When the DES was adopted in 1977, two well-know cryptographers, Whitfield Diffie and Martin Hellman, argued that 56-bit keys were not secure [10]. They estimated that they could build a search machine that would crack keys at a cost of $100 each by 1994. In 1993, Michael Wiener described a special-purpose architecture for cracking DES keys. He estimated that a machine with 57,600 search chips and costing $1 million could break a key in 3.5 hours [11]. Neither of these machines was built, but Wiener's design in particular was put forth as proof that DES was crackable.
Concern about key length was heightened when a 40-bit key was cracked by a French student, Damien Doligez, in 8 days using 120 workstations and a few supercomputers [12]. Even though a 56-bit key would take 65 thousand times longer to break and a 64-bit key 17 million times longer, the perception was that much longer keys were needed for adequate protection.
Crack Dc Unlocker 2 Clientl
Download Zip: https://tinourl.com/2vzSXE
In 1996, a group of seven cryptographers issued a report recommending that keys be at least 75-90 bits to protect against a well-funded adversary [13]. The cryptographers estimated that a 40-bit key could be cracked in 12 minutes and a 56-bit key in 18 months using a $10,000 machine consisting of 25 Field Programmable Gate Array (FPGA) chips. Each chip would cost $200 and test 30 million keys per second. For $10 million, a machine with 25,000 FPGA chips could crack a 56-bit DES key in 13 hours; one with 250,000 Application-Specific Integrated Circuits costing $10 each could do it in 6 minutes. By comparison, the National Security Agency estimated it would take 10 minutes to crack a 40-bit key and 1 year and 87.5 days to crack a 56-bit key on a Cray T3D supercomputer with 1024 nodes and costing $30 million. Table 2 shows the estimates for the FPGA and ASIC architectures and for the Cray (row 3). The first row corresponds to the actual attack carried out by the French student.
At their January 1997 conference, RSA Data Security announced a set of challenge ciphers with prizes for the first person breaking each cipher [14]. These included $1,000 for breaking a 40-bit RC5 key, $5,000 for breaking a 48-bit RC5 key, and $10,000 for breaking a 56-bit RC5 or DES key. The challenges extend to 128-bit RC5 keys in increments of 8 bits each. The 40-bit prize was won shortly thereafter by Ian Goldberg, a student at Berkeley, who cracked it in 3.5 hours using a network of 250 computers that tested 100 billion keys per hour. The 48-bit prize was won a few weeks later by Germano Caronni, a student at the Swiss Federal Institute of Technology. Caronni harnessed the power of over 3,500 computers on the Internet to achieve a peak search rate of 1.5 trillion keys per hour. The key was found after 312 hours (13 days).
Although key length is significant to the strength of an algorithm, weaknesses in key management protocols or implementation can allow keys to be cracked that would be impossible to determine by brute force. For example, shortly after the French student cracked the 40-bit key in 8 days, Ian Goldberg and David Wagner found that the keys generated for Netscape could be hacked in less than a minute because they were not sufficiently random [17]. Paul Kocher showed that under suitable conditions, a key could be cracked by observing the time it took to decrypt or sign messages with that key [18]. Richard Lipton, Rich DeMillo, and Dan Boney at Bellcore showed that public-key cryptosystems implemented on smart cards and other tamperproof tokens hardware were potentially vulnerable to hardware fault attacks if the attacker could induce certain types of errors on the card and observe their effect [19]. Eli Biham and Adi Shamir showed that the strategy could also work against single-key systems such as DES and Triple-DES [20]. Thus, while key length is a factor in security, it is by no means the only one.
Because not all encryption systems have built-in key recovery mechanisms, there is also a market for recovering keys (and ultimately the plaintext) by other means, for example, brute-force attacks against short keys or attacks that exploit weaknesses in design or implementation. Many systems contain flaws, for example, in key management, that allow them to be cracked despite using long keys. In some cases, the key may be stored on a disk encrypted with a password that can be cracked. AccessData Corp., a company in Orem, Utah, provides software and services to help law enforcement agencies and companies recover data that has been locked out by encryption. In an interview with the Computer Security Institute, Eric Thompson, founder of AccessData, reported that they had a recovery rate of about 80-85% with large-scale commercial commodity software applications [23]. Thompson also noted that former CIA spy Aldrich Ames had used off-the-shelf software that could be broken.
Commercial products for domestic markets now use algorithms with key lengths that are totally infeasible to crack by brute force, for example 128-bit RC4 and 168-bit Triple-DES. At the same time, code breakers on the Internet are pooling resources to break ever longer keys, most recently 48 bits. Although many commercial products are breakable through flaws in design and implementation, the trend is to build products with stronger security and to provide emergency decryption, both for the owners of the data and for lawfully authorized government officials, through a key recovery system. 2ff7e9595c
Comments