Slashdot Mirror

← Back to Stories (view on slashdot.org)

Weak Elliptic Curve Cryptography Brute-Forced

Posted by timothy on from the 100-billion-dollars-for-the-next-contest dept.

thegrommit writes "It seems one implementation of elliptic curve cryptography has been broken. It took four years to break a 109 bit key, but the contest sponsors (who provide encryption products for Cisco, Nortel and Palm among others) believe it's still impossible to break their 163 bit keys. The real question is, for how long?" Update: 11/07 01:59 GMT by T : Dan Kaminsky wrote to point out that the key here was really brute forced, and not broken -- that is, no fundamental flaw was discovered in the algorithm.

15 of 270 comments (clear)

  1. Brute-Forced != broken by JUSTONEMORELATTE · · Score: 5, Informative

    It wasn't broken, it was brute-forced.
    --

    1. Re:Brute-Forced != broken by Anonymous Coward · · Score: 5, Informative

      To say that a cipher has been broken has a specific technical meaning: that a weakness has been found which reduces the cost of decryption without the key to less than the cost of an exhaustive search. The cipher in question was decrypted without the key using an exhaustive search. It was most certainly NOT broken.

    2. Re:Brute-Forced != broken by FamousLongAgo · · Score: 5, Insightful

      'Breaking' is a term of art in cryptography. It means finding a solution that requires less time than a brute-force search. Even a 1% improvement qualifies as a 'break', although it might not have any practical value.

      It's a valid distinction to make, since a flawed algorithm may be unsafe at any key length.

      --

      A customer service representative will be with me shortly.
  2. Impossible by Skyshadow · · Score: 5, Insightful

    Impossible seems like a pretty weird word to ever use in this sort of situation. "Very, very difficult" or "requiring technology or techniques in advance of what is presently available" might be more accurate.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Impossible by djtack · · Score: 5, Informative

      Impossible seems like a pretty weird word to ever use in this sort of situation.

      Except that they didn't use the word 'impossible'... you can thank the slashdot editor for that bit of nonsense. The article actually claims it is "computationally infeasible" to break the larger keys.

  3. 4 long years and the answer was ... by burgburgburg · · Score: 5, Funny

    Mrs. Peacock with a metal pipe in the kitchen

  4. Some Background by Kramer747 · · Score: 5, Informative
    Wolfram has some cool stuff on Elliptic Curves:

    http://mathworld.wolfram.com/EllipticCurve.html

    It was also use by Anrew Wiles in 1993 to prove Fermat's famous last thereom.

    http://mathworld.wolfram.com/FermatsLastTheorem.ht ml

    Enjoy!

  5. Even if it was "broken" ... by binaryDigit · · Score: 5, Insightful

    The time is the most significant factor here. If this was military use, the 500+ days it took to break wouldn't worry anyone since any message more than a few days/hours old is pretty much worthless. If someone where more concerned about long term security, they could setup a system to refresh the keys on any encrypted data, say every year or every quarter.

  6. Duplicate article... by camusflage · · Score: 5, Informative

    We already covered this on slashdot. This is just Yahoo picking up on it now.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  7. Difference between brute force and cryptanalysis by yerricde · · Score: 5, Informative

    Just because brute-force is an inelegant method of breaking encryption doesn't mean it isn't valid.

    Brute force just gives a baseline against which other attacks can be measured. With a brute-force break, it takes the same amount of time to break one key that it takes to break any other. With a cryptanalytic attack, on the other hand, you only need to successfully attack one key as a proof of concept; once you've expended the effort to break one key cryptanalytically, you've broken the system and probably reduced the effort to break a key by a couple dozen orders of magnitude relative to the baseline.

    --
    Will I retire or break 10K?
  8. 4 years? by CySurflex · · Score: 5, Funny

    4 years?? My bird broke all 104 keys on my keyboard in just one day when I mistakenly left the cage door open.

  9. too new... to say impossible. by jukal · · Score: 5, Insightful

    (or unfeasible to be exact) The study of elliptic curves - as a branch of mathematics is not very old one. And as Elliptic Curve Cryptography originates from this theory .... I think this is one of the main reasons why it has not yet been commonly approved for mission critical tasks. Currently, yes, we do know that it is pretty(very) strong against brute-force attacks - but there is still a significant chance that a fundamenta flaws or new discoveries are achieved in ECC theory - leading to easy compromise of previous implementations based on it.

  10. Security for the Masses by Oculus+Habent · · Score: 5, Interesting

    It's interesting to see graphs of cracking power.

    RC5 took almost 5 years to crack, but take look at the graph. At the beginning of 1998 there were about 15 GigaKeys/sec. Then look at the increase.

    Sure, a fair portion of the increase was also the addition of new computers, but 261 days to double is comfortably below Moore's Law. If the whole project had run continuously at 200 GigaKeys/sec, it would have taken under 2.5 years, and under two years at their reported peak rate of 270 GigaKeys/sec.

    So, if we follow the 261 day doubling statistic they had, all these encryption methods seem weaker than reported. The big issue is if it's 4 years now, it's 1 year soon, and 3 months, soon after.

    If the cracking power scales nearly linearly, shouldn't we make some projections on how fast we can crack this encryption in a year? In two years?

    If your data is very time sensitive, then most "strong" encryptions currently available will do. If your data is, however, of a continuously sensitive nature (some corporate or government info), maybe you should be looking at the 1000+ bit keys now.

