Cryptanalysis

advertisement
Cryptanalysis
The Speaker

Chuck Easttom

ceasttom@cec-security.com

www.CEC-Security.com
What cryptanalysis is NOT
 It’s not fast
 It’s not guaranteed
It’s
not
easy

 It’s not what you see in
the movies
Levels of Success
Total break — the attacker deduces the secret key.
Global deduction — the attacker discovers a functionally equivalent
algorithm for encryption and decryption, but without learning the
key.
Instance (local) deduction — the attacker discovers additional
plaintexts (or ciphertexts) not previously known.
Information deduction — the attacker gains some Shannon
information about plaintexts (or ciphertexts) not previously known.
Distinguishing algorithm — the attacker can distinguish the cipher
from a random permutation.
Resources
Time — the number of "primitive operations"
which must be performed. This is quite loose;
primitive operations could be basic computer
instructions, such as addition, XOR, shift, and so
forth, or entire encryption methods.
Memory — the amount of storage required to
perform the attack.
Data — the quantity of plaintexts and ciphertexts
required.
Breaking Ciphers
This means finding any method to decrypt the
message that is more efficient than simple brute
force attempts. Brute force is simply trying every
possible key. If they algorithm uses a 128 bit key
that means 2128 possible keys. In the decimal
number system that is 3.402 * 1038 possible keys.
If you are able to attempt 1 million keys every
second it could still take as long as
10,790,283,070,806,014,188,970,529 years to
break.
Breaking Ciphers
Cryptanalysis is using other techniques (other
than brute force) to attempt to derive the key.
In some cases cryptographic techniques are
used to test the efficacy of a cryptographic
algorithm. Such techniques are frequently
used to test hash algorithms for collisions.You
must keep in mind that any attempt to crack
any non-trivial cryptographic algorithm is
simply an ‘attempt’. There is no guarantee of
any method working. And whether it works or
not it will probably be a long and tedious
process. This should make sense to you. If
cracking encryption where a trivial process,
then encryption would be useless.
Frequency Analysis
This is the basic tool for breaking most classical
ciphers. In natural languages, certain letters of the
alphabet appear more frequently than others. By
examining those frequencies you can derive some
information about the key that was used. This method
is very effective against classic ciphers like Caesar,
Vigenere, etc. It is far less effective against modern
methods. In fact with modern methods, the most
likely result is that you will simply get some basic
information about the key, but you will not get the
key. Remember in English the words’ the and and are
the two most common three letter words. The most
common single letter words are I and a. If you see
two of the same letters together in a word, it is most
likely ee or oo.
Known Plain Text/ Chosen Plain Text
In this attack the attacker obtains the ciphertexts
corresponding to a set of plaintexts of his own
choosing. This can allow the attacker to attempt to
derive the key used and thus decrypt other messages
encrypted with that key. This can be difficult but is not
impossible.
Cipher Text Only
Ciphertext-only: The attacker only has access to a collection of
cipher texts. This is much more likely than known plaintext,
but also the most difficult. The attack is completely successful
if the corresponding plaintexts can be deduced, or even better,
the key. The ability to obtain any information at all about the
underlying plaintext is still considered a success.
Related Key attack
Related-key attack: Like a chosen-plaintext attack, except the
attacker can obtain ciphertexts encrypted under two different
keys. This is actually a very useful attack if you can obtain the
plain text and matching cipher text.
Linear Cryptanalysis
Linear cryptanalysis is based on finding affine approximations
to the action of a cipher. It is commonly used on block
ciphers. This technique was invented by Mitsarue Matsui. It
is a known plaintext attack and uses a linear approximation
to describe the behavior of the block cipher. Given enough
pairs of plaintext and corresponding ciphertext, bits of
information about the key can be obtained. Obviously the
more pairs of plain text and cipher text one has, the greater
the chance of success.
Remember cryptanalysis is an attempt to crack cryptography.
For example with the 56 bit DES key brute force could take
up to 256 attempts. Linear cryptanalysis will take 243 known
plaintexts. This is better than brute force, but still impractical
for most situations.
Linear Cryptanalysis
With this method, a linear equation expresses the
equality of two expressions which consist of
binary variables XOR’d. For example, the following
equation, XORs sum of the first and third
plaintext bits and the first ciphertext bit is equal
to the second bit of the key:
You can use this method to slowly recreate the
key that was used.
Linear Cryptanalysis
Now after doing this for each bit you will have an equation of
the form
we can then use Matsui's Algorithm 2, using known plaintextciphertext pairs, to guess at the values of the key bits involved
in the approximation. For each set of values of the key bits on
the right-hand side (referred to as a partial key), count how
many times the approximation holds true over all the known
plaintext-ciphertext pairs; call this count T. The partial key
whose T has the greatest absolute difference from half the
number of plaintext-ciphertext pairs is designated as the most
likely set of values for those key bits
Differential Cryptanalysis
Differential cryptanalysis is a form of cryptanalysis applicable to
symmetric key algorithms. This was invented by Elii Biham and
Adi Shamir. Essentially it is the examination of differences in an
input and how that affects the resultant difference in the
output. It originally worked only with chosen plaintext. Could
also work with known plaintext and ciphertext only.
Differential Cryptanalysis
By analyzing the changes in some chosen
plaintexts, and the difference in the
outputs resulting from encrypting each
one, it is possible to recover some
properties of the key.
Differential Cryptanalysis
Differential Cryptanalysis is a Chosen Plaintext attack.
By analyzing the Cipher, Differential Characteristics are
discovered and used to discover information about the
key.
This technique doesn’t recover the key, but it attempts to
reduce the number of possible keys so that it is possible to
find the key in a reasonable amount of time.
Other methods
Higher Order Differential Cryptanalysis
Truncated Differential Cryptanalysis
Impossible Differential Cryptanalysis
Boomerang Attack
Mod-n cryptanalysis
Boomerang Attack
Other Techniques
•
•
•
•
Seeking clues
Using other passwords
Learning about the subject
Tricking the person into giving you the password
Questions
ceasttom@cec-security.com
www.CEC-Security.com
Download