[IWAR] Re: (g2i) 3DES weakness

From: Dorothy Denning (denningat_private)
Date: Wed Apr 01 1998 - 08:25:46 PST

    3DES weakness paper (and other interesting papers):
    http://www.cs.technion.ac.il/%7Ebiham/publications.html

Biham and Knudsen's attack against Triple-DES is an interesting result
and worth following.  However, while of theoretical interest, it
is not practical.

One attack requires 2^65 blocks of chosen ciphertext (i.e., you pick the
ciphertext and request the plaintext from the person whose messages
you're trying to break).  Even ignoring the prospects of getting the
plaintext for chosen ciphertext at all, if I've done my math right,
that's about 1 billion terabytes of data that must be acquired from a
single message.  I can't even imagine the download time :-)

The other attack requires that you get a known plaintext block encrypted
under 2^33 (about 10 billion) variants of one of the three keys.  You,
of course, do not know that key or the others, but you must be able to
control exactly how these variants are formed.  Thus, this can be
regarded as a chosen-key attack of sorts (the authors call it a
"related-key" attack).  Then you crack that one key.  The second key is
cracked with a chosen ciphertext attack and the third key by brute
force.

The time requirements for the attacks are not much more than for
breaking single DES, but the chosen ciphertext and chosen key
requirements are the show stoppers.  To pull these off, you really must
have access to the encryption process, as it is unlikely your adversary
will be a willing accomplice.  But if you can get that kind of access,
you can probably get plaintext and keys by much simpler methods.  Folks
like Eric Thompson at AccessData Corp. do this all the time.

Cryptographers worry about these flaws, however, as they might be
signs of weaknesses that could be exploited by more practical
means.  So codes are designed to withstand even theoretical attacks
like this.  The version of Triple-DES that Biham and Knudsen attacked
had already undergone several rounds of revisions to patch up
other weaknesses.  One has to wonder, however, whether the quest
for a method that withstands all theoretical attacks is worth the
effort or even has an end.

Dorothy Denning

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:50 PDT