From daw@joseph.cs.berkeley.edu Wed Dec 4 13:50:42 PST 1996
Article: 59757 of sci.crypt
Path: agate!not-for-mail
From: daw@joseph.cs.berkeley.edu (David Wagner)
Newsgroups: sci.crypt
Subject: Re: Security of Des key encrypted with its self????
Date: 4 Dec 1996 13:49:06 -0800
Organization: ISAAC Group, UC Berkeley
Lines: 65
Message-ID: <584rki$79n@joseph.cs.berkeley.edu>
References:
NNTP-Posting-Host: joseph.cs.berkeley.edu
In article ,
Adrian M Iley wrote:
> Does anyone know how easy it is to derive a Des key or unknown
> plaintexts if the following is done: The des key its self
> (56key+8parity) is used as the IVEC for des_pcbc_encrypt.
[...]
> I am especially interested in Known, and/or Chosen plaintext
> attacks, where the key or other unknown plaintexts may be derived. (even
> from repeated encryptions where the IVEC starts as the key)
This is bad, I think. I describe one way to break it, below.
What system is this? Is this Kerberos?
Suppose you have some known plaintext, namely the first block of
plaintext P[0], and you observe the corresponding ciphertext C[0].
You'll have the relation
C[0] = Encrypt(P[0] xor K)
where encryption is done under the key K.
Now I show how to recover K in a chosen-ciphertext attack. In an
active attack, suppose you intercept a new ciphertext C'[0],C'[1],...
and suppose you have some known plaintext -- namely you can predict
some plaintext block P'[n]. Replace C'[n+1] in the intercepted
ciphertext with C[0], and now inject the modified ciphertext
C'[0],C'[1],...,C'[n],C[0],C'[n+2],C'[n+3],...,
onto the wire. Under the premises of the chosen-ciphertext attack,
the attacker obtains the decryption of the modified ciphertext. In
more detail, suppose the recipient decrypts the modified packet to
obtain the plaintext
P'[0],P'[1],...,P'[n],P''[n+1],P''[n+2],P''[n+3],...
(Remember that we injected an "error" into the block numbered n+1,
so the decrypted plaintext will match the original sent plaintext
for blocks 0,1,...,n but thereafter will depart.)
Now we can recover K from P[0], P'[n], C'[n], and P''[n+1] in a
straightforward manner with very little work. By the definition
of PCBC mode, we have the relation
P''[n+1] = Decrypt(C[0]) xor C'[n] xor P'[n]
= P[0] xor K xor C'[n] xor P'[n].
Therefore we may recover K as
K = P[0] xor C'[n] xor P'[n] xor P''[n+1].
This attack requires one chosen-ciphertext query, a little bit of
known plaintext, and very little computation.
I think this attack may even be practical to mount in real life,
if you can mount an active attack. Known plaintext is often available
in the form of predictable headers, stereotyped text, etc. Chosen
ciphertext queries are often available: for example, in an encrypted
telnet application, you wait till the person is in the middle of
typing an email message; then you inject some chosen ciphertext,
let them finish & send off the message, and watch as the email is
transmitted (in the clear!) to/from the SMTP server, recovering the
decryption of the chosen ciphertext in the process.
This attack doesn't really require anything all that special about
PCBC mode -- it just relies on the fact that it's a chaining mode
with limited error propagation. In fact, I remember someone asking
(a while ago) about the security of CBC mode when the key is used
as the IV; back then I pointed out a (different) attack in a sci.crypt
post which is archived at
http://www.cs.berkeley.edu/~daw/my-posts/key-as-iv-broken
The moral is, don't ever stick the key into a plaintext or ciphertext
port, or you might get screwed by chosen-plaintext/ciphertext attacks.