Slashdot Mirror

← Back to Stories (view on slashdot.org)

MIT Research: Encryption Less Secure Than We Thought

Posted by Soulskill on from the but-still-pretty-darn-secure dept.

A group of researchers from MIT and the University of Ireland has presented a paper (PDF) showing that one of the most important assumptions behind cryptographic security is wrong. As a result, certain encryption-breaking methods will work better than previously thought. "The problem, Médard explains, is that information-theoretic analyses of secure systems have generally used the wrong notion of entropy. They relied on so-called Shannon entropy, named after the founder of information theory, Claude Shannon, who taught at MIT from 1956 to 1978. Shannon entropy is based on the average probability that a given string of bits will occur in a particular type of digital file. In a general-purpose communications system, that’s the right type of entropy to use, because the characteristics of the data traffic will quickly converge to the statistical averages. ... But in cryptography, the real concern isn't with the average case but with the worst case. A codebreaker needs only one reliable correlation between the encrypted and unencrypted versions of a file in order to begin to deduce further correlations. ... In the years since Shannon’s paper, information theorists have developed other notions of entropy, some of which give greater weight to improbable outcomes. Those, it turns out, offer a more accurate picture of the problem of codebreaking. When Médard, Duffy and their students used these alternate measures of entropy, they found that slight deviations from perfect uniformity in source files, which seemed trivial in the light of Shannon entropy, suddenly loomed much larger. The upshot is that a computer turned loose to simply guess correlations between the encrypted and unencrypted versions of a file would make headway much faster than previously expected. 'It’s still exponentially hard, but it’s exponentially easier than we thought,' Duffy says."

47 of 157 comments (clear)

  1. What does this have to do with Computors? by For+a+Free+Internet · · Score: 5, Funny

    I thought this was News for Nerds, but instead we are reading about Math, which is some kind of religion, and I am an Atheist.

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
  2. good news for NSA by minstrelmike · · Score: 5, Interesting

    According to the Wired article on the huge Utah data center, its purpose is to store encrypted messages from foreign embassies and eventually, some time in the future, decrypt them and gain insight into how the 'enemy' (any foreigner) thinks. That time is now exponentially closer.

    1. Re:good news for NSA by DigitAl56K · · Score: 4, Insightful

      I severely doubt this is news to the NSA.

    2. Re:good news for NSA by Bob+the+Super+Hamste · · Score: 3, Informative
      But at the same time

      It’s still exponentially hard

      .

      --
      Time to offend someone
    3. Re:good news for NSA by Anonymous Coward · · Score: 2, Insightful

      Bad news for the NSA. Known insecurity can be fixed either through patch or brute force (bigger key). The NSA, I'm sure, prefers secret insecurity.

    4. Re:good news for NSA by Anonymous Coward · · Score: 5, Interesting

      Maybe, maybe not. Consensus has shifted, and many researchers no longer believe that the NSA has the best and the brightest, or that they possess much fundamental cryptographic insight not already available to civilian researchers.

      When the NSA tried to sneak a back door into an optional random number generator specified in a recent NIST specification, they were almost immediately caught by academics. http://en.wikipedia.org/wiki/Dual_EC_DRBG

      On the other hand, operationally they're clearly second to none. Security engineering and penetration involve much more than basic mathematical insight.

    5. Re:good news for NSA by MarkvW · · Score: 3, Insightful

      And, if you let them, the NSA will be owning exponentially expensive taxpayer-funded stuff that is then used to spy on taxpayers.

    6. Re:good news for NSA by freeze128 · · Score: 4, Funny

      Good! If it gets exponentially closer, that means it will never arrive!

    7. Re:good news for NSA by minstrelmike · · Score: 5, Funny

      When the NSA tried to sneak a back door into an optional random number generator specified in a recent NIST specification, they were almost immediately caught by academics. http://en.wikipedia.org/wiki/Dual_EC_DRBG

      They probably should have taken lessons from Xerox if they wanted to embed random numbers in documents.

    8. Re:good news for NSA by nospam007 · · Score: 2

      This works only if the content is only encrypted _once_.
      If you encrypt it twice, there will be no correlation, no recognizable content.

    9. Re:good news for NSA by camperdave · · Score: 2

      Um... Zeno died of an arrow wound trying to prove that.

