-
Now that we understand how DES works, let's look at a few attacks on DES,
-
and we're going to start with an attack called exhaustive search.
-
So our goal here is basically that given a few input-output pairs, (mi, ci),
-
our goal is to find the key that maps these m's to the c's.
-
In other words, our goal is to find the key that maps m1, m2, m3 into c1, c2, c3,
-
and as I said, our goal is to find the key that does this mapping.
-
The first question is, how do we know that this key is unique?
-
And so, let's do a little bit of analysis to show that in fact
-
just one pair is enough to completely constrain a DES key,
-
and that's why this question makes sense.
-
OK, so let's see. So we're going to prove this simple lemma.
-
Now let's assume that DES is what's called an ideal cipher.
-
So what is an ideal cipher? Basically we're going to pretend like DES is made up of
-
random invertible functions. In other words, for every key, DES implements a random invertible function.
-
Since there are 2^56 keys in DES, we're going to pretend like DES really is a collection
-
of 2^56 functions that are invertible from {0,1}^64 to {0,1}^64. OK? So of course,
-
DES is not a collection of 2^56 random functions, but we can idealize about the cipher and pretend
-
that it is such a collection. Then what can we say?
-
Then in fact it turns out that just given one message and ciphertext, you just give me
-
one pair, message and ciphertext, there's already only one key that maps this message to that ciphertext.
-
So already just given one pair m and c, I can ask you, find me the key that maps m to c,
-
and the solution is very likely to be unique. In fact it's going to be unique with probability roughly 99.5%.
-
I should say that this statement is true for all m and c, and the probability is just over the choice
-
of the random permutations that make up the cipher.
-
So let's write a proof. This is fairly straightforward. So what we're basically asking is,
-
what's the probability that there exists some key that's not equal to k such that,
-
well, c we know is equal to DES(k, m) by defintion of c and m, but we're asking how likely is it
-
that there's this other key, k-prime, that also satisfies this equality?
-
You realize that if this is true, if such a key k-prime exists, then just given m and c,
-
you can't decide whether the right key is k or k-prime, because both of them work. OK?
-
But I want to argue that this happens with low probability.
-
Well, so what does it mean that there exists a key k-prime that satisfies this relation?
-
Well, we're asking, what's the probability that the first key, the all-zero key, satisfies it?
-
Or, the second key satisfies it. Or, the third key satisfies it. And so on and so forth.
-
So by the union bound, we can bound this probability by the sum over all keys k-prime,
-
over all 56-bit keys, of the probability that DES(k,m) is equal to DES(k-prime, m).
-
OK? So we're asking, basically, what is this probability, for a fixed key k-prime,
-
that it happens to collide with the key k at the message m? Well, let's think about this for a second.
-
Let's fix this value, let's suppose it's some fixed value. And then we're asking,
-
how likely is it that a random permutation, pi k-prime, at the point m,
-
happens to produce exactly the same output as the key k at the point m?
-
Well, it's not difficult to answer and see that in fact this is, for a single key k-prime,
-
the probability is at most one over 2^64. Right? There are 2^64 possible outputs for the permutation,
-
what's the probability that it lands exactly on this output, well, it's one over 2^64.
-
And we're summing over all 2^56 keys, so we just multiply the two,
-
we get one over 2^8, which is basically one over 256. OK? So the probability
-
that the key is not unique is one over 256, therefore the probability that it is unique
-
is one minus that, which is 99.5%. OK? So already, if you give me one plaintext-ciphertext pair,
-
the key is completely determined. There's only one key that will map that plaintext
-
to that ciphertext, and the question is just, can you find that key?
-
Now it turns out in fact if you give me two pairs, so you give me m1 and m2,
-
and their corresponding outputs, c1 and c2, the probability basically
-
—just do exactly the same analysis, the probability basically becomes one.
-
That there's only one such key. OK, essentially, this is very, very, very close to 1,
-
and basically it says given two pairs, it's very very likely that only one key
-
will map this pair of messages to this pair of ciphertexts, and as a result again,
-
we can ask, well, find me that unique key. And by the way, the same is true for AES,
-
if you look at AES-128, again, just given two input-output pairs,
-
there's going to be only one key with very high probability. So essentially now
-
we can ask this exhaustive search problem, I give you two or three pairs, and I ask you,
-
well, find me the key. So how are you going to do it? Well, you're going to do it by exhaustive search,
-
essentially by trying all possible keys, one by one, until you find the right one.