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  11. Re:How Long? A Loooooooong Time... by richard-parker · · Score: 5, Informative

    Since a 163-bit key is 2^54 times more complex than a 109-bit key, and it took 4 years for the 109-bit key, aren't we looking at at least 4 * 2^53 years, not even figuring in the elliptical complexity (which I admit I would need to read up on)?
    Recovering a 163-bit ECC key is estimated to require 2^27 times as much effort as a 109-bit ECC key. Current recommendations are that 163-bit ECC keys should be safe to use until 2011, although I don't think we'll see public key-recovery efforts succeed against 163-bit ECC until 2020 or so.

    The following is one of the better articles on this subject:

    A. Lenstra and E. Verheul, "Selecting Cryptographic Key Sizes,"
    Journal of Cryptography, v. 14, 2001, pp. 255-293.

    A PDF file of the article can be downloaded here.
  12. Quantum Crypto and OTP by reverseengineer · · Score: 5, Informative

    One-time pads are uncrackable- mathematical proof exists. That assumes (and it's a rather large assumption) that the rules of using a one time pad are followed.

    Messages encrypted with a OTP have been deciphered in the past, but not from any mathematical failing- people simply failed to correctly follow the rules.

    1. You need a random process to generate the pad. This means random, not pseudorandom. Admittedly, modern pseudorandom number generator algorithms are very complex, and trying to reverse engineer (hey!) a PRNG from just a stream of outputs would be a mammoth task. Rules are rules, however complex- if your pad is pseudorandom, your cipher will only be pseudo-uncrackable. The Enigma produced vey complex keys with a convoluted series of rules, but if you know how an Enigma works, as the Brits did, you can use the ciphertext to help find the key, and then dechiper the entire message. This is one area where quantum mechanics fits in- lots of nice random phenomena arise naturally from quantization- I'll get back to that. Also, the key on the pad must be as long as the message you wish to encode- if you try to encode a 2000-character message by using a 1000-character key two times, your security is no longer guaranteed.

    2. Only use each key on the pad once. That's why it's a one-time pad. If you use the same key more than once, you remove the randomness, and create a pattern that can help the cryptanalyst. Deciphering will still be difficult- but if you wanted difficult, you could have just used triple-DES or RSA or elliptic curve crypto- those are all varying degrees of difficult. You want impossible.

    OTP is unbreakable, if you follow the rules- but the rules are really hard follow. You need random processes, and once you have these neat pads, you face the Key Exchange Problem- if you have an agent out in the field that you'd like to communicate with, and you must communicate in an absolutely secure fashion, you must get a copy of the one-time pad to the agent- it's the only thing that will decipher your messages. However, you can't just pick up the phone and relay the contents of the pad to your agent- the enemy might be bugging your phones- and hilarious hijinks will no doubt ensue when the enemy uses their new your insecurely transmitted pad to read your secure encrypted messages. Encrypting transmission is a good idea, but you can't use OTP to send the first OTP to the agent- how will the agent decrypt his encrypted pad? The classic analogy is that you're trying to send a key (think physical, lock-opening key) in a locked box that only the key inside the box can open. You could encrypt the key with hardass public key crypto, say 1024-bit RSA, but that isn't unbreakable in the same now-and-forever sense as OTP. It would be vulnerable to quantum computers, and vulnerable to any computer if someone discovered a polynomial time algorithm for prime factorization of really gigantic numbers, or if I win a Clay Mathemtics Prize for proving P=NP. You could of course do what the government does for secure key distribution- send couriers carrying OTPs directly to the agent in the field. This is an expensive, difficult, dangerous method, so better ways were searched for.

    This is of course where Quantum Cryptography comes in. Photons all have specific polarizations. You can send a stream of randomly polarized photons through a polarizing filter, and photons with the same polarization angle as the filter will pass, while those with a polarization rotated 90 degrees with respect to the filter are blocked. What then happens to photons that have some intermediate angle? On the macroscale, we can say that the intensity of the light is a function of the angle, and infer that at a 45 degree tilt, 1/2 of the light is blocked, and 1/2 passes through. Enter Quantum Mechanics. It is fairly obvious to see the effect that polarizing filters have on a large scale quantity of light, but what about individual photons? Since the intensity of light at a 45 degree angle is 1/2 its normal value, one can infer that one half of the photons with a 45 degree polarization pass through, while one half are blocked. Simple enough. But if you send just one photon through with a 45 degree polarization, can you determine whether it will pass through? The answer, surprisingly enough, is no. You cannot determine whether a photon will pass through, and you will not know whether it passed through until it hits (or fails to hit) a detector on the other side. Can't determine? That makes it a random process, perfect to set up a OTP. It happens to have some interesting side benefits as well. Since the possibilities are pass and blocked, two possibilities- a string of photons sent at the filter produces a random binary sting of 1's (passed) and 0's (blocked). There is another fascinating benefit- if someone tries to sit in the middle of the photon stream and determine photon polarization, their eavesdropping will be evident- by checking the polarization of a photon in transit, they change the value of the polarization. All two people using quantum crypto need to do is confirm a few values that were sent (this can be done insecurely, since these values will not actually be used in the cipher pad)- if they match up, then send the message, encoded with the OTP, if not, someone is eavesdropping, and so discard the pad. It's a lot more complex than that, of course, but that's the general idea- you can use QC to generate a one-time pad, and then send it in such a way that you know whether or not you're being spied on.

    --
    "FDA staff reviewers expressed concern about the number of patients who were left out of the study because they died."