Slashdot Mirror


New Attack Against Multiple Encryption Functions

An anonymous reader sends word of a paper presented a few days back by Adi Shamir, the S in RSA, that promises a new form of mathematical attack against a broad range of cryptographic ciphers. The computerworld.com.au report leans heavily on Schneier's blog entry from the Crypto 2008 conference and the attached comments. Shamir's paper has not been published yet. "[The new attack could affect] hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES) at the Crypto 2008 conference. The new method of cryptanalysis has been called a 'cube attack' and formed part of Shamir's invited presentation at Crypto 2008 — 'How to solve it: New Techniques in Algebraic Cryptanalysis.' The new attack method isn't necessarily going to work against the exact ciphers listed above, but it offers a new generic attack method that can target basically formed ciphers irrespective of the basic cipher method in use, provided that it can be described in a 'low-degree polynomial equation'... What may be the biggest outcome from this research is the range of devices in widespread use that use weaker cryptographic protection, due to power or size limitations, that are now vulnerable to a straightforward mathematical attack."

130 comments

  1. Ha! I'm immune! by DikSeaCup · · Score: 5, Funny

    I store all of my passwords in plain text!

  2. CUBES by Anonymous Coward · · Score: 0

    ATTACK!

    1. Re:CUBES by Kiaser+Zohsay · · Score: 2, Funny

      FOR GREAT JUSTICE!

      --
      I am not your blowing wind, I am the lightning.
    2. Re:CUBES by sexconker · · Score: 1

      AND MASSIVE DAMAGE!

  3. svefg cbfg! by Anonymous Coward · · Score: 0

    svefg cbfg!

    1. Re:svefg cbfg! by Anonymous Coward · · Score: 0

      LBH SNVY VG

  4. news at 11? by Zironic · · Score: 0, Redundant

    Low degree polynomials are relatively easy to crack, news at 11?

    I thought most people used RSA nowadays because of its mathematical unbreakability. (Huge polynomial.)

    Breaking of the stream ciphers can be a problem though.

    1. Re:news at 11? by Anonymous Coward · · Score: 0

      If you think that low degree polynomials are easy to crack, then prove it by giving all 4 solutions to

      x^2 = 1 mod RSA-1024.

    2. Re:news at 11? by MrNaz · · Score: 2, Insightful

      Solution 1: x = 1
      Solution 2: x = -1
      Solution 3: x = BUFFER OVERFLOW
      %#$%#%#%#%##%%$$

      --
      I hate printers.
    3. Re:news at 11? by sexconker · · Score: 1

      uh...

      X^2 = 1 % big number.

      big number > 1; 1 % big number = 1.

      X^2 = 1 % big number == X^2 = 1

      X^2 = 1

      X = +/- 1 ?

      What?
      What voodoo are you assuming that gets 4 solutions?

    4. Re:news at 11? by GodKingAmit · · Score: 1

      Because there are many solutions to m mod n? Example X^2 = 1 mod 8 One solution: X^2 = 1, X = +/- 1 Another solution X^2 = 9 = 1 mod 8 X = +/-3 Etc ...

    5. Re:news at 11? by geekgirlandrea · · Score: 1

      RSA is a public-key cipher. They usually don't get used directly because they're much more expensive computationally than AES and the like, and potentially vulnerable to chosen-plaintext attacks. Real protocols like SSL typically use a public-key cipher like RSA or DSA to negotiate a shared secret key and perform authentication, and then switch to a symmetric cipher like AES or IDEA.

    6. Re:news at 11? by WuphonsReach · · Score: 1

      They usually don't get used directly because they're much more expensive computationally than AES and the like, and potentially vulnerable to chosen-plaintext attacks.

      I was with you up until the last bit. Do you have any information regarding public-key ciphers being vulnerable to chosen plaintext attacks? And which of the various public-key encryption algorithms are vulnerable?

      --
      Wolde you bothe eate your cake, and have your cake?
    7. Re:news at 11? by geekgirlandrea · · Score: 1

      All of them are vulnerable. If you have a ciphertext, and you know the public key, you can just try brute-forcing the space of plaintexts rather than the space of keys, which may be much smaller, especially if the plaintexts all have a known form. Effectively, the fact that the public key must be public gives an attacker the ability to encrypt an unlimited number of chosen plaintexts.

      If you use the public-key algorithm to encrypt a randomly generated secret key, and then switch to a secret-key cipher, then the space of possible plaintexts for the public-key cipher is at least as large as the keyspace for the secret-key cipher, and then the chosen-plaintext attack is no longer the weakest point.

    8. Re:news at 11? by bbhack · · Score: 1

      Effectively, the fact that the public key must be public gives an attacker the ability to encrypt an unlimited number of chosen plaintexts.

      Uhm, no, I don't think so. There is no symmetry between the encryption by private key and by public key. You cannot search for a ciphertext match by brute-forcing plaintext + pubkey.

      You may be on to something, but please explain more.

      IANAC

      --
      The next thing to remember is to put next things next.
    9. Re:news at 11? by geekgirlandrea · · Score: 1

      Suppose Alice sends a message to Bob and encrypts it with Bob's public key. You're trying to intercept that message, and get to see the ciphertext, and you also get to see Bob's public key. If you knew Bob's private key you could decrypt the message and get the plaintext just like he does, but it'd take an unreasonably large amount of processor time to compute his private key from his public key, so you can't do that. If you know the space of possible plaintexts is relatively small, though, you can try encrypting every possible plaintext with the known public key until one matches the known ciphertext. This is really well-known stuff.

    10. Re:news at 11? by Zironic · · Score: 1

      With that approach you still never get the secret key, you only become able to read small messages, since the space of plaintexts is actually gargantuan.

      The users of a public key algorithm can also protect themselves by just adding random noise to their messages.

    11. Re:news at 11? by bbhack · · Score: 1

      The users of a public key algorithm can also protect themselves by just adding random noise to their messages.

      Correct. I was thinking of signing, and I had things backwards, but by injecting entropy into the encryption by public key, chosen plaintext attack becomes "hard". In fact, this is not optional.

      --
      The next thing to remember is to put next things next.
    12. Re:news at 11? by sexconker · · Score: 1

      There is 1 solution to m mod n.

      8 mod 2 = 0.
      13 mod 4 = 1.
      27 mod 5 = 2.

      "X^2 = 9 = 1 mod 8"

      9 != 1 mod 8
      1 mod 8 = 1

      Modulooooooooooooo?

    13. Re:news at 11? by Anonymous Coward · · Score: 0

      Your parent didn't mean "mod", the operator found in computer languages, but the mathematical "(mod n)" usually written in parentheses, which turns every equal sign on the same line into "equal + or - a multiple of n".

      Rewriting using the mod operator you're familiar with, you'd get:

      1^2 mod 8 = 1 mod 8 = 1
      (-1)^2 mod 8 = 1 mod 8 = 1
      3^2 mod 8 = 9 mod 8 = 1
      (-3)^2 mod 8 = 9 mod 8 = 1

      So indeed 1, -1, 3, -3 are all solutions to x^2 mod 8 = 1.
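Both arguments in this subthread are small enough to run: the claim that x^2 = 1 (mod n) has four solutions when n = pq, and the claim that an unpadded public-key encryption of a message drawn from a small space falls to encrypting every candidate with the public key. The following is an added Python example, not code from any of the posters. The primes, the exponent, the four-digit-PIN message space and the toy random-padding scheme are all constructed for illustration; the padding is a stand-in for a real scheme such as RSA-OAEP and is not one. It also shows why the "x^2 = 1 mod RSA-1024" challenge is not a low-degree pushover: any root other than +-1 hands you a factor of n.

```python
from math import gcd

# Constructed toy RSA parameters; n = p*q is the only structural property used.
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def crt(a, p, b, q):
    """Unique x mod p*q with x = a (mod p) and x = b (mod q) (Garner's form)."""
    h = ((b - a) * pow(p, -1, q)) % q
    return (a + p * h) % (p * q)

def square_roots_of_one(p, q):
    """x^2 = 1 (mod pq) iff x = +-1 mod p and x = +-1 mod q: four combinations."""
    return sorted({crt(a, p, b, q) for a in (1, p - 1) for b in (1, q - 1)})

def factor_from_root(x, n):
    """A root other than +-1 has x-1 divisible by exactly one of the primes,
    so gcd(x-1, n) splits n. Knowing such a root is equivalent to factoring."""
    if x in (1, n - 1):
        raise ValueError("trivial root")
    p = gcd(x - 1, n)
    return tuple(sorted((p, n // p)))

def rsa_encrypt(m):
    return pow(m, E, N)            # textbook RSA: deterministic, no padding

def rsa_decrypt(c):
    return pow(c, D, N)

PIN_SPACE = range(10_000)          # constructed small plaintext space: 4-digit PINs

def recover_pin(ciphertext):
    """Dictionary attack: encrypt every candidate with the public key and compare.
    Works because textbook RSA is deterministic and the public key is public."""
    for m in PIN_SPACE:
        if rsa_encrypt(m) == ciphertext:
            return m
    return None

PIN_BITS = 14                      # 10_000 < 2**14
R_LIMIT = (N >> PIN_BITS) - 1      # keeps every padded value below N

def padded_encrypt(pin, r):
    """Toy randomised padding: prepend r random bits so the same PIN encrypts
    differently each time (draw r with secrets.randbelow(R_LIMIT) in practice).
    Illustrative only; real systems use a proper scheme such as RSA-OAEP."""
    assert 0 <= r < R_LIMIT and 0 <= pin < 2 ** PIN_BITS
    return rsa_encrypt((r << PIN_BITS) | pin)

def padded_decrypt(ciphertext):
    return rsa_decrypt(ciphertext) & ((1 << PIN_BITS) - 1)
```

With the padding in place the dictionary attack as written returns nothing, because the ciphertext no longer corresponds to any bare PIN; the attacker's work grows by the number of possible r values, which is why real padding uses far more random bits than this toy does.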

  5. borg cube attack! by Afrix · · Score: 0, Offtopic

    only fractal encryption can save us now!

  6. Re:ehm by moderatorrater · · Score: 5, Informative

    The summary is blatantly wrong. Take a look at the Schneier blog post (from 3 days ago) and the second update: this attack only works against LFSR encryption of a low order, which means that none of the schemes mentioned in the summary are actually affected.

    Now, if I were to actually RTFA, I would know whether the article was slow on the uptake or slashdot, and whether or not they should have known that the attack wouldn't affect the major algorithms, just smaller ones. Either Slashdot's dead wrong on this or computerworld is, and I'm not sure which one's more likely.

  7. DES, AES, Blowfish, Twofish likely immune by Hoplite3 · · Score: 3, Informative

    See Schneier's blog. No word on MD5, which is extremely common.

    --
    Use the Firehose to mod down Second Life stories!
    1. Re:DES, AES, Blowfish, Twofish likely immune by Cyberax · · Score: 3, Informative
    2. Re:DES, AES, Blowfish, Twofish likely immune by dubbreak · · Score: 1

      True, but that doesn't make the summary any more accurate.

      --
      "If you are going through hell, keep going." - Winston Churchill
    3. Re:DES, AES, Blowfish, Twofish likely immune by Anonymous Coward · · Score: 5, Informative

      While finding collisions quickly does indeed show MD5 has weaknesses, no one has found an efficient way to match an existing checksum. For most that's the definition of completely broken.

    4. Re:DES, AES, Blowfish, Twofish likely immune by Anonymous Coward · · Score: 0

      Even beyond finding matches to an existing checksum, there's still many applications for hashing algorithms where the found collision would additionally have to be in a compatible format.

      For instance, when MD5s are distributed for mirrored binaries, the attacker would not only have to find a collision but also find one that was either executable or could be decompressed using the same algorithm as the original. Those formats can offer attackers a chance to embed bits that get ignored, but it still makes the collision that much harder to find since part of that collision has to be whatever malicious content the attacker is trying to pass off in place of the original.

  8. Nice use of language by gazbo · · Score: 3, Informative

    Contrast:

    [The new attack could affect] hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES)...The new attack method isn't necessarily going to work against the exact ciphers listed above

    With:

    Okay, he thinks that AES is immune to this attack...And this attack doesn't apply to any block cipher -- DES, AES, Blowfish, Twofish, anything else -- in common use

    Slight shift in implications, dontchathink?

  9. Correct the summary/FUD by trifish · · Score: 5, Informative

    As Schneier wrote (emphasis mine): "this attack doesn't apply to any block cipher -- DES, AES, Blowfish, Twofish, anything else -- in common use; their degree is much too high." Now, correct the misleading summary (or be an uninformed FUD spreader like Computerworld).

    1. Re:Correct the summary/FUD by Kjella · · Score: 2, Interesting

      Here's the bane of reliable internet news. I now predict a kazillion stories like "OMG the sky is falling" on the news sites I visit, because they produce way more hits than "completely irrelevant theoretical crypto-attack found". It's really that simple; I think even if they KNOW the story is bogus it's better to get the headliner and then make a "correction" later.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Correct the summary/FUD by secPM_MS · · Score: 5, Informative

      The "low degree" here may be a bit higher than most readers suspect. The abstract I have for the talk is:

      ABSTRACT: In this talk I will describe a new algebraic attack which is very powerful and very general. It can solve large systems of low degree polynomial equations with surprisingly low complexity. For example, solving dense random-looking equations of degree 16 in several thousand variables over GF(2) (which correspond to many types of LFSR-based stream ciphers) can now be practically done in less than 2^{32} complexity by the new technique.

      That said, the algebraic degree associated with modern block codes is far beyond this. The possible utility of such approaches in reducing the complexity of collision generation in hashes is yet undetermined.

    3. Re:Correct the summary/FUD by trifish · · Score: 1

      Yes. The sad truth is that even the researchers themselves engage in FUD spreading. It is much easier to get publicity if you claim "I can break anything (but wait 2 weeks for the full details)." When those full details are revealed (i.e. the fact that there is no real attack is implicitly contained in the paper) it is already too late to undo the FUD. Nobody really cares.

    4. Re:Correct the summary/FUD by CodeBuster · · Score: 3, Interesting

      That said, the algebraic degree associated with modern block codes is far beyond this.

      Would not a modern block cipher, AES for example, be of at least order 128 or possibly higher with at least as many variables? It was also mentioned in the summary of TFA that older or lower power devices might be vulnerable, but really where are these devices being used right now? It has been my experience that if something is encrypted at all (i.e. someone actually bothered to think about security) then a stronger algorithm is generally selected (AES, 3-DES, Twofish, etc...); otherwise, and this happens all too often, encryption is simply not employed even though it easily could have been and probably should have been.

    5. Re:Correct the summary/FUD by trifish · · Score: 1

      Your post, sir, is as misleading as the Computerworld article. Was the ambiguity in it deliberate or unintentional? I hope the latter.

    6. Re:Correct the summary/FUD by Eighty7 · · Score: 1

      ... (or be an uninformed FUD spreader like Computerworld)

      That was completely uncalled for. What has Computerworld done to deserve being compared to kdawson?

    7. Re:Correct the summary/FUD by swillden · · Score: 3, Informative

      Would not a modern block cipher, AES for example, be of at least order 128 or possibly higher with at least as many variables?

      No. When you convert a cipher into a set of polynomial equations, the degree is dependent upon internal details of the cipher. It has nothing to do with the number of bits in the key. For example, I can make a cipher with a 1000-bit key, but a structure that is so simple that it can be represented with a linear function -- degree 1.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
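The abstract quoted above says what the attack consumes (a low-degree polynomial in public and secret variables over GF(2)) but not how it exploits it, and swillden's point that the degree has nothing to do with the key length is easier to see with the mechanism in hand. The following is an added Python example, not code from the talk or from any poster; it implements the cube attack as it was later published by Dinur and Shamir ("Cube Attacks on Tweakable Black Box Polynomials", EUROCRYPT 2009) against a constructed six-variable polynomial that stands in for a stream cipher's first keystream bit, with the public bits playing the role of an IV the attacker chooses. Summing the output over every setting of a chosen subset of public bits (the "cube") cancels all monomials not divisible by that subset's product and leaves its "superpoly"; when the function's degree is low, small cubes leave superpolys that are linear in the key bits, and each such cube yields one linear equation. The offline phase needs a copy of the function under attacker-chosen keys; the online phase needs only black-box queries under the unknown key.

```python
from itertools import combinations, product

NV, NK = 3, 3   # public bits (IV/plaintext) and secret key bits of the toy

def toy_cipher(v, k):
    """Constructed degree-3 output polynomial over GF(2): the 'low degree'
    keystream function of the abstract, shrunk to 6 variables. Not a real cipher."""
    v0, v1, v2 = v
    k0, k1, k2 = k
    return ((v0 & v1 & k0) ^ (v0 & v2 & k1) ^ (v1 & v2 & k2) ^ (v0 & v1 & v2)
            ^ (v0 & k0 & k1) ^ (v1 & k1 & k2) ^ (v2 & k0 & k2) ^ (k0 & k1 & k2)
            ^ v0 ^ k1 ^ 1)

def cube_sum(g, cube, base_v):
    """XOR of g(v) over all 2^|cube| settings of the cube bits, other bits fixed.
    Every monomial not divisible by the cube's product cancels, so the result is
    the 'superpoly' of that product, of degree at most deg(g) - |cube|."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(base_v)
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= g(v)
    return acc

def superpoly(f, cube, base_v):
    """The superpoly as a function of the key (attacker picks the key offline)."""
    return lambda k: cube_sum(lambda v: f(v, k), cube, base_v)

def all_keys():
    return [list(b) for b in product((0, 1), repeat=NK)]

def superpoly_is_linear(f, cube, base_v):
    """Offline: BLR linearity test p(0) ^ p(a) ^ p(b) ^ p(a^b) == 0 for all a, b.
    Exhaustive here because NK is tiny; the real attack samples random a, b."""
    p = superpoly(f, cube, base_v)
    p0 = p([0] * NK)
    for a in all_keys():
        for b in all_keys():
            ab = [x ^ y for x, y in zip(a, b)]
            if p0 ^ p(a) ^ p(b) ^ p(ab):
                return False
    return True

def linear_superpoly(f, cube, base_v):
    """Constant term and the coefficient of each key bit, read off at unit vectors."""
    p = superpoly(f, cube, base_v)
    const = p([0] * NK)
    coeffs = [p([int(j == i) for j in range(NK)]) ^ const for i in range(NK)]
    return const, coeffs

def preprocess(f):
    """Offline phase: keep cubes whose superpoly is linear and involves the key."""
    eqs, base_v = [], [0] * NV
    for size in range(1, NV + 1):
        for cube in combinations(range(NV), size):
            if superpoly_is_linear(f, cube, base_v):
                const, coeffs = linear_superpoly(f, cube, base_v)
                if any(coeffs):
                    eqs.append((cube, base_v, const, coeffs))
    return eqs

def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2); None if inconsistent or underdetermined."""
    n = len(rows[0])
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [x ^ y for x, y in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    if r < n or any(not any(row[:n]) and row[n] for row in m):
        return None
    sol = [0] * n
    for i, c in enumerate(pivots):
        sol[c] = m[i][n]
    return sol

def online_attack(oracle, eqs):
    """Online phase: oracle(v) = f(v, secret) is a black box. Each cube sum gives
    one linear equation in the key bits; the key length never enters the cost."""
    rows = [coeffs for _, _, _, coeffs in eqs]
    rhs = [cube_sum(oracle, cube, base_v) ^ const for cube, base_v, const, _ in eqs]
    return solve_gf2(rows, rhs)

def demo():
    secret = [1, 0, 1]                         # constructed secret key
    eqs = preprocess(toy_cipher)               # offline, key under attacker control
    return online_attack(lambda v: toy_cipher(v, secret), eqs)
```

On this toy, the single-bit cubes all leave quadratic superpolys and are rejected by the linearity test, while each two-bit cube isolates one key bit; the online phase then needs only 3 x 4 = 12 black-box queries. Scaling the cube size up is what turns "degree 16 in several thousand variables" into the 2^32 figure in the abstract, and adding key bits without raising the degree does nothing to stop it.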
    8. Re:Correct the summary/FUD by fermion · · Score: 1

      Further comments suggest that it might be used against systems with weaker protection, such as HDTV, Bluetooth, mobile telephone networks. So no, the secure stuff is still secure. In any case, the secure stuff is seldom broken by breaking the encryption. The secure stuff is broken by social and other backdoor attacks.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    9. Re:Correct the summary/FUD by ksd1337 · · Score: 1

      Well, seeing as kdawson is the editor, I'm not surprised at the summary's inaccuracy.

    10. Re:Correct the summary/FUD by lgw · · Score: 1

      What part of this is specific to internet news? This isn't news, this is CNN!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    11. Re:Correct the summary/FUD by Anonymous Coward · · Score: 0

      As Schneier wrote (emphasis mine): "this attack doesn't apply to any block cipher -- DES, AES, Blowfish, Twofish, anything else -- in common use; their degree is much too high."

      AES can be described as a system of equations with order 2 (http://eprint.iacr.org/2002/044.pdf). It doesn't get much lower than that.

    12. Re:Correct the summary/FUD by Anonymous Coward · · Score: 0

      Yes, because the summary quotes Computerworld.

    13. Re:Correct the summary/FUD by Anonymous Coward · · Score: 0

      Nice FUD post.

  10. Elliptic Curve by extirpater · · Score: 0, Redundant

    I'm wondering if elliptic curve cryptography is vulnerable to this kind of attack, since it's about polynomial equations.

    1. Re:Elliptic Curve by Zironic · · Score: 1

      Everything uses polynomial equations; what matters is the degree. Elliptic curve cryptography uses really high degree polynomials, so you don't have to worry.

  11. the S by Anonymous Coward · · Score: 0

    I thought the S in RSA stood for 'simple'. As in Really Simple Ancryption.

    1. Re:the S by NatasRevol · · Score: 1

      Really Simple Acronyms.

      Was that so hard?

      --
      There are two types of people in the world: Those who crave closure
    2. Re:the S by MrNaz · · Score: 1

      Was that NP hard?

      Was that so hard?

      --
      I hate printers.
  12. Re:ehm by beckerist · · Score: 2, Informative

    So long as there are ways to decrypt, there will always be a way to "attack." It isn't necessarily the fault of the algorithm either. Prime example: social engineering.

  13. Use two different encryption methods. by Futurepower(R) · · Score: 1, Redundant

    My understanding is that this is the big issue about mathematical attacks: They depend on the encryption method. If you merely encrypt things more than once, using two or more different encryption methods, the chances there will ever be a successful mathematical attack are very, very small.

    I have an enormous amount of respect for Bruce Schneier, but his writing is designed to get him business, not to give easy answers to big problems.

    I recommend GNU Privacy Guard.

    1. Re:Use two different encryption methods. by Zironic · · Score: 3, Informative

      Well, they rely on knowing what method you used, but so does any cryptography attack; it's impossible to create an attack that can target any encryption, since it's impossible to tell the difference between something encrypted and random noise.

      So if the attacker knows you're using two different methods he just has to crack them both one at a time. It's not terribly different from knowing you use one method.

      What you're doing is just attempting to practise security through obscurity when you layer encryption on encryption.

    2. Re:Use two different encryption methods. by TMB · · Score: 2, Funny

      That's why I use rot13 not once, but twice!

    3. Re:Use two different encryption methods. by moderatorrater · · Score: 3, Insightful

      I have an enormous amount of respect for Bruce Schneier, but his writing is designed to get him business, not to give easy answers to big problems.

      umm, easy answers to big problems? There are none, sir, and while bruce does occasionally plug his own products, I've never thought that he was just into it to make money. Reading his blog is the most informative part of my day.

      Besides, we all know that his real reason for blogging is to help squid become the dominant species on the planet like they were intended to be.

    4. Re:Use two different encryption methods. by Anonymous Coward · · Score: 0

      Sorry, that's absurd. It's a great tradition in crypto forums to denigrate the idea of using two ciphers in series - IMO because that is the LAST thing an intel service that can (at a cost) break one cipher wants people doing. Can we say, crypto astroturf?

      The facts: Superencipherment - encrypting data with one cipher and key, then encrypting the ciphertext with a different cipher and key - does not double the keyspace search for an attack - it raises it exponentially. The same applies not only to brute force attacks, it also applies to the complexity of /any/ solution to the ciphertext in question.

      So for instance using 3DES with a 160 bit key, then enciphering the output with AES using a different, 256 bit key, is approximately equivalent to using a cipher with a key space of 160^256 bits.

    5. Re:Use two different encryption methods. by Detritus · · Score: 1

      Bad assumption. The composition of two ciphers can be treated as a third cipher, which may not be any stronger than its parents, and can even be weaker. The attacker is not obligated to solve the system in the same sequence that was used to encrypt the plaintext.

      --
      Mea navis aericumbens anguillis abundat
    6. Re:Use two different encryption methods. by pjt33 · · Score: 1

      I use it three times, in encrypt-decrypt-encrypt mode. It works for DES, so it must be good!

    7. Re:Use two different encryption methods. by Vellmont · · Score: 1

      If you merely encrypt things more than once, using two or more different encryption methods, the chances there will ever be a successful mathematical attack are very, very small.

      Maybe. The fact that nobody really does this is a strong indication that this isn't as good a solution as you might think it is though.

      The encryption algorithm itself is likely the strongest part of your whole system anyway. Most of the time the attacks on the system don't completely break it open and make it useless. The weak parts are the software implementation of the system, key exchange, and simply the human beings involved. The encryption algorithm is just one part of the entire system.

      I have an enormous amount of respect for Bruce Schneier, but his writing is designed to get him business, not to give easy answers to big problems.

      So if you can't attack his ideas, attack his motivation? I don't know that anyone has come up with easy answers to the big problems of security. Are you really implying that there exist simple solutions that a select few know about, but are (for some reason) keeping secret from everyone else?

      --
      AccountKiller
    8. Re:Use two different encryption methods. by marxmarv · · Score: 1

      Bad assumption. The composition of two ciphers can be treated as a third cipher, which may not be any stronger than its parents, and can even be weaker.

      Other than the frankly incompetent cases of using two ciphers composed with the same key, or including known plaintext in the inner ciphertext, when has such a weakness been observed?

      The attacker is not obligated to solve the system in the same sequence that was used to encrypt the plaintext.

      I agree that the composite cipher may well be weaker than the sum of its parents. As the composite cipher may contain redundancies that can be optimized away, so too would the attack. However, I don't see why a composed cipher, with each component keyed separately, would not be much stronger than the strongest of its parents.

      --
      /. -- the Free Republic of technology.
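The exchange above turns on how much a cascade of two ciphers under independent keys actually buys. The following is an added Python example, not code from any poster: two constructed toy ciphers with 16-bit blocks and 8-bit keys (neither is a real algorithm) are applied in series with separate keys, and a meet-in-the-middle search recovers both keys from a few known plaintext/ciphertext pairs. The attacker encrypts the first known plaintext under every key of the first cipher, decrypts the matching ciphertext under every key of the second, and looks for a collision in the middle, so the cost is roughly 2^8 + 2^8 cipher evaluations plus a table, not the 2^16 that enumerating both keys together would take. This is the same observation that makes two-key double DES worth about 57 bits rather than 112 and is why the three-pass encrypt-decrypt-encrypt construction pjt33 mentions exists; it applies whether or not the two ciphers are different designs.

```python
MASK = 0xFFFF

def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def rotr16(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK

def subkey(k, r, salt):
    """16-bit round key from an 8-bit key; a constructed schedule, not a real one."""
    return (((k ^ (salt * r)) & 0xFF) << 8) | ((k * 0x4D + r + salt) & 0xFF)

def enc_a(k, x):
    """Toy cipher A: 4 rounds of XOR-rotate-add on a 16-bit block, 8-bit key."""
    for r in range(4):
        x = (rotl16(x ^ subkey(k, r, 0x35), 5) + 0x4F1B) & MASK
    return x

def dec_a(k, x):
    for r in reversed(range(4)):
        x = rotr16((x - 0x4F1B) & MASK, 5) ^ subkey(k, r, 0x35)
    return x

MUL = 0x6D2B                         # odd, hence invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)

def swap_bytes(x):
    return ((x & 0xFF) << 8) | (x >> 8)

def enc_b(k, x):
    """Toy cipher B: 4 rounds of multiply-XOR-byteswap; a different design from A."""
    for r in range(4):
        x = swap_bytes(((x * MUL) & MASK) ^ subkey(k, r, 0x8E))
    return x

def dec_b(k, x):
    for r in reversed(range(4)):
        x = ((swap_bytes(x) ^ subkey(k, r, 0x8E)) * MUL_INV) & MASK
    return x

def cascade(ka, kb, p):
    """Superencipherment: cipher A under ka, then cipher B under an independent kb."""
    return enc_b(kb, enc_a(ka, p))

def meet_in_the_middle(pairs):
    """Recover (ka, kb) from known (plaintext, ciphertext) pairs.
    Returns the key pair and the number of cipher evaluations spent."""
    p0, c0 = pairs[0]
    work = 0
    middle = {}
    for ka in range(256):                       # forward half: A_ka(p0)
        middle.setdefault(enc_a(ka, p0), []).append(ka)
        work += 1
    for kb in range(256):                       # backward half: B_kb^-1(c0)
        mid = dec_b(kb, c0)
        work += 1
        for ka in middle.get(mid, []):          # the two halves meet in the middle
            ok = True
            for p, c in pairs[1:]:              # confirm on the remaining pairs
                work += 2
                if cascade(ka, kb, p) != c:
                    ok = False
                    break
            if ok:
                return ka, kb, work
    return None

def demo():
    ka, kb = 0x5A, 0xC3                                 # constructed secret keys
    plaintexts = [0x1234, 0xBEEF, 0x0042, 0xCAFE]       # constructed known plaintexts
    pairs = [(p, cascade(ka, kb, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)
```

The trade is memory for time: the table holds one entry per key of the first cipher. With real key sizes that table is the limiting resource, which is why the cascade is still stronger than either cipher alone, just not by anything like the product of the two keyspaces.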
  14. Quick, apply DMCA! by Anonymous Coward · · Score: 2, Insightful

    Ban the Math, it's a circumvention tool.

    1. Re:Quick, apply DMCA! by k1e0x · · Score: 1

      Yeah, that's funny. :)

      It's like saying "Quick we need a law against this math, that will get rid of it!"

      --
      Bringing liberty to the masses. - http://freetalklive.com/
    2. Re:Quick, apply DMCA! by smoker2 · · Score: 1

      Nah, they can't ban it; how would they patent software then?

  15. Some quick thoughts by Ex-Linux-Fanboy · · Score: 1

    I'm no crypto guru, but I have read Schneier's Applied Cryptography and have read various papers describing cryptographic primitives. Looking at the blog entry (yes, I do read Slashdot for its articles), the paper hasn't been published yet. We don't know, at this point, whether this is a theoretical attack or a practical attack.

    It doesn't affect AES; it may or may not affect RC4, which is pretty widely used. What it appears to affect is Radio Gatun, a nice, fairly new construction that can either be a hash or stream cipher, taking a key of any length. Radio Gatun is nice because its core can fit in under 2k of memory and it's an elegant, extensible construction.

    However, scanning the paper describing the function, I note the quote "It has algebraic degree 2" on page 10. So it looks like a nice, small elegant cryptographic primitive has fallen.

  16. Re:ehm by NetNinja · · Score: 1

    FUD!

  17. Re:ehm by Thelasko · · Score: 4, Funny

    Does this mean, can I finally recover the data encrypted by the Gpcode virus?

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  18. The synopsis stated "low grade" crypto by billsf · · Score: 4, Interesting

    An order of magnitude improvement in cracking a 56-bit key would be significant. However, most of us use far greater key-spaces, and only flaws in the crypto itself or the container are the real threat. It is however interesting when anybody can make a massive improvement in cryptanalysis. A 10x improvement would make cracking 40-bit 'consumer-grade' (such as GSM and DECT) crypto trivial on the latest processors. The most likely application is to give governments easy access to snoop 'private' phone and data conversations.

    This is not threatening to me at all. I don't really see the need to encrypt phone calls in the first place. It is absolutely essential to encrypt other data. This seems to be because there is a social taboo about tapping phones, but not so much so with data. Therefore all system admins must use SSH and others should consider it too.

    The real threat is the quantum computer, if it exists in a practical form. If that is the case, there is one complete solution -- The awkward 'one-time pad'.

    1. Re:The synopsis stated "low grade" crypto by eudaemon · · Score: 5, Insightful

      The reason to casually encrypt phone calls or any other data is to prevent the casual snooping of same.

      Look at it this way -- the barrier to entry for snooping your data is very low, and getting lower with each new executive order. On the other hand the barrier to entry on snooping your data can be set arbitrarily high; you can choose anything from 56 bit single-DES to 2048 bit RC4. The effort required to casually snoop you for no other reason has now exploded. It was fear of people adopting this strategy and blocking the casual snooping that inspired the clipper chip. It was the people's laziness, ignorance or both towards protecting their privacy and their fear of terror that has eroded any expectation of privacy now, which is truly unfortunate.

      If we had an expectation of privacy in this country, I think things would be very different now with regards to all the second order effects such as identity theft.

    2. Re:The synopsis stated "low grade" crypto by Hal_Porter · · Score: 1

      A 10x improvement would make cracking 40bit 'consumer-grade' (such as GSM and DECT) crypto trivial on the latest processors. The most likely application is to give governments easy access to snoop 'private' phone and data conversations.

      Governments either tap unencrypted GSM conversations at the basestation or have custom hardware to break 40 bit encryption. Or both probably.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re:The synopsis stated "low grade" crypto by thogard · · Score: 1

      40 bit DES is already in the realm of home machines. The problem isn't trying all the 2^40 key combinations but detecting when one of them gives you the right key. If you know the plain text is most likely ASCII, then you can check that the top bits of a block are all zeros, but then you still have to have another way to process the 2^32 results that pass the 1st test. The more you know about the plain text the more false results you can discard, but there still may be loads of other keys that might look right until you get to the next block, depending on the chaining method.

    4. Re:The synopsis stated "low grade" crypto by Anonymous Coward · · Score: 0

      Is it just me or does the "one-time pad" sound like a feminine hygiene product?

    5. Re:The synopsis stated "low grade" crypto by 93+Escort+Wagon · · Score: 1

      The real threat is the quantum computer, if it exists in a practical form. If that is the case, there is one complete solution -- The awkward 'one-time pad'.

      I use a "one-time pad" for all my account logins.

      A Post-it note counts as a one-time pad, right?

      --
      #DeleteChrome
    6. Re:The synopsis stated "low grade" crypto by swillden · · Score: 1

      The real threat is the quantum computer, if it exists in a practical form.

      Incorrect. No one has demonstrated any way to use a quantum computer (even if one existed) to break a symmetric block cipher like AES or DES. Shor's algorithm allows a quantum computer to factor large numbers quickly, which would destroy RSA, and it seems likely that similar approaches might be used to attack other public-key algorithms.

      Public key cryptography is useful for easing the key distribution problem, but it's not essential to most uses of cryptography.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:The synopsis stated "low grade" crypto by psydeshow · · Score: 1

      The barrier to entry for snooping your data is very low, and getting lower with each new executive order. On the other hand the barrier to entry on snooping your data can be set arbitrarily high; you can choose anything from 56 bit single-DES to 2048 bit RC4.

      I find this point fascinating, actually. It has never been easier to provably hide information, even as the social safeguards protecting privacy are being systematically dismantled.

      In some ways, each of those Executive Orders is doing us a favor, by telling us again and again, "Encrypt your communications, or keep your trap shut."

    8. Re:The synopsis stated "low grade" crypto by rjhubs · · Score: 1

      As others have mentioned, this is not an attack on the key space, so the size of your key won't matter. Rather it is an attack on the algorithm itself, which is more like saying, this analysis will make the algorithm not so 'random'.

      From my small understanding of cryptography and the vague article, it seems that some ciphers can be represented in a polynomial form. I remember in my crypto class we were shown how to figure out the polynomial of one of the algorithms, but I've long forgotten it. But anyways, cryptographers have always been somewhat wary of ciphers that can be represented as a polynomial, because perhaps someday someone would figure out a way to solve the polynomial. And I believe this new attack must have something to do with that. Although I could be wrong, because to the best of my recollection I thought the Rijndael (AES) cipher could not be represented as a polynomial.. Yet it is mentioned in the article.. perhaps it has to do with one of the modes or something...

    9. Re:The synopsis stated "low grade" crypto by Prune · · Score: 1

      The real threat is the quantum computer, if it exists in a practical form. If that is the case, there is one complete solution -- The awkward 'one-time pad'.

      Nonsense. There are many quantum-resistant encryption algorithms (such as most of the symmetric encryption ones).

      --
      "Politicians and diapers must be changed often, and for the same reason."
  19. Doesn't Affect me by exabrial · · Score: 0, Redundant

    My data is safe since I see that ROT13 isn't affected... Nice try you so-called 'crypto experts'!

    1. Re:Doesn't Affect me by trongey · · Score: 1

      What an amateur.
      I use ROT14. That really screws 'em up.

      --
      You never really know how close to the edge you can go until you fall off.
  20. 'low-degree polynomial equation' by Cheesebisquit · · Score: 1

    Why is 'low-degree polynomial equation' in quotes? These are the things every high school and middle school student studies; it's not some exotic term.

    1. Re:'low-degree polynomial equation' by u38cg · · Score: 1

      Well, given that Taco & co can't manage to add up the number of people who wish idle./. would go the f*** away, I think it's safe to assume that 'low-degree polynomial equation' is pretty scary biscuits from their point of view.

      --
      [FUCK BETA]
  21. Re:Ha! I'm immune! by oahazmatt · · Score: 5, Funny

    I do one better. I use inkblot tests. I can leave them in plain sight and they're totally secure.

    Co-worker: Your password is "flower"?
    Me: What? No. It's "zombie clown hitting fish with hammer". What's wrong with you?

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  22. "Cube" attack by dpilot · · Score: 1, Redundant

    TFA (I read it a day or two ago, before it was posted to Slashdot) mentions this as a "cube" attack, along with the low-order polynomial stuff, etc.

    Does this also mean that TIMECUBE is busted?
    I know it's been a while since TIMECUBE reared its ugly head here, but it would be good to hear that it's fully busted, not just sleeping.

    (For the humor impaired, I know the cube attack has nothing to do with TIMECUBE other than sharing 4 letters, but it seemed like a neat idea.)

    --
    The living have better things to do than to continue hating the dead.
    1. Re:"Cube" attack by k1e0x · · Score: 3, Funny

      TIMECUBE theory can never be broken because Shamir's math is educated stupid.

      --
      Bringing liberty to the masses. - http://freetalklive.com/
  23. Re:disgusting fatbodies by thedonger · · Score: 5, Funny

    I'm sure this post is encrypted...If only there were a way to use Schneier's algorithm...Wait...Got it! Here is the decrypted text:

    Yes, I agree with moderatorrater. It appears Slashdot was jumping the gun. I like to ride mopeds.

    --
    Help fight poverty: Punch a poor person.
  24. Re:Ha! I'm immune! by iminplaya · · Score: 5, Funny

    Me too. It's ******

    --
    What?
  25. Re:Ha! I'm immune! by jam244 · · Score: 5, Funny

    Your password is hunter2?

  26. Re:ehm by SoVeryTired · · Score: 1

    The obvious solution to this problem is to develop an un-decryptable cypher.
    Behold:

    AME33u899##d8909iksalel!

    --
    Slashdot: news for Apple. Stuff that Apple.
  27. kdawson FUD again by Anonymous Coward · · Score: 0

    Enough said

  28. Good cracking utility? by cat_jesus · · Score: 1, Offtopic

    I've recently come across a situation where my client's data is being held hostage by their application vendor. The vendor decided to encrypt the data during one of their 'upgrades' and now that the client wants to move to another application, the vendor won't decrypt the data without being paid a huge fee. They probably used something easy like an XOR cipher but I don't have the time to research how to figure this out. Are there any tools out there that I can use to give a sample of the encrypted data and the decrypted data, figure out the method used and then decrypt all the data?

    I'd love to stick it to the application vendor. What a dick move.

    1. Re:Good cracking utility? by Anonymous Coward · · Score: 0

      pay with credit card. next question.

    2. Re:Good cracking utility? by Anonymous Coward · · Score: 0

      The vendor decided to encrypt the data during an upgrade? This sounds more like an issue for legal.

      Also, I'm not sure that using a 3rd-party tool to attempt to decrypt all of their data is such a good idea; to me it reeks of liability concerns.

    3. Re:Good cracking utility? by Anonymous Coward · · Score: 0

      Seriously? That's essentially extortion, isn't it? Your client should just get a nice lawyer to contact them.

      And you should publish the vendor's name here, so everyone can avoid them forever.

    4. Re:Good cracking utility? by Hurricane+Floyd · · Score: 1

      Such a situation would be illegal in most countries; time for court. BTW, next time use anti-virus, as I am aware that you have been infected by an encrypting virus and the writers want money to decrypt your data; you were just too embarrassed to tell the truth.

    5. Re:Good cracking utility? by cat_jesus · · Score: 1

      Seriously. The bizarre thing is that this is a small police department. They would rather have someone manually move the data rather than go through the hassle of going after the vendor or paying them.

      I have already told them they should notify the State AG. But these people are technologically challenged and don't want to advertise their ignorance. It's all about maintaining appearances.

      It takes a lot of balls to do something like this to the government, especially to the police.

      The name of the software is COPERS (pronounced coppers). I kid you not.

  29. I think we agree. by Futurepower(R) · · Score: 1

    I think my point is correct: It is very unlikely that two different very strong encryption methods will be cracked at the same time. So using two or more, even if the methods and their order are known by an attacker, provides protection against attack.

    You said, "... it's impossible to create an attack that can target any encryption..." That's part of what I was saying.

    And my comment should not have been moderated Redundant, since all the comments posted before it were just junk when it was posted.

    1. Re:I think we agree. by flonker · · Score: 1

      Actually, the security of using two encryption methods is not fully additive as you would assume. (Security refers to the amount of time required to crack the message.)

      If you use the same key for both encryption methods, it may actually be less secure. (i.e. the old ROT13-twice joke.)

      If you use two different keys, the security of the resultant encryption has a minimum security of the stronger of the two algorithm/keys, and in a perfect case, the maximum security is simply the security of the first protocol plus the security of the second protocol. The only way to know what the actual security of 2 cryptosystems used in tandem is, is to actually perform a cryptanalysis. And cryptanalysis is not an exact science. You don't get many positive affirmations of security.

      For example, a substitution cypher applied repeatedly with 100 different keys has the same security as a single substitution cypher, or, potentially, no encryption. Let's say your cypher is: a=0, b=1, etc. Your key is a random number between 1 and 25. You take the plaintext, convert to a number, add the key, modulo 26, and convert back to a letter. If you have 100 keys you used to encrypt, you can add all of the keys up, modulo 26, and you have a single key to decrypt.

      In short, if you're using two cryptosystems for added security, the attacker may find a shortcut from the way the two systems interact so that he can retrieve the plaintext with less work than actually cracking both cryptosystems completely. I would assume that cryptosystems based on the same mathematical principles have a greater chance to interact in such a way, but I'm no expert.

      And while there is no general crypto attack, there is information there, so with enough analysis, (and it may be a lot,) you can discover what cryptosystem was used.

      I apologize in advance for any mistakes or oversimplifications I made.
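
An added, runnable illustration of the shift-cipher argument in the comment above (example code written for this page, not the commenter's): 100 random shift keys collapse to a single key equal to their sum mod 26, so an attacker holding one known plaintext needs at most 26 trials no matter how many keys were stacked, and ROT13 applied twice is the identity.

```python
import random
import string

ALPHABET = string.ascii_lowercase  # a=0, b=1, ..., z=25 as in the comment

def shift_encrypt(text: str, key: int) -> str:
    """The comment's cipher: letter -> number, add key, mod 26, back to a letter."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in text)

def multi_encrypt(text: str, keys: list) -> str:
    """Apply the shift cipher once per key (100 keys in the comment)."""
    for k in keys:
        text = shift_encrypt(text, k)
    return text

def equivalent_single_key(keys: list) -> int:
    """The shortcut: all the stacked shifts collapse to one shift by sum(keys) mod 26."""
    return sum(keys) % 26

def recover_key(plaintext: str, ciphertext: str) -> int:
    """Known-plaintext recovery: only 26 candidates, however many keys were used."""
    for k in range(26):
        if shift_encrypt(plaintext, k) == ciphertext:
            return k
    raise ValueError("ciphertext is not a shift of plaintext")

def demo() -> tuple:
    """Constructed demonstration with a fixed seed so the run is reproducible."""
    rng = random.Random(2008)
    keys = [rng.randint(1, 25) for _ in range(100)]   # 100 random keys, 1..25
    pt = "attackatdawn"                                # constructed sample plaintext
    ct = multi_encrypt(pt, keys)
    k = equivalent_single_key(keys)
    return (ct == shift_encrypt(pt, k),                # 100 shifts == one shift
            recover_key(pt, ct) == k,                  # 26 trials recover that key
            multi_encrypt("hello", [13, 13]) == "hello")  # ROT13 twice is a no-op
```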

  30. Re:ehm by MightyMartian · · Score: 5, Funny

    Nonsense. The real solution is to get a court order banning the guy from giving his presentation. After all, as has been demonstrated just recently, court orders are the preferred means of securing anything.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  31. Re:Ha! I'm immune! by MooseMuffin · · Score: 3, Funny

    No you moron, that's my password!

  32. Cube attack in detail... by Anonymous Coward · · Score: 4, Funny

    ENCRYPTION IS CUBE
    cube have 4 sides
    1 side = 1 encryption stage
    ENCRYPTION STAGE IS TIME
    TIME IS CUBE
    THEREFORE ENCRYPTION = TIME
    time slowed by day/night on planet corners
    move algorythm to cube corners to solve in limited time
    move algorithm to cube centers to unsolve in unlimited time.

    1. Re:Cube attack in detail... by failedlogic · · Score: 1

      I've always had a problem with my unsolved Rubik's Cube puzzle. I think once I actually understand what you wrote, I might be able to solve the puzzle. Then again, peeling off the stickers and placing them in the correct location is a much more efficient way.

  33. crypto law and public policy by Benjamin_Wright · · Score: 1

    From a public policy perspective: This post reminds us that cryptography is a dynamic and sometimes surprising science. The implication is that to achieve data security with cryptography is not just a simple task. But politicians have recently been writing laws and regulations with the assumption that to "encrypt" data is the end-all be-all of data security. It is not. Lawmakers are unwise to require a specific technology like "encryption" for data security. --Ben Wright http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html

    --
    Benjamin Wright, Dallas, Texas, benjaminwright.us
  34. Imagine by joeflies · · Score: 1

    Imagine a Beowulf cluster of quantum computers!

  35. Re:disgusting fatbodies by k1e0x · · Score: 0

    I'm sure this post is encrypted...If only there were a way to use Schneier's algorithm...Wait...Got it! Here is the decrypted text:

    Yes, I agree with moderatorrater. It appears Slashdot was jumping the gun. I like to ride mopeds.

    It is, but unfortunately he is using ROT26.

    --
    Bringing liberty to the masses. - http://freetalklive.com/
  36. Re:ehm by wirelessbuzzers · · Score: 2, Interesting

    There was a rump session talk on Gpcode, actually. It was suggested that if you had enough porn and/or music on your computer (tens of thousands of files with known headers, I believe), an attack on RC4 would recover your disk. It's related to the attack that breaks WEP. I don't know if it's been implemented.

    --
    I hereby place the above post in the public domain.
  37. It will be interesting to see the full paper by wirelessbuzzers · · Score: 4, Insightful

    I saw the talk. The cube attack was very impressive: it allowed Shamir to break a fairly difficult-looking toy cipher (constructed, of course, to have an Achilles heel, but still probably impossible to break with other known techniques). He used only one bit per packet (with a million packets) and didn't use any particular knowledge of the cipher's internals.

    However, as presented the attack probably only breaks toy examples. Its real-world applicability will depend on how well Shamir and Dinur manage to adapt it to ciphers which don't have this simple structure. For example, it will be difficult to apply the attack to either hash functions or block ciphers, because their iterated design tends to give them high degree. The attack will also be difficult to adapt because of its low tolerance for noise and its applicability to a narrow range of scenarios. Still, Shamir believes that it will be applicable at least to some modern stream ciphers, so I'll be keeping an eye out for the full version.

    --
    I hereby place the above post in the public domain.
    1. Re:It will be interesting to see the full paper by kevinbrock · · Score: 1

      I was at the talk as well. It looks like the technique will be applicable to a number of LFSRs, but the most interesting thing I saw was that the preprocessing stage lets you figure out whether a cipher is susceptible to the attack without knowing anything about the cipher. The preprocessing stage starts with a guess at the degree of an unknown cipher, and adjusts the guess based on the results of the preprocessing tests.

      Current block ciphers have degrees that are (probably) in the thousands, but hey, if in doubt there's an automated way to check this out now, and you don't even need to know anything about the structure of the cipher. Of course it could take a long time to run :-)
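
To make the preprocessing idea in the two comments above concrete, here is an added toy implementation of the cube-attack workflow (written for this page; it is not Shamir and Dinur's code, and the polynomial is a constructed example rather than any real cipher): XOR the black box over a "cube" of public bits to obtain the superpoly, test that superpoly for linearity without looking inside the function, and finally solve the resulting linear equations for the secret bits.

```python
import itertools
import random

# Constructed toy "cipher" (not a real one): one output bit as a GF(2) polynomial in
# public bits v[0..2] (attacker-chosen, like an IV) and secret key bits x[0..2]. Built so
# the cubes {v0,v1}, {v0,v2}, {v1,v2} have linear superpolys (x0+x2, x1, x0+x1+1)
# while the cube {v0} has the non-linear superpoly x0*x1.
def toy_cipher(v, x):
    (v0, v1, v2), (x0, x1, x2) = v, x
    return ((v0 & v1 & (x0 ^ x2)) ^ (v0 & v2 & x1) ^ (v1 & v2 & (x0 ^ x1 ^ 1))
            ^ (v0 & x0 & x1) ^ (v2 & x2) ^ (x1 & x2))

def superpoly(cube, x, f=toy_cipher, n_pub=3):
    """XOR f over all 2^|cube| assignments of the cube's public bits (others 0): every
    monomial not divisible by the cube's product term cancels, leaving its coefficient
    polynomial (the superpoly) evaluated at the secret x."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        v = [bits[cube.index(i)] if i in cube else 0 for i in range(n_pub)]
        total ^= f(v, x)
    return total

def is_linear(cube, n_sec=3, trials=32, seed=1):
    """Preprocessing: BLR linearity test p(a)^p(b)^p(a^b)^p(0) == 0 on random a, b.
    The attacker chooses the secrets here and needs no knowledge of f's internals."""
    rng = random.Random(seed)
    zero = [0] * n_sec
    for _ in range(trials):
        a = [rng.randint(0, 1) for _ in range(n_sec)]
        b = [rng.randint(0, 1) for _ in range(n_sec)]
        ab = [i ^ j for i, j in zip(a, b)]
        if superpoly(cube, a) ^ superpoly(cube, b) ^ superpoly(cube, ab) ^ superpoly(cube, zero):
            return False
    return True

def linear_form(cube, n_sec=3):
    """Read off a linear superpoly: const = p(0), coef_i = p(e_i) ^ p(0)."""
    const = superpoly(cube, [0] * n_sec)
    coefs = [superpoly(cube, [int(j == i) for j in range(n_sec)]) ^ const for i in range(n_sec)]
    return coefs, const

def solve_gf2(rows):
    """Gauss-Jordan elimination over GF(2); rows are (coefs, rhs). Assumes full rank."""
    n = len(rows[0][0])
    rows = [r[:] + [b] for r, b in rows]
    for col in range(n):
        piv = next(i for i in range(col, len(rows)) if rows[i][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(len(rows)):
            if i != col and rows[i][col]:
                rows[i] = [a ^ c for a, c in zip(rows[i], rows[col])]
    return [rows[i][n] for i in range(n)]

def cube_attack(secret, cubes=((0, 1), (0, 2), (1, 2), (0,))):
    """Offline: keep cubes that pass the linearity test and read off their linear form.
    Online: each superpoly evaluated with the real secret gives one linear equation."""
    equations = []
    for c in cubes:
        if is_linear(c):
            coefs, const = linear_form(c)
            equations.append((coefs, superpoly(c, secret) ^ const))
    return solve_gf2(equations)
```

The online phase queries the black box only 2^|cube| times per cube (four here) and never touches the secret directly, which is the "one bit per packet" flavour described above; a cube whose superpoly fails the BLR test, like {v0} here, is simply discarded during preprocessing.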

  38. Re:Ha! I'm immune! by norminator · · Score: 1

    Some security... you have just become a victim of social engineering. If you have to correct people who misinterpret your inkblots, your security is even weaker than with a simple 4 letter all lower case numeric-only password... like 1-2-3-4.

    And now to log into your /. account with "zombie clown hitting fish with hammer" as the password...

  39. depends what you're using it for by Anonymous Coward · · Score: 0

    Wikipedia mentions a certificate scenario. How about reversing hashtext back to a passphrase for free? No, didn't think so.

    1. Re:depends what you're using it for by Anonymous Coward · · Score: 0

      For a non-injective function? Yeah, good luck with that. Just use a rainbow table.

  40. Re:disgusting fatbodies by Hurricane+Floyd · · Score: 1

    WTF? He said he likes to mop, not mopeds, get your decryption right.

  41. BS by Hurricane+Floyd · · Score: 1

    This is just more snake oil bunk that really shows no weakness in modern hash functions or algorithms either one.

  42. Break my Serpent 256bit! by Bengie · · Score: 1

    How many orders of magnitude would one have to increase breaking 256bit Serpent to make it relative to one lifetime?... :P

  43. Setec Astronomy by Deliveranc3 · · Score: 1

    "And give him head whenever he wants." - Sidney Poitier.

  44. Re:Ha! I'm immune! by Anonymous Coward · · Score: 0

    This really isn't a bad idea. Didn't Slashdot have a story about Microsoft publishing a paper backing this idea up?

  45. A CRITICAL FLAW!x7q by genericpoweruser · · Score: 1

    Cubes have 6 sides.

    ...*whoosh!*

    --
    A fool and his lamb are worth two in the bush.
    1. Re:A CRITICAL FLAW!x7q by Anonymous Coward · · Score: 0

      YOU ARE WRONG SIR HERE IS PROOF
      cube have 4 sides in 2 dimensions
      1 dimension is TIME
      2 dimension is SPACE
      3 dimension is BEING
      4 dimension is CUBE
      THEREFORE PROOF CUBE 4 SIDES

  46. Hold on, I've got to get this out of my system by sabre86 · · Score: 4, Funny

    ...password ... like 1-2-3-4.

    So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    Apologies to Rick Moranis and Mel Brooks.

    That said, what's the difference between lower case numbers and upper case numbers?

    --sabre86

    1. Re:Hold on, I've got to get this out of my system by Anonymous Coward · · Score: 0

      Depends on your keyboard layout--
      1234567890
      !@#$%^&*()

    2. Re:Hold on, I've got to get this out of my system by Tolkien · · Score: 1

      That said, what's the difference between lower case numbers and upper case numbers?

      Upper case numbers aren't alphanumeric. ;)

  47. Re:ehm by UncleTogie · · Score: 4, Funny

    "Honey, we've simply GOT to have all this porn.... to recover our hard drive!"

    Kudos to the individual that can pull THAT line off...

    --
    Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
  48. Re:ehm by beckerist · · Score: 1

    aq4jhfg80q34tru92q34wv354rgq3giehjgbpoe
    =Then what's the point? (Couldn't decipher it could you?!)

  49. Re:Ha! I'm immune! by Alsee · · Score: 2, Funny

    Wow! Cool! Me too! I have 5 different inkblots for logging into five different systems.

    All five passwords are "Boobies".

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  50. Re:Ha! I'm immune! by ewhac · · Score: 1

    "An elephant wearing a hat."

  51. Re:Ha! I'm immune! by gad_zuki! · · Score: 1

    The new slashcode will replace your password with asterisks if you type it out in a comment.

    Here's mine: **********

    See?

    Give it a try.

  52. Re:Ha! I'm immune! by Anonymous Coward · · Score: 0

    *whoosh*

  53. ROT13 by Anonymous Coward · · Score: 0

    I store all of my passwords in plain text!

    Hah! ROT13 isn't one of the algorithms listed so I'm safe.

  54. cryptic...... by Anonymous Coward · · Score: 0

    is just for unlimited....
    anything limited.....
    there is NO such thing......
    any crypto inside the box is just like u in the panic room

  55. Get a grip, moderators by Anonymous Coward · · Score: 0

    So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    So every time somebody posts that lame joke, it'll get modded to +5 funny? No need to write anything witty, just keep regurgitating the same old rubbish. If a joke is funny once, it'll be super funny after a thousand repetitions! And everybody will want to read exactly the same joke again! It'd take too long to understand a new joke! Good old slashdot.

  56. Two reasons why. MOD PARENT UP. by Futurepower(R) · · Score: 1

    MOD PARENT UP.

    Using 2 encryption methods and two keys prevents a vulnerability in one from being a method of attack.

    Using 2 encryption methods and two keys prevents a brute-force attack, since brute-force attacks require some way to recognize the success of an attack, such as a series of words as a result. With 2 encryption methods a successful brute-force attack will only present almost perfectly random data to the attacker.

  57. Re:Ha! I'm immune! by johnny0099 · · Score: 1

    "We have to move past Furher Yay Transfers!"

    --
    Get your dogma outta my yard!