      --
      When our name is on the back of your car, we're behind you all the way!
    10. Re:good news for NSA by BronsCon · · Score: 2, Interesting

      Shit I'm not even a crypto expert and it wasn't news to me. If you know what part of a stream of data is supposed to look like and you know where in the stream that part of the data should be, you can attack that part of the stream to determine at least a portion of the decryption key. From there, you try the partial key at set intervals within the datastream and look for anything else familiar, such as file headers or plain ol' empty space, additional patches of data you can fill in from things you already know. Lather, rinse, repeat, until you have the whole key.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    11. Re:good news for NSA by Shaiku · · Score: 5, Informative

      I read the article. The impression I got was that it will still take the same time today that it would have taken yesterday to break encryption, but it turns out that the metric used to demonstrate an algorithm's effectiveness at hiding information was inadequate for electronic communication. In a nutshell, the latest math explains that most encryption systems are vulnerable to side-channel attacks, even if you might not have realized it. But side-channel attacks have been employed for a long time, so those who do security already knew this anecdotally.

    12. Re:good news for NSA by doublebackslash · · Score: 5, Insightful

      I'll undo my moderation in this thread just to tell you that you are wrong. One cannot determine the key from the ciphertext. If they can this is known as a "break" in the cipher.

      A "break" in a cipher does not mean that it is practical to find the key, merely that it is more feasible than mere brute force. For example, a "break" could reduce the effective strength of a cipher from 256 bits to 212 bits under a known plaintext attack. This is a BAD break in the cipher given current standards, but it is the cipher is still completely uncrackable in human (or even geologic) timescales.

      The "weeks or months" number, by the way, has nothing to do with cracking cryptographic keys. I would surmise that is a number more geared towards cracking passwords, which is an entirely different topic. Also, for some realistic numbers on cracking encryption keys, check out Thermodynamic limits on cryptanalysis

      --
      md5sum /boot/vmlinuz
      d41d8cd98f00b204e9800998ecf8427e /boot/vmlinuz
    13. Re:good news for NSA by VortexCortex · · Score: 5, Funny

      Um... Zeno died of an arrow wound trying to prove that.

      "I used to believe in an infinitely divisible universe like you,
      then I took an arrow in the knee."
      - Zeno

    14. Re:good news for NSA by lgw · · Score: 2

      I'm not sure what the intent was with Dual_EC_DRBG! It's a bit silly to believe it was "sneaking in a backdoor" because (1) people figured it out using techniques the NSA knew were public, and more importantly (2) the dang thing is so slow there's no way anyone ever would have used it in the first place.

      The first you can argue was NSA arrogance, but the second? The second is just weird. I could believe the NSA trying to sneak in a backdoor, but one that obviously no one would use? I don't even?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    15. Re:good news for NSA by blincoln · · Score: 3, Insightful

      Actually, you're both wrong.

      For certain types of encryption, you are right - a known-plaintext attack that easily reveals the key is a fatal problem for the encryption method. This is true of AES, for example. The converse is also true - currently, knowing the plaintext and encrypted values for an AES-encrypted block of data does not let an attacker determine the encryption key in a reasonable amount of time. It still requires testing every possible key to see if it produces the same encrypted block given the known plaintext.

      Other types of encryption are absolutely vulnerable to known-plaintext attacks. I'm less familiar with this area, but certain common stream ciphers (like RC4) are literally just an XOR operation, and so if you know the plaintext and ciphertext, you can obtain the keystream by XORing them together.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    16. Re:good news for NSA by shadowofwind · · Score: 2

      But at the same time

      It’s still exponentially hard

      .

      Maybe stating the obvious...."exponentially" isn't a synonym for "very". How hard it is depends on what the base and the exponent is.

    17. Re:good news for NSA by Anonymous Coward · · Score: 3, Insightful

      If the NSA was only concerned with open source cryptographic products and protocols, you would have a point. But aside from government procurement, NIST standards are in practice used to specify deliverables for corporate security products. Getting Duel_EC_DRBG into a NIST standard is the equivalent of putting a backdoor into an ISO standard for door locks.

      Once in the standard, the NSA can then lean on vendors to use the broken algorithm, and the vast majority of users of that product would be none the wiser. Most corporate security products are opaque and proprietary, and the purchasing agents are unlikely to have a clue about the problem. All they want to see is "NIST-approved".

