Network Working Group S. Kelly
Request for Comments: 4772 Aruba Networks
Category: Informational December 2006
Network Working Group S. Kelly
Request for Comments: 4772 Aruba Networks
Category: Informational December 2006
Security Implications of Using the Data Encryption Standard (DES)
使用数据加密标准(DES)的安全影响
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The IETF Trust (2006).
版权所有(C)IETF信托基金(2006年)。
Abstract
摘要
The Data Encryption Standard (DES) is susceptible to brute-force attacks, which are well within the reach of a modestly financed adversary. As a result, DES has been deprecated, and replaced by the Advanced Encryption Standard (AES). Nonetheless, many applications continue to rely on DES for security, and designers and implementers continue to support it in new applications. While this is not always inappropriate, it frequently is. This note discusses DES security implications in detail, so that designers and implementers have all the information they need to make judicious decisions regarding its use.
数据加密标准(DES)易受暴力攻击的影响,资金有限的对手很容易受到暴力攻击。因此,DES已被弃用,取而代之的是高级加密标准(AES)。尽管如此,许多应用程序仍然依赖DES来实现安全性,设计者和实现者继续在新的应用程序中支持DES。虽然这并不总是不合适的,但它经常是不合适的。本说明详细讨论了DES的安全含义,以便设计人员和实现人员能够获得关于DES使用的明智决策所需的所有信息。
Table of Contents
目录
1. Introduction ....................................................3
1.1. Executive Summary of Findings and Recommendations ..........4
1.1.1. Recommendation Summary ..............................4
2. Why Use Encryption? .............................................5
3. Real-World Applications and Threats .............................6
4. Attacking DES ...................................................8
4.1. Brute-Force Attacks ........................................9
4.1.1. Parallel and Distributed Attacks ...................10
4.2. Cryptanalytic Attacks .....................................10
4.3. Practical Considerations ..................................12
5. The EFF DES Cracker ............................................12
6. Other DES-Cracking Projects ....................................13
7. Building a DES Cracker Today ...................................14
7.1. FPGAs .....................................................15
7.2. ASICs .....................................................16
7.3. Distributed PCs ...........................................16
7.3.1. Willing Participants ...............................17
7.3.2. Spyware and Viruses and Botnets (oh my!) ...........18
8. Why is DES Still Used? .........................................19
9. Security Considerations ........................................20
10. Acknowledgements ..............................................21
Appendix A. What About 3DES? .....................................22
A.1. Brute-Force Attacks on 3DES ...............................22
A.2. Cryptanalytic Attacks Against 3DES ........................23
A.2.1. Meet-In-The-Middle (MITM) Attacks ..................23
A.2.2. Related Key Attacks ................................24
A.3. 3DES Block Size ...........................................25
Informative References ............................................25
1. Introduction ....................................................3
1.1. Executive Summary of Findings and Recommendations ..........4
1.1.1. Recommendation Summary ..............................4
2. Why Use Encryption? .............................................5
3. Real-World Applications and Threats .............................6
4. Attacking DES ...................................................8
4.1. Brute-Force Attacks ........................................9
4.1.1. Parallel and Distributed Attacks ...................10
4.2. Cryptanalytic Attacks .....................................10
4.3. Practical Considerations ..................................12
5. The EFF DES Cracker ............................................12
6. Other DES-Cracking Projects ....................................13
7. Building a DES Cracker Today ...................................14
7.1. FPGAs .....................................................15
7.2. ASICs .....................................................16
7.3. Distributed PCs ...........................................16
7.3.1. Willing Participants ...............................17
7.3.2. Spyware and Viruses and Botnets (oh my!) ...........18
8. Why is DES Still Used? .........................................19
9. Security Considerations ........................................20
10. Acknowledgements ..............................................21
Appendix A. What About 3DES? .....................................22
A.1. Brute-Force Attacks on 3DES ...............................22
A.2. Cryptanalytic Attacks Against 3DES ........................23
A.2.1. Meet-In-The-Middle (MITM) Attacks ..................23
A.2.2. Related Key Attacks ................................24
A.3. 3DES Block Size ...........................................25
Informative References ............................................25
The Data Encryption Standard [DES] is the first encryption algorithm approved by the U.S. government for public disclosure. Brute-force attacks became a subject of speculation immediately following the algorithm's release into the public sphere, and a number of researchers published discussions of attack feasibility and explicit brute-force attack methodologies, beginning with [DH77].
数据加密标准[DES]是美国政府批准公开披露的第一个加密算法。暴力攻击在算法发布到公共领域后立即成为猜测的主题,许多研究人员发表了关于攻击可行性和明确暴力攻击方法的讨论,从[DH77]开始。
In the early to mid 1990s, numerous additional papers appeared, including Wiener's "Efficient DES Key Search" [WIEN94], and "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" [BLAZ96]. While these and various other papers discussed the theoretical aspects of DES-cracking machinery, none described a specific implementation of such a machine. In 1998, the Electronic Frontier Foundation (EFF) went much further, actually building a device and freely publishing the implementation details for public review [EFF98].
在20世纪90年代早期到中期,出现了许多其他论文,包括维纳的“高效DES密钥搜索”[WIEN94]和“对称密码的最小密钥长度以提供充分的商业安全”[BLAZ96]。虽然这些论文和其他各种论文讨论了DES裂解机械的理论方面,但没有一篇论文描述了此类机械的具体实现。1998,电子前沿基金会(EFF)走得更远,实际上建立了一个设备,并免费发布公开审查的实施细则[EF98]。
Despite the fact that the EFF clearly demonstrated that DES could be brute-forced in an average of about 4.5 days with an investment of less than $250,000 in 1998, many continue to rely on this algorithm even now, more than 8 years later. Today, the landscape is significantly different: DES can be broken by a broad range of attackers using technologies that were not available in 1998, including cheap Field Programmable Gate Arrays (FPGAs) and botnets [BOT05]. These and other attack methodologies are described in detail below.
尽管事实上EFF清楚地表明DES在1998年的平均投资不到250000美元的情况下,可以在大约4.5天内被粗暴地强迫,但许多人甚至在8年后的今天仍然依赖这种算法。如今,情况大不相同:DES可以被广泛的攻击者利用1998年不可用的技术破坏,包括廉价的现场可编程门阵列(FPGA)和僵尸网络[BOT05]。下面将详细描述这些攻击方法和其他攻击方法。
Given that the Advanced Encryption Standard [AES] has been approved by the U.S. government (under certain usage scenarios) for top-secret applications [AES-NSA], and that triple DES (3DES) is not susceptible to these same attacks, one might wonder: why even bother with DES anymore? Under more ideal circumstances, we might simply dispense with it, but unfortunately, this would not be so simple today. DES has been widely deployed since its release in the 1970s, and many systems rely on it today. Wholesale replacement of such systems would be very costly. A more realistic approach entails gradual replacement of these systems, and this implies a term of backward compatibility support of indefinite duration.
鉴于高级加密标准[AES]已获美国政府批准(在某些使用场景下)用于绝密应用程序[AES-NSA],而且三重DES(3DES)不易受到这些攻击,人们可能会想:为什么还要再使用DES?在更理想的情况下,我们可能干脆放弃它,但不幸的是,这在今天不会如此简单。DES自20世纪70年代发布以来已被广泛部署,如今许多系统都依赖于它。大规模更换此类系统的成本非常高。一个更现实的方法需要逐步替换这些系统,这意味着一个无限期的向后兼容性支持术语。
In addition to backward compatibility, in isolated instances there may be other valid arguments for continued DES support. Still, reliance upon this deprecated algorithm is a serious error from a security design perspective in many cases. This note aims to clarify the security implications of this choice given the state of technology today, so that developers can make an informed decision as to whether or not to implement this algorithm.
除了向后兼容之外,在孤立的实例中,可能还有其他有效的参数支持DES。然而,从安全设计的角度来看,在许多情况下,依赖这种不推荐的算法是一个严重的错误。本说明的目的是在当今的技术状态下澄清此选择的安全含义,以便开发人员能够就是否实现此算法做出明智的决定。
For many years now, DES usage has been actively discouraged by the security area of the IETF, but we nevertheless continue to see it in use. Given that there are widely published accounts of real attacks and that we have been vocally discouraging its use, a question arises: why aren't people listening? We can only speculate, but one possibility is that they simply do not understand the extent to which DES has been marginalized by advancing cryptographic science and technology. Another possibility is that we have not yet been appropriately explicit and aggressive about this. With these particular possibilities in mind, this note sets out to dispel any remaining illusions.
多年来,IETF的安全领域一直在积极阻止DES的使用,但我们仍然看到它在使用。鉴于有广泛发表的关于真实攻击的报道,并且我们一直在口头上劝阻它的使用,一个问题出现了:为什么人们不倾听?我们只能推测,但有一种可能性是,他们根本不了解DES在多大程度上因密码科学和技术的进步而被边缘化。另一种可能性是,我们还没有适当明确和积极地对待这一点。考虑到这些特殊的可能性,本说明旨在消除任何剩余的幻想。
The depth of background knowledge required to truly understand and fully appreciate the security risks of using DES today is somewhat daunting, and an extensive survey of the literature suggests that there are very few published materials encompassing more than a fraction of the considerations all in one place, with [CURT05] being one notable exception. However, even that work does not gather all of the pieces in such a way as to inform an implementer of the current real-world risks, so here we try to fill in any remaining gaps.
真正理解和充分理解当今使用DES的安全风险所需的背景知识的深度有点令人望而生畏,对文献的广泛调查表明,几乎没有出版的材料涵盖了一个地方的一小部分考虑因素,其中[05]是一个显著的例外。然而,即使是这项工作也不能以这样一种方式收集所有的信息,即告知实施者当前的现实世界风险,因此我们在这里尝试填补任何剩余的空白。
For convenience, the next section contains a brief summary of recommendations. If you don't know the IETF's current position on DES, and all you want is a summary, you may be content to simply read the recommendation summary section, and skip the rest of the document. If you want a more detailed look at the history and current state-of-the-art with respect to attacking DES, you will find that in subsequent sections.
为方便起见,下一节简要概述了建议。如果您不知道IETF在DES上的当前位置,并且您想要的只是一个摘要,那么您可以只阅读推荐摘要部分,而跳过文档的其余部分。如果您想更详细地了解攻击DES的历史和当前技术水平,您将在后续章节中找到。
There are several ways to attack a cryptographic algorithm, from simple brute force (trying each key until you find the right one) to more subtle cryptanalytic approaches, which take into account the internal structure of the cipher. As noted in the introduction, a dedicated system capable of brute-forcing DES keys in less than 5 days was created in 1998. Current "Moore's Law" estimates suggest that a similar machine could be built today for around $15,000 or less, and for the cost of the original system (~$250,000) we could probably build a machine capable of cracking DES keys in a few hours.
有几种方法可以攻击加密算法,从简单的暴力(尝试每个密钥直到找到正确的密钥)到考虑密码内部结构的更微妙的密码分析方法。如引言中所述,1998年创建了一个专用系统,该系统能够在不到5天的时间内强制执行DES密钥。当前的“摩尔定律”估计表明,今天可以以15000美元或更少的价格制造一台类似的机器,而以原始系统的成本(约合250000美元),我们可能可以制造一台能够在几个小时内破解DES密钥的机器。
Additionally, there have been a number of successful distributed attacks on DES [CURT05], and with the recent arrival of botnets [BOT05], these results are all the more onerous. Furthermore, there are a number of cryptanalytic attacks against DES, and while some of
此外,对DES[CURT05]的分布式攻击也取得了一些成功,随着僵尸网络[BOT05]的最近出现,这些结果变得更加复杂。此外,还有许多针对DES的密码分析攻击,其中一些
these remain purely theoretical in nature at present, at least one was recently implemented using a FPGA that can deduce a DES key in 12-15 hours [FPL02]. Clearly, DES cannot be considered a "strong" cryptographic algorithm by today's standards.