-
So this is what's known as the DES challenge. So let me explain how the DES challenge worked.
-
The challenge was issued by a company called RSA, and what they did is basically,
-
they published a number of ciphertexts, but three of the ciphertexts had known plaintexts.
-
So in particular, what they did is they took the message here: The unknown message is, colon,
-
and you can see they broke it up into blocks. If you look at these, these are basically
-
eight-byte blocks. Eight bytes, as you know, is 64 bits, right, so each of these is 64 bits.
-
And then they encrypted them using a secret key. They encrypted them all using the same
-
secret key to get three ciphertexts. So this gives us three plaintext-ciphertext pairs,
-
and then they gave us a whole bunch of other ciphertexts, you know, c4, c5, c6,
-
and the challenge was, decrypt these guys using the key that you found
-
from an exhaustive search over the first three pairs that you were given.
-
OK. So that was called the DES challenge, and let me tell you a little bit
-
about how long it took to solve it. So interestingly, in 1997, using an Internet search,
-
using distributed.net, basically, they were able to search through enough of the keyspace
-
to find the correct key in about three months. You realize the keyspace has size 2^56,
-
but on average you only have to search through half the keyspace to find the key,
-
and so it took them three months. Then, kind of a miraculous thing happened.
-
The EFF actually contracted Paul Kocher to build special-purpose hardware to break DES.
-
This was a machine called Deep Crack. It cost about 250,000 dollars, and it broke
-
the next DES challenge in only three days. Interestingly, by the way, RSA said that
-
they would pay ten thousand dollars for each solution of a challenge, so you can see
-
that this is not quite economical. They spent 250K, they got ten thousand dollars
-
for solving the challenge. The next thing that happened is in 1999,
-
RSA issued another challenge, and they said, well, I'm gonna solve it in half the time
-
of the previous solution, and so using both Deep Crack and the Internet search together,
-
they were able to break DES in 22 hours.
-
So the bottom line here is, essentially, DES is completely dead.
-
Essentially, if you forget, or you lose your DES 56-bit key, don't worry—
-
within 22 hours, you can actually recover it and in fact, anyone can recover it, and so
-
DES essentially is dead and no longer secure. And just kind of a final nail in the coffin,
-
as hardware technology improved, there was another project called COPACABANA that used FPGAs,
-
just off-the-shelf FPGAs, only 120 FPGAs. It only cost 10,000 dollars. And they were able to break,
-
to do an exhaustive key search in about seven days. So very, very cheap hardware, just off the shelf,
-
you can break DES already very quickly. So the lesson from all this is essentially,
-
56-bit ciphers are totally, totally dead. And so the question is what to do.
-
People really liked DES, it was deployed in a lot of places, there were a lot of implementations,
-
there was a lot of hardware support for it, so the question was what to do.
-
And so the first thing that came to mind is, well maybe we can take DES
-
and we can kind of artificially expand the key size, so we strengthen it against
-
this exhaustive search attack. And the first idea that comes to mind is basically,
-
well, let's iterate the block cipher a couple of times. And this is what's called Triple DES.
-
So Triple DES is a general construction. Basically it says the following.
-
Suppose you gave me a block cipher E. So here, it has a keyspace K,
-
it has a message space M, and an output space of course M as well.
-
Let's define the triple construction, which now uses three keys, and it's defined as follows,
-
basically, here, the triple construction uses three independent keys, encrypts the same
-
message block as before, and what it does is, it will encrpyt using the key k3,
-
then it will decrypt using the key k2, then it will encrypt again using the key k1.
-
OK so basically encrpyting three times, using three independent keys.
-
You might be wondering, why is it doing E, D, E, why not just do E, E, E?
-
Why do we have to have a D in the middle? Well, that's just for, uh, kind of a hack.