      All we can do is conjecture, but I don't think the scenario is that outlandish. To my mind it seems more like standard operating procedure than unlikely conspiracy. The fact that the backdoor is clumsy reflects less on the carelessness of the NSA, and more on the exceptional skills of the civilian community. We're smarter now. The NSA has fewer tricks up its sleeve, but it's not like they can just quit and go home.

  3. Just Great by Anonymous Coward · · Score: 5, Funny

    Just great, Now instead of 100 Quintillion years, it's only going to take 100 Trillion years to decrypt my porn

    1. Re:Just Great by Anonymous Coward · · Score: 4, Funny

      I have changed my key from '1234' to '123456' to mitigate this...

    2. Re:Just Great by steelfood · · Score: 2

      Mine is hunter2. And I know it's safe because it looks like ******* to you.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  4. Huh? by Black+Parrot · · Score: 3, Insightful

    What correlation between the plaintext and cyphertext are they talking about?

    Also, I think there is a theorem about modern crypto systems that says if you can guess one bit, the rest doesn't get any easier.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:Huh? by Arker · · Score: 5, Interesting

      Any correlation between plain and cipher. For instance if you can deduce that a particular string will occur at a particular point in the plaintext, then you can isolate the cipher equivelant and use that as a lever to break the rest of the ciphertext. You dont have to deduce it with certainty for this to be important, even if you have to try and discard a number of possible correlations before you find one that holds up.

      This is a pretty basic old-school cryptographic method, kind of fun to think that fancy-pants mathematicians have been missing it all these years.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    2. Re:Huh? by Anonymous Coward · · Score: 3, Informative

      There is no "cipher equivalent", unless you're doing something stupid like using ECB mode.
      No modern encryption scheme works by simple one-to-one substitution; you use a nonce or an IV with a chaining mode so that even if the same plaintext appears several times, either in the same document or over multiple messages, it will "never" (neglible chance) encode to the same value twice.

    3. Re:Huh? by Trepidity · · Score: 5, Informative

      As usual, the paper makes more sense than the press release, but is less grandiose in its claims.

      It's a fairly technical result that finds some appeals to the asymptotic equipartition property lead to too-strong claims, compared to a more precise analysis.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    4. Re:Huh? by Speare · · Score: 2

      If you want a visual analogy that works, think of the "WOPR guesses launch codes" scene in War Games. In that movie, it's really just eye candy to drive tension in the plot, but it works in that general way for larger texts. If WOPR could somehow compute or infer that the third digit of the launch code is A, and can't be any other letter, then it "locks" that digit down and looks for other inferences it can make. Code breaking and sudoku overlap here too.

      --
      [ .sig file not found ]
    5. Re:Huh? by Hatta · · Score: 5, Funny

      Also, I think there is a theorem about modern crypto systems that says if you can guess one bit, the rest doesn't get any easier.

      Nah, once you guess one bit, the only bit left is zero.

      --
      Give me Classic Slashdot or give me death!
    6. Re:Huh? by Arker · · Score: 2

      It's not supposed to lead to better cracks. It's supposed to lead to a more accurate mathematical representation of how difficult cracks are to achieve.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
  5. Interesting times by DigitAl56K · · Score: 3, Insightful

    There was also an article on Slashdot just over a week ago about a separate advance against RSA.
    http://it.slashdot.org/story/13/08/06/2056239/math-advance-suggest-rsa-encryption-could-fall-within-5-years

    A picture is emerging where not only are the tools available to the layman for protecting information difficult to use, their is a good chance that they also do not offer as much protection as we have long held them to provide.

    1. Re:Interesting times by nigelo · · Score: 3, Funny

      There, there - They're there.

      --
      *Still* negative function...
    2. Re:Interesting times by delt0r · · Score: 2

      There is a reason that government does want you to use encryption.... And not because it gives you a false sense of security

      --
      If information wants to be free, why does my internet connection cost so much?
  6. FUD by sinij · · Score: 3, Interesting

    This is well-known FUD that is making life difficult in government-facing Information Assurance circles. We are still talking ^n where to bruteforce N >>> heat death of universe. This is such unlikely cause of concern that effort currently spent on mitigating and testing is much better spent on ensuring proper implementation and validation of modern cryptographic algorithms. Instead all they care about is entropy assessment and don't care that it is for the implementation of ROT13.

