
Cracking Des and Rsa Enc

The document discusses cracking DES and RSA encryption. It provides an overview of DES and how it was cracked through distributed computing and custom hardware. It then discusses RSA encryption and how it works, and the difficulties in cracking it through integer factorization.

Cracking DES and RSA Encryption

Philip Leong
The Chinese University of HK
[email protected]

http://www.cse.cuhk.edu.hk/~phwl/seminar.html
1
Overview

• Introduction
• Cracking DES
• Cracking RSA
• Weaknesses of cryptography based schemes
• Conclusions

2
DES
• Before DES, no standards for encryption
– Interoperability between organizations difficult
• US National Bureau of Standards requested proposals to solve this problem
– Chose Lucifer (Horst Feistel of IBM)
– Reduced key size from 128 to 56 bits
– Changed s-boxes
• First standardized in 1976
– FIPS46-1, FIPS46-2, ANSI X3.92
– retail and wholesale banking, Networks
– UNIX password encryption uses a “broken DES”
• Believed to be the most widely used cryptosystem in the world

3
SSL - eCommerce
Netscape Navigator 4.74 (export version)

4
DES block diagram

5
One round of DES

6
Expansion permutation

7
S-boxes

8
Decryption

• Same as encryption, but use K[17-i] in place of K[i] (the round keys are applied in reverse order)

9
DES Cracking

• Search $2^{56}$ (72,057,594,037,927,936) keys
– no better way has yet been found after 25 years of research!
• Two successful approaches
– distributed computing
– custom DES hardware

10
Distributed computing approach
(1998)

• DES-II-1 is a competition from RSA labs to decrypt a message encrypted with DES
• Monday, 23-Feb-1998 a solution was found from a distributed computing effort
– took 39 days

11
Project statistics

• Start of contest: January 13, 1998
• End of Contest: February 23, 1998
• Size of keyspace: 72,057,594,037,927,936
• Approximate keys tested: 63,686,000,000,000,000
• Peak keys per second: 34,430,460,000

12
Equivalent computing power

• At the time, Distributed.net was equivalent in processing power to:
– 11,264 DEC Alpha 21064 533s
– 15,316 Sun Ultra I 167s
– 22,393 Intel Pentium II 333s

13
“Deep crack” Hardware cracker

• Developed by the Electronic Frontier Foundation
• Cost US$210,000
– $80,000 design
– $210,000 materials (chips, boards, chassis etc)

14
VLSI Chip

• Developed by Advanced Wireless Technologies
– 24 search units per chip
– 40 MHz
– 16 cycles per encryption
– 2.5 million keys/s

15
Board

• Contains 64 chips

16
Cabinets

• 6 cabinets holding 29 boards

17
Deep crack system
• 90 billion keys/s
– 37,000 search units
– c.f. Distributed Net’s 34 billion keys/s
• Controlled by PC
– checks possible all ASCII candidate solutions
from the search units
• Solved RSA’s DES-III in 22 hours
– Jan 18 1999

18
Attacks on secret key systems
• Brute force search
– Most of the time not needed since it is much simpler to
use one of the below (chain is as strong as its weakest
link)
• Reduced search
– Dictionary
– Passwords chosen from lower case alphabetical
characters
• Plaintext password
– Log keyboard, monitor, network, Trojan horse

19
Encryption

- Cipher feedback (CFB) and output feedback (OFB) modes also common
20
Alternatives

• Triple DES (ANSI X9.52)
• IDEA, Blowfish ... - optimized for software
• Internet task force recommends triple DES, RC2 and RC4
• AES (advanced encryption standard)

21
Multiple Encryption

22
Public vs Secret Key Cryptography
• Key distribution
– How do we share keys over the internet?
– Use a 1-way function (c.f. anyone can close a padlock, but
only the person with the key can open it)
– In public key cryptography, you make your “public key”
available to everyone. Anyone can send you a message,
but only you can decode it.
• Using this scheme, it is easy to develop key distribution protocols
• Digital signatures
– Only you can encrypt using your private key, others can
tell it was you via your public key

23
RSA Cryptography
• Invented in 1977 by Rivest, Shamir and Adleman
• All major protocols for secure internet transactions (web browsers, OS etc)
• Encryption, key exchange, authentication
• RSA Lab’s FAQ: Estimated installed base of 500 million

$p, q$ prime
$N = pq$
$ED = 1 \bmod (p-1)(q-1)$
$C = M^E \bmod N$
$M = C^D \bmod N$

24
Example (not very secure)
• $p=11$, $q=7$ (secret)
• $N=pq=77$ & $E=13$ (public)
• Anyone can encrypt a message e.g. $M=4$
– $4^{13} \bmod 77 = 53$
• Decryption
– $(p-1)(q-1)=60$, $13 \cdot 37 \bmod 60 = 1$ ($D=37$)
– $53^{37} \bmod 77$ = 6283580383636683322486356945483938304940731973668146791149026213 mod 77 = 4
25
Performance

• Hardware implementations
– DES 1Gbits/s
– 512 bit RSA 600Kbits/s (1500 times slower)

26
RSA Security

• The security of RSA hinges on the difficulty of finding p,q from N (factoring)
– if we know p,q we can easily compute D
– for reasonable security, M > 512 bits
• Technically a lot more difficult than DES (maths a lot more complicated - “number field sieve”)

27
Factoring Facts
• Problem: given $n=pq$, find $p$ and $q$
• For any (odd) $n$, if $n=pq$ then it can be expressed in the form $n=(x-y)(x+y)=x^2-y^2$ (with $x=(p+q)/2$ and $y=(p-q)/2$; $p$ and $q$ must be odd)
• If we can find $(x,y)$ s.t. $n=x^2-y^2$ we have solved the problem (Fermat 1601-1665)
• Instead look for “random” $(x, y)$ s.t. $x^2 \equiv y^2 \pmod n$. This does not solve the problem directly, but $n$ divides $x^2-y^2$ and there is a 50% chance that $\gcd(n, x-y)$ is a nontrivial factor of $n$ (Kraitchik 1882-1957)
• Modern large number factoring methods use this idea & try to find $(x,y)$

28
Dixon’s Algorithm
• Let factor base (fb) $p_1, p_2, \ldots, p_m$ be the first $m$ primes
• Randomly choose an integer $r$
• Let $g(r) = r \cdot r \bmod n$ and factorize $g(r)$ wrt fb. If no factors, choose another $r$.
$g(r) = p_1^{a_1} \cdot p_2^{a_2} \cdots p_m^{a_m}$
• Let $v(r)=(a_1,a_2,\ldots,a_m)$. If all $a_i$ are even, $g(r)$ is a perfect square and we have found $g(r) \equiv r^2 \pmod n$ (but not likely to happen)
• Do the above for many $r$ and construct many vectors $w(r)=(b_1,b_2,\ldots,b_m)$ where $b_i = a_i \bmod 2$
29
Dixon’s Algorithm
(Gaussian Elimination)
• Collect many such $w(r_i)$ (binary vectors with elements mostly 0)
• Perform Gaussian elimination modulo 2 on these vectors to find a subset of $r_i$’s for which the product of the corresponding $g(r_i)$’s is a perfect square
$g(r_1) \cdot g(r_2) \cdots g(r_t) \equiv r_1^2 \cdot r_2^2 \cdots r_t^2 \pmod n$
• Both sides are perfect squares and there is a 50% chance this yields a factor of $n$

30
Example: factorize 119
• Factor base 2,3,5
• $r_1=60$, $g(r_1)=60 \cdot 60 \bmod 119 = 30$
$30=2^1 3^1 5^1$, $v_1=(1,1,1)$, $w_1=(1,1,1)$
• $r_2=82$, $g(r_2)=82 \cdot 82 \bmod 119 = 60$
$60=2^2 3^1 5^1$, $v_2=(2,1,1)$, $w_2=(0,1,1)$
• $r_3=11$, $g(r_3)=11 \cdot 11 \bmod 119 = 2$
$2=2^1 3^0 5^0$, $v_3=(1,0,0)$, $w_3=(1,0,0)$
• Rows $w_1, w_2, w_3$:
1 1 1
0 1 1
1 0 0
• Adding all the rows mod 2 we get 0 0 0
$2^1 3^1 5^1 \cdot 2^2 3^1 5^1 \cdot 2^1 3^0 5^0 \equiv 60^2 \cdot 82^2 \cdot 11^2 \pmod{119}$
i.e. $60^2 \equiv 54120^2 \pmod{119}$
$\gcd(54120-60, 119) = 17$
so $119 = 17 \times 7$
31
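The three Dixon slides above, carried through in code as an added example (not part of the original slides). It collects smooth relations, reduces the parity vectors mod 2 one row at a time, and takes the gcd; the function names and the choice to pass candidate r values in as a list are assumptions made for the illustration.

```python
from math import gcd
from random import Random

def exponents(value, base):
    """Exponent vector v of value over the factor base, or None if not smooth."""
    vec = []
    for p in base:
        a = 0
        while value % p == 0:
            value //= p
            a += 1
        vec.append(a)
    return vec if value == 1 else None

def dixon(n, base, candidates):
    """Return a nontrivial factor of n, or None if the candidates run out."""
    rels = []      # smooth relations (r, v(r))
    pivots = {}    # leading bit of a reduced w -> (reduced w, relations combined)
    for r in candidates:
        if gcd(r, n) != 1:
            continue                  # keep r coprime to n so that g(r) != 0
        v = exponents(r * r % n, base)
        if v is None:
            continue                  # g(r) has no factorization over the base
        rels.append((r, v))
        w = sum((a & 1) << i for i, a in enumerate(v))   # w(r) as a bit mask
        combo = {len(rels) - 1}
        while w:                      # Gaussian elimination mod 2, row by row
            top = w.bit_length() - 1
            if top not in pivots:
                pivots[top] = (w, combo)
                break
            w, combo = w ^ pivots[top][0], combo ^ pivots[top][1]
        else:                         # w reduced to 0: product of g(r_i) is a square
            x, total = 1, [0] * len(base)
            for i in combo:
                x = x * rels[i][0] % n
                total = [t + a for t, a in zip(total, rels[i][1])]
            y = 1
            for p, t in zip(base, total):
                y = y * pow(p, t // 2, n) % n
            f = gcd(x - y, n)
            if 1 < f < n:
                return f              # otherwise x = +/-y mod n: keep collecting
    return None

def random_candidates(n, count, seed=1):
    rng = Random(seed)                # seeded only so the demo is repeatable
    return (rng.randrange(2, n) for _ in range(count))
```

Calling `dixon(119, (2, 3, 5), [60, 82, 11])` follows the slide's r values exactly; `random_candidates` supplies the "randomly choose r" step for other moduli.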
Number Field Sieve
• Attempts to construct a solution to
– $x^2 \equiv y^2 \pmod N$
– Then GCD(x-y, n) is a factor of n
• Step 1: factor many congruences of form
– $C \equiv D \bmod N$ where there is a special relation between C and D
– C, D factors wrt a fixed set of primes called factor base: ci = di mod N where ci, di in factor base
– Congruences are found by sieving all primes in factor base over a long sieve interval
• Step 2: Look for a set of these congruences which when multiplied gives squares on both sides
– Done by solving a large set of linear equations
• Step 1 takes most of the time but can be parallelized, step 2 difficult to parallelize

32
Historic Factoring Records

33
512 bit RSA
• RSA-512
– Aug 1999: factored in 3.7 months, 35.7 CPU years,
approx 300 computers + a Cray 916
– Montgomery
– Number field sieve
• Simon Singh: The Code Book
– October 2000: factored by a team of students at the
Royal Institute of Technology, Sweden
– Used same code as above

34
Timing Attacks
• RSA: $M = C^D \bmod N$ (D private key)
• Exponentiation algorithm:
    Let s_0 = 1.
    For k = 0 upto w-1:
        If (bit k of D) is 1 then
            Let R_k = (s_k · C) mod n.
        Else
            Let R_k = s_k.
        Let s_{k+1} = R_k^2 mod n.
    EndFor.
    Return (R_{w-1}).
• If D_k=1 need to do multiplication which takes longer than if D_k=0
⇒ we can deduce if D_k=1
• If we have a lot of different (C, timing) pairs, can deduce D (signal detection problem)
• Paul Kocher (22 yr biology student)

35
Side Channel attacks
• Applicable to any algorithm which has different timing (or e.g. power) for different inputs

36
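An added example (not from the original slides) for the two slides above: the slide's exponentiation loop with a counter for modular multiplications, next to a Montgomery ladder that does the same work for every exponent bit. The multiplication count stands in for running time; the function names and the fixed `width` parameter are assumptions of this sketch.

```python
def modexp_slide(c, d, n):
    """Square-and-multiply as on the slide; returns (result, multiplications)."""
    s, r, ops = 1, 1, 0
    for bit in bin(d)[2:]:            # bit 0 is the most significant bit of D
        if bit == "1":
            r = s * c % n             # extra multiplication only when D_k = 1
            ops += 1
        else:
            r = s
        s = r * r % n                 # squaring happens for every bit
        ops += 1
    return r, ops

def modexp_ladder(c, d, n, width):
    """Montgomery ladder over a fixed bit width; returns (result, multiplications).

    Every bit costs one multiplication and one squaring, so the count depends
    only on width. A production implementation would also replace the branch
    with a constant-time conditional swap and use constant-time big-integer
    arithmetic; Python integers provide neither.
    """
    r0, r1, ops = 1, c % n, 0
    for k in reversed(range(width)):
        if (d >> k) & 1:
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        ops += 2
    return r0, ops

def multiplication_counts(c, n, exponents, width):
    """(slide count, ladder count) for each exponent, for side-by-side comparison."""
    return [(modexp_slide(c, d, n)[1], modexp_ladder(c, d, n, width)[1])
            for d in exponents]

# Constructed sample: the slide's toy key (N=77, D=37, C=53) plus two 6-bit
# exponents that differ only in Hamming weight.
SAMPLE = multiplication_counts(53, 77, [37, 0b100001, 0b111111], 6)
```

In `SAMPLE` the first column varies with the number of 1 bits in the exponent while the second stays fixed, which is the property that removes the signal the slide describes.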
(Easier) Ways to get passwords
• Crack cryptography
– Weak algorithm (e.g. Enigma)
– Short keys (Netscape export 40 bits)
• Sniffer attacks
– Look at plaintext passwords sent by ftp, telnet etc
– Keyboard tapping
• Poor Implementations
– Netscape SSL 1.1 PRNG seed easily guessed
– Buffer overflow
• Trojan horse
– WWW based (PayPaI.com)
– Public terminals
• Backdoors
– Microsoft Internet Server “weenies”
• Stored passwords
• Social engineering

37
Conclusion
• DES and RSA can be cracked but probably not
worth the effort
– 3-DES and 1024 RSA probably will not be cracked in
the next 10 years
• Computer security is only as strong as its weakest
link
– Don’t worry too much about the DES and RSA
cryptographic algorithms
– But worry about the implementations and protocols!

38