目前,这些仍然是纯理论性质的,至少有一个是最近使用FPGA实现的,可以在12-15小时内推导出DES密钥[FPL02]。显然,按照今天的标准,DES不能被视为“强”加密算法。
To summarize current recommendations on using DES, the simple answer is "don't use it - it's not safe." While there may be use cases for which the security of DES would be sufficient, it typically requires a security expert to determine when this is true. Also, there are much more secure algorithms available today (e.g., 3DES, AES) that are much safer choices. The only general case in which DES should still be supported is when it is strictly required for backward compatibility, and when the cost of upgrading outweighs the risk of exposure. However, even in these cases, recommendations should probably be made to phase out such systems.
总结目前关于使用DES的建议,简单的答案是“不要使用它-它不安全。”虽然可能存在DES安全性足够的用例,但通常需要安全专家来确定何时这是真的。此外,现在有更安全的算法(如3DES、AES)是更安全的选择。唯一仍然应该支持DES的一般情况是,在向后兼容性方面严格要求DES,并且升级的成本超过了暴露的风险。然而,即使在这些情况下,也可能应该提出逐步淘汰此类系统的建议。
If you are simply interested in the current recommendations, there you have it: don't use DES. If you are interested in understanding how we arrive at this conclusion, read on.
如果您只是对当前的建议感兴趣,那么您就有了它:不要使用DES。如果您有兴趣了解我们是如何得出这个结论的,请继续阅读。
In order to assess the security implications of using DES, it is useful and informative to review the basic rationale for using encryption. In general, we encrypt information because we desire confidentiality. That is, we want to limit access to information, to keep something private or secret. In some cases, we want to share the information within a limited group, and in other cases, we may want to be the sole owner of the information in question.
为了评估使用DES的安全性影响,回顾使用加密的基本原理非常有用,而且信息丰富。通常,我们加密信息是因为我们希望保密。也就是说,我们想要限制对信息的访问,以保密。在某些情况下,我们希望在有限的集团内共享信息,在其他情况下,我们可能希望成为相关信息的唯一所有者。
Sometimes, the information we want to protect has value only to the individual (e.g., a diary), and a loss of confidentiality, while potentially damaging in some limited ways, would typically not be catastrophic. In other cases, the information might have significant financial implications (e.g., a company's strategic marketing plan). And in yet others, lives could be at stake.
有时,我们想要保护的信息只对个人有价值(例如日记),而机密性的丧失,虽然在某些有限的方面可能造成损害,但通常不会是灾难性的。在其他情况下,信息可能具有重大的财务影响(例如,公司的战略营销计划)。而在另一些国家,生命可能受到威胁。
In order to gauge our confidentiality requirements in terms of encryption strength, we must assess the value of the information we are trying to protect, both to us and to a potential attacker. There are various metrics we can employ for this purpose:
为了衡量我们在加密强度方面的保密要求,我们必须评估我们试图保护的信息对我们和潜在攻击者的价值。为此,我们可以采用各种指标:
o Cost of confidentiality loss: What could we lose if an adversary were to discover our secret? This gives some measure of how much effort we should be willing to expend to protect the secret.
o 保密损失成本:如果对手发现了我们的秘密,我们会损失什么?这在一定程度上说明了我们应该付出多少努力来保护这个秘密。
o Value to adversary: What does the attacker have to gain by discovering our secret? This gives some measure of how much an adversary might reasonably be willing to spend to learn the secret.
o 对对手的价值:攻击者通过发现我们的秘密获得了什么?这在一定程度上衡量了一个对手可能愿意花多少钱来了解这个秘密。
o Window of opportunity: How long does the information have value to an adversary? This gives some measure of how acceptable a weakness might be. For example, if the information is valuable to an attacker for months and it takes only days to break the encryption, we probably need much stronger encryption. On the other hand, if the window of opportunity is measured in seconds, then an encryption algorithm that takes days to break may be acceptable.
o 机会之窗:信息对对手有价值的时间有多长?这在一定程度上反映了弱点的可接受程度。例如,如果信息对攻击者来说有价值几个月,而破解加密只需几天,那么我们可能需要更强的加密。另一方面,如果机会窗口以秒为单位,那么需要几天才能打破的加密算法可能是可以接受的。
There are certainly other factors we would consider in conducting a comprehensive security analysis, but these are enough to give a general sense of important questions to answer when evaluating DES as a candidate encryption algorithm.
当然,在进行全面的安全性分析时,我们还需要考虑其他因素,但是当DES作为候选加密算法进行评估时,这些都足以给出一般意义上的重要问题。
Numerous commonly used applications rely on encryption for confidentiality in today's Internet. To evaluate the sufficiency of a given cryptographic algorithm in this context, we should begin by asking some basic questions: what are the real-world risks to these applications, i.e., how likely is it that an application might actually be attacked, and by whom, and for what reasons?
在当今的互联网上,许多常用的应用程序都依赖加密来保密。为了评估给定密码算法在这种情况下的充分性,我们应该首先问一些基本问题:这些应用程序的实际风险是什么,即应用程序实际受到攻击的可能性有多大,由谁攻击,原因是什么?
While it is difficult to come up with one-size-fits-all answers based on general application descriptions, we can easily get some sense of the relative threat to many of these applications. It is important to note that what follows is not an exhaustive enumeration of all likely threats and attacks, but rather, a sampling that illustrates that real threats are more prevalent than intuition might suggest.
虽然很难根据一般的应用程序描述得出一刀切的答案,但我们很容易对这些应用程序中的许多应用程序的相对威胁有所了解。重要的是要注意,下面的内容并不是对所有可能的威胁和攻击的详尽列举,而是一个样本,表明真正的威胁比直觉可能暗示的更普遍。
Here are some examples of common applications and related threats:
以下是一些常见应用程序和相关威胁的示例:
o Site-to-site VPNs: Often, these are used to connect geographically separate corporate offices. Data traversing such links is often business critical, and sometimes highly confidential. The FBI estimates that every year, billions of U.S. dollars are lost to foreign competitors who deliberately target economic intelligence in U.S. industry and technologies [FBI06]. Searching for 'corporate espionage' in Google yields many interesting links, some of which indicate that foreign competitors are not the only threat to U.S. businesses. Obviously, this threat can be generalized to include businesses of any nationality.
o 站点到站点VPN:通常,它们用于连接地理位置不同的公司办公室。通过此类链接的数据通常是业务关键型的,有时是高度机密的。美国联邦调查局估计,每年都有数十亿美元输给外国竞争对手,这些竞争对手故意将经济情报锁定在美国工业和技术领域[FBI06]。在谷歌搜索“企业间谍”会产生许多有趣的链接,其中一些链接表明外国竞争者不是美国企业的唯一威胁。显然,这种威胁可以概括为包括任何国籍的企业。
o Remote network access for business: See previous item.
o 业务远程网络访问:请参阅上一项。
o Webmail/email encryption: See Site-to-site VPNs.
o 网络邮件/电子邮件加密:请参阅站点到站点VPN。
o Online banking: Currently, the most common threat to online banking is in the form of "phishing", which does not rely on breaking session encryption, but instead relies on tricking users into providing their account information. In general, direct attacks on session encryption for this application do not scale well. However, if a particular bank were known to use a weak encryption algorithm for session security, it might become worthwhile to develop a broader attack against that bank. Given that organized criminal elements have been found behind many phishing attacks, it is not difficult to imagine such scenarios.
o 网上银行:目前,网上银行最常见的威胁是“网络钓鱼”,它不依靠破坏会话加密,而是依靠欺骗用户提供其帐户信息。通常,针对该应用程序的会话加密的直接攻击无法很好地扩展。然而,如果已知某一特定银行使用弱加密算法进行会话安全,那么开发针对该银行的更广泛攻击可能是值得的。鉴于在许多网络钓鱼攻击背后都发现了有组织犯罪分子,不难想象会出现这种情况。
o Electronic funds transfers (EFTs): The ability to replay or otherwise modify legitimate EFTs has obvious financial incentives (and implications). Also, an industrial spy might see a great deal of intelligence value in the financial transactions of a target company.
o 电子资金转账(EFT):重播或以其他方式修改合法EFT的能力具有明显的财务激励(和影响)。此外,工业间谍可能会在目标公司的金融交易中看到大量的情报价值。
o Online purchases (E-commerce): The FBI has investigated a number of organized attacks on e-commerce applications [FBI01]. If an attacker has the ability to monitor e-commerce traffic directed to a large merchant that relies on weak encryption, the attacker could harvest a great deal of consumer credit information. This is the sort of data "phishers" currently harvest on a much smaller scale, so one can easily imagine the value of such a target.
o 在线购买(电子商务):联邦调查局调查了一些针对电子商务应用程序的有组织攻击[FBI01]。如果攻击者能够监控指向依赖弱加密的大型商户的电子商务流量,则攻击者可以获取大量消费者信用信息。这是“钓鱼者”目前收集的数据,规模要小得多,因此人们可以很容易地想象这样一个目标的价值。
o Internet-based VoIP applications (e.g., Skype): While many uses of this technology are innocuous (e.g., long distance calls to family members), VoIP technology is also used for business purposes (see discussion of FBI estimates regarding corporate espionage above).
o 基于互联网的VoIP应用程序(例如Skype):虽然这种技术的许多用途都是无害的(例如,给家庭成员打长途电话),但VoIP技术也用于商业目的(见上文FBI关于企业间谍活动的估计讨论)。
o Cellular telephony: Cell phones are very common, and are frequently used for confidential conversations in business, medicine, law enforcement, and other applications.
o 移动电话:移动电话非常常见,经常用于商业、医学、执法和其他应用中的保密对话。
o Wireless LAN: Wireless technology is used by many businesses, including the New York Stock Exchange [NYSE1]. The financial incentives for an attacker are significant in some cases.
o 无线局域网:许多企业都使用无线技术,包括纽约证券交易所[NYSE1]。在某些情况下,攻击者的经济诱因非常重要。
o Personal communications (e.g., secure instant messaging): Such communication may be used for corporate communications (see industrial espionage discussion above), and may also be used for financial applications such as stock/securities trading. This has both corporate/industrial espionage and financial implications.
o 个人通信(例如,安全即时消息):此类通信可用于公司通信(见上文的工业间谍讨论),也可用于股票/证券交易等金融应用。这既涉及公司/工业间谍活动,也涉及财务问题。
o Laptop hard-drive encryption: See discussion on corporate/ industrial espionage above. Also, consider that stolen and lost laptops have been cited for some of the more significant losses of control over sensitive personal information in recent years, notably the Veterans Affairs data loss [VA1].
o 笔记本电脑硬盘加密:见上文关于公司/工业间谍的讨论。此外,考虑到近年来一些被盗和丢失的笔记本电脑受到了一些敏感的个人信息控制的重大损失,特别是退伍军人事务数据丢失[VA1]。
There are real-world threats to everyday encryption applications, some of which could be very lucrative to an attacker (and by extension, very costly to the victim). It is important to note that if some of these attacks are infrequent today, it is precisely because the threats are recognized, and appropriately strong cryptographic algorithms are used. If "weak" cryptographic algorithms were to be used instead, the implications are indeed thought-provoking.
