Brute Force Cracking the DES
1 Working Late June 7, 997, :5 P.M
Largely as a result of the government’s fiat, DES was used to protect sensitive data stored on computers in banking, insurance, health care, and essentially every other industry in nearly every part of the world. Sanders installed DESCHALL, the quiet little computer was trying to find the single key out of more than 72 quadrillion (72,000,000,000,000,000) that would unlock the secret message.
Quite suddenly, just before midnight, the computer’s DESCHALL program came to a halt. When Sanders came to work at iNetZ the following morning, this unassuming computer was displaying an urgent message on its screen.
2 Keeping Secrets
The process of encrypting and decrypting messages essentially consisted of taking a handwritten message, looking up the correct corresponding symbol on a chart, and writing the symbol on the paper that would actually be delivered to the recipient, who would in turn look at the chart and convert the ciphertext back to the plaintext by hand, one letter at a time. The recipient will then need to know the keyboard layout used by the sender in order to recognize that the V in the message was created by striking the A key, and write “A” on a scratch pad.
3 Data Encryption Standard
S-boxes are the part of the algorithm that control how the data are permutated as they move from step to step along the process of being converted from the readable message to the encrypted result (or vice-versa), much like the rotors of Enigma. This, Hellman and Diffie responded, meant that the objection to the feasibility of a brute-force attack on the basis of design and control
Another matter of concern was the reliability of the computer—a more visible concern in the computing technology of the 1970s than it is today.
purpose chip would dramatically increase the speed of the operation
(This works much like a scavenger hunt. Hiding twenty items—akin to encryption—is not significantly harder than hiding ten items, though finding those twenty—akin to brute-force decryption—would take dramatically more time than finding ten.) The difference in the cost of operation of a 128-bit system and a 56-bit system was negligible, but the payoff in terms of greater security was significant. Building on top of the debates during the NBS DES standardization process over the hardware requirements for DES-key-cracking computers, the published Diffie and Hellman design was estimated to cost $20 million to build, and would be able to break DES keys in roughly twelve hours each.
4 Key Length
Decryption of the message requires the recipient have exactly the same one-time pad (the same key) and that the keys remain in perfect synchronization; if the sender starts to encrypt the next message with the thirteenth digit of the pad and the recipient starts to decrypt the message with the fourteenth digit of the pad, the result will be incomprehensible. The beauty of the Vernam Cipher is that when we find the key—which we will, if we perform an exhaustive key search of all possibilities—we’ll have no way of knowing that it’s the same key that was used by the users of the system.
In an effort to resist frequency analysis, I found that I could normalize frequency of letters and numbers appearing in ciphertext if instead of creating a simple one-to-one relationship between plaintext and ciphertext (e.g., where A is always written as M), a plaintext character could be mapped to a group (e.g., where A could be written as M or 1). My friends and I were able to use my systems to keep our secret plans to rendezvous at the library safe from the prying eyes of our “adversaries.” But the experience was valuable and ultimately helped me to develop expertise in cryptography that would allow me to protect information from significantly more sophisticated cryptanalysts than teachers and parents.
6 RSA Crypto Challenges
The first contest was a $1000 prize for breaking a message protected by 40-bit RC5, a $5000 prize for the 48-bit RC5 contest, and a purse of $10,000 went to anyone for decrypting the message in the other contests which ranged from 56-bit to 128-bit configurations of the RC5 cipher. If the computer did not find the key by the time it had tried the entire set (or “block”) given to it by the keyserver, the computer would report back to the server that it had tried all of the keys in the range that it had been given and ask for another range.
7 Congress Takes Note
Finally focusing on the most vocal part of the cryptography debate, Crowell said, “I would like to help clarify some of the frequently-repeated factual errors regarding encryption so we all can stand on firm ground during the formation of the nation’s encryption policies.” Crowell argued that basing long-term cryptographic policy on key size and brute-force attacks is shortsighted. If all the personal computers in the world, 260 million computers were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message (assuming that each of those workstations had processing power similar to each of the Berkeley student’s workstations).
Increasing the number of computers looking for the key is one way to increase the efficiency of the search, but two other important options are available to the cryptanalyst who wants to use a brute-force attack. If a program was generated by a compiler, its speed is nowhere near what it would be if the programmer with the skill took the extra time to write the program in a language that the computer can understand.
9 Organizing DESCHALL
Not wanting to break the law on cryptographic software export, Johnson developed a system that would allow his software to be distributed after providing notice that the software is subject to export restrictions and getting some verification that the user is allowed to download the software. The problem with this approach was that it would simply take too long to prepare software for publishing, to have the printing and shipping done, and for the recipients to run the paper through the necessary optical character recognition software needed to turn the printed source code into working software.
10 Needle in a Haystack
Looking for the right key out of all possible DES keys is a big job, basically the equivalent of searching for a needle in a haystack of 72 quadrillion strands. After crunching the numbers we see that our haystack is roughly two and a half miles wide and over a mile high.” Dolske hit the “send” button and shot a copy of his observation to the DESCHALL mailing list for other participants to see.
Assuming that such keys are two inches long, if you laid them end to end, you’d have a line of keys long enough to circle the sun 3894 times. To try so many possible keys, our DES key-cracking system was going to need a lot more clients, since they would be doing the real work of the DESCHALL project.
11 Spreading the Word
Shortly thereafter, my call was returned, and the bank representative and I engaged in an interesting discussion about cryptography, to share details of how DES was used in the banking industry, he was willing to verify for the record certain vague statements like “DES is heavily used in the financial sector.” He expressed serious interest in the project, wished us success, and said that he would be watching our progress from “a safe distance.”
Tuesday, April 8, 7:22 A.
Once the release was put on my Web site and posted to the DESCHALL mailing list, participants began calling local media, pitching a story about the project, with a connection that would be of interest to local news organizations—someone from the immediate community participating in a nation-wide effort.
12 The Race Is On
Most of our processing power was coming from universities—not really a surprise, given the kind of cultural differences between corporations that wanted to reduce complexity on their production systems and the comparatively freewheeling universities where people often run programs for no other reason than that they could. Students at Worcester Polytechnic Institute (WPI) in Massachusetts managed to work their way to second place in the per-domain rankings by running the DESCHALL clients on their own personal computers in the middle of March.
25 Rochester Institute of Technology
40 Worcester Polytechnic Institute
Having seen the impact of these machines on the project overall and the role they played in taking Oregon State to first place, lab management started approaching other lab administrators and trying to drum up more support for the project and for Oregon State’s ranking. The end result would be that people who needed to use the computer would not need to share any of their system’s resources with a piece of software like DESCHALL, and that when these computers were not being used, their spare CPU cycles could contribute large amounts of effort
Friday, April 11
Megasoft Online, Columbus, Ohio
I looked over our statistics to see just how much progress we were making.
13 Clients
Those statistics showed us that we had come a long way since March
A complementary key is like a photographic “negative.” Although the colors are backward, the first few steps in identifying the subject of the photo (finding the outlines) will be the same for both the photographic print and the negative. Originally written in 1973 at AT&T Bell Laboratories by Brian Kernighan (pronounced “Kern-ih-han”) and Dennis Ritchie for the purpose of building the Unix operating system, the language had two important properties that mattered to Verser: it was fast and it was portable, meaning that its code would require very little effort to build on different computer types.
As Rocke Verser originally designed the DESCHALL system, there were only two components: the key-testing client software that project participants would run on their computers and the keyserver that would keep the clients coordinated, making sure that each DES key was being tested—and tested only once. So, Trei created his DESKR software and made it available for people to run if they chose, but he had no “project” to manage and no way to know how much work was being done by DESKR clients that people were running.
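The client and keyserver split described above, together with the block hand-out described in the RSA challenge chapter, as an added example (not DESCHALL's own code). The 16-bit keyspace, the hash-based `toy_encrypt` stand-in for DES, the client names and the rule that a report is accepted only from the client holding the block are assumptions made for illustration.

```python
import hashlib

KEY_BITS, BLOCK_BITS = 16, 10                 # constructed toy sizes; DES keys are 56 bits
KNOWN_PLAINTEXT = b"constructed known text"   # sample input made up for this example

def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Stand-in for DES (assumption): XOR with a keystream hashed from the key."""
    stream = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))

class KeyServer:
    """Hands every block of keys out exactly once and records the reports."""
    def __init__(self, key_bits: int, block_bits: int):
        self.block_size = 1 << block_bits
        self.pending = list(range(1 << (key_bits - block_bits)))  # block ids not yet issued
        self.assigned = {}      # block id -> client that currently holds it
        self.done = []          # block ids that have been reported on, in order
        self.found = None

    def request_block(self, client: str):
        """Return (block id, key range), or None once there is nothing left to do."""
        if self.found is not None or not self.pending:
            return None
        block = self.pending.pop(0)
        self.assigned[block] = client
        start = block * self.block_size
        return block, range(start, start + self.block_size)

    def report(self, client: str, block: int, key):
        """Accept a result only from the client the block was issued to."""
        if self.assigned.get(block) != client:
            raise ValueError("report for a block this client does not hold")
        del self.assigned[block]
        self.done.append(block)
        if key is not None:
            self.found = key

def client_search(keys, ciphertext: bytes):
    """Try every key in the block; return the match, or None for "key not found"."""
    for key in keys:
        if toy_encrypt(key, KNOWN_PLAINTEXT) == ciphertext:
            return key
    return None

def run_project(secret_key: int, clients=("alpha", "beta", "gamma")):
    """Round-robin the clients against one server until the key turns up."""
    ciphertext = toy_encrypt(secret_key, KNOWN_PLAINTEXT)
    server = KeyServer(KEY_BITS, BLOCK_BITS)
    turn = 0
    while (job := server.request_block(clients[turn % len(clients)])) is not None:
        block, keys = job
        server.report(clients[turn % len(clients)], block, client_search(keys, ciphertext))
        turn += 1
    return server.found, server.done

if __name__ == "__main__":
    print(run_project(5000))
```

Because the server is the only place that knows which blocks are pending, held or done, it is also the only place that can say how much of the keyspace has been covered.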
This was a lot like being on vacation and sending a letter to a friend back home: you know what you’re going to write (“Having a great time! Wish you were here!”) but you have to decide whether you prefer the economy and convenience of a postcard over the cost and reliability of certified mail. ,” and “Stop working.” Though the messages were important, Verser decided that it was best to use UDP and then to have the DESCHALL client software simply wait for a few minutes after sending a message; if no response came back, the software would just repeat the send-and-wait procedure until it did get a response.
When a discussion on the DESCHALL mailing list turned to what the client would report once it had found the right key, Woodbury wrote about what he had done and posted a copy of the source code for his software to search the logs, thinking that perhaps someone else would find the software useful. Verser could, for example, configure the keyserver to check the version of the client software that a user had, and if it was particularly old or needed to be replaced for some reason, send an informational message back to the client encouraging the user to upgrade to the latest version of the client software.
COMMAND or CMD), which was essentially the same as the old DOS com-
Since the system was not connected to the Internet all the time, it had to wait for Gilchrist to connect to his ISP via dial-up modem. When it saw the “Key not found” message followed by a message that the keyserver could not be reached because the network was down, it would run a program to get the machine connected to the Internet.
Other OS/2 users began making use of Korte’s program, thus mak-
After the U2T system was running, the users would then start their DESCHALL clients, but instead of telling the clients to use the real DESCHALL keyserver—to which the firewall would block access—the user would tell the DESCHALL client that the U2T server was the keyserver. The U2T server would receive the message in a UDP datagram from client and put exactly the same message in the form of an HTTP message, which would get put into a TCP packet, which would get put into an IP packet, and then sent to the firewall with an ultimate destination of one of the three T2U servers that Justin Dolske and I ran at Ohio State and Megasoft, respectively.
The T2U server would listen for HTTP messages inside of TCP
Just as the participant’s U2T server took the client request out of the UDP datagram and put it into an HTTP message, the T2U server would take the client request out of the HTTP message, create a new UDP datagram, put the client request into that datagram, and then send that datagram to the keyserver. Adding the T2U servers to the architecture and distributing U2T software that participants would run behind their firewalls satisfied all of our requirements: DESCHALL could work safely through firewalls without requiring any changes to be made in the firewalls, the DESCHALL clients, or the keyserver.
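The UDP-in-HTTP hand-off described above, as an added example (not Dolske's gateway code, whose wire format the page does not give). The POST framing, the `/relay` path, the `t2u.example` host and the 1024-byte limit are assumptions; the point shown is that TCP delivers a byte stream, so the T2U side has to recover the datagram boundaries itself and should reject anything that does not parse.

```python
MAX_DATAGRAM = 1024    # assumed upper bound on one client message
MAX_HEADER = 4096      # assumed upper bound on the HTTP header block

def u2t_wrap(datagram: bytes, gateway: str = "t2u.example") -> bytes:
    """U2T side: carry the client's UDP payload, unchanged, as an HTTP POST body."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large to relay")
    head = (f"POST /relay HTTP/1.0\r\nHost: {gateway}\r\n"
            f"Content-Length: {len(datagram)}\r\n\r\n")
    return head.encode("ascii") + datagram

def content_length(head: bytes) -> int:
    """Validate the request line and return the declared body length."""
    lines = head.decode("ascii", "replace").split("\r\n")
    if not lines[0].startswith("POST "):
        raise ValueError("not a relay request")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            n = int(value.strip())          # ValueError if it is not a number
            if 0 <= n <= MAX_DATAGRAM:
                return n
            raise ValueError("declared length out of range")
    raise ValueError("missing Content-Length")

class T2UReassembler:
    """T2U side: turn bytes read from the TCP socket back into whole payloads."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        """Add one TCP read; return every payload that is now complete."""
        self.buf += chunk
        ready = []
        while True:
            head, sep, rest = self.buf.partition(b"\r\n\r\n")
            if not sep:                      # header block still incomplete
                if len(self.buf) > MAX_HEADER:
                    raise ValueError("header block too long")
                return ready
            length = content_length(head)
            if len(rest) < length:           # body still in flight
                return ready
            ready.append(rest[:length])      # this becomes a new UDP datagram
            self.buf = rest[length:]

def relay(datagrams, chunk_size: int = 7) -> list:
    """Simulate the path: wrap each datagram, deliver the stream in small reads."""
    stream = b"".join(u2t_wrap(d) for d in datagrams)
    t2u, forwarded = T2UReassembler(), []
    for i in range(0, len(stream), chunk_size):
        forwarded += t2u.feed(stream[i:i + chunk_size])
    return forwarded
```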
Even so, RSA’s DES Challenge was a bit like a scavenger hunt where after there was a winner, a prize would be shared with everyone: any team finding the right key would hasten the development of a stronger standard to replace DES—a prize for everyone—but we were all hoping to be the one that found the key. That confusion led some people who heard about DESCHALL to go to the site to download the client and pick up the first DES Challenge client in the alphabetical list—which was for the DES Violation Group.
should be directed to DES Violation Group, rather than DESCHALL. The DESCHALL keyserver had been online since January and clients
Using the graphs to show past progress and to project future rates, we could see that despite the tremendous amount of work that remained, there was light at the end of the tunnel. In fact, if we could sustain our exponential growth, we would have half of the keys tested after eighty-seven days of work (only fifteen days away!), and the entire keyspace tested in ninety-six days, about the end of the first week of June.
As he thought about what summer would bring, he realized that many students who were participating in DESCHALL might not be able to be involved in the project over the summer, particularly if they didn’t have ready access to the Internet or large numbers of more powerful computers. Others, including Brian Osman, a student helping to coordinate DESCHALL participation at RPI (Rensselaer Polytechnic Institute), pointed out how much of the total key testing was being done on student-owned machines that would almost certainly need to use inconvenient dial-up connections and compete for time on the telephone line with other family members.
Wednesday, April 16
Yale University, New Haven, Connecticut
“It probably also voids our warranty with HP to run programs like this because it is an undue strain on the processor.” Harris could not believe his ears: he knew perfectly well that whether the computer was sitting idle or performing the world’s biggest computation was irrelevant to the processor. “Tell them that if they can make a nice client that doesn’t run the processor too hard, we’d be happy to help.” Harris knew that not much could be done with someone who was both nice enough to look at the problem and to offer help if some accommodations could be made but clueless enough to think that the processors could ‘wear out.’ He walked away, shaking his head.
This had a lot to do with the number of keys being tested toward the end of the project, which was the highest part of the end of the exponential curve. The users of these marginalized systems often sought opportunities to contradict the myth of Windows ubiquity, and any study or project that would rank participation by platform provided the kind of data that the enthusiasts needed to show that their platforms were a force to be reckoned with.
Sunday, April 20
Columbus, Ohio
Justin Dolske and I put the “T2U” (TCP to UDP) gateways into production and released the corresponding “U2T” (UDP to TCP) proxy software that would allow people to participate in DESCHALL by running clients from behind firewalls. This was an important requirement for gateway software, since participants on corporate networks could have any kind of systems in use and we could not put the same kind of effort into building and maintaining gateway software that we put into the key-testing clients.
After seeing that Dolske’s U2T software wouldn’t work on his Windows
Since the Dolske gateway code was already released in the form of source code (the human-readable version of a program), thus showing very clearly how the internal gateway needed to communicate with the external gateways that Dolske and I were running, I assumed that other contributions of gateways would simply be replacements for the internal (U2T) proxy, making use of the T2U servers that Dolske and I had in production for the whole project. When Corey Betka at the University of Illinois at Urbana-Champaign approached a system administrator who had charge of over 150 machines, the system administrator explained that she’d be happy to run the clients on all of the machines in her care, if he was willing to help on a “project” of hers.
People working on our project—and competing projects—understood that we were not just trying to find a needle in a haystack, but that we were attempting to complete a huge computation—maybe the world’s largest to date. With 1997’s growth, that could mean that just in the time that the service provider waited for a circuit, the number of users would have increased anywhere from just under ten percent to twenty-five percent.
While the network providers struggled to accommodate the ever-
In most cases, the outage wasn’t a problem with the DESCHALL keyserver or even its connection to the Internet but simply due to ISPs having more traffic on the network than the infrastructure could support. If your ISP hung up on you while you were reading a Web page, when you clicked a hyperlink, you’d need to wait for your system to dial up again, hope that you didn’t get a busy signal, and then wait for the connection to be reestablished.
Weage had just heard about the DESCHALL project and decided that he wanted to help, so he went to the North American Cryptography Archive to download a client for his personal Pentium machine. He then decided to run the DESCHALL client software on one of Michigan Tech’s Sun machines running the Solaris operating environment on a SPARC processor.
Having made the same mistake himself, Harris immediately recog-
Two different testing mechanisms were used: one based on the domain name system (DNS) that maps computer system names to IP addresses and the other based on the data from the registrars that manage domain names. This was a good test, because it would mean that two different sets of network managers (those who manage IP address space, and those who manage the domain name space) either agreed on the name and IP address of a system or independently delegated naming authority to the same person, which would also mean that person could name the machines whatever he wanted.
software and answer “yes” to all three questions on the questionnaire. Dolske’s software would perform its DNS lookups and see that Renée’s
If you believe you have received this message in error, please mail us a note containing: The time and day you received this denial (so that we may
Being clever (and somewhat naughty, as network administrators frequently are), Renée might decide that Dolske’s DESCHALL client archive software could tell she was coming from France based on the mapping of IP addresses to domain names, and that she could work around that since she had authority to change the address-to-name mappings. Renée would be denied access a second time, seeing the same message with a different error code: “Export check 2 failed.” The only way that Renée would be able to get around this system would be to find someone in the U.