Cracking DES Cryptosystem A cryptosystem is made of these parts: Two parties who want to communicate over an insecure channel An encryption algorithm that transforms the plaintext into ciphertext A decryption algorithm that reverses the process

Cracking DES Cryptosystem A good electronic cryptosystem should only be vulnerable to brute-force attacks that are computationally infeasible A given implementation, or other details not handled by the cryptosystem, may introduce weaknesses Can allow a more sophisticated variant of a brute-force algorithm

Overview of DES Cryptosystem DES is the US Federal Data Encryption Standard, dating from 1977 Developed by the NSA under the aegis of the NIST (NBS) 56-bit symmetric cipher, based on two parties (Alice and Bob) having a shared key

Outline of DES Cryptosystem The plaintext, a string of length 64 bits, is transformed with a fixed Initial Permutation 16 iterations (or rounds) of a function are computed. This involves parts of the transformed plaintext, parts of the secret (the shared key), other fixed functions (permutations and expansions), and the XOR operation The final string is given an Inverse Permutation

Outline of DES Cryptosystem The decryption process is the same as the encryption process, with all steps performed in reverse order The decryptor is, or should be, the only other possessor of the shared key Since the only mathematical operation is XOR, this is very fast in a dedicated hardware implementation

Details of DES Cryptosystem The heart of DES is the function performed for 16 iterations It contains a non-linear substitution algorithm, defined by eight fixed shift registers (S-boxes) The S-boxes juggle 6 XOR’ed bits from the permuted plaintext and the key for that round Changing one input bit changes at least two output bits

An S-Box: S1 Input String Binary RowBinary Column S-Box output value Dec:12 Bin: 1100 Input String Binary RowBinary Column S-Box output value Dec:6 Bin: 0110

That’s enough DES details Really Here’s a puppy

Greta

Difficulties in Cracking DES DES is a moderately strong cipher 2 56 possible keys Unsophisticated brute-force algorithm average case : 2 55 operations 36,028,797,018,963,968 operations Wouldn’t it be nice to be able to cheat?

Cracking DES There a few things that make a smart brute- force approach computationally feasible: Parallelizable Fast in hardware Plaintext recognizer circuitry These factors help weed out many keys quickly

Parallelizable Testing one candidate key does not depend on testing other keys Divide and Conquer – if you have n DES- cracking units, each unit gets 1/n of the potential key-space The time to crack also gets divided by n

Fast in hardware DES only consists of permutations, shifts, and XOR operations Speed of actual custom-built search unit – it can do one decryption in 16 clock cycles 2.5 million keys per second at 40 MHz

Plaintext recognizer An attacker needs to define criteria about the plaintext: This is what flags a candidate plaintext Configurable in controlling software ASCII text is easiest – you know the high bit of any given byte will always be zero

Details of a DeepCrack chip 24 search units on a chip Each search unit takes 2 8-byte blocks of ciphertext and a potential key If the first decrypted block is not “interesting”, the search unit increments the key and tries the block again If the first block is “interesting”, then the second block is tried with the same key

What’s “interesting?” Each chip is initialized with a plaintext recognizer: a lookup table defining which of 256 permutations of a byte are interesting A standard will be numbers, letters, and a few punctuation marks Easy for ASCII – may grow more difficult if Unicode sees more adoption

Controlling software The DES cracker is initialized and monitored by a standard PC It defines the plaintext lookup table, restarts search units after “interesting” results, and records the “interesting” values for further examination

Putting a DES cracker together 24 search units in a chip 64 chips on a VMEbus board 12 boards to a chassis Two chassis cost $210,000 as the first-run prototype built by the EFF in 1997 Could check 92,160,000,000 keys per second Average case: days

Securing against this attack This technique is dependent on the plaintext (ASCII, etc.) and on the speed of hardware It does not make any given n-bit encryption algorithm feasible– it just makes this one easier. Triple-DES is a 112-bit cipher – this machine can’t come close

Greta again

Bibliography Diffie, Whitfield. Privacy on the Line. Cambridge, Massachusetts: The MIT Press, 1998 Stinson, Douglas. Cryptography: Theory and Practice. New York: CRC Press, 1995 Electronic Frontier Foundation. Cracking DES. O’Reilly and Associates, Primarily a public domain publication