日常加密应用程序面临着现实世界中的威胁,其中一些威胁对攻击者来说是非常有利可图的(反过来,对受害者来说也是非常昂贵的)。重要的是要注意,如果这些攻击中的一些在今天很少发生,那正是因为这些威胁被识别,并且使用了适当的强加密算法。如果改用“弱”加密算法,其含义确实发人深省。
In keeping with the objectives of this document, it is important to note that the U.S. government has never approved the use of DES for anything but unclassified applications. While DES is still approved for unclassified uses until May 19, 2007, the U.S. government clearly sees the need to move to higher ground. For details on the National Institute of Standards and Technology (NIST) DES Transition plan, see [NIST-TP]. Despite this fact, DES is still sometimes chosen to protect some of the applications described above. Below, we discuss why this should, in many cases, be remedied.
为了与本文件的目标保持一致,需要注意的是,美国政府从未批准将DES用于非保密应用之外的任何用途。虽然DES在2007年5月19日之前仍被批准用于非机密用途,但美国政府显然认为有必要向更高的领域发展。有关国家标准与技术研究所(NIST)DES过渡计划的详细信息,请参见[NIST-TP]。尽管如此,有时仍然选择DES来保护上述一些应用程序。下面,我们将讨论为什么在许多情况下,这应该得到纠正。
DES is a 64-bit block cipher having a key size of 56 bits. The key actually has 64 bits (matching the block size), but 1 bit in each byte has been designated a 'parity' bit, and is not used for cryptographic purposes. For a full discussion of the history of DES along with an accessible description of the algorithm, see [SCHN96].
DES是一种64位分组密码,密钥大小为56位。密钥实际上有64位(与块大小匹配),但每个字节中的1位被指定为“奇偶校验”位,不用于加密目的。有关DES历史的完整讨论以及算法的可访问描述,请参见[SCHN96]。
A detailed description of the various types of attacks on cryptographic algorithms is beyond the scope of this document, but for clarity, we provide the following brief descriptions. There are two general aspects of attacks we must consider: the form of the inputs/outputs along with how we might influence them, and the internal function of the cryptographic operations themselves.
对密码算法的各种攻击类型的详细描述超出了本文档的范围,但为清楚起见,我们提供以下简要描述。我们必须考虑攻击的两个一般方面:输入/输出的形式以及我们可能如何影响它们,以及密码操作本身的内部功能。
In terms of input/output form, some of the more commonly discussed attack characteristics include the following:
就输入/输出形式而言,一些更常见的攻击特征包括:
o known plaintext - the attacker knows some of the plaintext corresponding to some of the ciphertext
o 已知明文-攻击者知道与某些密文对应的一些明文
o ciphertext-only - only ciphertext is available to the attacker, who has little or no information about the plaintext
o 仅密文-只有密文可供攻击者使用,而攻击者几乎没有或根本没有关于明文的信息
o chosen plaintext - the attacker can choose which plaintext is encrypted, and obtain the corresponding ciphertext
o 选择明文-攻击者可以选择加密的明文,并获得相应的密文
o birthday attacks - relies on the fact that for N elements, collisions can be expected in ~sqrt(N) randomly chosen samples; for systems using CBC mode with random Initialization Vectors (IVs), ciphertext collisions can be expected in about 2^28 samples. Such collisions leak information about the corresponding plaintexts: if the same cryptographic key is used, then the xor of the IVs is equal to the xor of the plaintexts.
o 生日攻击-依赖于以下事实:对于N个元素,在~sqrt(N)个随机选择的样本中可以预期碰撞;对于使用带有随机初始化向量(IVs)的CBC模式的系统,大约2^28个样本中可能会出现密文冲突。这种冲突会泄漏有关相应明文的信息:如果使用相同的加密密钥,则IVs的xor等于明文的xor。
o meet-in-the-middle attacks - leverages birthday characteristic to precompute potential key collision values
o 中间相遇攻击-利用生日特征预计算潜在的密钥冲突值
Due to the limited scope of this document, these are very brief descriptions of very complex subject matter. For more detailed discussions on these and many related topics, see [SCHN96], [HAC], or [FERG03].
由于本文件的范围有限,这些是对非常复杂主题的非常简短的描述。有关这些和许多相关主题的更详细讨论,请参阅[SCHN96]、[HAC]或[FERG03]。
As for attack characteristics relating to the operational aspects of cipher algorithms, there are essentially two broad classes we consider: cryptanalytic attacks, which exploit some internal structure or function of the cipher algorithm, and brute-force attacks, in which the attacker systematically tries keys until the right one is found. These could alternatively be referred to as white box and black box attacks, respectively. These are discussed further below.
至于与密码算法的操作方面有关的攻击特征,我们主要考虑两大类:利用密码算法的某些内部结构或功能的密码分析攻击和暴力攻击,其中攻击者系统地尝试密钥,直到找到正确的密钥。这些攻击可以分别称为白盒攻击和黑盒攻击。下文将进一步讨论这些问题。
In general, a brute-force attack consists of trying each possible key until the correct key is found. In the worst case, this will require 2^n steps for a key size of n bits, and on average, it will require 2^n-1 steps. For DES, this implies 2^56 encryption operations in the worst case, and 2^55 encryption operations on average, if we assume no shortcuts exist. As it turns out, the complementation property of DES provides an attack that yields a reduction by a factor of 2 for a chosen plaintext attack, so this attack requires an average of 2^54 encryption operations.
通常,暴力攻击包括尝试每个可能的密钥,直到找到正确的密钥。在最坏的情况下,需要^n-2个位的平均值。对于DES,这意味着在最坏的情况下需要2^56个加密操作,如果我们假设不存在快捷方式,则平均需要2^55个加密操作。事实证明,DES的互补属性提供了一种攻击,对于选定的明文攻击,该攻击会减少2倍,因此该攻击平均需要2^54次加密操作。
Above, we refer to 2^n 'steps'; note that what a 'step' entails depends to some extent on the first attack aspect described above, i.e., what influence and knowledge we have with respect to input/ output forms. Remember, in the worst case, we will be performing 72,057,594,037,927,936 -- over 72 quadrillion -- of these 'steps'. In the most difficult case, we have ciphertext only, and no knowledge of the input, and this is very important.
以上,我们指的是2^n‘步骤’;请注意,“步骤”在某种程度上取决于上述第一个攻击方面,即我们对输入/输出形式的影响和知识。请记住,在最坏的情况下,我们将执行72057594037927936个“步骤”,超过720万亿次。在最困难的情况下,我们只有密文,没有输入的知识,这是非常重要的。
If the input is effectively random, we cannot tell by simply looking at a decrypted block whether we've succeeded or not. We may have to resort to other potentially expensive computation to make this determination. While the effect of any additional computation will be linear across all keys, repeating a large amount of added computation up to 72 quadrillion times could have a significant impact on the cost of a brute-force attack against the algorithm. For example, if it takes 1 additional microsecond per computation, this will add almost 101 days to our worst-case search time, assuming a serial key search.
如果输入实际上是随机的,我们不能通过简单地查看解密的块来判断我们是否成功。我们可能不得不求助于其他可能昂贵的计算来做出这一决定。尽管任何额外计算的效果在所有关键点上都是线性的,但重复大量增加的计算(高达72万亿次)可能会对针对该算法的暴力攻击的成本产生重大影响。例如,如果每次计算额外需要1微秒,那么假设使用串行键搜索,最坏情况下的搜索时间将增加近101天。
On the other hand, if we can control the input to the encryption function (known plaintext), we know precisely what to expect from the decryption function, so detecting that we've found the key is straightforward. Alternatively, even if we don't know the exact input, if we know something about it (e.g., that it's ASCII), with limited additional computation we can infer that we've most likely found a key. Obviously, which of these conditions holds may significantly influence attack time.
另一方面,如果我们可以控制加密函数(已知明文)的输入,我们就可以准确地知道解密函数的预期内容,因此检测到密钥是很简单的。或者,即使我们不知道确切的输入,如果我们知道一些关于它的信息(例如,它是ASCII),通过有限的额外计算,我们可以推断我们很可能找到了一个键。显然,这些条件中的哪一个可能会显著影响攻击时间。
Given that a brute-force attack involves systematically trying keys until we find the right one, it is obviously a good candidate for parallelization. If we have N processors, we can find the key roughly N times faster than if we have only 1 processor. This requires some sort of centralized control entity that distributes the work and monitors the search process, but is quite straightforward to implement.
鉴于蛮力攻击需要系统地尝试密钥,直到找到正确的密钥为止,因此它显然是并行化的一个很好的候选者。如果我们有N个处理器,我们可以找到密钥的速度大约是只有1个处理器时的N倍。这需要某种集中控制实体来分配工作和监视搜索过程,但实现起来非常简单。
There are at least two approaches to parallelization of a brute-force attack on a block cipher: the first is to build specialized high-speed hardware that can rapidly cycle through keys while performing the cryptographic and comparison operations, and then replicate that hardware many times, while providing for centralized control. The second involves using many copies of general purpose hardware (e.g., a PC), and distributing the load across these while placing them under the control of one or more central systems. Both of these approaches are discussed further in sections 5 and 6.
分组密码暴力攻击的并行化至少有两种方法:第一种方法是构建专门的高速硬件,在执行加密和比较操作时可以快速循环密钥,然后多次复制该硬件,同时提供集中控制。第二种方法涉及使用多个通用硬件副本(如PC),并在将其置于一个或多个中央系统控制下的同时,将负载分布到这些副本上。第5节和第6节将进一步讨论这两种方法。
Brute-force attacks are so named because they don't require much intelligence in the attack process -- they simply try one key after the other, with little or no intelligent keyspace pruning. Cryptanalytic attacks, on the other hand, rely on application of some intelligence ahead of time, and by doing so, provide for a significant reduction of the search space.
蛮力攻击之所以得名,是因为它们在攻击过程中不需要太多的智能——它们只是一个接一个地尝试密钥,很少或根本没有智能密钥空间修剪。另一方面,密码分析攻击依赖于提前应用某些智能,这样做可以显著减少搜索空间。
While an in-depth discussion of cryptanalytic techniques and the resulting attacks is well beyond the scope of this document, it is important to briefly touch on this area in order to set the stage for subsequent discussion. It is also important to note that, in general, cryptanalysis can be applied to any cryptographic algorithm with varying degrees of success. However, we confine ourselves here to discussing specific results with respect to DES.
