Breaking%20Stuff:%20Cryptanalysis%20and%20Protocol%20Failures

1
Breaking Stuff Cryptanalysis and Protocol
Failures

• Wade Trappe

2
Lecture Overview

• We have covered basic cryptographic tools that
  will be useful for building things. But, before
  you can build, you need to know the structural
  weaknesses of your tools
• We will now talk about these weaknesses and the
  subjects of cryptanalysis and protocol failures
• DES
• Internet Challenges and EFF
• Multiple DES and Meet in the Middle attack
• RSA
• Low Exponent Attacks
• Protocol Failures Be careful, here be dragons!
• Hash Functions
• Birthday Attacks and Implications

3
DES Breaking DES

• DES is now considered a weak encryption algorithm
• Several attacks used against DES
• Differential and Linear Cryptanalysis
• Brute Force Attacks
• Brute force attacks are what ultimately broke DES
• History 1977 Diffie and Hellman (well see these
  guys again) proposed a strategy for breaking DES
  in under a day using a 20M machine (1977
  dollars)
• Different approaches to brute force attacks
• Distributed computing (the Internet attack)
• Custom-designed architecture for attacking DES
• Programmable logic arrays

4
Many hands make light work

• The distributed computing approach became very
  popular
• In 1997 the RSA Data Security company issued a
  challenge to find the key and crack a DES
  encrypted message
• Prize 10K
• 5 months later it was broken by Rocke Verner (who
  had written a program people ran on their
  machines during spare cycles)
• Secret Message Strong cryptography makes the
  world a safer place
• 1998 Similar challenge issued by RSA Data
  Security
• DES broken in 39 days.
• But worse was yet to come.

5
EFF Cracker

• Also in 1998 The Electronic Frontier Foundation
  developed a project called DES Cracker.
• Goal Use a specialized hardware platform (built
  using a budget of 200K) to break DES.
• DES Cracker consisted of three main components
• Personal Computer
• Software
• Collection of Specialized Chips
• The computer was connected to the array of chips
  and the software oversaw the tasking of each chip
• Software gave each chip the information necessary
  to start processing and waited until the chips
  returned candidate keys.
• Specialized hardware would eliminate the bulk of
  the key space

6
EFF Cracker, pg. 2

• Each chip in the DES Cracker consisted of 24
  search units
• A search unit would
• Take a key and two 64 bit blocks of ciphertext
  and attempt to decrypt the first 64 bit block.
• If the decrypted ciphertext looked interesting,
  then the search unit would decrypt the second.
• If both decrypted as interesting then the key
  would be returned to the control software to try
  on the full message.

DK(m1)
KK1
Is Interesting?
No
Yes
DK(m2)
Is Interesting?
No
Yes
Return Key
7
EFF Cracker, pg. 3, What is Interesting?

• EFF assumed that the plaintext was made using
  letters, numbers and punctuation
• Out of the 256 possibilities for ASCII, roughly
  69 of these are letters, numbers, space and
  punctuation
• A single byte would be interesting 69/256 (or
  roughly ¼) of the time.
• A full block (8 bytes) would be interesting with
  (1/4)8 1/65536 of the time
• Given a key K, there is a 1/65536 chance that
  this key would produce something interesting when
  trying to decrypt m1.
• But, 1/65536 does not cut down 256 that much, so
  we use the second block.
• The odds that both are decrypted as interesting
  is (1/232), thus reducing the key space to
  roughly 224.
• This can be easily handled by software.

8
EFF Cracker, pg. 4

• The final system
• A chip with 24 search units running at 40MHz
  would take roughly 38 years to crack DES
• So, to reduce further, EFF used
• 64 chips on a board
• 12 boards on a chassis
• 2 chassis connected to a PC
• In total, there were 1500 chips, and it took DES
  Cracker about 4.5 days to break DES.
• There are many ways to improve on this
• 40MHz was slow by 1998 standards!
• More chassis may be used

9
One Way to Fix DES MultipleDES

• People knew DES was weak before EFF, and multiple
  DES techniques were proposed to replace DES.
• The security of multiple DES is based upon the
  fact that DES is not a group (encrypting twice
  using two keys does not give another encryption
  with a different, single key)
• How many possible encryption functions are there
  from the space of 64 bit inputs to the space of
  64 bit outputs?
• Does DES cover all of these? No.
• It has been shown that DES is not a group (we
  will not show, but see the discussion in Chapter
  4)
• We will first look at Double DES (2DES).
• Never use 2DES!!!

