Brute force attack

From Wikipedia, the free encyclopedia

The EFF's US$250,000 DES cracking machine contained over 1,800 custom chips and could brute force a DES key in a matter of days. The photograph shows a DES Cracker circuit board fitted with several Deep Crack chips.

In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities; for example, a large number of the possible keys in a key space in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but it is set up in such a way that it would be computationally infeasible to carry out. Accordingly, one definition of "breaking" a cryptographic scheme is to find a method faster than a brute force attack.

The selection of an appropriate key length depends on the practical feasibility of performing a brute force attack. By obfuscating the data to be encoded, brute force attacks are made less effective as it is more difficult to determine when one has succeeded in breaking the code.

[edit] Symmetric ciphers

For symmetric-key ciphers, a brute force attack typically means a brute-force search of the key space; that is, testing all possible keys in order to recover the plaintext used to produce a particular ciphertext.

In a brute force attack, the expected number of trials before the correct key is found is equal to half the size of the key space. For example, if there are 2⁶⁴ possible keys, a brute force attack would, on average, be expected to find a key after 2⁶³ trials.^[1]

For each trial of a candidate key the attacker needs to be able to recognize when he has found the correct key. The most straightforward way is to obtain a few corresponding plaintext and ciphertext pairs, that is, a known-plaintext attack or crib. Alternatively, a ciphertext-only attack is possible by decrypting ciphertext using each candidate key, and testing the result for similarity to plaintext language—for example, English encoded in ASCII.

In general, a symmetric key cipher is considered secure if there is no method less expensive (in time, memory requirements, etc) than brute force; Claude Shannon used the term "work factor" for this.

The COPACOBANA machine is a reprogrammable and cost-optimized hardware for cryptanalytical applications such as exhaustive key search. It was built for US$10,000 by the Universities of Bochum and Kiel, Germany, and contains 120 low-cost FPGAs.

Symmetric ciphers with keys of length up to 64 bits have been broken by brute force attacks. DES, a widely-used block cipher which uses 56-bit keys, was broken by custom hardware in 1998 (see EFF DES cracker), and a message encrypted with RC5 using a 64-bit key was broken more recently by Distributed.net. More recently, the COPACOBANA (Cost-Optimized Parallel COde Breaker) was built, which is a reconfigurable code breaker that is suited for key searching of many different algorithms, including DES. In addition, it is commonly speculated^[who?] that government intelligence agencies (such as the U.S. NSA) can successfully attack a symmetric key cipher with long key lengths, such as a 64-bit key, using brute force. For applications requiring long term security, 128 bits is, as of 2004^[update], is currently thought^[who?] a sufficient key length for new systems using symmetric key algorithms. NIST has recommended that 80-bit designs be phased out by 2015.

If keys are generated in a weak way, for example, derived from a guessable-password, it is possible to exhaustively search over a much smaller set, for example, keys generated from passwords in a dictionary. See password cracking and passphrase for more information.

Ciphers with proven perfect secrecy, such as the one-time pad, cannot be broken by a brute force attack.

[edit] Theoretical limits

The resources required for a brute force attack scale exponentially with increasing key size, not linearly. As a result, doubling the key size for an algorithm does not simply double the required number of operations, but rather squares them. Although algorithms which use 56-bit keys (e.g. the obsolete DES) are now vulnerable to brute force attack, this is not true of more modern encryption algorithms such as AES, Twofish and Serpent which use 128-, 192- or 256-bit keys as standard.

There is a physical argument that a 128-bit symmetric key is secure against brute force attack. The so-called Von Neumann-Landauer Limit implied by the laws of physics sets a lower limit on the energy required to perform a computation of $ln(2) k T$ per bit erased in a computation, where T is the temperature of the computing device in kelvin, k is the Boltzmann constant, and the natural logarithm of 2 is about 0.693. No irreversible computing device can use less energy than this, even in principle.^[2]

Thus, in order to simply flip through the possible values for a 128-bit symmetric key (ignoring doing the actual computing to check it) would require $2128 - 1$ bit flips. If we assume that the calculation occurs near room temperature (~300 K) we can apply the Von Neumann-Landauer Limit to estimate the energy required as $~10^{18}$ Joules, which is equivalent to consuming 30 gigawatts of power for one year ( $30 \times 10^9 W \times 365 \times 24 \times 3600 s = 9.46 \times 10^{17} J$ ). The full actual computation—checking each key to see if you have found a solution—would consume many times this amount.

However, this argument assumes that the register values are changed using conventional set and clear operations which inevitably generate entropy. It has been shown that computational hardware can be designed not to encounter this theoretical obstruction: see reversible computing. It should be pointed out that no such computers are known to have been constructed.

The amount of time required to break a 128-bit key is also daunting. Each of the $2128$ (340,282,366,920,938,463,463,374,607,431,768,211,456) possibilities must be checked. A device that could check a billion billion keys ( $1018$ ) per second would still require about $1013$ years to exhaust the key space. This is a thousand times longer than the age of the universe, which is about 13,000,000,000 ( $1.3 \times 10^{10}$ ) years.^{[citation needed]}

AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires $2128$ times more computational power than a 128-bit key. A device that could check a billion billion ( $1018$ ) AES keys per second would require about $3 \times 10^{51}$ years to exhaust the 256-bit key space.