虽然对密码分析技术和由此产生的攻击的深入讨论远远超出了本文件的范围,但重要的是要简要介绍这一领域,以便为后续讨论奠定基础。还需要注意的是,一般来说,密码分析可以应用于任何成功程度不同的密码算法。然而,我们在此仅讨论DES的具体结果。
Here is a very brief summary of the currently known cryptanalytic attacks on DES:
以下是目前已知的DES密码分析攻击的简要总结:
o Differential Cryptanalysis - First discussed by Biham and Shamir, this technique (putting it very simply) analyzes how differences in plaintext correspond to differences in ciphertext. For more detail, see [BIH93].
o 差分密码分析-首先由Biham和Shamir讨论,这种技术(简单地说)分析明文中的差异如何对应于密文中的差异。有关更多详细信息,请参见[BIH93]。
o Linear Cryptanalysis - First described by Matsui, this technique uses linear approximations to describe the internal functions of DES. For more detail, see [MAT93].
o 线性密码分析-首先由松井描述,这种技术使用线性近似来描述DES的内部功能。有关更多详细信息,请参见[MAT93]。
o Interpolation Attack - This technique represents the S-boxes of DES with algebraic functions, and then estimates the coefficients of the functions. For more information, see [JAK97].
o 插值攻击-这种技术用代数函数表示DES的S盒,然后估计函数的系数。有关更多信息,请参阅[JAK97]。
o Key Collision Attack - This technique exploits the birthday paradox to produce key collisions [BIH96].
o 钥匙碰撞攻击-该技术利用生日悖论产生钥匙碰撞[BIH96]。
o Differential Fault Analysis - This attack exploits the electrical characteristics of the encryption device, selectively inducing faults and comparing the results with uninfluenced outputs. For more information, see [BIH96-2].
o 差分故障分析-这种攻击利用加密设备的电气特性,选择性地诱发故障,并将结果与未受影响的输出进行比较。有关更多信息,请参阅[BIH96-2]。
Currently, the best publicly known cryptanalytic attacks on DES are linear and differential cryptanalysis. These attacks are not generally considered practical, as they require 2^43 and 2^47 known plaintext/ciphertext pairs, respectively. To get a feel for what this means in practical terms, consider the following:
目前,对DES最广为人知的密码分析攻击是线性和差分密码分析。这些攻击通常被认为不实用,因为它们分别需要2^43和2^47个已知的明文/密文对。要从实际意义上理解这意味着什么,请考虑以下几点:
o For linear cryptanalysis (the more efficient of the two attacks), the attacker must pre-compute and store 2^43 ciphertexts; this requires 8,796,093,022,208 (almost 9 trillion) encryption operations.
o 对于线性密码分析(两种攻击中效率最高的一种),攻击者必须预先计算并存储2^43个密文;这需要8796093022208(近9万亿)加密操作。
o Each ciphertext block is 8 bytes, so the total required storage is 70,368,744,177,664 bytes, or about 70,369 gigabytes of storage. If the plaintext blocks cannot be automatically derived, they too must be stored, potentially doubling the storage requirements.
o 每个密文块是8字节,因此所需的总存储量是70368744177664字节,即大约70369 GB的存储量。如果无法自动派生明文块,则必须存储明文块,这可能会使存储需求增加一倍。
o The 2^43 known plaintext blocks must be somehow fed to the device under attack, and that device must not change the encryption key during this time.
o 必须以某种方式将2^43个已知明文块提供给受攻击的设备,并且该设备在此期间不得更改加密密钥。
Clearly, there are practical issues with this attack. Still, it is sobering to look at how much more realistic 70,000 gigabytes of storage is today than it must have seemed in 1993, when Matsui first proposed this attack. Today, 400-GB hard drives can be had for around $0.35/gigabyte. If we only needed to store the known ciphertext, this amounts to ~176 hard drives at a cost of less than $25,000. This is probably practical with today's technology for an adversary with significant financial resources, though it was difficult to imagine in 1993. Still, numerous other practical issues remain.
显然,这次攻击存在实际问题。不过,令人清醒的是,如今70000千兆字节的存储容量比1993年松井首次提出这种攻击时看起来要现实得多。如今,400 GB硬盘的价格约为每GB 0.35美元。如果我们只需要存储已知的密文,这相当于约176个硬盘驱动器,成本不到25000美元。对于一个拥有大量财政资源的对手来说,这在今天的技术中可能是可行的,尽管在1993年很难想象。然而,许多其他实际问题仍然存在。
Above, we described several types of attacks on DES, some of which are more practical than others, but it's very important to recognize that brute force represents the very worst case, and cryptanalytic attacks can only improve on this. If a brute-force attack against a given DES application really is feasible, then worrying about the practicality of the other theoretical attack modes is just a distraction. The bottom line is this: if DES can be brute-forced at a cost the attacker can stomach today, this cost will invariably come down as technology advances.
上面,我们描述了几种针对DES的攻击,其中一些攻击比其他攻击更实用,但认识到暴力是最坏的情况非常重要,密码分析攻击只能在此基础上改进。如果针对给定DES应用程序的暴力攻击确实可行,那么担心其他理论攻击模式的实用性只是一种干扰。底线是这样的:如果DES可以以攻击者今天可以承受的代价进行暴力强迫,那么随着技术的进步,这一成本必然会下降。
On the question as to whether DES is susceptible to brute-force attack from a practical perspective, the answer is a resounding and unequivocal "yes". In 1998, the Electronic Frontier Foundation financed the construction of a "DES Cracker", and subsequently published "Cracking DES" [EFF98]. For a cost of less than $250,000, this system can find a 56-bit DES key in the worst-case time of around 9 days, and in 4.5 days on average.
从实际角度来看,DES是否容易受到暴力攻击的问题,答案是响亮而明确的“是”。1998,电子前沿基金会资助了“DES饼干”的建设,随后出版了《破解DES》[EF98]。成本不到250000美元,该系统可以在最坏的情况下(大约9天)找到56位DES密钥,平均4.5天。
Quoting from [EFF98],
引用[EFF98],
"The design of the EFF DES Cracker is simple in concept. It consists of an ordinary personal computer connected with a large array of custom chips. Software in the personal computer instructs the custom chips to begin searching, and interacts with the user. The chips run without further help from the software until they find a potentially interesting key, or need to be directed to search a new part of the key space. The software periodically polls the chips to find any potentially interesting keys that they have turned up.
“EFF DES Cracker的设计概念简单。它由一台普通的个人计算机与大量定制芯片连接而成。个人计算机中的软件指示定制芯片开始搜索,并与用户交互。芯片运行时不需要软件的进一步帮助,直到他们发现潜在的兴趣该软件会定期轮询芯片,以找到它们找到的任何可能感兴趣的密钥。
The hardware's job isn't to find the answer. but rather to eliminate most of the answers that are incorrect. Software is then fast enough to search the remaining potentially-correct keys, winnowing the false positives from the real answer. The strength of the machine is that it replicates a simple but useful search circuit thousands of times, allowing the software to find the answer by searching only a tiny fraction of the key space.
硬件的任务不是找到答案。而是要消除大多数不正确的答案。然后,软件的速度足以搜索剩余的可能正确的密钥,从真实答案中筛选出误报。这台机器的优势在于它将一个简单但有用的搜索电路复制了数千次,使得软件只需搜索密钥空间的一小部分就可以找到答案。
As long as there is a small bit of software to coordinate the effort, the problem of searching for a DES key is 'highly parallelizable'. This means the problem can be usefully solved by many machines working in parallel, simultaneously. For example, a single DES-Cracker chip could find a key by searching for many years. A thousand DES-Cracker chips can solve the same problem in one thousandth of the time. A million DES-Cracker chips could theoretically solve the same problem in about a millionth of the time, though the overhead of starting each chip would become visible in the time required. The actual machine we built contains 1536 chips."
只要有一点软件来协调工作,搜索DES密钥的问题就是“高度并行化”。这意味着多台机器同时并行工作可以有效地解决这个问题。例如,单个DES破解芯片可以通过多年的搜索找到一把钥匙。一千个DES破解芯片可以在千分之一的时间内解决同样的问题。理论上,一百万个DES Cracker芯片可以在大约百万分之一的时间内解决同样的问题,尽管启动每个芯片的开销在所需的时间内变得显而易见。我们制造的实际机器包含1536个芯片。”
This project clearly demonstrated that a practical system for brute force DES attacks was well within reach of many more than previously assumed. Practically any government in the world could easily produce such a machine, and in fact, so could many businesses. And that was in 1998; the technological advances since then have greatly reduced the cost of such a device. This is discussed further below.
该项目清楚地表明,一个用于暴力DES攻击的实用系统比以前设想的要多得多。实际上,世界上任何一个政府都可以轻松地生产出这样的机器,事实上,许多企业也可以。那是在1998年;此后的技术进步大大降低了这种装置的成本。这将在下文进一步讨论。
In the mid-1990s, many were interested in whether or not DES was breakable in a practical sense. RSA sponsored a series of DES Challenges over a 3-year period beginning January of 1997. These challenges were created in order to help underscore the point that cryptographic strength limitations imposed by the U.S. government's export policies were far too modest to meet the security requirements of many users.
在20世纪90年代中期,许多人对DES在实际意义上是否易碎感兴趣。RSA在1997年1月开始的3年期间赞助了一系列DES挑战。创建这些挑战是为了帮助强调一点,即美国政府出口政策施加的加密强度限制太小,无法满足许多用户的安全要求。
The first DES challenge was solved by the DESCHALL group, led by Rocke Verser, Matt Curtin, and Justin Dolske [CURT05][RSA1]. They created a loosely-knit distributed effort staffed by volunteers and backed by Universities and corporations all over the world who donated their unused CPU cycles to the effort. They found the key in 90 days.
第一个DES挑战由洛克维瑟、马特·柯廷和贾斯汀·多尔斯克领导的DESCHALL小组解决[CURT05][RSA1]。他们创建了一个松散的分布式工作,由志愿者组成,由世界各地的大学和公司支持,他们将未使用的CPU周期捐赠给该工作。他们在90天内找到了钥匙。
The second DES challenge was announced on December 19, 1997 [RSA2][CURT05], and on February 26, 1998, RSA announced a winner. This time, the challenge was solved by group called distributed.net
第二次DES挑战赛于1997年12月19日宣布[RSA2][CURT05],1998年2月26日,RSA宣布获胜者。这一次,这个挑战由一个名为distributed.net的小组解决了
working together with the EFF, in a total of 39 days [RSA3] [CURT05]. This group coordinated 22,000 participants and over 50,000 CPUs.
与EFF合作,共39天[RSA3][05]。该小组协调了22000名参与者和50000多个CPU。
The third DES challenge was announced on December 22, 1998 [RSA4][CURT05], and on January 19, 1999, RSA announced the winner. This time, the challenge was again solved by distributed.net working together with the EFF, in a total of 22 hours [RSA5]. This was a dramatic improvement over the second challenge, and should give some idea of where we're headed with respect to DES.
第三次DES挑战赛于1998年12月22日宣布[RSA4][CURT05],RSA于1999年1月19日宣布获胜者。这一次,distributed.net与EFF合作,在总共22小时内再次解决了这一难题[RSA5]。与第二个挑战相比,这是一个巨大的改进,应该可以让我们了解DES的发展方向。
We've seen what was done in the late 1990s -- what about today? A survey of the literature might lead one to conclude that this topic is no longer interesting to cryptographers. Hence, we are left to infer the possibilities based on currently available technologies. One way to derive an approximation is to apply a variation on "Moore's Law": assume that the cost of a device comparable to the one built by the EFF would be halved roughly every N months. If we take N=18, then for a device costing $250,000 at the end of 1998, this would predict the following cost curve:
我们已经看到了20世纪90年代末所做的事情——今天呢?对文献的调查可能会得出这样的结论:密码学家对这个话题不再感兴趣。因此,我们只能根据目前可用的技术推断可能性。推导近似值的一种方法是应用“摩尔定律”的变化:假设与EFF制造的设备相当的设备成本大约每N个月减半一次。如果我们取N=18,那么对于1998年底成本为250000美元的设备,这将预测以下成本曲线:
o mid-2000............: $125,000
o mid-2000............: $125,000
o beginning of 2002...: $62,500
o 2002年初……62500美元
o mid-2003............: $31,250
o mid-2003............: $31,250
o beginning of 2006...: $15,625
o 2006年初……15625美元
It's important to note that strictly speaking, "Moore's Law" is more an informal approximation than a law, although it has proven to be uncannily accurate over the last 40 years or so. Also, some would disagree with the use of an 18-month interval, preferring a more conservative 24 months instead. So, these figures should be taken with the proverbial grain of salt. Still, it's important to recognize that this is the cost needed not to crack one key, but to get into the key-cracking business. Offering key-cracking services and keeping the machine relatively busy would dramatically decrease the cost to a few hundred dollars per unit or less.