-
You notice what happens if you set up k1 equals k2 equals k3? What happens if all three keys
-
are the same? Well, basically, what will happen is, one E and one D would cancel,
-
and you would just get normal DES out. So it's just a hack so that if you have a hardware implementation
-
of Triple DES, you can set all three keys to be the same, and you'll get a hardware implementation
-
of single DES. Of course it'll be three times as slow as a regular impelmentation of single DES,
-
but nevertheless, it's still an option. OK, so for Triple DES now we get a key size
-
that's 3 times 56, which is 168 bits; this is, 168 bits is way too long to do an exhaustive search on.
-
That will take time 2^168, which is more than all the machines on earth working for ten years
-
would be able to do. Unfortunately, of course, the cipher is three times slower than DES.
-
So this is a real problem with Triple DES. Now I want to mention that in fact you might think
-
Triple DES has security 2^168, but in fact, there is a simple attack that runs in time 2^118,
-
and I want to show you how that attack works. OK? So— but in fact 2^118 is still a large number.
-
In fact, anything that's, kind of, bigger than 2^90 is considered sufficiently secure.
-
2^118 is definitely sufficiently secure against exhaustive search,
-
and generally is considered a high enough level of security.
-
So clearly Triple DES is three times as slow as DES. So the question is,
-
why did they repeat the cipher three times? Why not repeat the cipher just two times,
-
or in particular, the question is, what's wrong with double DES?
-
So here we have double DES. Basically you see it uses only two keys, and it uses only
-
two applications of the block cipher, and as a result it's only going to be twice as slow as DES,
-
not three times as slow as DES. Well, the key length for double DES is 2 times 56, which is
-
112 bits, and in fact doing exhaustive search on a space of 112 bits is too much.
-
2^112 is too big of a number to do exhaustive search over such a large space.
-
So the question is, what's wrong with this construction. Well, it turns out
-
this construction is completely insecure, and I want to show you an attack.
-
So, suppose I'm given a bunch of inputs, say m1 to m10, and I'm given the corresponding outputs
-
c1 to c10. What's my goal? Well, my goal is basically to find keys, you know, a pair of keys k1, k2,
-
such that if I encrypt the message M using these keys, in other words if I do this encryption,
-
this double DES encryption, then I get the ciphertext vector that was given to me.
-
OK, so our goal is to solve this equation here. Now you stare at this equation a little bit,
-
and you realize, hey wait a minute, I can rewrite it in kind of an interesting way;
-
I can apply the decryption algorithm, and then what I'll get is that I'm really looking for
-
keys k1, k2 that satisfy this equation here, where basically all I did is I applied
-
the decryption algorithm using k1 to both sides. OK, now whenever you see an equation like this,
-
what just happened here is that we separated our variables into two sides,
-
the variables now appear on independent sides of the equation, and that usually means
-
that there is a faster attack than exhaustive search, and in fact this attack is called
-
a meet-in-the-middle attack, where really the meet-in-the-middle is going to somehow
-
attack this particular point in the construction. OK, so we're going to try and find a key
-
that maps m to a particular value here, and maps c to the same value.
-
OK, so let me show you how the attack works. So the first thing we're going to do is
-
we're going to build a table. Here, let me clear up some space here.
-
The first step is to build a table that for all possible values of k2,
-
encrypts m under that value. OK, so here we have this table, so you notice
-
these are all 2^56 Single DES keys, OK, so the table has 2^56 entries,
-
and what we do is basically, for each entry, we compute the encryption of m
-
under the appropriate key. So this is the encryption of m under the all-zero key,
-
the encryption of m under the one key, and at the bottom, we have the encryption of m
-
under the all-one key. OK, so there are 2^56 entries, and we sort this table based on the second column.
-
OK, so far, so good. So by the way this takes time—to build this table takes time 2^56,
-
and I guess we also want to sort, sorting takes n log n time, so it's 2^56 times log 2^56. OK.
-
So now that we have this table, we've essentially built all possible values
-
in the forward direction for this point.
-
Now what we're going to do is this meet-in-the-middle attack,
-
where now we try to go in the reverse direction with all possible keys k.
-
Essentially we compute the decryption of c under all possible keys k1.