10
2DES

• The basic scheme is depicted to the left.
• It might seem that the equivalent keyspace for
  2DES would be 256112 bits.
• However, by employing an attack known as meet in
  the middle, it is possible to reduce the
  complexity of searching the key space to O(258),
  though at the cost of storage!

m
EK1
EK2
c
11
Breaking 2DES Meet in the Middle

• Suppose Alice and Bob have agreed on K1 and K2.
• Let Eve intercept m and EK2(EK1(m))c. Eve wants
  to find K1 and K2.
• To accomplish this, she calculates all possible
  encryptions and all possible decryptions and
  looks for matches.
• The matches are potential candidate key pairs.
  One is the correct key pair.

a D1(m) b D2(m) yj D3(m) y1
D2(56)-1(m) c D2(56)(m)
E1(m) y1 E2(m) y2 E3(m) y3
E2(56)-1(m) yj E2(56)(m) yh
12
Breaking 2DES Meet in the Middle, pg. 2

• This has seriously cut down the amount of
  possibilities, but we still have some left over
  to try.
• In practice, we often repeat this twice, making a
  list for two different plaintext-ciphertext
  pairs.
• When doing this, we need (2256)(2)(64) bits of
  storage 264.
• This is roughly 2 billion gigabytes.
• Its not unreasonable for a large company or a
  country to afford this amount of storage if it
  had to.
• How much computation? Basically its 258.
• This is much less than 2112.

13
3DES, a better fix.

• Triple DES (3DES) is a much better fix.
• There are two ways in which 3DES is used
• EEE mode
• EDE mode
• EDE with K1K3 is known as two-key triple
  encryption and is very popular.

m
m
EK1
EK1
DK2
EK2
EK3
EK3
c
c
14
RSA, Low Exponent Attacks

• Theorem Suppose p and q are primes with q lt p lt
  2q. Let npq, and choose e and d as in the RSA
  algorithm. If d lt (1/3)n1/4, then d can be
  calculated quickly.
• Proof
• Since qltplt2q, we have and
• Write ed 1k f(n), for some integer k. Since elt
  f(n), we have
• f(n)k lt ed lt (1/3) f(n)n1/4,
• Thus klt(1/3)n1/4.
• Therefore
• Also, since k(n- f(n)) -1 gt 0, we have kn-ed gt0.

15
RSA, Low Exponent Attacks, pg. 2

• Proof (continued)
• We may divide by dn to get
• Since 3dltn1/4, by assumption.
• Now, we satisfy a condition of the form
• This condition means that the fraction (k/d) will
  arise during the continued fraction expansion of
  x.
• In our case, k/d will arise from the continued
  fraction expansion of e/n.

16
RSA, Low Exponent Attacks, pg. 3

• Low Exponent Continued-Fraction Attack Suppose
  we have the conditions stated earlier, then Eve
  can do the following
• Compute the continued fraction of e/n. After each
  step, she has a fraction A/B.
• Eve uses kA, dB to compute C(ed-1)/k. (Since
  ed 1k f(n), this value of C is a candidate for
  f(n) ).
• If C is not an integer, continue to the next step
  of the continued fraction.
• If C is an integer, then find the roots of
  X2-(n-C1)Xn. Hopefully, this will be the same
  as X2 (n-f(n)1)X n. If the roots are
  integers then Eve has factored n. If not,
  continue with the algorithm
• The number of steps in the continued fraction of
  e/n is logarithmic in n, so we wont have to try
  too many steps.
• Remarks The continued fraction expansions
  alternate between larger and smaller than e/n. We
  dont need to consider k/d that are smaller than
  e/n since we had 0lt k/d e/n. So, we only need
  every other expansion!!!

17
Continued Fractions

• A procedure for approximating a real number x
  Let x be the greatest integer less than or
  equal to x.
• Let us define a0x and x0x. Then define
• We may approximate x by
• The sequence of rational numbers rk/sk give
  increasingly better accuracy.
• Theorem If for some integers r and s, then
  r/sri/si for some i in this procedure.

18
RSA, Low Exponent Attacks, Example

• Example Let n 1966981193543797 and e
  323815174542919. The continued fraction expansion
  for e/n is
• 0, 6, 13, 2, 3, 1, 3, 1, 9, 1, 36, 5, 2, 1, 6,
  1, 43, 13, 1, 10, 11, 2, 1, 9, 5
• The first fraction is 1/6, so we try k1, d6.
  Since d must be odd, this wont work.
• By the remark, we may skip the second expansion
  and go to third
• Again, d must be odd, so discard this.