值得注意的是,严格地说,“摩尔定律”与其说是定律,不如说是一种非正式的近似,尽管在过去40年左右的时间里,它已经被证明是不可思议的精确。此外,有些人不同意使用18个月的间隔,宁愿使用更保守的24个月。因此,这些数字应该被视为是众所周知的事实。尽管如此,重要的是要认识到,这不是破解一个密钥所需的成本,而是进入密钥破解业务所需的成本。提供密钥破解服务并保持机器相对繁忙将大大降低每台机器的成本至几百美元或更少。
Given that such calculations roughly hold for other computing technologies over the same time interval, the estimate above does not seem too unreasonable, and is probably within a factor of two of today's costs. Clearly, this would seem to indicate that DES-cracking hardware is within reach of a much broader group than in 1998, and it is important to note that this assumes no design or algorithm improvements since then.
鉴于此类计算大致适用于同一时间间隔内的其他计算技术,上述估算似乎并不太不合理,可能在当今成本的两倍以内。显然,这似乎表明DES破解硬件的范围比1998年要广得多,需要注意的是,这假设此后没有设计或算法改进。
To put this in a slightly different light, let's consider the typical rendition of Moore's Law for such discussions. Rather than considering shrinking cost for the same capability, consider instead increasing capability for the same cost (i.e., doubling circuit densities every N months). Again choosing N=18, our DES-cracking capability (in worst-case time per key) could be expected to have approximately followed this performance curve over the last 7 or so years:
为了把这个放在一个稍微不同的光中,让我们考虑穆尔定律的典型再现。与其考虑降低相同能力的成本,不如考虑增加相同成本的能力(即每N个月增加一倍的电路密度)。再次选择N=18,我们的DES开裂能力(在每个键的最坏情况下时间)预计在过去7年左右的时间内大致符合该性能曲线:
o 1998................: 9 days
o 1998................: 9 days
o mid-2000............: 4.5 days
o mid-2000............: 4.5 days
o beginning of 2002...: 2.25 days
o 2002年初…:2.25天
o mid-2003............: 1.125 days
o mid-2003............: 1.125 days
o beginning of 2006...: 0.5625 days
o 2006年初…:0.5625天
That's just over a half-day in the worst case for 2006, and under 7 hours on average. And this, for an investment of less than $250,000. It's also very important to note that we are talking about worst-case and average times here - sometimes, keys will be found much more quickly. For example, using such a machine, 1/4 of all possible DES keys will be found within 3.375 hours. 1/8 of the keys will be found in less than 1 hour and 42 minutes. And this assumes no algorithmic improvements have occurred. And again, this is an estimate; your actual mileage may vary, but the estimate is probably not far from reality.
在2006年最糟糕的情况下,这仅仅超过半天,平均不到7小时。这项投资不到25万美元。同样重要的是要注意,我们在这里讨论的是最坏情况和平均时间——有时,可以更快地找到钥匙。例如,使用这种机器,所有可能的DES键中的1/4将在3.375小时内找到。1/8的钥匙将在不到1小时42分钟内找到。这假设算法没有改进。再一次,这是一个估计;您的实际里程数可能会有所不同,但估计值可能与实际情况相差不远。
Since the EFF device first appeared, Field Programmable Gate Arrays (FPGAs) have become quite common, and far less costly than they were in 1998. These devices allow low-level logic programming, and are frequently used to prototype new logic designs prior to the creation of more expensive custom chips (also known as Application Specific Integrated Circuits, or ASICs). They are also frequently used in place of ASICs due to their lower cost and/or flexibility. In fact, a number of embedded systems implementing cryptography have employed FPGAs for this purpose.
自从EFF器件首次出现以来,现场可编程门阵列(FPGA)已变得相当普遍,而且成本远低于1998年。这些设备允许低级别逻辑编程,并且在创建更昂贵的定制芯片(也称为专用集成电路,或ASIC)之前,经常用于原型化新的逻辑设计。由于其较低的成本和/或灵活性,它们也经常被用来代替ASIC。事实上,许多实现加密的嵌入式系统已经为此目的使用了FPGA。
Due to their generalized nature, FPGAs are naturally slower than ASICs. While the speed difference varies based on many factors, it is reasonable for purposes of this discussion to say that well-designed FPGA implementations typically perform cryptographic
由于其通用性,FPGA自然比ASIC慢。虽然速度差异取决于许多因素,但出于本讨论的目的,可以合理地说,设计良好的FPGA实现通常执行加密
operations at perhaps 1/4 the speed of well-designed ASICs performing the same operations, and sometimes much slower than that. The significance of this comparison will become obvious shortly.
操作速度可能是设计良好的ASIC执行相同操作速度的1/4,有时甚至慢得多。这一比较的意义不久将变得显而易见。
In our Moore's Law estimate above, we noted that the cost extrapolation assumes no design or algorithm improvements since 1998. It also implies that we are still talking about a brute-force attack. In section 4 ("Attacking DES"), we discussed several cryptanalytic attacks, including an attack that employs linear cryptanalysis [MAT93]. In general, this attack has been considered impractical, but in 2002, a group at Universite Catholique de Louvain in Belgium built a DES cracker based on linear cryptanalysis, which, employing a single FPGA, returns a DES key in 12-15 hours [FPL02].
在上述摩尔定律估算中,我们注意到成本外推假设自1998年以来没有设计或算法改进。这也意味着我们仍然在谈论暴力袭击。在第4节(“攻击DES”)中,我们讨论了几种密码分析攻击,包括采用线性密码分析的攻击[MAT93]。一般来说,这种攻击被认为是不切实际的,但在2002年,比利时卢旺天主教大学的一个小组基于线性密码分析构建了DES破解器,该破解器使用单个FPGA,在12-15小时内返回DES密钥[FPL02]。
While there are still some issues of practicality in terms of applying this attack in the real world (i.e., the required number of known plaintext-ciphertext pairs), this gives a glimpse of where technology is taking us with respect to DES attack capabilities.
尽管在现实世界中应用这种攻击仍存在一些实用性问题(即已知明文-密文对的所需数量),但这让我们大致了解了DES攻击能力方面的技术进展。
Application Specific Integrated Circuits are specialized chips, typically optimized for a particular set of operations (e.g., encryption). There are a number of companies that are in the business of designing and selling cryptographic ASICs, and such chips can be had for as little as $15 each at the low end. But while these chips are potentially much faster than FPGAs, they usually do not represent a proportionally higher threat when it comes to DES-cracking system construction.
专用集成电路是专门的芯片,通常针对一组特定的操作(例如,加密)进行优化。有许多公司从事密码ASIC的设计和销售业务,这种芯片在低端的售价仅为15美元。但是,尽管这些芯片可能比FPGA快得多,但在DES裂解系统建设方面,它们通常不代表更高的威胁。
The primary reason for this is cost: it currently costs more than $1,000,000 to produce an ASIC. There is no broad commercial market for crypto-cracking ASICs, so the number a manufacturer could expect to sell is probably small. Likewise, a single attacker is not likely to require more than a few of these. The bottom line: per-chip costs would be very high; when compared to the costs of FPGAs capable of similar performance, the FPGAs are clear winners. This doesn't mean such ASICs have never been built, but the return is probably not worth the investment for the average attacker today, given the other available options.
其主要原因是成本:目前生产ASIC的成本超过1000000美元。密码破解ASIC没有广阔的商业市场,因此制造商预计销售的数量可能很小。类似地,单个攻击者不太可能需要超过其中几个。底线是:每个芯片的成本将非常高;与具有类似性能的FPGA的成本相比,FPGA显然是赢家。这并不意味着这样的ASIC从未建造过,但考虑到其他可用选项,对于今天的普通攻击者来说,回报可能不值得投资。
Parallel processing is a powerful tool for conducting brute-force attacks against a block cipher. Since each key can be tested independently, the keyspace can easily be carved up and distributed across an arbitrary number of processors, all of which are running identical code. A central "control" processor is required for
并行处理是对分组密码进行暴力攻击的强大工具。由于每个密钥都可以独立测试,因此密钥空间可以很容易地分割并分布在任意数量的处理器上,所有处理器都运行相同的代码。系统需要一个中央“控制”处理器
distributing tasks and evaluating results, but this is straightforward to implement, and this paradigm has been applied to many computing problems.
分配任务和评估结果,但这很容易实现,而且这种范式已经应用于许多计算问题。
While the EFF demonstrated that a purpose-built system is far superior to general purpose PCs when applied to cracking DES, the DESCHALL effort [CURT05][RSA1] aptly demonstrated that the idle cycles of everyday users' PCs could be efficiently applied to this problem. As noted above, distributed.net teamed with the EFF group to solve the third RSA DES Challenge using a combination of PCs and the EFF's "Deep Crack" machine to find a DES key in 22 hours. And that was using 1999 technologies.
虽然EFF证明了专用系统在用于破解DES时远远优于通用PC,但DESCHALL的研究[CURT05][RSA1]恰当地证明了日常用户PC的空闲周期可以有效地应用于该问题。如上所述,distributed.net与EFF小组合作,使用PC机和EFF的“深度破解”机器,在22小时内找到DES密钥,解决了第三个RSA DES挑战。这是使用1999年的技术。
Clearly, PCs have improved dramatically since 1999. At that time, state-of-the-art desktops ran at around 800MHz. Today, desktop PCs commonly run at 3-4 times that speed, and supporting technologies (memory, cache, storage) offer far higher performance as well. Since the distributed.net effort used a broad spectrum of computers (from early 1990s desktops to state-of-the-art (in 1999) multiprocessors, according to [DIST99]), it is difficult to do a direct comparison with today's technologies. Still, we know that performance has, in general, followed the prediction of Moore's Law, so we should expect an improvement on the order of a factor of 8-16 by now, even with no algorithmic improvements
显然,个人电脑自1999年以来有了显著的改善。当时,最先进的台式机的运行频率约为800MHz。如今,台式PC的运行速度通常是这一速度的3-4倍,而支持技术(内存、缓存、存储)也提供了更高的性能。根据[DIST99],由于分布式.net工作使用了广泛的计算机(从20世纪90年代早期的台式机到最先进的(1999年)多处理器),因此很难与当今的技术进行直接比较。尽管如此,我们知道性能总体上遵循摩尔定律的预测,因此我们现在应该期望在因子8-16的数量级上有改进,即使没有算法改进
It is important to note that the distributed.net efforts have relied upon willing participants. That is, participants must explicitly and voluntarily join the effort. It is equally important to note that only the idle cycles of the enrolled systems are used. Depending on the way in which "idle" is defined, along with the user's habits and computing requirements, this could have a significant effect on the contribution level of a given system.
