try too many steps.
Remarks: The continued fraction expansions alternate between larger and smaller than e/n. We don’t need to consider k/d that are smaller than e/n since we had 0< k/d – e/n. So, we only need every other expansion!!!
Continued Fractions
A procedure for approximating a real number x: Let [x] be the greatest integer less than or equal to x. Let us define a0=[x] and x0=x. Then define
We may approximate x by
The sequence of rational numbers r_k/s_k gives increasingly better accuracy.
Theorem: If
for some integers r and s, then r/s=r_i/s_i for some i in this procedure.
RSA, Low Exponent Attacks, Example
Example: Let n = 1966981193543797 and e = 323815174542919.
The continued fraction expansion for e/n is [0, 6, 13, 2, 3, 1, 3, 1, 9, 1, 36, 5, 2, 1, 6, 1, 43, 13, 1, 10, 11, 2, 1, 9, 5]
The first fraction is 1/6, so we try k=1, d=6. Since d must be odd, this won’t work.
By the remark, we may skip the second expansion and go to the third:
Again, d must be odd, so discard this.
RSA, Low Exponent Attacks, Example, pg. 2
The fifth fraction is 121/735, which gives C=(e*735-1)/121. This is not an integer! So discard it!
The seventh fraction is 578/3511. This gives C=1966981103495136 as a candidate for φ(n).
The roots of the resulting quadratic X^2-(n-C+1)X+n are 37264873 and 52783789.
Try these out and we find n = 37264873 × 52783789.
We have factored n.
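The continued-fraction attack of the last few slides, run on this example’s n and e, as an added Python example (not from the original slides): convergents() and wiener_attack() are names chosen here, and the code applies the slide’s remark (only convergents larger than e/n need trying) together with the test that d must be odd.

```python
from math import isqrt

def convergents(num, den):
    """Yield the successive convergents A/B of the continued fraction of num/den."""
    p_prev, p_cur = 0, 1
    q_prev, q_cur = 1, 0
    while den:
        a, rem = divmod(num, den)
        p_prev, p_cur = p_cur, a * p_cur + p_prev
        q_prev, q_cur = q_cur, a * q_cur + q_prev
        yield p_cur, q_cur
        num, den = den, rem

def wiener_attack(e, n):
    """Try each convergent k/d of e/n as a guess for k and the private exponent d.
    Returns (p, q, d) once a candidate phi(n) yields integer factors, else None."""
    for k, d in convergents(e, n):
        # Remark on the slide: k/d - e/n > 0, so convergents below e/n (every
        # other one, including the trivial 0/1) can be skipped.
        if k * n <= e * d:
            continue
        # phi(n) is even and ed = 1 + k*phi(n) is odd, so d must be odd
        if d % 2 == 0:
            continue
        # C = (ed - 1)/k must be an integer to be a candidate for phi(n)
        if (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        # Roots of X^2 - (n - C + 1)X + n are p and q when C really is phi(n)
        b = n - phi + 1
        disc = b * b - 4 * n
        if disc < 0:
            continue
        s = isqrt(disc)
        if s * s != disc or (b + s) % 2:
            continue
        p, q = (b + s) // 2, (b - s) // 2
        if p * q == n:
            return p, q, d
    return None

# Values from the slides
N = 1966981193543797
E = 323815174542919

if __name__ == "__main__":
    print(list(convergents(E, N))[:8])
    print(wiener_attack(E, N))
```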
RSA, Short Plaintext Attack
• RSA is commonly used to transmit keys used for DES and AES.
• The key sizes of DES and AES are much smaller than the bit length used in a secure RSA (on the order of 500-1000 bits).
• A DES key is a number m on the order of 10^17. When we encrypt with RSA to get c=m^e (mod n), we will get a c that is most likely full length (say, roughly 10^200).
• Eve may conduct a “Meet in the Middle”-type attack. She makes two lists:
  • c·x^(-e) (mod n) for all x with
  • y^e (mod n) for all y with
• She looks for a match between the two lists. So m=xy.
• Note: This will not always find a match!
RSA, Short Plaintext Attack, pg. 2
• This attack is very feasible. (Note: not every m will be able to be expressed as xy… but most will.)
• More efficient than trying all 10^17 possibilities.
• We need 2*10^9 computations.
• How to prevent this attack? Use Padding!
• A simple strategy: add some random bits to the beginning and end of m.
• A more complicated (and stronger) strategy is to use Optimal Asymmetric Encryption Padding (OAEP).
Birthday Attacks
• A generalization of the short plaintext attack described earlier is the Birthday Attack.
• The Birthday Attack is based upon the Birthday Paradox: If there are 23 people in a room, there is a 50% chance that two people share the same birthday.
• Explanation:
  • Fix the first person’s birthday.
  • Probability the second person has a different birthday is:
  • Probability the third person has a different birthday is:
  • And so on… giving the probability everyone has different birthdays as:
  • Hence, the probability of a shared birthday is 1 - 0.493 = 0.507
Birthday Attacks, pg. 2
• Suppose we have N objects, and r people. Each person chooses an object. The probability there is a match is
• For large N. Here l is a parameter that is determined from the problem statement (for example, if l=ln 2 then we have ½ probability of a match)
• Generalized Birthday Paradox: Suppose we have N objects and there are two groups of r people. Each person chooses an object. What’s the probability that someone from the first group chose the same object as someone from the second group?
• Answer: Here
• Example: Look at the birthday problem again. Here N=365, and let r=30. Then and gives that there is a 91.5% probability that there is a shared birthday
Birthday Attacks, pg. 3
• Now back to cryptography… The birthday paradox can be used to create an attack to find collisions in hash functions.
• Let h(x) be an n-bit hash function.
• There are N=2^n possible outputs.
• Make a list of hashes with randomly selected (but different) x.
• We now have so l=1/2 and thus a 1-e^(-1/2) (roughly 40%) chance of having two values x1 and x2 with the same hash.
• Try a slightly longer list, like r=10*2^(n/2), and we get over a 99% chance there is a collision.
Birthday Attacks on Digital Signatures
• Alice will sign a document for Eve using digital signatures with a 50-bit hash.
• The probability of a second document having the same hash is (1/2)^50.
• Eve, however, may take an original document and find places where she can make changes. For example, she may add a space, or some such simple modification.
• If Eve has 30 of these locations, she has 2^30 possible “acceptable” documents she can create. Eve now calculates the hash of each of these 2^30 documents. Alice would accept any of these as “good”.
• Eve also makes 2^30 “fraudulent” versions (changing numbers, or words, etc.).
• We now have a generalized birthday problem, with r=2^30 and N=2^50. We now have a case where and l=1024, so the probability of a match is about 1-e^(-1024), roughly 1!
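An added example (not from the slides) of the generalized birthday attack just described: SHA-256 truncated to 24 bits stands in for the 50-bit hash, the “acceptable” and “fraudulent” versions are produced by varying the spacing at 14 word gaps, and the two lists are matched through a table. The sample documents and the names toy_hash, variants, match_probability and find_collision are all constructed here.

```python
import hashlib
from itertools import product
from math import exp

HASH_BITS = 24   # constructed toy size; the slides use a 50-bit hash

def toy_hash(text):
    """SHA-256 truncated to HASH_BITS bits: a stand-in for a short n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return digest >> (256 - HASH_BITS)

def variants(sentence, positions):
    """Yield the 2^positions versions of sentence in which each of the first
    `positions` word gaps gets either one or two spaces (Eve's invisible edits)."""
    words = sentence.split(" ")
    for bits in product((1, 2), repeat=positions):
        seps = list(bits) + [1] * (len(words) - 1 - positions)
        yield "".join(w + " " * s for w, s in zip(words, seps)) + words[-1]

def match_probability(r, N):
    """Generalized birthday estimate 1 - e^(-r^2/N): two groups of r choices among N."""
    return 1 - exp(-(r * r) / N)

def find_collision(good, bad, positions):
    """Generalized birthday attack: r = 2^positions good versions against r bad
    versions. Returns a (good, bad) pair with the same toy hash, or None."""
    table = {toy_hash(g): g for g in variants(good, positions)}
    for b in variants(bad, positions):
        g = table.get(toy_hash(b))
        if g is not None:
            return g, b
    return None

# Constructed sample documents (20 and 21 words, so at least 14 gaps to edit)
GOOD = ("Alice agrees to pay Eve the sum of one hundred dollars for consulting "
        "services rendered during the month of May")
BAD = ("Alice agrees to pay Eve the sum of one hundred thousand dollars for "
       "consulting services rendered during the month of May")

if __name__ == "__main__":
    # r = 2^14 against N = 2^24 gives l = 16, so a match is essentially certain
    print(match_probability(2 ** 14, 2 ** HASH_BITS))
    print(find_collision(GOOD, BAD, 14))
```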
Defense for Birthday Attacks on Digital Signatures
• So, Eve can find a collision and make a fraudulent document that will have the same signature as another document.
• Eve will get Alice to sign the good document, and then swap the good document with the fraudulent document.
• They will have the same hash, and hence the same signature.
• What can Alice do?
• Rather than sign the good document, she alters the good document (perhaps by removing a comma) and signs that.
• Eve no longer has the match, and instead must try to find a specific collision… this is very unlikely!