
Cracking DES and RSA Encryption

Philip Leong
The Chinese University of HK
phwl@cse.cuhk.edu.hk

http://www.cse.cuhk.edu.hk/~phwl/seminar.html
1
Overview

• Introduction
• Cracking DES
• Cracking RSA
• Weaknesses of cryptography based schemes
• Conclusions

2
DES
• Before DES, no standards for encryption
– Interoperability between organizations difficult
• US National Bureau of Standards requested proposals to solve this problem
– Chose Lucifer (Horst Feistel of IBM)
– Reduced key size from 128 to 56 bits
– Changed s-boxes
• First standardized in 1976
– FIPS46-1, FIPS46-2, ANSI X3.92
– retail and wholesale banking, Networks
– UNIX password encryption uses a “broken DES”
• Believed to be the most widely used cryptosystem in the world

3
SSL - eCommerce
Netscape Navigator 4.74 (export version)

4
DES block diagram

5
One round of DES

6
Expansion permutation

7
S-boxes

8
Decryption

• Same as encryption but substitute K[i] for K[17-i]

9
DES Cracking

• Search 2^56 (72,057,594,037,927,936) keys
– no better way has yet been found after 25 years of research!
• Two successful approaches
– distributed computing
– custom DES hardware

10
Distributed computing approach
(1998)

• DES-II-1 is a competition from RSA labs to decrypt a message encrypted with DES
• Monday, 23-Feb-1998 a solution was found from a distributed computing effort
– took 39 days

11
Project statistics

• Start of contest: January 13, 1998
• End of Contest: February 23, 1998
• Size of keyspace: 72,057,594,037,927,936
• Approximate keys tested: 63,686,000,000,000,000
• Peak keys per second: 34,430,460,000

12
Equivalent computing power

• At the time, Distributed.net was equivalent in processing power to:
– 11,264 DEC Alpha 21064 533s
– 15,316 Sun Ultra I 167s
– 22,393 Intel Pentium II 333s

13
“Deep crack” Hardware cracker

• Developed by the Electronic Frontier Foundation
• Cost US$210,000
– $80,000 design
– $210,000 materials (chips, boards, chassis etc)

14
VLSI Chip

• Developed by Advanced Wireless Technologies
– 24 search units per chip
– 40 MHz
– 16 cycles per encryption
– 2.5 million keys/s

15
Board

• Contains 64 chips

16
Cabinets

• 6 cabinets holding 29 boards

17
Deep crack system
• 90 billion keys/s
– 37,000 search units
– c.f. Distributed Net’s 34 billion keys/s
• Controlled by PC
– checks possible all-ASCII candidate solutions from the search units
• Solved RSA’s DES-III in 22 hours
– Jan 18 1999

18
Attacks on secret key systems
• Brute force search
– Most of the time not needed since it is much simpler to
use one of the below (chain is as strong as its weakest
link)
• Reduced search
– Dictionary
– Passwords chosen from lower case alphabetical
characters
• Plaintext password
– Log keyboard, monitor, network, Trojan horse

19
Encryption

• Cipher feedback (CFB) and output feedback (OFB) modes also common
20
Alternatives

• Triple DES (ANSI X9.52)
• IDEA, Blowfish ... - optimized for software
• Internet task force recommends triple DES, RC2 and RC4
• AES (advanced encryption standard)

21
Multiple Encryption

22
Public vs Secret Key
Cryptography
• Key distribution
– How do we share keys over the internet?
– Use a 1-way function (c.f. anyone can close a padlock, but
only the person with the key can open it)
– In public key cryptography, you make your “public key”
available to everyone. Anyone can send you a message,
but only you can decode it.
• Using this scheme, it is easy to develop key distribution protocols
• Digital signatures
– Only you can encrypt using your private key, others can
tell it was you via your public key

23
RSA Cryptography
• Invented in 1977 by Rivest, Shamir and Adleman
• All major protocols for secure internet transactions (web browsers, OS etc)
• Encryption, key exchange, authentication
• RSA Lab’s FAQ: Estimated installed base of 500 million

p, q prime
N = pq
ED = 1 mod (p-1)(q-1)
C = M^E mod N
M = C^D mod N

24
Example (not very secure)
• p=11, q=7 (secret)
• N=pq=77 & E=13 (public)
• Anyone can encrypt a message e.g. M=4
– 4^13 mod 77 = 53
• Decryption
– (p-1)(q-1)=60, 13·37 mod 60 = 1 (D=37)
– 53^37 mod 77 = 6283580383636683322486356945483938304940731973668146791149026213 mod 77 = 4
25
Performance

• Hardware implementations
– DES 1Gbits/s
– 512 bit RSA 600Kbits/s (1500 times slower)

26
RSA Security

• The security of RSA hinges on the difficulty of finding p,q from N (factoring)
– if we know p,q we can easily compute D
– for reasonable security, M > 512 bits
• Technically a lot more difficult than DES (maths a lot more complicated - “number field sieve”)

27
Factoring Facts
• Problem: given n=pq, find p and q
• For any (odd) n, if n=pq then it can be expressed in the form
n = (x-y)(x+y) = x^2 - y^2
(with x=(p+q)/2 and y=(p-q)/2. p and q must be odd.)
• If we can find (x,y) s.t. n = x^2 - y^2 we have solved the problem (Fermat 1601-1665)
• Instead look for “random” (x, y) s.t. x^2 ≡ y^2 (mod n). This does not solve the problem directly, but n divides x^2 - y^2 and there is a 50% chance that GCD(n, x-y) is a nontrivial factor of n (Kraitchik 1882-1957)
• Modern large number factoring methods use this idea & try to find (x,y)

28
Dixon’s Algorithm
• Let factor base (fb) p_1, p_2, …, p_m be the first m primes
• Randomly choose an integer r
• Let g(r) = r^2 mod n and factorize g(r) wrt fb. If it does not factor completely over fb, choose another r.
g(r) = p_1^{a_1} · p_2^{a_2} · … · p_m^{a_m}
• Let v(r) = (a_1, a_2, …, a_m). If all a_i are even, g(r) is a perfect square and we have found g(r) ≡ r^2 (mod n) (but not likely to happen)
• Do the above for many r and construct many vectors w(r) = (b_1, b_2, …, b_m) where b_i = a_i mod 2
29
Dixon’s Algorithm
(Gaussian Elimination)
• Collect many such w(r_i) (binary vectors with elements mostly 0)
• Perform Gaussian elimination modulo 2 on these vectors to find a subset of r_i’s for which the product of the corresponding g(r_i)’s is a perfect square
g(r_1) · g(r_2) · … · g(r_t) ≡ r_1^2 · r_2^2 · … · r_t^2 (mod n)
• Both sides are perfect squares and there is a 50% chance this yields a factor of n

30
Example: factorize 119
• Factor base 2,3,5
• r_1=60, g(r_1) = 60*60 mod 119 = 30
30 = 2^1·3^1·5^1, v_1=(1,1,1), w_1=(1,1,1)
• r_2=82, g(r_2) = 82*82 mod 119 = 60
60 = 2^2·3^1·5^1, v_2=(2,1,1), w_2=(0,1,1)
• r_3=11, g(r_3) = 11*11 mod 119 = 2
2 = 2^1·3^0·5^0, v_3=(1,0,0), w_3=(1,0,0)

Rows w_1, w_2, w_3:
1 1 1
0 1 1
1 0 0
• Adding all the rows mod 2 we get 0 0 0
(2^1·3^1·5^1) · (2^2·3^1·5^1) · (2^1·3^0·5^0) ≡ 60^2 · 82^2 · 11^2 mod 119
i.e. 60^2 ≡ 54120^2 mod 119
gcd(54120-60, 119) = 17
so 119 = 17 × 7
31
Number Field Sieve
• Attempts to construct a solution to
– x^2 ≡ y^2 (mod N)
– Then GCD(x-y, n) is a factor of n
• Step 1: factor many congruences of form
– C ≡ D mod N where there is a special relation between C and D
– C, D factor wrt a fixed set of primes called the factor base: c_i = d_i mod N where c_i, d_i in factor base
– Congruences are found by sieving all primes in factor base over a long sieve interval
• Step 2: Look for a set of these congruences which when multiplied gives squares on both sides
– Done by solving a large set of linear equations
• Step 1 takes most of the time but can be parallelized, step 2 difficult to parallelize

32
Historic Factoring Records

33
512 bit RSA
• RSA-512
– Aug 1999: factored in 3.7 months, 35.7 CPU years,
approx 300 computers + a Cray 916
– Montgomery
– Number field sieve
• Simon Singh: The Code Book
– October 2000: factored by a team of students at the
Royal Institute of Technology, Sweden
– Used same code as above

34
Timing Attacks
• RSA: M = C^D mod N (D private key)
• Exponentiation algorithm:
    Let s_0 = 1.
    For k = 0 upto w-1:
        If (bit k of D) is 1 then
            Let R_k = (s_k · C) mod n.
        Else
            Let R_k = s_k.
        Let s_{k+1} = R_k^2 mod n.
    EndFor.
    Return (R_{w-1}).
• If D_k=1 need to do multiplication which takes longer than if D_k=0
⇒ we can deduce if D_k=1
• If we have a lot of different (C, timing) pairs, can deduce D (signal detection problem)
• Paul Kocher (22 yr biology student)
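
The exponentiation loop from this slide next to a Montgomery ladder, which does the same work for every key bit. This is an added example, not code from the talk; the count of modular multiplications stands in for running time, and the function names and the `width` parameter are assumptions.

```python
def modexp_leaky(c, d, n, width):
    """The slide's loop, bits of d taken MSB first. Returns (c^d mod n, op count)."""
    s, r, ops = 1, 1, 0
    for k in reversed(range(width)):
        if (d >> k) & 1:
            r = s * c % n          # extra multiplication only when the key bit is 1
            ops += 1
        else:
            r = s
        s = r * r % n              # squaring happens for every bit
        ops += 1
    return r, ops

def modexp_ladder(c, d, n, width):
    """Montgomery ladder: one multiply and one square per bit, whatever the bit is."""
    r0, r1, ops = 1, c % n, 0      # invariant: r1 == r0 * c (mod n)
    for k in reversed(range(width)):
        if (d >> k) & 1:
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        ops += 2
    return r0, ops

def op_profile(fn, c, n, width):
    """Map each observed op count to the full-width exponents that produce it."""
    profile = {}
    for d in range(1 << (width - 1), 1 << width):
        profile.setdefault(fn(c, d, n, width)[1], []).append(d)
    return profile

if __name__ == "__main__":
    # Constructed input: the toy key from the earlier slide (N=77, D=37, C=53).
    print(modexp_leaky(53, 37, 77, 6), modexp_ladder(53, 37, 77, 6))
    print(sorted(op_profile(modexp_leaky, 53, 77, 6)))    # count varies with the key
    print(sorted(op_profile(modexp_ladder, 53, 77, 6)))   # one count for every key
```

An equal operation count is necessary but not sufficient: each big-number multiplication must itself run in fixed time, and production RSA code commonly adds blinding of C as well.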

35
Side Channel attacks
• Applicable to any
algorithm which has
different timing (or
e.g. power) for
different inputs

36
(Easier) Ways to get passwords
• Crack cryptography
– Weak algorithm (e.g. Enigma)
– Short keys (Netscape export 40 bits)
• Sniffer attacks
– Look at plaintext passwords sent by ftp, telnet etc
– Keyboard tapping
• Poor Implementations
– Netscape SSL 1.1 PRNG seed easily guessed
– Buffer overflow
• Trojan horse
– WWW based (PayPaI.com)
– Public terminals
• Backdoors
– Microsoft Internet Server “weenies”
• Stored passwords
• Social engineering

37
Conclusion
• DES and RSA can be cracked but probably not
worth the effort
– 3-DES and 1024 RSA probably will not be cracked in
the next 10 years
• Computer security is only as strong as its weakest
link
– Don’t worry too much about the DES and RSA
cryptographic algorithms
– But worry about the implementations and protocols!

38
References
• B. Schneier, “Applied Cryptography”, 2nd Edition, Wiley 1996
• A. Menezes, P. Van Oorschot (Editor), Scott A. Vanstone (Editor),
“Handbook of Applied Cryptography”, CRC Press Series on Discrete
Mathematics and Its Applications, 1996
• http://www.eff.org/descracker.html
• J. Gilmore (Editor), “Cracking DES: Secrets of Encryption Research,
Wiretap Politics & Chip Design”, Electronic Frontier Foundation, 1998
• D. Knuth, “The Art of Computer Programming”, Volume 2
Seminumerical Algorithms, 3rd Edition, Addison-Wesley, 1997
• www.rsa.com
• D.M. Bressoud, “Factorization and Primality Testing”, Springer, 1989

39