值得注意的是,分布式.net的工作依赖于自愿的参与者。也就是说,参与者必须明确和自愿地加入这项工作。同样重要的是要注意,只使用注册系统的空闲周期。根据“空闲”的定义方式,以及用户的习惯和计算要求,这可能会对给定系统的贡献水平产生重大影响。
These factors impose significant limitations in terms of scale. While distributed.net was able to enlist over 100,000 computers from around the world for the third RSA DES Challenge, this is actually a rather small number when compared to 2^56 (over 72 quadrillion) possible DES keys. And when you consider the goal (i.e., to prove DES can be cracked), it seems reasonable to assume these same participants would not willingly offer up their compute cycles for a more nefarious use (like attacking the keys used to encrypt your online banking session). Hence, this particular model does not appear to pose a significant threat to most uses of encryption today. However, below, we discuss a variation on this approach that does pose an immediate threat.
这些因素在规模上施加了重大限制。虽然distributed.net能够从世界各地征集超过100000台计算机参加第三次RSA DES挑战,但与2^56(超过72万亿)可能的DES密钥相比,这实际上是一个相当小的数字。当你考虑目标(即,证明DES可以被破解)时,假设这些参与者不会愿意为更恶毒的使用提供他们的计算周期(比如攻击用于加密你的在线银行会话的密钥),这似乎是合理的。因此,这种特殊的模型似乎不会对当今大多数加密应用构成重大威胁。然而,在下文中,我们将讨论这种方法的一种变体,它确实会造成直接威胁。
"Spyware" is a popular topic in security newsfeeds these days. Most of these applications are intended to display context-sensitive advertisements to users, and some actually modify a user's web browsing experience, directing them to sites of the distributor's choice in an effort to generate revenue. There are many names for this type of software, but for our purposes, we will refer to it simply as "spyware". And while there are some instances in which rogue software actually does spy on hapless users and report things back to the issuer, we do not focus here on such distinctions.
“间谍软件”是当今安全新闻源中的热门话题。其中大多数应用程序旨在向用户显示上下文相关的广告,有些应用程序实际上修改了用户的web浏览体验,将用户引导到分销商选择的网站,以努力创造收入。这类软件有很多名称,但出于我们的目的,我们将其简称为“间谍软件”。虽然在某些情况下,流氓软件确实会对倒霉的用户进行间谍活动,并向发卡机构报告情况,但我们在此并不关注这些区别。
Indeed, what we are more interested in is the broader modality in which this software functions: it is typically installed without the explicit knowledge and/or understanding of the user, and typically runs without the user's knowledge, sometimes slowing the user's PC to a crawl. One might note that such behavior seems quite surprising in view of the fact that displaying ads to users is actually a light-weight task, and wonder what this software is actually doing with all those compute cycles.
事实上,我们更感兴趣的是该软件功能的更广泛的模式:它通常在没有用户明确了解和/或理解的情况下安装,并且通常在用户不知情的情况下运行,有时会让用户的PC缓慢爬行。有人可能会注意到,鉴于向用户显示广告实际上是一项轻量级任务,这种行为似乎相当令人惊讶,并想知道这个软件在所有这些计算周期中到底在做什么。
Worms and viruses are also very interesting: like spyware, these are installed without the user's knowledge or consent, and they use the computer in ways the user would not voluntarily allow. And unlike the spyware that is most common today, this malware usually contains explicit propagation technology by which it automatically spreads. It is not difficult to imagine where we are going with this: if you combine these techniques, forcible induction of user machines into an "army" of systems becomes possible. This approach was alluded to in [CURT98] and, in fact, is being done today.
蠕虫和病毒也很有趣:像间谍软件一样,它们是在用户不知情或不同意的情况下安装的,并且它们以用户不自愿允许的方式使用计算机。与当今最常见的间谍软件不同,这种恶意软件通常包含显式传播技术,通过这种技术可以自动传播。不难想象我们将向何处发展:如果你将这些技术结合起来,将用户机器强行引入系统的“大军”成为可能。这一方法在[98]中有提及,事实上,今天正在实施。
Botnets [BOT05] represent a relatively recent phenomena. Using various propagation techniques, malware is distributed across a range of systems, where it lies in wait for a trigger of some sort. These "triggers" may be implemented through periodic polling of a centralized authority, the arrival of a particular date, or any of a large number of other events. Upon triggering, the malware executes its task, which may involve participating in a Distributed Denial of Service (DDoS) attack, or some other type of activity.
僵尸网络[BOT05]代表了一种相对较新的现象。通过使用各种传播技术,恶意软件分布在一系列系统中,并等待某种触发。这些“触发器”可以通过集中管理机构的定期轮询、特定日期的到达或大量其他事件中的任何一个来实现。一旦触发,恶意软件将执行其任务,这可能涉及参与分布式拒绝服务(DDoS)攻击或其他类型的活动。
Criminal groups are currently renting out botnets for various uses [CERT01]. While reported occurrences have typically involved using these rogue networks for DDoS attacks, we would be naive to think other uses (e.g., breaking encryption keys) have not been considered. Botnets greatly mitigate the scaling problem faced by distributed.net: it is no longer a volunteer-only effort, and user activity no longer significantly impedes the application's progress. This should give us pause.
犯罪集团目前出租僵尸网络用于各种用途[CERT01]。虽然报告的事件通常涉及使用这些流氓网络进行DDoS攻击,但如果我们认为没有考虑其他用途(例如,破解加密密钥),那就太天真了。僵尸网络极大地缓解了distributed.net面临的扩展问题:它不再是一项仅由志愿者参与的工作,用户活动也不再显著阻碍应用程序的进展。这应该让我们停下来。
It is very important to clearly recognize the implications of this: botnets are cheap, and there are lots of PCs out there. You don't need the $15,625 that we speculated would be enough to build a copy of the EFF system today -- you only need a commodity PC on which to develop the malware, and the requisite skills. Or, you need access to someone with those things, and a relatively modest sum of cash. The game has changed dramatically.
清楚地认识到这一点是非常重要的:僵尸网络很便宜,而且有很多个人电脑。你不需要我们推测的15625美元就足以在今天构建一个EFF系统的副本——你只需要一台用于开发恶意软件的商品PC和必要的技能。或者,你需要找一个有这些东西的人,并且需要一笔相对适中的现金。游戏发生了巨大的变化。
Obviously, DES is not secure by most measures -- why is it still used today? There are probably many reasons, but here are perhaps the most common:
显然,DES在大多数情况下都是不安全的——为什么它在今天仍然被使用?可能有很多原因,但以下可能是最常见的原因:
o Backward compatibility - Numerous deployed systems support DES, and rather than replace those systems, new systems are implemented with compatibility in mind.
o 向后兼容性—许多已部署的系统支持DES,而不是替换这些系统,新系统的实现考虑了兼容性。
o Performance - Many early VPN clients provided DES as the default cryptographic algorithm, because PCs of the day suffered a noticeable performance hit when applying stronger cryptography (e.g., 3DES).
o 性能-许多早期的VPN客户端提供DES作为默认加密算法,因为当时的PC在应用更强的加密(例如3DES)时会受到明显的性能影响。
o Ignorance - People simply do not understand that DES is no longer secure for most uses.
o 无知——人们根本不明白DES在大多数情况下不再安全。
While there are probably other reasons, these are the most frequently cited.
虽然可能还有其他原因,但这些是最常被引用的。
Performance arguments are easily dispensed with today. PCs have more than ample power to implement stronger cryptography with no noticeable performance impact, and for systems that are resource constrained, there are strong algorithms that are far better performers than DES (e.g., AES-128). And while backward compatibility is sometimes a valid argument, this must be weighed carefully. At the point where the risk is higher than the cost of replacement, legacy systems should be abandoned.
今天,性能参数很容易被忽略。PC有足够的能力实现更强大的加密,而不会对性能造成明显影响,对于资源受限的系统,有比DES(如AES-128)性能更好的强大算法。尽管向后兼容性有时是一个有效的论据,但必须仔细权衡这一点。当风险高于更换成本时,应放弃遗留系统。
With respect to the third reason (ignorance), this note attempts to address this, and we should continue to make every effort to get the word out. DES is no longer secure for most uses, and it requires significant security expertise to evaluate those small number of cases in which it might be acceptable. Technologies exist that put DES-cracking capability within reach of a modestly financed or modestly skilled motivated attacker. There are stronger, cheaper, faster encryption algorithms available. It is time to move on.
关于第三个原因(无知),本说明试图解决这一问题,我们应该继续尽一切努力把这个词说出来。DES在大多数情况下不再安全,它需要大量的安全专家来评估少数情况下它可能是可以接受的。现有的技术使DES的破解能力在资金充足或技术熟练的攻击者的能力范围内。有更强、更便宜、更快的加密算法可用。是时候继续前进了。
This entire document deals with security considerations. Still, it makes sense to summarize a few key points here. It should be clear by now that the DES algorithm offers little deterrence for a determined adversary. While it might have cost $250,000 to build a dedicated DES cracker in 1998, nowadays it can be done for considerably less. Indeed, botnets are arguably free, if you don't count the malware author's time in your cost computation.
整个文档都涉及安全方面的考虑。不过,这里总结几个关键点还是有意义的。现在应该清楚的是,DES算法对坚定的对手几乎没有威慑力。虽然1998年建造一个专门的DES裂解器可能要花费250000美元,但现在可以用更少的钱完成。事实上,如果你在计算成本时不计算恶意软件作者的时间,僵尸网络可以说是免费的。
Does this mean DES should never be used? Well, no - but it does mean that if it is used at all, it should be used with extreme care. It is important to carefully evaluate the value of the information being protected, both to its owner and to an attacker, and to fully grasp the potential risks. In some cases, DES may still provide an acceptable level of security, e.g., when you want to encrypt a file on the family PC, and there are no real threats in your household.
这是否意味着永远不应该使用DES?嗯,不,但这确实意味着,如果使用它,应该非常小心。仔细评估所保护信息对其所有者和攻击者的价值,并充分把握潜在风险,这一点非常重要。在某些情况下,DES仍然可以提供可接受的安全级别,例如,当您想要在家庭PC上加密文件,并且您的家庭中没有真正的威胁时。
However, it is important to recognize that, in such cases, DES is much like a cheap suitcase lock: it usually helps honest people remain honest, but it won't stop a determined thief. Given that strong, more efficient cryptographic algorithms (e.g., AES) are available, it seems the only rational reason to continue using DES today is for compulsory backward compatibility. In such cases, if there is no plan for gradually phasing out such products, then, as a security implementer, you can do the following:
然而,重要的是要认识到,在这种情况下,DES就像一个便宜的手提箱锁:它通常帮助诚实的人保持诚实,但它不会阻止一个坚定的小偷。考虑到强大、更高效的加密算法(如AES)可用,目前继续使用DES的唯一合理原因似乎是强制向后兼容。在这种情况下,如果没有逐步淘汰此类产品的计划,那么作为安全实施者,您可以执行以下操作:
o Recommend a phased upgrade approach.
o 建议分阶段升级方法。
o If possible, use 3DES rather than DES (and in any case, DO NOT make DES the default algorithm!).
o 如果可能,使用3DES而不是DES(在任何情况下,不要将DES作为默认算法!)。
o Replace keys before exceeding 2^32 blocks per key (to avoid various cryptanalytic attacks).
o 在每个密钥超过2^32个块之前替换密钥(以避免各种密码分析攻击)。
o If there is a user interface, make users aware of the fact that the cryptography in use is not strong, and for your particular application, make appropriate recommendations in this regard.
o 如果有用户界面,请让用户意识到正在使用的加密功能不强,并针对您的特定应用程序,在这方面提出适当的建议。
The bottom line: it is simpler to not use this algorithm than it is to come up with narrow scenarios in which it might be okay. If you have legacy systems relying on DES, it makes sense to begin phasing them out as soon as possible.