Hence, 128-bit symmetric keys are impractical to attack by brute force methods using current technology and resources, and 256-bit keys are not likely to be broken by brute force methods using any obvious future technology^{[citation needed]}. The underlying assumption is that the complete keyspace is used to generate keys, something that relies on an effective random number generator. For example, a number of systems that were originally thought to be impossible to crack by brute force have nevertheless been cracked in this way because the key space to search through was found to be much smaller than originally thought, due to a lack of entropy in their pseudorandom number generators. These include Netscape's implementation of SSL (famously cracked by Ian Goldberg and David Wagner in 1995^[3]) and a Debian implementation of OpenSSL cracked in 2008.^[4]

[edit] Unbreakable codes

Certain types of encryption, by their mathematical properties, cannot be defeated by brute force. An example of this is one-time pad cryptography, where every cleartext bit has a corresponding key bit. One-time pads rely on the ability to generate a truly random sequence of key bits. A brute force attack would eventually reveal the correct decoding, but also every other possible combination of bits, and would have no way of distinguishing one from the other. A small, 100-byte, one-time-pad–encoded string subjected to a brute force attack would eventually reveal every 100-byte string possible, including the correct answer, but mostly nonsense. Of all the answers given, there is no way of knowing which is the correct one. Nevertheless, the system can be defeated if not implemented correctly, for example if one-time pads are re-used.^[5]

[edit] See also

Side-channel attack
Cryptographic key length for a fuller discussion of recommended key sizes for symmetric and asymmetric algorithms.
TWINKLE and TWIRL
40-bit encryption
Distributed.net
MD5CRK
Unicity distance
RSA Factoring Challenge
Custom hardware attack
Dictionary attack

[edit] References

^ Bruce Schneier (1996). Applied Cryptography, Second Edition. John Wiley & Sons. pp. 151. ISBN 0-471-11709-9.
^ Rolf Landauer, "Irreversibility and heat generation in the computing process," IBM Journal of Research and Development, vol. 5, pp. 183-191, 1961.
^ John Viega, Matt Messier, Pravir Chandra (2002). Network Security with OpenSS. O'Reilly. pp. 18. ISBN 059600270X. http://books.google.com/books?id=FBYHEBTrZUwC. Retrieved on 2008-11-25.
^ "Technical Cyber Security Alert TA08-137A: Debian/Ubuntu OpenSSL Random Number Generator Vulnerability". United States Computer Emergency Readiness Team. 2008-05-16. http://www.us-cert.gov/cas/techalerts/TA08-137A.html. Retrieved on 2008-08-10.
^ Robert Reynard (1997). Secret Code Breaker II: A Cryptanalyst's Handbook. pp. 86. ISBN 1889668060. http://books.google.com/books?id=3nTmBW0ONEEC&pg=PA86. Retrieved on 2008-09-21.

Leonard M. Adleman, Paul W. K. Rothemund, Sam Roweis and Erik Winfree, On Applying Molecular Computation To The Data Encryption Standard, in Proceedings of the Second Annual Meeting on DNA Based Computers, Princeton University, June 10–12, 1996.
Cracking DES — Secrets of Encryption Research, Wiretap Politics & Chip Design by the Electronic Frontier Foundation (ISBN 1-56592-520-3).
W. Diffie and M.E. Hellman, Exhaustive cryptanalysis of the NBS Data Encryption Standard, Computer 10 (1977), pp74–84.
Michael J. Wiener, "Efficient DES Key Search", presented at the rump session of Crypto 93; reprinted in Practical Cryptography for Data Internetworks, W. Stallings, editor, IEEE Computer Society Press, pp31–79 (1996).

[edit] External links

[0] Bruce Schneier (1996). Applied Cryptography, Second Edition. John Wiley & Sons. pp. 151. ISBN 0-471-11709-9.

[1] Rolf Landauer, "Irreversibility and heat generation in the computing process," IBM Journal of Research and Development, vol. 5, pp. 183-191, 1961.

[2] John Viega, Matt Messier, Pravir Chandra (2002). Network Security with OpenSS. O'Reilly. pp. 18. ISBN 059600270X. http://books.google.com/books?id=FBYHEBTrZUwC. Retrieved on 2008-11-25.

[3] "Technical Cyber Security Alert TA08-137A: Debian/Ubuntu OpenSSL Random Number Generator Vulnerability". United States Computer Emergency Readiness Team. 2008-05-16. http://www.us-cert.gov/cas/techalerts/TA08-137A.html. Retrieved on 2008-08-10.

[4] Robert Reynard (1997). Secret Code Breaker II: A Cryptanalyst's Handbook. pp. 86. ISBN 1889668060. http://books.google.com/books?id=3nTmBW0ONEEC&pg=PA86. Retrieved on 2008-09-21.

[1]

[2]

[3]

[4]

[5]

Brute force attack

From Wikipedia, the free encyclopedia

Contents

[edit] Symmetric ciphers

[edit] Theoretical limits

[edit] Unbreakable codes

[edit] See also

[edit] References

[edit] External links

Views

Personal tools

Navigation

Search

Interaction

Toolbox

Languages