Data Sources for DES Breaking

Given that we might embark upon this public demonstration of the fragility of single DES, what should we use for test data?

If a lone Cypherpunk simply encrypts a file with DES-ECB, hides the key in a drawer, and publishes the cyphertext and plaintext for use in a distributed cracking effort, there will of course be the suggestion that the exercise was rigged, and any public policy implications will be lost in the endless "Was So/Was Not" quibbling which will undoubtedly take place after the crack is complete.

Given that most of the people currently singing the praises of single DES live in the banking industry, which has so far resisted all reasonable suggestions that it is time for them to move to something stronger, it would seem almost obvious that this crack should be done on some form of live financial data, such as might be obtained if one were to capture bits passing over publicly accessible phone lines between various financial institutions, ATM machines, and centralized computer facilities.

The ideal data would be replete with prepended fixed headers which could be used as a wedge for a known plaintext attack, and should be sufficiently sensitive that breaking it will result in scandalous tabloid headlines and numerous opportunities for Cypherpunks to promote their policy agenda in the media.

DES is, after all, a prime example of the type of encryption one gets when the government, rather than the brightest minds in the private sector, is in charge of determining National Crypto Policy and mandating the use of "approved" techniques.

I would suggest we obtain the test data for this exercise as soon as possible, and widely disseminate it on the Net. There is no need to wait until we have distributed cracking software ready to go before doing this, and having the actual data to play with while munging the code together may lead to some new insights as to efficient ways to attack the problem.
-- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $

This did not happen when cypherpunk Hal Finney posted a message and challenge; everyone saw that resources were assembled, and the key was cracked.

What I see as more likely than 'did/did not' is the Netscape-style assertion that the computer time used cost N million dollars (Ok, NS claimed the compute cycles were worth $10,000.)

As such, the analysis needs to be presented in light of the fact that 3des would take 3 times as long to encrypt, and take 2**56 times as many dollars worth of compute power to decrypt. To put that to scale, if the computer power to break des is one cent, the federal debt (5 trillion) wouldn't get you close to breaking 3des.

Or IDEA takes roughly as long to encrypt, and is even stronger. And available to foreigners, since it was invented, and patented, in the free world.

Adam

Mike Duvos wrote:
| If a lone Cypherpunk simply encrypts a file with DES-ECB, hides
| the key in a drawer, and publishes the cyphertext and plaintext
| for use in a distributed cracking effort, there will of course
| be the suggestion that the exercise was rigged, and any public
| policy implications will be lost in the endless "Was So/Was Not"
| quibbling which will undoubtedly take place after the crack is
| complete.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

Adam Shostack <adam@homeport.org> writes:
| This did not happen when cypherpunk Hal Finney posted a message and challenge; everyone saw that resources were assembled, and the key was cracked.
I think an effort to crack DES differs somewhat from factoring RSA moduli or breaking 40 bit SSL in that tempting test data is not everywhere for the taking. It may therefore be somewhat more difficult for the typical reader to abstract a "what this means for my data" scenario from the results of such an effort, and we should expect at least a small amount of FUD from the American Banking Association, which will recoil in horror at any suggestion that what they are currently doing is not secure. If we were preparing to attack something with a very visible common application, like Unix Crypt(3), I would agree with you that everyone would understand and see what was happening, just as people were easily able to understand the notion of capturing data during an SSL handshake, and pounding on it with large numbers of CPU cycles.
| What I see as more likely than 'did/did not' is the Netscape-style assertion that the computer time used cost N million dollars (Ok, NS claimed the compute cycles were worth $10,000.)
Netscape's attempts at damage control were sorely limited by the fact that the data used for the crack was captured during the normal operation of their software. Had Hal done some sort of known plaintext attack on 40 bit RC4 outside the context of a specific widely-used application, it is possible that a lot of time would have been wasted countering the inevitable "this doesn't apply to us" arguments from various software vendors, with the general public understanding none of the terminology used in the debate. This would definitely have softened the media impact of the accomplishment.
| As such, the analysis needs to be presented in light of the fact that 3des would take 3 times as long to encrypt, and take 2**56 times as many dollars worth of compute power to decrypt. To put that to scale, if the computer power to break des is one cent, the federal debt (5 trillion) wouldn't get you close to breaking 3des.
Correct. But breaking a real-life example of single DES would be a nice rejoinder to those who continue to insist, in the face of strong grumbling by the cryptographic community, that single DES is a cipher with many more years of useful life left in it. If this speeds the adoption of second generation ciphers by major players in the national infrastructure, then it will have been a useful exercise.
-- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $

mpd@netcom.com (Mike Duvos) writes:
| Given that we might embark upon this public demonstration of the fragility of single DES, what should we use for test data?
If the goal is to show that the 40bit key used in s/mime is totally insecure, then one could take some short plaintext likely to occur there and compute a lookup table, listing its encryption with all possible keys - and make it available on the internet.
--- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

In article <199607242051.NAA13352@netcom5.netcom.com>, Mike Duvos <mpd@netcom.com> wrote:
| Given that we might embark upon this public demonstration of the fragility of single DES, what should we use for test data?
How about a Kerberos packet? Kerberos is a time-honored system. There are a number of citations that can be provided to prove that it is in use (perhaps heavy use?) on Wall Street. Alternatively, how about a Netscape SSL packet encrypted with DES? I will volunteer to provide such a challenge if anyone is going to undertake a serious keysearch effort.

participants (4)
- Adam Shostack
- daw@cs.berkeley.edu
- dlv@bwalk.dm.com
- mpd@netcom.com