一句话:不使用这种算法要比提出一个可能没问题的狭窄场景简单得多。如果您有依赖DES的遗留系统,那么尽快开始淘汰它们是有意义的。
The author gratefully acknowledges the contributions of Doug Whiting, Matt Curtin, Eric Rescorla, Bob Baldwin, and Yoav Nir. Their reviews, comments, and advice immeasurably improved this note. And of course, we all have the EFF and all those involved with the "Deep Crack", DESCHALL, and distributed.net efforts to thank for their pioneering research and implementations in this area.
作者衷心感谢道格·惠汀、马特·柯廷、埃里克·雷斯科拉、鲍勃·鲍德温和约阿夫·尼尔的贡献。他们的评论、评论和建议极大地改进了这篇文章。当然,我们都有EFF和所有参与“深度破解”、DESCHALL和distributed.net的人,感谢他们在这一领域的开创性研究和实现。
Appendix A. What About 3DES?
附录A.3DES如何?
It seems reasonable, given that we recommend avoiding DES, to ask: how about 3DES? Is it still safe? Thankfully, most of the discussion above does not apply to 3DES, and it is still "safe" in general. Below, we briefly explain why this is true, and what caveats currently exist.
考虑到我们建议避免DES,问:3DES如何?它还安全吗?谢天谢地,上面的大部分讨论并不适用于3DE,总体上它仍然是“安全的”。下面,我们简要解释为什么这是真的,以及目前存在哪些警告。
Recall that for DES there are 2^56 possible keys, and that a brute-force attack consists of trying each key until the right one is found. Since we are equally likely to find the key on the first, second, or even last try, on average we expect to find the key after trying half (2^55) of the keys, or after 36,028,797,018,963,968 decryptions. This doesn't seem completely impossible given current processor speeds, and as we saw above, we can expect with today's technology that such an attack could almost certainly be carried out in around half a day.
回想一下,DES有2^56个可能的密钥,暴力攻击包括尝试每个密钥,直到找到正确的密钥。由于我们平均要在第二个密钥中找到第7955个,所以我们很可能在第二个密钥中找到第7955个。考虑到当前的处理器速度,这似乎不是完全不可能的,正如我们在上面看到的,我们可以预期,在今天的技术中,这种攻击几乎肯定可以在大约半天内实施。
For a brute-force attack on 3DES, however, the outlook is far less optimistic. Consider the problem: we know C (and possibly p), and we are trying to guess k1, k2, and k3 in the following relation:
然而,对于3DE的暴力攻击,前景远不乐观。考虑这个问题:我们知道C(并且可能p),并且我们试图猜测K1、K2和K3在以下关系中:
C = E_k3(D_k2(E_k1(p)))
C = E_k3(D_k2(E_k1(p)))
In order to guess the keys, we must execute something like the following (assuming k1, k2, and k3 are 64-bit values, as are Ci and p):
为了猜测键,我们必须执行如下操作(假设k1、k2和k3是64位值,Ci和p也是64位值):
for ( k3 = 0 to 2^56 step 1 )
compute C2 = D_k3(C1)
for ( k2 = 0 to 2^56 step 1 )
compute C3 = E_k2(C2)
for ( k1 = 0 to 2^56 step 1 )
begin
compute p = D_k1(C3) xor IV
if ( p equals p-expected )
exit loop; we found the keys
end
for ( k3 = 0 to 2^56 step 1 )
compute C2 = D_k3(C1)
for ( k2 = 0 to 2^56 step 1 )
compute C3 = E_k2(C2)
for ( k1 = 0 to 2^56 step 1 )
begin
compute p = D_k1(C3) xor IV
if ( p equals p-expected )
exit loop; we found the keys
end
Note that in the worst case the correct key combination will be the last one we try, meaning we will have tried 2^168 crypto operations. If we assume that each 3DES decryption (2 decryptions plus one encryption) takes a single microsecond, this would amount to 1.19 x 10^37 years. That's FAR longer than scientists currently estimate our universe to have been in existence.
请注意,在最坏的情况下,正确的密钥组合将是我们最后一次尝试的密钥组合,这意味着我们将尝试2^168加密操作。如果我们假设每个3DES解密(两次解密加一次加密)需要一微秒的时间,这相当于1.19 x 10^37年。这比科学家目前估计的宇宙存在的时间要长得多。
While it is important to note that we could slightly prune the key space by assuming that two equal keys would never be used (i.e., k1 != k2, k2 != k3, k1 != k3), this does not result in a significant work reduction when you consider the magnitude of the numbers we're dealing with. And what if we instead assumed that technological advances allow us to apply DES far more quickly?
虽然重要的是要注意,我们可以通过假设两个相等的密钥永远不会被使用(即k1!k2=k2,k2!k3,k1=k3)来稍微修剪密钥空间,当考虑到我们处理的数字的大小时,这不会导致显著的功减少。如果我们假设技术进步使我们能够更快地应用DES会怎么样?
Today, commercial 3DES chips capable of 10-Gbps encryption are widely available, and this translates to 15,625,000 DES blocks per second. The estimate given above assumed 1,000,000 DES blocks/second, so 10-Gbps hardware is 15 times as fast. This means in the worst case it would take 7.6 x 10^35 years -- not much faster in the larger scheme of things.
如今,能够进行10 Gbps加密的商用3DES芯片已被广泛使用,这相当于每秒1565000 DES块。上面给出的估计值假设每秒1000000个DES块,因此10 Gbps硬件的速度是原来的15倍。这意味着在最坏的情况下需要7.6 x 10^35年——在更大的情况下不会更快。
Even if we consider hardware that is 1,000,000 times faster, this would still require 7.6 x 10^29 years - still FAR longer than the universe has been around. Obviously, we're getting nowhere fast here. 3DES, for all practical purposes, is probably safe from brute-force attacks for the foreseeable future.
即使我们认为硬件是1000000倍的速度,这仍然需要7.6×10 ^ 29年-仍然远比宇宙长得多。显然,我们在这方面进展很快。就所有实际用途而言,3DE在可预见的未来可能不会受到暴力攻击。
Unlike DES, there are only a few known cryptanalytic attacks against 3DES. Below, we describe those attacks that are currently discussed in the literature.
与DES不同,只有少数已知的针对3DE的密码分析攻击。下面,我们将描述目前文献中讨论的那些攻击。
The most commonly described 3DES attack is MITM, described in [HAC] and elsewhere. It works like this: take a ciphertext value 'C' (with corresponding known plaintext value 'p'), and compute the values of Cx = D_kx(C) for all possible (2^56) keys. Store each Cx,kx pair in a table indexed by Cx.
最常见的3DES攻击是MITM,如[HAC]和其他地方所述。它的工作原理是这样的:取一个密文值'C'(与相应的已知明文值'p'),并计算所有可能(2^56)密钥的Cx=D_kx(C)的值。将每个Cx、kx对存储在由Cx索引的表中。
Now, compute the values of Cy = D_ki(E_kj(p)) in a nested loop, as illustrated above in our brute-force exercise. For each Cy, do a lookup on the table of Cx's. For each match found, test the triple of keys. It is important to note that a match does not imply you have the right keys - you must test this against additional ciphertext/plaintext pairs to be certain (~3 pairs for a strong measure of certainty with 3DES). Ultimately, there will be exactly one correct key triplet.
现在,计算嵌套循环中Cy=D_ki(E_kj(p))的值,如我们的蛮力练习中所示。对于每个Cy,在Cx表上进行查找。对于找到的每个匹配项,测试三重键。重要的是要注意,匹配并不意味着您拥有正确的密钥-您必须针对额外的密文/明文对进行测试,以确定这一点(~3对用于3DES的强确定性度量)。最终,将只有一个正确的密钥三元组。
Note that computing the initial table of Cx,kx pairs requires 2^56 encryptions and 2^56 blocks of storage (about 576 gigabytes). Computing the lookup elements requires at most 2^112 cryptographic
请注意,计算Cx、kx对的初始表需要2^56次加密和2^56个存储块(约576 GB)。计算查找元素最多需要2^112个密码
operations (table lookups are negligible by comparison), and 2^111 operations on average. Lucks [LUCKS] has come up with optimizations that reduce this to about 2^108.
操作(相比之下,表查找可以忽略不计),平均2^111个操作。Lucks[Lucks]已经提出了一些优化方案,将其减少到大约2^108。
3DES, even at a strength of 2^108, is still very strong. If we use our brute-force limits from above (15,625,000 blocks per second), this attack will take on the order of 6.586 x 10^17 years to carry out. Make the machine 1 million times faster, and you still need more than 658 BILLION years. We are probably safe from MITM attacks on 3DES for the foreseeable future.
即使强度为2^108,3DES仍然非常强大。如果我们使用以上的蛮力限制(每秒15625000个区块),则此攻击将需要6.586 x 10^17年的时间执行。让机器快一百万倍,你还需要6580多亿年。在可预见的未来,我们可能不会受到3DES上的MITM攻击。
For a detailed description of related key attacks against 3DES (and other algorithms), see [KELSEY]. In a nutshell, for this approach the attacker knows the encryption of given plaintext under the original key K, and some related keys K'_i. There are attacks where the attacker chooses how the key is to be changed, and attacks in which the difference is known, but not controlled, by the attacker.
有关针对3DES(和其他算法)的相关密钥攻击的详细说明,请参阅[KELSEY]。简而言之,对于这种方法,攻击者知道在原始密钥K和一些相关密钥K〃u i下对给定明文的加密。有些攻击是攻击者选择如何更改密钥,有些攻击是攻击者已知差异但无法控制的。
Here's how it works. Assume the following cryptographic relation:
下面是它的工作原理。假设以下加密关系:
C = E_k3(D_k2(E_k1(p)))
C = E_k3(D_k2(E_k1(p)))
Then, the following defines the key relation:
然后,以下内容定义了键关系:
K = (k1,k2,k3) and K' = (k1 + d,k2,k3)
K = (k1,k2,k3) and K' = (k1 + d,k2,k3)
with d being a fixed constant. Knowing p and C, we need to decrypt C under K' as follows:
d是一个固定常数。知道p和C,我们需要在K'下解密C,如下所示:
Let kx = k1 + d (note: '+' represents xor)
Let kx = k1 + d (note: '+' represents xor)
and
和
p' = D_kx(E_k1(p))
p' = D_kx(E_k1(p))
Once we have p', we can find kx by exhaustively trying each key until we find a match (2^56 encryptions, worst case). Once we find kx, we can conduct a double-DES MITM attack to find k2 and k3, which requires between 2^56 and 2^72 trial offline encryptions.
