Cryptanalysis The Speaker Chuck Easttom ceasttom@cec-security.com www.CEC-Security.com What cryptanalysis is NOT It’s not fast It’s not guaranteed It’s not easy It’s not what you see in the movies Levels of Success Total break — the attacker deduces the secret key. Global deduction — the attacker discovers a functionally equivalent algorithm for encryption and decryption, but without learning the key. Instance (local) deduction — the attacker discovers additional plaintexts (or ciphertexts) not previously known. Information deduction — the attacker gains some Shannon information about plaintexts (or ciphertexts) not previously known. Distinguishing algorithm — the attacker can distinguish the cipher from a random permutation. Resources Time — the number of "primitive operations" which must be performed. This is quite loose; primitive operations could be basic computer instructions, such as addition, XOR, shift, and so forth, or entire encryption methods. Memory — the amount of storage required to perform the attack. Data — the quantity of plaintexts and ciphertexts required. Breaking Ciphers This means finding any method to decrypt the message that is more efficient than simple brute force attempts. Brute force is simply trying every possible key. If they algorithm uses a 128 bit key that means 2128 possible keys. In the decimal number system that is 3.402 * 1038 possible keys. If you are able to attempt 1 million keys every second it could still take as long as 10,790,283,070,806,014,188,970,529 years to break. Breaking Ciphers Cryptanalysis is using other techniques (other than brute force) to attempt to derive the key. In some cases cryptographic techniques are used to test the efficacy of a cryptographic algorithm. Such techniques are frequently used to test hash algorithms for collisions.You must keep in mind that any attempt to crack any non-trivial cryptographic algorithm is simply an ‘attempt’. There is no guarantee of any method working. And whether it works or not it will probably be a long and tedious process. This should make sense to you. If cracking encryption where a trivial process, then encryption would be useless. Frequency Analysis This is the basic tool for breaking most classical ciphers. In natural languages, certain letters of the alphabet appear more frequently than others. By examining those frequencies you can derive some information about the key that was used. This method is very effective against classic ciphers like Caesar, Vigenere, etc. It is far less effective against modern methods. In fact with modern methods, the most likely result is that you will simply get some basic information about the key, but you will not get the key. Remember in English the words’ the and and are the two most common three letter words. The most common single letter words are I and a. If you see two of the same letters together in a word, it is most likely ee or oo. Known Plain Text/ Chosen Plain Text In this attack the attacker obtains the ciphertexts corresponding to a set of plaintexts of his own choosing. This can allow the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key. This can be difficult but is not impossible. Cipher Text Only Ciphertext-only: The attacker only has access to a collection of cipher texts. This is much more likely than known plaintext, but also the most difficult. The attack is completely successful if the corresponding plaintexts can be deduced, or even better, the key. The ability to obtain any information at all about the underlying plaintext is still considered a success. Related Key attack Related-key attack: Like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. This is actually a very useful attack if you can obtain the plain text and matching cipher text. Linear Cryptanalysis Linear cryptanalysis is based on finding affine approximations to the action of a cipher. It is commonly used on block ciphers. This technique was invented by Mitsarue Matsui. It is a known plaintext attack and uses a linear approximation to describe the behavior of the block cipher. Given enough pairs of plaintext and corresponding ciphertext, bits of information about the key can be obtained. Obviously the more pairs of plain text and cipher text one has, the greater the chance of success. Remember cryptanalysis is an attempt to crack cryptography. For example with the 56 bit DES key brute force could take up to 256 attempts. Linear cryptanalysis will take 243 known plaintexts. This is better than brute force, but still impractical for most situations. Linear Cryptanalysis With this method, a linear equation expresses the equality of two expressions which consist of binary variables XOR’d. For example, the following equation, XORs sum of the first and third plaintext bits and the first ciphertext bit is equal to the second bit of the key: You can use this method to slowly recreate the key that was used. Linear Cryptanalysis Now after doing this for each bit you will have an equation of the form we can then use Matsui's Algorithm 2, using known plaintextciphertext pairs, to guess at the values of the key bits involved in the approximation. For each set of values of the key bits on the right-hand side (referred to as a partial key), count how many times the approximation holds true over all the known plaintext-ciphertext pairs; call this count T. The partial key whose T has the greatest absolute difference from half the number of plaintext-ciphertext pairs is designated as the most likely set of values for those key bits Differential Cryptanalysis Differential cryptanalysis is a form of cryptanalysis applicable to symmetric key algorithms. This was invented by Elii Biham and Adi Shamir. Essentially it is the examination of differences in an input and how that affects the resultant difference in the output. It originally worked only with chosen plaintext. Could also work with known plaintext and ciphertext only. Differential Cryptanalysis By analyzing the changes in some chosen plaintexts, and the difference in the outputs resulting from encrypting each one, it is possible to recover some properties of the key. Differential Cryptanalysis Differential Cryptanalysis is a Chosen Plaintext attack. By analyzing the Cipher, Differential Characteristics are discovered and used to discover information about the key. This technique doesn’t recover the key, but it attempts to reduce the number of possible keys so that it is possible to find the key in a reasonable amount of time. Other methods Higher Order Differential Cryptanalysis Truncated Differential Cryptanalysis Impossible Differential Cryptanalysis Boomerang Attack Mod-n cryptanalysis Boomerang Attack Other Techniques • • • • Seeking clues Using other passwords Learning about the subject Tricking the person into giving you the password Questions ceasttom@cec-security.com www.CEC-Security.com