[ISN] Cryptanalysis of Multiswap

From: InfoSec News (isnat_private)
Date: Mon Oct 29 2001 - 00:50:31 PST


Forwarded from: Gary Stock <gstockat_private>

Topic: a new Microsoft block cipher dissected, and its weakness revealed.

Some readers may prefer a more 'mainstream' analysis of this exploit,
which I suspect will appear soon enough.  The original introduction and
conclusion appear below, with full details here:

The use of graphical notation in the original may make transcription to
flat text inappropriate.  I encourage interested cryptogs to visit the
URL directly (while it is permitted to persist :-)

A few mirrors, with proper attribution, might not hurt...

Cryptanalysis of Multiswap

Nikita Borisov, Monica Chew, Rob Johnson, and David Wagner
UC Berkeley

An anonymous security researcher working under the pseudonym "Beale
Screamer" reverse engineered the Microsoft Digital Rights Management
subsystem and, by October 20th, the results were available on
cryptome.org.  As part of the reverse engineering effort Screamer found
an unpublished block cipher, which he dubbed MultiSwap, being used as
part of DRM.  Screamer did not need to break the MultiSwap cipher to
break DRM, but we thought it would be a fun exercise, and summarize the
results of our investigation below.  The attacks described here show
weaknesses in the MultiSwap encryption scheme, and could potentially
contribute to an attack on DRM.  However, the attack on DRM described by
Beale Screamer would be much more practical, so we feel that these
weaknesses in MultiSwap do not pose a significant threat to DRM at this time.
We present these results to further the science of computer security,
not to promote rampant copying of copyrighted music.

The cipher

The MultiSwap algorithm takes a 64-bit block consisting of two 32-bit
numbers x0 and x1 and encrypts them using the subkeys
k0,...,k11 as diagramed below...

[...body of article contains graphic notation...]

We have seen that MultiSwap can be broken with a 2^14 chosen-plaintext
attack or a 2^22.5 known-plaintext attack, requiring 2^25 work.  We
believe this shows that MultiSwap is not safe for any use.

# # #

Gary Stock                                            vox 616.226.9550
CIO & Technical Compass                               fax 616.349.9076
Nexcerpt, Inc.                                     gstockat_private
  "The first thing you'll notice is, when the camera's plugged in..."
  Bill Gates, launching Windows XP Earthquake, Seattle, 28 Feb 2001

ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.