一旦我们有了p',我们就可以找到kx,方法是用尽全力尝试每个密钥,直到找到匹配项为止(最坏的情况是2^56次加密)。一旦找到kx,我们就可以进行双重DES-MITM攻击来找到k2和k3,这需要2^56到2^72之间的离线加密。
From a practical standpoint, it's very important to recognize the "what-if" nature of this attack: the adversary must know the plaintext/ciphertext pair, he must be able to influence a subsequent encryption key in a highly controlled fashion (or at least, know
从实际的角度来看,认识到这种攻击的“假设”性质非常重要:对手必须知道明文/密文对,他必须能够以高度受控的方式影响后续加密密钥(或者至少知道)
exactly how the key changes), and then have the cryptographic cooperation required to compute p'. This is clearly a very difficult attack in the real world.
确切地说,密钥是如何变化的),然后进行计算p'所需的加密协作。在现实世界中,这显然是一个非常困难的攻击。
While the effective key length for 3DES is clearly much larger than for DES, the block size is, unfortunately, still only 64 bits. For CBC mode (the most commonly deployed mode in Internet security protocols), this means that, due to the birthday paradox, information about the plaintext begins to leak after around 2^32 blocks have been encrypted. For this reason, 3DES may not be the best choice for high-throughput links, or other high-density encryption applications. At minimum, care should be taken to refresh keys frequently enough to minimize ciphertext collisions in such scenarios.
虽然3DES的有效密钥长度明显大于DES,但不幸的是,块大小仍然只有64位。对于CBC模式(Internet安全协议中最常用的部署模式),这意味着,由于生日悖论,大约2^32个块加密后,明文信息开始泄漏。因此,3DES可能不是高通量链路或其他高密度加密应用程序的最佳选择。至少,应该注意足够频繁地刷新密钥,以尽量减少此类场景中的密文冲突。
Informative References
资料性引用
[AES] "The Advanced Encryption Standard", November 2001, <http://csrc.nist.gov/publications/fips/fips197/ fips-197.pdf>.
[AES]“高级加密标准”,2001年11月<http://csrc.nist.gov/publications/fips/fips197/ fips-197.pdf>。
[AES-NSA] "CNSS Policy No. 15, Fact Sheet No. 1", June 2003, <http://csrc.nist.gov/cryptval/CNSS15FS.pdf>.
[AES-NSA]“CNSS第15号政策,第1号概况介绍”,2003年6月<http://csrc.nist.gov/cryptval/CNSS15FS.pdf>.
[BIH93] Biham, E. and A. Shamir, "Differential Cryptanalysis of the Data Encryption Standard", 1993.
[BIH93]Biham,E.和A.Shamir,“数据加密标准的差分密码分析”,1993年。
[BIH96] Biham, E., "How to Forge DES-Encrypted Messages in 2^28 Steps", 1996.
《1996年第2步至第28步的加密信息》,比哈姆。
[BIH96-2] Biham, E. and A. Shamir, "A New Cryptanalytic Attack on DES", 1996.
[BIH96-2]Biham,E.和A.Shamir,“对DES的新密码分析攻击”,1996年。
[BLAZ96] Blaze, M., Diffie, W., Rivest, R., Schneier, B., Shimomura, T., Thompson, E., and M. Wiener, "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security", January 1996.
[BLAZ96]Blaze,M.,Diffie,W.,Rivest,R.,Schneier,B.,Shimomura,T.,Thompson,E.,和M.Wiener,“对称密码提供充分商业安全的最小密钥长度”,1996年1月。
[BOT05] "Know Your Enemy: Tracking Botnets", March 2005, <http://www.honeynet.org/papers/bots/>.
[BOT05]“了解你的敌人:追踪僵尸网络”,2005年3月<http://www.honeynet.org/papers/bots/>.
[CERT01] Ianelli, N. and A. Hackworth, "Botnets as a Vehicle for Online Crime", December 2005, <http://www.cert.org/archive/pdb/Botnets.pdf>.
[CERT01]Ianelli,N.和A.Hackworth,“僵尸网络作为网络犯罪的工具”,2005年12月<http://www.cert.org/archive/pdb/Botnets.pdf>.
[CURT05] Curtin, M., "Brute Force: Cracking the Data Encryption Standard", 2005.
[Curtin,M.,“暴力:破解数据加密标准”,2005年。
[CURT98] Curtin, M. and J. Dolske, "A Brute Force Search of DES Keyspace", 1998, <http://www.interhack.net/pubs/des-key-crack/>.
[Curtin,M.和J.Dolske,“对DES Keyspace的暴力搜索”,1998年<http://www.interhack.net/pubs/des-key-crack/>.
[DES] "Data Encryption Standard", January 1977, <http://www.nist.gov>.
[DES]“数据加密标准”,1977年1月<http://www.nist.gov>.
[DH77] Hellman, M. and W. Diffie, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard", June 1977.
[DH77]Hellman,M.和W.Diffie,“NBS数据加密标准的详尽密码分析”,1977年6月。
[DIST99] Press Release, distributed., "US GOVERNMENT'S ENCRYPTION STANDARD BROKEN IN LESS THAN A DAY", 1999, <http://www1.distributed.net/des/release-desiii.txt>.
[DIST99]发布的新闻稿,“美国政府的加密标准在不到一天的时间内被打破”,1999年<http://www1.distributed.net/des/release-desiii.txt>.
[EFF98] EFF, "Cracking DES", July 1998.
[EFF98]EFF,“破解DES”,1998年7月。
[FBI01] "NIPC Advisory 01-003", March 2001, <http://www.fbi.gov/pressrel/pressrel01/nipc030801.htm>.
[FBI01]“NIPC咨询01-003”,2001年3月<http://www.fbi.gov/pressrel/pressrel01/nipc030801.htm>.
[FBI06] "FBI Webpage: Focus on Economic Espionage", January 2006, <http://www.fbi.gov/hq/ci/economic.htm>.
[FBI06]“FBI网页:关注经济间谍”,2006年1月<http://www.fbi.gov/hq/ci/economic.htm>.
[FERG03] Ferguson, N. and B. Schneier, "Practical Cryptography", 2003.
[FERG03]Ferguson,N.和B.Schneier,“实用密码学”,2003年。
[FPL02] Koeune, F., Rouvroy, G., Standaert, F., Quisquater, J., David, J., and J. Legat, "An FPGA Implementation of the Linear Cryptanalysis", FPL 2002, Volume 2438 of Lecture Notes in Computer Science, pages 846-852, Spriger-Verlag, September 2002.
[FPL02]Koeune,F.,Rouvroy,G.,Standaert,F.,Quisquater,J.,David,J.,和J.Legat,“线性密码分析的FPGA实现”,FPL 2002,计算机科学讲稿2438卷,846-852页,Spriger Verlag,2002年9月。
[HAC] Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook of Applied Cryptography", 1997.
[HAC]Menezes,A.,van Oorschot,P.,和S.Vanstone,“应用密码学手册”,1997年。
[JAK97] Jakobsen, T. and L. Knudsen, "The Interpolation Attack on Block Ciphers", 1997.
[JAK97]Jakobsen,T.和L.Knudsen,“分组密码的插值攻击”,1997年。
[KELSEY] Kelsey, J., Schneier, B., and D. Wagner, "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES", 1996.
[KELSEY]KELSEY,J.,Schneier,B.,和D.Wagner,“3路、IDEA、G-DES、RC4、SAFER和三重DES的密钥计划密码分析”,1996年。
[LUCKS] Lucks, S., "Attacking Triple Encryption", 1998.
[LUCKS]LUCKS,S.,“攻击三重加密”,1998年。
[MAT93] Matsui, M., "Linear Cryptanalysis Method for DES Cipher", 1993.
[MAT93]Matsui,M.“DES密码的线性密码分析方法”,1993年。
[NIST-TP] "DES Transition Plan", May 2005, <http://csrc.nist.gov/cryptval/DESTranPlan.pdf>.
[NIST-TP]“DES过渡计划”,2005年5月<http://csrc.nist.gov/cryptval/DESTranPlan.pdf>.
[NYSE1] "Extreme availability: New York Stock Exchange's new IT infrastructure puts hand-held wireless terminals in brokers' hands.", June 2005.
[NYSE1]“极度可用性:纽约证券交易所新的IT基础设施将手持无线终端置于经纪人手中”,2005年6月。
[RSA1] Press Release, RSA., "Team of Universities, Companies and Individual Computer Users Linked Over the Internet Crack RSA's 56-Bit DES Challenge", 1997, <http:// www.rsasecurity.com/press_release.asp?doc_id=661&id=1034>.
[RSA1]新闻稿,RSA.,“通过互联网链接的大学、公司和个人计算机用户团队破解RSA的56位DES挑战”,1997年,<http://www.rsasecurity.com/Press_Release.asp?doc_id=661&id=1034>。
[RSA2] Press Release, RSA., "RSA to Launch "DES Challenge II" at Data Security Conference", 1998, <http:// www.rsasecurity.com/press_release.asp?doc_id=729&id=1034>.
[RSA2]新闻稿,RSA.,“RSA将在数据安全会议上推出“DES挑战II”,1998年,<http://www.rsasecurity.com/Press\u Release.asp?doc\u id=729&id=1034>。
[RSA3] Press Release, RSA., "Distributed Team Collaborates to Solve Secret-Key Challenge", 1998, <http:// www.rsasecurity.com/press_release.asp?doc_id=558&id=1034>.
[RSA3]新闻稿,RSA.,“分布式团队合作解决密钥挑战”,1998年,<http://www.rsasecurity.com/Press\u Release.asp?doc\u id=558&id=1034>。
[RSA4] Press Release, RSA., "RSA to Launch DES Challenge III Contest at 1999 Data Security Conference", 1998, <http:// www.rsasecurity.com/press_release.asp?doc_id=627&id=1034>.
[RSA4]新闻稿,RSA.,“RSA将在1999年数据安全会议上发起DES挑战III竞赛”,1998年,<http://www.rsasecurity.com/Press_Release.asp?doc_id=627&id=1034>。
[RSA5] Press Release, RSA., "RSA Code-Breaking Contest Again Won by Distributed.Net and Electronic Frontier Foundation", 1999, <http://www.rsasecurity.com/ press_release.asp?doc_id=462&id=1034>.
[RSA5]新闻稿,RSA.,“分布式.Net和电子前沿基金会再次赢得RSA密码破解大赛”,1999年<http://www.rsasecurity.com/ press_release.asp?doc_id=462&id=1034>。
[SCHN96] Schneier, B., "Applied Cryptography, Second Ed.", 1996.
[Schneier,B.,“应用密码学,第二版”,1996年。
[VA1] "Review of Issues Related to the Loss of VA Information Involving the Identities of Millions of Veterans (Report #06-02238-163)", July 2006, <http://www.va.gov/oig/51/ FY2006rpts/VAOIG-06-02238-163.pdf>.
[VA1]“涉及数百万退伍军人身份的退伍军人信息丢失相关问题审查(报告#06-02238-163)”,2006年7月<http://www.va.gov/oig/51/ FY2006rpts/VAOIG-06-02238-163.pdf>。
[WIEN94] Wiener, M., "Efficient DES Key Search", August 1993.
[WIEN94]Wiener,M.,“有效的DES密钥搜索”,1993年8月。
Author's Address
作者地址
Scott G. Kelly Aruba Networks 1322 Crossman Ave Sunnyvale, CA 94089 US
美国加利福尼亚州桑尼维尔市克罗斯曼大道1322号斯科特·G·凯利阿鲁巴网络公司,邮编94089
EMail: scott@hyperthought.com
EMail: scott@hyperthought.com
Full Copyright Statement
完整版权声明
Copyright (C) The IETF Trust (2006).
版权所有(C)IETF信托基金(2006年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST, AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。