    1. Re:FUD by sinij · · Score: 2

      >>>This also confirms that full-drive encryption of an OS drive is barely better than an empty admin password when it comes to security.

      This is an absurd claim.

      There is no such thing as "plaintext matching", you probably thinking about CPA (chosen plain text attack). Things like nonce, CBC and random IV make sure that such matching impossible.

    2. Re:FUD by Anonymous Coward · · Score: 3, Insightful

      With all due respect, "citation needed". The authors of the paper aren't FUDsters spewing soundbites for the media, they are presenting it at the International Symposium on Information Theory before their peers. I can't tell from the link whether the paper has been accepted by a peer-reviewed journal or whether it's still in review, so some skepticism might be called for before uncritically accepting the conclusions, but this is still a far cry from FUD.

      I'd like to see something more than just a dismissive handwave that this is "well known" old news and not new evidence of weaknesses in cryptographic methods. Even if this has been suspected for some time and the paper merely describes rigorously the nature of such weaknesses, that's still scientific progress and undeserving of the label FUD.

    3. Re:FUD by c0d3g33k · · Score: 2

      This isn't dismissive hand wave. What they discovered is a marginal concern, especially when dealing with on-the-way-out algorithms (e.g. 3DES).

      "Dismissive hand wave" refers to your terse dismissal and accusations of FUD while providing nothing more than personal opinion as evidence. If there is a basis for your assertions, prove it with links to actual proof that this is nothing.

      Authors are FUDsters not because what they discovered is false, but because they are making huge deal out of it, and some illiterate CIOs within government circles listened and redirected resources to mitigate this non-issue.

      You must be in the field, then, and have inside knowledge. You come across as someone who is offended by the behavior of attention seeking scientific peers and are calling them out. Fine. But the MIT research article and the paper it describes don't support your claims - they appear to be a typical report of interesting research by MIT researchers and a fairly typical scientific paper. They don't seem to be making a huge deal out of anything. So your assertions must be based on additional information that we don't know about. If there is evidence to support your accusation of FUD and 'making a big deal', show us why you believe this is true. Otherwise you're just some /.er throwing out insulting accusations. Back those accusations up with something substantial and we might all learn something useful.

  7. University of Ireland is gibberish by Anonymous Coward · · Score: 3, Informative

    It is (as given on the paper) the "National University of Ireland, Maynooth" and NOT simply "University of Ireland". "The constituent universities are for all essential purposes independent universities, except that the degrees and diplomas are those of the National University of Ireland with its seat in Dublin". I'm from Ireland and had no clue WTF "University of Ireland" was going to be and had it not been for the MIT connection would have assumed it was one of those places you send a few dollars to get a "fake" degree. When and if it's truncated you might see "NUI", "NUIM" or "NUI Maynooth".

  8. Common mistake. by Hatta · · Score: 5, Interesting

    I remember reading in an ecology textbook about researchers who wanted to model reforestation after a Mt. St. Helens erupted. They used the average seed dispersion as input to their model, and found that reforestation occured much, much faster.

    Turns out the farthest flung seeds take root just as well as the average seed, and they grow and disperse seeds. And the farthest flung of those seeds grow and disperse seeds, compounding the disparity between average and extreme seed dispersion.

    Just something to keep in mind when you're working with averages.

    --
    Give me Classic Slashdot or give me death!
  9. That's why you shouldn't use plain text by NotQuiteReal · · Score: 4, Funny

    Use Word! Those zippy-looking XML-ish .docx files are all messed up!

    --
    This issue is a bit more complicated than you think.
    1. Re:That's why you shouldn't use plain text by gmuslera · · Score: 3, Funny

      I prefer anonymous coward encryption. There should be some meaning in their posts, but not even the NSA could decrypt them.

  10. Times have changed by Anonymous Coward · · Score: 3, Interesting

    I don't have insider knowledge, this is just speculation based on societal trends. Where cryptography used to be the almost exclusive realm of governments to protect their secrets, it is now quite mainstream. Encryption protects e-commerce transactions among other things that are useful for the average person and vital to our businesses. It is now a field that university researchers pay attention to (where only cryptographers under the employ of spy agencies did previously) and companies spend their own money to pursue R&D on.

    The NSA still does research, but it just doesn't seem likely they have a big edge over the academics who public in journals that everyone can read.

