[IWAR] Re: (g2i) 3DES weakness

From: Dorothy Denning (denningat_private)
Date: Wed Apr 01 1998 - 08:25:46 PST

  • Next message: 7Pillars Partners: "[IWAR] INTERNET spam flurry expected"

      3DES weakness paper (and other interesting papers):
    Biham and Knudsen's attack against Triple-DES is an interesting result
    and worth following.  However, while of theoretical interest, it
    is not practical.
    One attack requires 2^65 blocks of chosen ciphertext (i.e., you pick the
    ciphertext and request the plaintext from the person whose messages
    you're trying to break).  Even ignoring the prospects of getting the
    plaintext for chosen ciphertext at all, if I've done my math right,
    that's about 1 billion terabytes of data that must be acquired from a
    single message.  I can't even imagine the download time :-)
    The other attack requires that you get a known plaintext block encrypted
    under 2^33 (about 10 billion) variants of one of the three keys.  You,
    of course, do not know that key or the others, but you must be able to
    control exactly how these variants are formed.  Thus, this can be
    regarded as a chosen-key attack of sorts (the authors call it a
    "related-key" attack).  Then you crack that one key.  The second key is
    cracked with a chosen ciphertext attack and the third key by brute
    The time requirements for the attacks are not much more than for
    breaking single DES, but the chosen ciphertext and chosen key
    requirements are the show stoppers.  To pull these off, you really must
    have access to the encryption process, as it is unlikely your adversary
    will be a willing accomplice.  But if you can get that kind of access,
    you can probably get plaintext and keys by much simpler methods.  Folks
    like Eric Thompson at AccessData Corp. do this all the time.
    Cryptographers worry about these flaws, however, as they might be
    signs of weaknesses that could be exploited by more practical
    means.  So codes are designed to withstand even theoretical attacks 
    like this.  The version of Triple-DES that Biham and Knudsen attacked
    had already undergone several rounds of revisions to patch up
    other weaknesses.  One has to wonder, however, whether the quest
    for a method that withstands all theoretical attacks is worth the
    effort or even has an end.
    Dorothy Denning

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:50 PDT