Slashdot Mirror


New Attack Against Multiple Encryption Functions

An anonymous reader sends word of a paper presented a few days back by Adi Shamir, the S in RSA, that promises a new form of mathematical attack against a broad range of cryptographic ciphers. The computerworld.com.au report leans heavily on Schneier's blog entry from the Crypto 2008 conference and the attached comments. Shamir's paper has not been published yet. "[The new attack could affect] hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES) at the Crypto 2008 conference. The new method of cryptanalysis has been called a 'cube attack' and formed part of Shamir's invited presentation at Crypto 2008 — 'How to solve it: New Techniques in Algebraic Cryptanalysis.' The new attack method isn't necessarily going to work against the exact ciphers listed above, but it offers a new generic attack method that can target basically formed ciphers irrespective of the basic cipher method in use, provided that it can be described in a 'low-degree polynomial equation'... What may be the biggest outcome from this research is the range of devices in widespread use that use weaker cryptographic protection, due to power or size limitations, that are now vulnerable to a straightforward mathematical attack."

26 of 130 comments

  1. Ha! I'm immune! by DikSeaCup · · Score: 5, Funny

    I store all of my passwords in plain text!

  2. Re:ehm by moderatorrater · · Score: 5, Informative

    The summary is blatantly wrong. Take a look at the Schneier blog post (from 3 days ago) and the second update: this attack only works against LFSR encryption of a low order, which means that none of the schemes mentioned in the summary are actually affected.

    Now, if I were to actually RTFA, I would know whether the article was slow on the uptake or slashdot, and whether or not they should have known that the attack wouldn't affect the major algorithms, just smaller ones. Either Slashdot's dead wrong on this or computerworld is, and I'm not sure which one's more likely.

  3. DES, AES, Blowfish, Twofish likely immune by Hoplite3 · · Score: 3, Informative

    See Schneier's blog. No word on MD5, which is extremely common.

    --
    Use the Firehose to mod down Second Life stories!
    1. Re:DES, AES, Blowfish, Twofish likely immune by Cyberax · · Score: 3, Informative
    2. Re:DES, AES, Blowfish, Twofish likely immune by Anonymous Coward · · Score: 5, Informative

      While finding collisions quickly does indeed show MD5 has weaknesses, no one has found an efficient way to match an existing checksum. For most that's the definition of completely broken.

  4. Nice use of language by gazbo · · Score: 3, Informative

    Contrast:

    [The new attack could affect] hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES)...The new attack method isn't necessarily going to work against the exact ciphers listed above

    With:

    Okay, he thinks that AES is immune to this attack...And this attack doesn't apply to any block cipher -- DES, AES, Blowfish, Twofish, anything else -- in common use

    Slight shift in implications, dontchathink?

  5. Correct the summary/FUD by trifish · · Score: 5, Informative

    As Schneier wrote (emphasis mine): "this attack doesn't apply to any block cipher -- DES, AES, Blowfish, Twofish, anything else -- in common use; their degree is much too high." Now, correct the misleading summary (or be an uninformed FUD spreader like Computerworld).

    1. Re:Correct the summary/FUD by secPM_MS · · Score: 5, Informative

      The "low degree" here may be a bit higher than most readers suspect. The abstract I have for the talk is:

      ABSTRACT: In this talk I will describe a new algebraic attack which is very powerful and very general. It can solve large systems of low degree polynomial equations with surprisingly low complexity. For example, solving dense random-looking equations of degree 16 in several thousand variables over GF(2) (which correspond to many types of LFSR-based stream ciphers) can now be practically done in less than 2^{32} complexity by the new technique.

      That said, the algebraic degree associated with modern block codes is far beyond this. The possible utility of such approaches in reducing the complexity of collision generation in hashes is yet undetermined.

    2. Re:Correct the summary/FUD by CodeBuster · · Score: 3, Interesting

      That said, the algebraic degree associated with modern block codes is far beyond this.

      Would not a modern block cipher, AES for example, be of at least order 128 or possibly higher with at least as many variables? It was also mentioned in the summary of TFA that older or lower power devices might be vulnerable, but really where are these devices being used right now? It has been my experience that if something is encrypted at all (i.e. someone actually bothered to think about security) then a stronger algorithm is generally selected (AES, 3-DES, Twofish, etc...); otherwise, and this happens all too often, encryption is simply not employed even though it easily could have been and probably should have been.

    3. Re:Correct the summary/FUD by swillden · · Score: 3, Informative

      Would not a modern block cipher, AES for example, be of at least order 128 or possibly higher with at least as many variables?

      No. When you convert a cipher into a set of polynomial equations, the degree is dependent upon internal details of the cipher. It has nothing to do with the number of bits in the key. For example, I can make a cipher with a 1000-bit key, but a structure that is so simple that it can be represented with a linear function -- degree 1.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
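
A worked illustration of the mechanism the abstract above describes (summing a low-degree GF(2) polynomial over a "cube" of attacker-chosen public bits to obtain a "superpoly" that is linear in the key bits, then solving the resulting linear system), and of swillden's point that what the attack needs is low degree, not a short key. This is an added example and not code from the page, from Shamir's talk, or from the Dinur and Shamir paper. The toy cipher, its 4-bit key and 4 public bits, the cube choices and the secret key are all constructed for the illustration; finding good cubes for a real cipher, the expensive part of the real attack, is assumed done here.

```python
"""Toy cube attack against a black-box output bit that is a low-degree
polynomial over GF(2) in secret key bits k[] and public bits v[].
Constructed example; parameters and cipher are assumptions, not a real design."""
import itertools
import random

N_KEY = 4   # secret key bits k0..k3 (toy size, an assumption)
N_PUB = 4   # public bits v0..v3 chosen by the attacker (chosen-IV setting)


def toy_cipher(key, pub):
    """One output bit of a made-up cipher; the attack treats it as a black box."""
    k, v = key, pub
    return ((v[0] & v[1] & k[0]) ^ (v[0] & v[1])      # cube {0,1}   -> k0 + 1
            ^ (v[0] & v[1] & v[2] & k[1])             # cube {0,1,2} -> k1
            ^ (v[2] & v[3] & (k[2] ^ k[3]))           # cube {2,3}   -> k2 + k3
            ^ (v[0] & v[3] & k[3])                    # cube {0,3}   -> k3
            ^ (v[1] & k[0] & k[1])                    # cancels in every cube used below
            ^ (k[0] & k[1] & k[2])                    # key-only term: cancels in any cube sum
            ^ (v[3] & k[1] & k[2]))                   # cube {3} -> k1*k2, NOT linear


def cube_sum(oracle, cube):
    """XOR oracle(pub) over all 2^|cube| settings of the cube bits, other public
    bits 0. Over GF(2) this kills every monomial missing a cube variable and
    leaves the superpoly of the cube, evaluated at whatever key the oracle holds."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        pub = [0] * N_PUB
        for idx, b in zip(cube, bits):
            pub[idx] = b
        acc ^= oracle(pub)
    return acc


def superpoly_at(cipher, cube, key):
    """Preprocessing helper: superpoly value for a key the attacker controls."""
    return cube_sum(lambda pub: cipher(key, pub), cube)


def is_affine(cipher, cube, trials=64, seed=1):
    """BLR test: p(0)+p(a)+p(b)+p(a+b)=0 for all a,b iff p is affine (linear
    plus constant). Probabilistic; a non-linear superpoly fails w.h.p."""
    rng = random.Random(seed)
    p0 = superpoly_at(cipher, cube, [0] * N_KEY)
    for _ in range(trials):
        a = [rng.randint(0, 1) for _ in range(N_KEY)]
        b = [rng.randint(0, 1) for _ in range(N_KEY)]
        ab = [x ^ y for x, y in zip(a, b)]
        if p0 ^ superpoly_at(cipher, cube, a) ^ superpoly_at(cipher, cube, b) \
              ^ superpoly_at(cipher, cube, ab):
            return False
    return True


def superpoly(cipher, cube):
    """Preprocessing (key known): recover c + sum_j a_j*k_j by probing with the
    zero key (gives c) and each unit vector e_j (gives c + a_j)."""
    const = superpoly_at(cipher, cube, [0] * N_KEY)
    coeffs = [superpoly_at(cipher, cube, [int(i == j) for i in range(N_KEY)]) ^ const
              for j in range(N_KEY)]
    return coeffs, const


def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2); raises if the system is not full rank."""
    n = len(rows[0])
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    rank = 0
    for col in range(n):
        p = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if p is None:
            continue
        m[rank], m[p] = m[p], m[rank]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                m[r] = [x ^ y for x, y in zip(m[r], m[rank])]
        rank += 1
    if rank != n:
        raise ValueError("system is not full rank; need more cubes")
    return [m[i][n] for i in range(n)]


def cube_attack(cipher, cubes, oracle):
    """Online phase: oracle(pub) is the cipher under an unknown fixed key.
    Each affine cube contributes one linear equation in the key bits."""
    rows, rhs = [], []
    for cube in cubes:
        if not is_affine(cipher, cube):
            continue                                  # unusable cube, skip it
        coeffs, const = superpoly(cipher, cube)       # offline, key-independent
        rows.append(coeffs)
        rhs.append(cube_sum(oracle, cube) ^ const)    # 2^|cube| chosen-IV queries
    return solve_gf2(rows, rhs)


CUBES = [(0, 1), (0, 1, 2), (2, 3), (0, 3), (3,)]     # constructed; last one is non-linear

if __name__ == "__main__":
    secret = [1, 0, 1, 1]                             # constructed unknown key
    print(cube_attack(toy_cipher, CUBES, lambda pub: toy_cipher(secret, pub)))
```

Note what the cost depends on: each equation needs 2^|cube| chosen-IV queries and the final solve is polynomial in the number of key bits, so a 1000-bit key changes nothing if cubes with linear superpolys exist. A cipher whose output polynomial has degree far above the cube sizes you can afford (the point made about AES above) simply never yields such superpolys, and the linearity test rejects every candidate cube.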
  6. Re:Use two different encryption methods. by Zironic · · Score: 3, Informative

    Well, they rely on knowing what method you used, but so does any cryptography attack; it's impossible to create an attack that can target any encryption since it's impossible to tell the difference between something encrypted and random noise.

    So if the attacker knows you're using two different methods he just has to crack them both one at a time. It's not terribly different from knowing you use one method.

    What you're doing is just attempting to practise security through obscurity when you layer encryption on encryption.

  7. Re:ehm by Thelasko · · Score: 4, Funny

    Does this mean, can I finally recover the data encrypted by the Gpcode virus?

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  8. The synopsis stated "low grade" crypto by billsf · · Score: 4, Interesting

    An order of magnitude improvement in cracking a 56-bit key would be significant. However, most of us use far greater key-spaces and only flaws in the crypto itself or the container are the real threat. It is however interesting when anybody can make a massive improvement in cryptanalysis. A 10x improvement would make cracking 40-bit 'consumer-grade' (such as GSM and DECT) crypto trivial on the latest processors. The most likely application is to give governments easy access to snoop 'private' phone and data conversations.

    This is not threatening to me at all. I don't really see the need to encrypt phone calls in the first place. It is absolutely essential to encrypt other data. This seems to be because there is a social taboo about tapping phones, but not so much so with data. Therefore all system admins must use SSH and others should consider it too.

    The real threat is the quantum computer, if it exists in a practical form. If that is the case, there is one complete solution -- The awkward 'one-time pad'.

    1. Re:The synopsis stated "low grade" crypto by eudaemon · · Score: 5, Insightful

      The reason to casually encrypt phone calls or any other data is to prevent the casual snooping of same.

      Look at it this way -- the barrier to entry for snooping your data is very low, and getting lower with each new executive order. On the other hand the barrier to entry on snooping your data can be set arbitrarily high; you can choose anything from 56 bit single-DES to 2048 bit RC4. The effort required to casually snoop you for no other reason has now exploded. It was fear of people adopting this strategy and blocking the casual snooping that inspired the clipper chip. It was the people's laziness, ignorance or both towards protecting their privacy and their fear of terror that has eroded any expectation of privacy now, which is truly unfortunate.

      If we had an expectation of privacy in this country, I think things would be very different now with regards to all the second order effects such as identity theft.

  9. Re:Ha! I'm immune! by oahazmatt · · Score: 5, Funny

    I do one better. I use inkblot tests. I can leave them in plain sight and they're totally secure.

    Co-worker: Your password is "flower"?
    Me: What? No. It's "zombie clown hitting fish with hammer". What's wrong with you?

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  10. Re:disgusting fatbodies by thedonger · · Score: 5, Funny

    I'm sure this post is encrypted...If only there were a way to use Schneier's algorithm...Wait...Got it! Here is the decrypted text:

    Yes, I agree with moderatorrater. It appears Slashdot was jumping the gun. I like to ride mopeds.

    --
    Help fight poverty: Punch a poor person.
  11. Re:Ha! I'm immune! by iminplaya · · Score: 5, Funny

    Me too. It's ******

    --
    What?
  12. Re:Ha! I'm immune! by jam244 · · Score: 5, Funny

    Your password is hunter2?

  13. Re:Use two different encryption methods. by moderatorrater · · Score: 3, Insightful

    I have an enormous amount of respect for Bruce Schneier, but his writing is designed to get him business, not to give easy answers to big problems.

    umm, easy answers to big problems? There are none, sir, and while bruce does occasionally plug his own products, I've never thought that he was just into it to make money. Reading his blog is the most informative part of my day.

    Besides, we all know that his real reason for blogging is to help squid become the dominant species on the planet like they were intended to be.

  14. Re:ehm by MightyMartian · · Score: 5, Funny

    Nonsense. The real solution is to get a court order banning the guy from giving his presentation. After all, as has been demonstrated just recently, court orders are the preferred means of securing anything.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  15. Re:Ha! I'm immune! by MooseMuffin · · Score: 3, Funny

    No you moron, that's my password!

  16. Cube attack in detail... by Anonymous Coward · · Score: 4, Funny

    ENCRYPTION IS CUBE
    cube have 4 sides
    1 side = 1 encryption stage
    ENCRYPTION STAGE IS TIME
    TIME IS CUBE
    THEREFORE ENCRYPTION = TIME
    time slowed by day/night on planet corners
    move algorithm to cube corners to solve in limited time
    move algorithm to cube centers to unsolve in unlimited time.

  17. Re:"Cube" attack by k1e0x · · Score: 3, Funny

    TIMECUBE theory can never be broken because Shamir's math is educated stupid.

    --
    Bringing liberty to the masses. - http://freetalklive.com/
  18. It will be interesting to see the full paper by wirelessbuzzers · · Score: 4, Insightful

    I saw the talk. The cube attack was very impressive: it allowed Shamir to break a fairly difficult-looking toy cipher (constructed, of course, to have an Achilles heel, but still probably impossible to break with other known techniques). He used only one bit per packet (with a million packets) and didn't use any particular knowledge of the cipher's internals.

    However, as presented the attack probably only breaks toy examples. Its real-world applicability will depend on how well Shamir and Dinur manage to adapt it to ciphers which don't have this simple structure. For example, it will be difficult to apply the attack to either hash functions or block ciphers, because their iterated design tends to give them high degree. The attack will also be difficult to adapt because of its low tolerance for noise and its applicability to a narrow range of scenarios. Still, Shamir believes that it will be applicable at least to some modern stream ciphers, so I'll be keeping an eye out for the full version.

    --
    I hereby place the above post in the public domain.
  19. Hold on, I've got to get this out of my system by sabre86 · · Score: 4, Funny

    ...password ... like 1-2-3-4.

    So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    Apologies to Rick Moranis and Mel Brooks.

    That said, what's the difference between lower case numbers and upper case numbers?

    --sabre86

  20. Re:ehm by UncleTogie · · Score: 4, Funny

    "Honey, we've simply GOT to have all this porn.... to recover our hard drive!"

    Kudos to the individual that can pull THAT line off...

    --
    Don't tell me to get a life. I'm a gamer; I have LOTS of lives!