  11. Known or chosen plaintext by Geirzinho · · Score: 3, Informative

    How is this in principle different from the known plaintext attacks (https://en.wikipedia.org/wiki/Known-plaintext_attack)?

    These assume that the attacker knows both the encrypted version of the text and the original it was based on, and tries to glean information from their correlation.

    Modern ciphers are made resistant even to chosen plaintext attacks, where the analyst knows the key and can tailor-make pairs of plain- and ciphertext.

    1. Re:Known or chosen plaintext by cryptizard · · Score: 3, Informative

      Pretty sure what they are saying here is that having a lot of Shannon entropy in your key is not enough for security. The paper seems to be deliberately obtuse though, which is really annoying. I am a cryptographer and it doesn't make a whole lot of sense to me right away. They note that if you draw a word from some stochastic process then the difficulty in guessing that word may not be very high, even if the entropy is high. This is completely intuitive and known.

      Imagine you have an algorithm that generates an n-bit secret key. First, it flips a random bit b. If b = 0, then it just outputs a string of n zeroes as the key. If b = 1, then it outputs n random bits. The entropy of this process is n bits, which seems good, but cryptographically it is terrible because half the time it just uses a fixed key of all zeroes. Instead of Shannon entropy, cryptographers uses a different form called min entropy which is inversely proportional to the most likely event. So in the above case, the min entropy would only be one bit, which properly reflects how bad that algorithm is.

      It's late, and I might be missing something, but it doesn't seem like anything that wasn't known before. Particularly, they talk about distributions with high entropy but which are not uniform, and in cryptography you always assume you have uniform randomness. It has been known for quite a while that many things are not even possible without uniform randomness. For instance, it is known that encryption cannot be done without uniform randomness.

  12. Re:Key Size implications by Em+Adespoton · · Score: 5, Interesting

    So, can someone clarify for me exactly what the implications of this are? Is this a lowering of the relevant exponent in the exponentially hard problem, meaning you should multiply your key sizes by some factor that perhaps the paper somehow could provide, or is it a constant factor meaning you should extend your keys by a fixed amount?

    Either way, this is important news. I expect the details depend on the nature of the data in question, so there aren't easy answers. Its things like this that are the reasons we use key sizes that are significantly larger than could be practically cracked today.

    This might be news in mathematical circles, but this has been a known issue in cryptoanalysis circles for years. It's even the basis for the smart card attacks performed by a German group in the mid-90's. Shannon entropy theory is fine for its limited domain, but as soon as you start dealing with encryption-during-transit of values known to the attacker (plus timings and order of sequence), a LOT more has to be done to ensure high entropy of the metainformation too, and Shannon entropy doesn't account for that.

    So in properly defined encryption systems, this isn't much of an issue. The problem arises when people shout "we use AES-256" or "we use SSL/TLS 2.0" (which have fine Shannon entropy) and yet handle that encrypted data in a way that exposes it to pattern analysis attack, whether encrypted or not.

    Note that this is a separate issue from that of choosing a secure encryption key/keylength in the first place. It has more to do with how you're wrapping the unencrypted data and how random separate unencrypted data sets using the same key are.

    The way I've always thought of it is: if the entropy source is truly random, then any meaningful data injected into it will impart a pattern into the randomness. This can be used to identify the data based on patterns discovered in the supposedly random data. Conversely, if the entropy source isn't truly random, it is possible to discover its pattern, extract that from the equation, and what you are left with is the data.

    You still have to deal with the secret key in either case, but this makes building that key exponentially easier, given a known cleartext source and a collection of cleartext encrypted samples. The more encrypted samples of the known cleartext you've got, the simpler the decryption becomes.

  13. Whole-disk encryption a bad idea? by Dorianny · · Score: 2

    Can a knowledgeable party weigh in on what this research means to whole-disk encryption, where an attacker has knowledge of what significant amounts of data, specifically the operating system files, look like un-encrypted? It would seem to me that such knowledge makes the sort of attack described by the article much easier.

  14. Disregard... by Anonymous Coward · · Score: 2, Funny

    Any sentences that starts with, "What if it is we..."

  15. Re:Easy fix by cryptizard · · Score: 2

    This is a widely held misconception. Double encryption is not significantly stronger than single encryption due to the meet-in-the-middle attack.