-
OK, so now for each potential decryption, remember the table holds all possible values
-
in the midpoint, so then for each possible decrpytion, we check, hey, is the decryption in the table,
-
in the second column in the table? If it is in the table, then aha, we found the match,
-
and then what do we know? We know that essentially, well, we found the match, so we know that
-
say for example a decryption using a particular key k1 happened to match this entry in the table,
-
say, k2 or more generally ki, then we know that the encryption of m under ki
-
is equal to the decryption of c under k. OK, so we kind of build this meet-in-the-middle,
-
where the two sides, you know, the encryption of m under ki and the decryption of c under k,
-
collided, but if they collided, then we know that in fact this pair, ki and k, is equal to
-
the pair that we're looking for. And so we've just solved our challenge.
-
So now let's look at what's the running time of this? Well, we had to build a table,
-
and sort it, and then for all possible decryptions, we had to do a search through the table.
-
So there were 2^56 possible decryptions, each search in a sorted table takes log(2^56) time,
-
if you just work it out this turns out to be 2^63, which is way, way, way, way, way smaller
-
than 2^112. OK, so this is a serious attack, it's probably doable today, that runs in a total time
-
of 2^63, which is about the same time as the exhaustive search attack on DES.
-
So really, double DES really didn't solve the exhaustive search problem,
-
because, well, there's an attack on it that runs in about the same time
-
as exhaustive search on single DES. Now someone might complain
-
that in fact this algorithm, well, we have to store this big table,
-
so it takes up a lot of space, but you know, so be it. Nevertheless, the running time
-
is still quite small or significantly smaller than 2^112.
-
Now you notice, by the way, this same attack applies to Triple DES.
-
What you would do is you would implement the meet-in-the-middle attack against this point,
-
you would build a table of size 2^56 of all possible encryptions of m,
-
and then you would try to decrypt with all 2^112 keys until you find a collision,
-
and when you find a collision, you have basically found k1, k2, k3.
-
OK, so even Triple DES has an attack that basically explores only 2^112 possible keys.
-
But 2^112 is a large enough number, so Triple DES in fact, as far as we know,
-
is sufficiently secure. I should mention that Triple DES is actually a NIST standard,
-
and so Triple DES is actually used quite a bit, and in fact DES should never ever ever be used,
-
if for some reason you're forced to use some version of DES, use Triple DES, not DES.
-
OK, I want to mention one more method for strengthening DES against exhaustive search attacks.
-
This method actually is not standardized by NIST, because it doesn't defend against
-
more subtle attacks on DES, but nevertheless if all you're worried about is exhaustive search,
-
and you don't want to pay the performance penalties of Triple DES, then this is an interesting idea.
-
So let me show you how it works. So let E be a block cipher that operates on n-bit blocks.
-
We're going to define the EX construction, and for DES we're going to get DESX, to be the following.
-
So we use three keys, k1, k2, k3, and then basically before encrpytion, we XOR with k3,
-
then we encrypt using k2, and then after encryption we XOR with k1. That's it.
-
That's the whole construction. So basically, you'll notice it doesn't slow the block cipher much,
-
because all we did is we applied the cipher plus two additional XORs, which are super fast.
-
The key length for this is in fact, well, we got two keys that are as long as the block size,
-
and we got one key that's as long as the key size, so the total is 184 bits.
-
Now, it turns out actually the best attack that's known is actually an attack that takes time 2^120,
-
and this is actually fairly simple. So it's a generic attack on EX, it will always take time basically
-
block size plus the key size, and it's a simple homework problem
-
for you to try to figure out this attack. I think this is a good exercise.
-
OK, in fact there is some analysis to show that there is no exhaustive search attack
-
on this type of construction, so it's a fine construction against exhaustive search,
-
but there are more subtle attacks on DES that we'll talk about in the next segment,
-
that basically this construction will not prevent.
-
One thing that I want to point out, unfortunately I found this mistake in a number of products,
-
is if you just decide to XOR on the outside, or if you just decide to XOR on the inside,
-
as opposed to XOR-ing on both sides, which is what DESX does,
-
you notice DESX XORs both on the outside and on the inside,
-
If you just do one of them, then basically this construction does nothing
-
to secure your cipher. It'll still be as vulnerable to exhaustive search
-
as the original block cipher E. OK, so this is another homework problem,
-
and actually you'll see that as part of our homeworks. OK.
-
So this basically concludes our discussion of exhaustive search attacks,
-
and next we'll talk about more sophisticated attacks on DES.