19
RSA, Low Exponent Attacks, Example, pg 2

• The fifth fraction is 121/735, which gives
  C(e735-1)/121. This is not an integer! So
  discard it!
• The seventh fraction is 578/3511. This gives
  C1966981103495136 as a candidate for f(n).
• The roots for
• Are 37264873 and 52783789. Try these out and we
  find
• n 37264873 52783789
• We have factored n.

20
RSA, Short Plaintext Attack

• RSA is commonly used to transmit keys used for
  DES and AES.
• The key size of DES and AES are much smaller than
  the bit length used in a secure RSA (on the order
  of 500-1000 bits).
• A DES key is a number m on the order of 1017.
  When we encrypt with RSA to get cme (mod n), we
  will get a c that is most likely full length
  (say, roughly 10200).
• Eve may conduct a Meet in the Middle-type
  attack. She makes two lists
• cx-e (mod n) for all x with
• ye (mod n) for all y with
• She looks for a match between two lists
• So mxy.
• Note This will not always find a match!

21
RSA, Short Plaintext Attack, pg. 2

• This attack is very feasible. (Note not every m
  will be able to be expressed as xy but most
  will).
• More efficient than trying all 1017
  possibilities.
• We need 2109 computations.
• How to prevent this attack? Use Padding!
• A simple strategy, add some random bits to the
  beginning and end of m.
• More complicated (and stronger) strategy is to
  use Optimal Asymmetric Encryption Padding (OAEP).

22
Birthday Attacks

• A generalization of the short plaintext attack
  described earlier is the Birthday Attack.
• The Birthday Attack is based upon the Birthday
  Paradox If there are 23 people in a room, there
  is a 50 chance that two people share the same
  birthday.
• Explanation
• Fix the first persons birthday.
• Probability the second person has a different
  birthday is
• Probability the third person has a different
  birthday is
• And so on giving the probability everyone has
  different birthdays as
• Hence, the probability of a shared birthday is 1
  - 0.493 0.507

23
Birthday Attacks, pg. 2

• Suppose we have N objects, and r people. Each
  person chooses an object. The probability there
  is a match is
• For large N. Here l is a parameter that is
  determined from the problem statement (for
  example, if lln 2 then we have ½ probability of
  a match)
• Generalized Birthday Paradox Suppose we have N
  objects and there are two groups of r people.
  Each person chooses an object. Whats the
  probability that someone from first group chose
  the same object as someone from the second group?
• Answer Here
• Example Look at the birthday problem again. Here
  N365, and let r30. Then and gives
  that there is a 91.5 probability that there is a
  shared birthday

24
Birthday Attacks, pg. 3

• Now back to cryptography The birthday paradox is
  can be used to create an attack to find
  collisions in hash functions.
• Let h(x) be an n-bit hash function.
• There are N2n possible outputs.
• Make a list for hashes with randomly
  selected (but different) x.
• We now have so l1/2 and thus a 1-e-1/2
  (roughly a 40) chance of having two values x1
  and x2 with the same hash.
• Try a slightly longer list, like r102n/2 and we
  get over a 99 chance there is a collision.

25
Birthday Attacks on Digital Signatures

• Alice will sign a document for Eve using digital
  signatures with a 50-bit hash.
• The probability of a second document having the
  same hash is (1/2)50.
• Eve, however, may take an original document and
  find places where she can make changes. For
  example, we may add a space, or some such simple
  modification.
• If Eve has 30 of these locations, she has 230
  possible acceptable documents she can create.
  Eve now calculates the hash of each of these 230
  documents. Alice would accept any of these as
  good.
• Eve also makes 230 fraudulent versions
  (changing numbers, or words, etc.).
• We now have a generalized birthday problem, with
  r230 and N250. We now have a case where
  and l1024, so the probability of a match is
  about 1-e-1024 , roughly 1!

26
Defense for Birthday Attacks on Digital Signatures

• So, Eve can find a collision and make a
  fraudulent document that will have the same
  signature as another document.
• Eve will get Alice to sign the good document, and
  then swap the good document with the fraudulent
  document.
• They will have the same hash, and hence same
  signature.
• What can Alice do?
• Rather than sign the good document, she alters
  the good document (perhaps by removing a comma)
  and signs that.
• Eve no longer has the match, and instead must try
  to find a specific collision this is very
  unlikely!