Newsgroups: sci.crypt
From: kaplan@bpavms.bpa.arizona.edu (Steve... friends don't let friends do DOS.)
Subject: Is DES breakable?
Keywords: DES breakability
Message-ID: <23MAR199319384593@bpavms.bpa.arizona.edu>
Date: 24 Mar 93 02:38:00 GMT
Organization: University of Arizona MIS Department
Lines: 201

Greetings sci.crypters

This is a lengthy posting born of my idea that one good turn deserves
another. Carl Ellison (cme@ellisun.sw.stratus.com) was kind enough to send
me the outdated, but still useful FAQ for this newsgroup. So, I figure
that I should add to the positive karma of it by sharing some stuff. Not
new news - just restatement of what some have already said. Hope that it
is worthy of your time. If not - send me mail and complain! In other
groups I get flamed for not being able to find my butt in the dark with
both hands, so - sorry if I've violated any status quo of which I am not
aware!

RayK 8)

----
(Previously submitted for publication in Wynn Schwartau's Security Insider
newsletter: 1157 Grove St. N., Seminole, FL 34642, 813-393-6600 and the
Computer Security Institute's ALERT newsletter: 600 Harrison St., San
Francisco, Ca. 94107, 415-905-2370)

Is DES breakable? Of course.
by Ray Kaplan
Copyright Ray Kaplan 1993 - All rights attempting to be reserved - At
least, please make the cite correct if you use it!

Day two of the second annual RSA Data Security
Conference in Redwood City, CA (January 15, 1993) was packed
full of great sessions. Right out of the can in the
cryptographer's track was Dr. Martin Hellman presenting a talk
entitled DES Revisited. The Data Encryption Standard (DES) was
first approved in January 1977, so it is now 16 years old. NIST
did approve extending it at least once since then, but "the DES"
(as crypto insiders seem to refer to it) is due for a look-see.

Since Dr. Hellman has been involved with DES from its
beginning, I trust his critical academic appraisal - especially
since he and Whit Diffie were embattled with NBS over
questions of key size and the existence of trap doors when DES
was being introduced. On the question of DES breakability, I
like his approach. They designed an attack on DES that is based
on the most intensive cryptanalysis: exhaustive search. The
beauty of this theoretical DES solution machine is that it can be
used for plain text, ciphertext and chosen text attacks on the
algorithm. Solve the hardest problems first and the easy ones
follow quickly, I say.

He presented their 1976 design for an exhaustive DES solution
engine and updated it to 1993. Since the DES algorithm is
roughly equivalent to 6,000 gates, it is about the complexity of
a Z80 microprocessor to implement in silicon. DES uses a 64 bit
key with 8 bits reserved for parity and that means that there
are 2**56 (10**17) possible DES keys for any given DES
encoding. Building the exhaustive search machine in 1976
would have required 1,000,000 special DES search engine ICs
and would have cost $20 million. Today, this would be 10,000
special DES search engine ICs since ICs are about 100x denser
than in 1976. Dr. Hellman points out that the $20M cost figure
has been criticized as optimistic and he indicates that his
estimate may have been a bit low. $50M is a safer figure and
doesn't change his basic argument about how you go about
breaking the DES.

In 1976, their solution machine yielded one DES solution per
day at a cost of $10,000 each. Updating this to 1993 costs and
computing speeds, the capital cost of such an exhaustive search
DES solution machine that would yield one DES solution per day
would be between $1 and $10 million. This nets a cost
per DES solution of only $100. Dr. Hellman points out that the
$10M figure is a relatively safe one that includes the design
cost. The $1M figure is optimistic if it includes design cost, but
is safe if it is the replication cost after design. Replication cost
matters should one want to build more than one machine - quite
possible depending on who one is and how many messages he would
like to read. He also indicated the replication cost might go as
low as $100k per machine. The $100 figure per solution was
an order of magnitude estimate. It could be as high as $1,000
(using the $10M figure) or as low as $10 (using the $100k
figure).

Each such special DES search engine IC would be about as complex
as a modern 386 microprocessor and cost about as much as a
Z80 to design. The whole machine has 10,000 such search
chips. The reason: the 1976 design (comparable to a Z80) is
replicated 128 times on the chip, but only needs to be designed
once. Using 128 search engines per IC (plus spares) and a
common data bus (considering the very low I/O level), the DES
solution machine has only about 10,000 ICs.

Past the fascinating technical details of his machine were his
summary comments about DES. It has many honors: world's
most widely used, cheapest and public cryptosystem. Despite
major incentives, it has not been publicly broken. For those
who remember him as a combatant 15 years ago, it might be
helpful to mention that he indicated that he has recognized that
in the heat of previous battle, he tended to overlook arguments
that supported NSA/NBS and was trying now, with the benefit
of age and a relative peace, to summarize the pros and cons in
a more unbiased fashion.

His concerns: 1) the 56 bit key size allows exhaustive searches
by dedicated opponents at a capital cost of between $1 and $10
million, 2) Biham and Shamir's differential cryptanalysis can
break an 8 round DES implementation and 3) DES's design
principles are secret (despite the fact that the algorithm itself
is public) and may allow trap doors. His conclusions: there is
probably no trap door in DES, but the 56 bit key size and
decades of experience in production cryptanalysis probably
give the NSA and its foreign counterparts a crude trap door.
According to Dr. Hellman, this needs a bit of explanation since
these two ideas sound counter to one another. He
indicated that, while he was very concerned about a possible
trap door in the 70's, direct denial of NSA pressure on S-box
design from relevant IBM personnel caused him to doubt their
presence for some time. However, he says he could be wrong,
hence the "may allow" in his statement about possible trap
doors. The key appears to be that it is all speculation since the
design principles of DES (not the algorithm itself) are carefully
guarded.

In summary: DES protected data is probably secure against all
commercial attacks today, but is almost surely vulnerable to
attack by a major power. DES will continue to dominate the
market for a decade. He recommends immediate triple
encryption (the use of a 48 round algorithm - "standard DES"
uses a 16 round algorithm) to defeat differential cryptanalysis.
Continued federal support of DES is critical to vendors and
users.

In the end, he admonished NIST/NSA to stop dragging their
feet on a public key exchange standard but suggests that
perhaps a de facto standard is better (in which case it doesn't
matter if NIST/NSA do anything since RSA and Diffie-Hellman
are filling this de facto role). Adding some humor, he softened
the harsh "dragging their feet" in his talk by noting that NIST's
Dennis Branstad credited his ruckuses for two promotions and
indicated that Branstad had asked him to help him with a third.

As is usually the case, the hallway conversations were best.
We speculated on cheap DES solution machine technology. The
fact is that for about $5,000 you can buy a gate array
programmer and at a cost of about $250 per part, you could
build your own DES solution machine without the cost and
complexity of a custom silicon implementation. Scary, huh?
Yes. But the higher cost per part translates into a
higher cost per solution so you'd have to check the speed,
density, etc. and see what the associated cost would be.

I asked Hellman how in the hell a layman could possibly keep
up with this crypto technology and come to trust it. His answer
was revealing: read and study it - get politically involved and
it will yield to your efforts. He suggests that you contact your
congressional rep and let them know you are unhappy at DoD
(NSA) messing around with your personal privacy (e.g. medical
records are protected by DES) when Commerce is supposed to
be setting standards with regard to commercial and individual
needs, rather than NSA's needs. He said that a reasonably
trained EE or CS type can understand the technical details and
you have a responsibility to help keep the technology on track
and to help answer some of the hard questions surrounding its
use. Go find a trusted member of the community to talk with
about these important issues.

We also had a spirited discussion of Dr. Hellman's involvement
with the Russian Institute for Problems of Information
Transmission (IPPI after the Russian name Institut Problem
Peredachi Informatsii) in his efforts to help some old friends of
his and help the budding democratic movement in the former
Soviet Union. I agree with him that we need to help them. I
was comforted to find that this world-class cryptographer is
quite a humanitarian. I agree that we do have a responsibility
to help - lest we see our technology (such as cryptography)
protect and nurture backward and barbaric customs. Consider
that white supremacist groups such as the KKK and the Aryan
Nation are a similar threat to our humanity right here in our
own back yard. Heady stuff. The IPPI is interested in hard
currency (e.g.: dollar vs. ruble) contracts for work. They are
reported to be quite a bit less expensive than other
alternatives. If you are interested in hiring them, you can
contact Deputy Director Dr. Josef Ovseyevitch at IPPI via Email
at ovseev@ippi.msk.su. They are interested in error
correcting/detecting codes, data compression, crypto, signal
processing, computer and communications networks,
computational linguistics and machine translation, and
experimental data processing.

My thanks to Dr. Hellman for help in writing up this account of
his talk and to Jim Bidzos from RSA for inviting Dr. Hellman to
speak at the RSA Data Security Conference.

Ray Kaplan is a principal in the Tucson, Arizona-based
independent consulting firm Kaplan, Kovara and Associates.
They specialize in systems and network management, and
security with an emphasis on OpenVMS, UNIX, DECnet and
TCP/IP. They are currently producing a series of audio
teleconferences on contemporary security-related topics. For a
catalog of their offerings, contact them at P.O. Box 42650 -
Tucson, AZ 85733 - FAX (602) 791-3325 - (602) 885-2807.
They'll be conducting live audio teleconferences on encryption
and authentication which will include live interviews and
Q/A sessions with Dr. Hellman and other experts on April 7 and
8, 1992.
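
The sizing figures in the article above, worked through as an added example (not part of the original posting or of Dr. Hellman's talk): it derives the per-engine trial rate that the 10,000-IC, 128-engine design implies, and the number of solutions over which each quoted capital cost is spread. It assumes "one solution per day" means a full sweep of the 2**56 keyspace and that cost per solution is capital cost divided by solutions produced; the class and function names are illustrative.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class SearchMachine:
    chips: int = 10_000          # article: about 10,000 ICs in the 1993 design
    engines_per_chip: int = 128  # article: 1976 engine replicated 128 times per IC
    key_bits: int = 56           # article: 64-bit key, 8 bits reserved for parity

    @property
    def engines(self) -> int:
        return self.chips * self.engines_per_chip

    def required_rate(self, days: float = 1.0) -> float:
        """Keys/second each engine must test to sweep the keyspace in `days`.

        Assumption: the article's "one solution per day" is a full sweep.
        """
        return 2 ** self.key_bits / (self.engines * days * SECONDS_PER_DAY)

    def sweep_days(self, rate_per_engine: float) -> float:
        """Days for a full sweep when every engine tests `rate_per_engine` keys/s."""
        return 2 ** self.key_bits / (self.engines * rate_per_engine * SECONDS_PER_DAY)


def solutions_amortized(capital_cost: float, cost_per_solution: float) -> float:
    """Solutions over which capital cost is spread (assumption: no running costs)."""
    return capital_cost / cost_per_solution


def report() -> dict:
    machine = SearchMachine()
    rate = machine.required_rate()
    return {
        "engines": machine.engines,
        "keys_per_engine_per_second": rate,
        # Each extra key bit doubles the sweep time on the same hardware.
        "days_at_57_bits": SearchMachine(key_bits=57).sweep_days(rate),
        "days_at_64_bits": SearchMachine(key_bits=64).sweep_days(rate),
        # Article's (capital cost, cost per solution) pairs in dollars.
        "solutions_amortized": [
            solutions_amortized(c, s)
            for c, s in [(10_000_000, 1_000), (1_000_000, 100), (100_000, 10)]
        ],
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

All three of the article's cost pairs work out to the same 10,000 solutions, which is about 27 years of output at one solution per day.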