Network Working Group                                          M. Leech
Request for Comments: 3607                               Nortel Networks
Category: Informational                                   September 2003

Chinese Lottery Cryptanalysis Revisited:
The Internet as a Codebreaking Tool
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document revisits the so-called Chinese Lottery
massively-parallel cryptanalytic attack. It explores Internet-based
analogues to the Chinese Lottery, and their potentially serious
consequences.
1. Introduction
In 1991, Quisquater and Desmedt [DESMEDT91] proposed an esoteric, but
technically sound, attack against DES or similar ciphers. They
termed this attack the Chinese Lottery. It was based on a
massively-parallel hardware approach, using consumer electronics as
the "hosts" of the cipher-breaking hardware.
In the decade since Quisquater and Desmedt proposed their Chinese
Lottery thought experiment, there has been considerable growth in a
number of areas that make their thought experiment worth revisiting.
In 1991, the Internet had approximately 8 million reachable hosts
attached to it; in 2002, the number is a staggering 100 million
reachable hosts. In the time since the Chinese Lottery paper,
computer power available to the average desktop user has grown by a
factor of approximately 150.
Leech Informational [Page 1]
2. Dangerous Synergy
The growth of the Internet and the unstoppable march of Moore's Law
have combined to create a dangerous potential for brute-force
cryptanalysis of existing cryptosystems.
In the last few years, several wide-scale attacks by so-called
Internet Worms [SPAFF91] have successfully compromised and infected
surprisingly large numbers of Internet-attached hosts. In 2001, the
Cooperative Association for Internet Data Analysis [CAIDA2001]
reported that the Code Red v2 worm was able to infect over 350,000
hosts in its first 14 hours of operation. The payload of the Code
Red worm was mischief: the defacement of the host website with a
political message. It was bold, brash, and drew attention to itself
nearly immediately.
Consider for a moment an Internet worm with a darker and ultimately
more dangerous purpose: to brute-force cryptanalyze a message, in
order to determine the key used with that message. In order for the
worm to be successful, it must avoid detection for long enough to
build up a significant level of infected systems, in order to have
enough aggregate CPU cycles to complete the cryptanalysis.
Furthermore, our worm would need to avoid detection for long enough
for the cracked key to be useful to the owners of the worm. Recent
research [USEN2002] on stealthy worms paints a very dark picture
indeed.
Even after such a worm is detected, it would be nearly impossible to
tell whose key the worm was attacking. Any realistic attack payload
will have one or two pieces of ciphertext, and some known-plaintext
or probable-plaintext characteristics associated with it; hardly
enough data to determine the likely victim.
3. Winner phone home
When a given instance of the worm determines the key, it needs to
contact the originator in order to give them the key. It has to do
this in such a way as to minimize the probability that the originator will get caught.
One such technique would be for the worm to public-key encrypt the
key, under the public key(s) of the originator(s), and place this in
some innocuous spot on the website of the compromised host. The worm
could also back-propagate so that a number of compromised websites
in the topological neighborhood of the worm will also contain the
data. The file containing the key would be identified with some
unique keyword which the originators occasionally look for using
Internet search engines. The worm could make the process more
efficient by using the "keyword registry" services of various
Internet search engines.
Another approach would be to post a (possibly PGP-encrypted) message
to several newsgroups, through an anonymous posting service.
Similarly, Internet "chat" services like IRC could be used; indeed
there's an emerging tradition of using IRC and similar services for
real-time, anonymous control of worms and viruses.
Any of these methods can be used both to allow the "winning" worm
instance to send results and for the originator to send new work to
the amassed army of compromised systems.
4. Evaluating the threat
Both Internet growth and CPU performance follow a reasonably
predictable doubling interval. Performance of computing hardware
appears to still be following Moore’s Law, in which performance
doubles every 1.5 years. Internet growth appears to be following a
doubling period of 3 years.
By establishing a common epoch for both performance and Internet
growth, we can easily determine the likely attack time for any given
year, based on a purely arithmetic approach.
A simplifying assumption is that it is indeed possible to construct a suitably-stealthy worm and that it can achieve a steady-state
infection of about 0.5% of all attached hosts on the Internet.
In 1995, J. Touch, at ISI, published a detailed performance analysis
of MD5 [RFC1810]. At that time MD5 software performance peaked at
87 Mbits/second, or an equivalent of 170,000 single-block MD5
operations per second. In the same year, peak DES performance was
about 50,000 setkey/encrypt operations per second.
In 1995, the Internet had about 20,000,000 attached hosts. In 2002, there are a staggering 100,000,000 attached hosts.
A simple C program, given in Appendix A, can be used to predict the
performance of our hypothetical worm for any given year. Running
this program for 2002 gives:
Year of estimate: 2002
For a total number of infected hosts of 503968
aggregate performance: MD5 9.79e+11/sec DES 2.88e+11/sec
DES could be cracked in about 1.45 days
DES with 8 character passwords could be cracked in 16.29 minutes
MD5 with 64-bit keys could be cracked in about 218.04 days
MD5 with 8 character passwords could be cracked in 4.79 minutes
The numbers given above suggest that an undetected attack against
MD5, for a reasonable key length, isn’t likely in 2002. A successful attack against DES, however, appears to be a near-certainty.
5. Security Considerations
DES has been shown to be weak in the recent past. The success of the
EFF machine, described in [EFF98], shows how a massively-parallel
hardware effort can succeed relatively economically. That this level
of brute-force cryptanalytic strength could be made available without
custom hardware is a sobering thought. It is clear that DES needs to
be abandoned in favor of either 3DES or the newer AES [FIPS197].
The picture for MD5 (when used in simple MAC constructions) is much
brighter. For short messages, long keys with MD5 are effectively
free, computationally, so it makes sense to use the longest
architecturally-practical key lengths with MD5.
Operating system software is becoming more complex, and the
perpetrators of Internet Worms, Viruses, Trojan Horses, and other
malware are becoming more sophisticated. While their aim has
largely been wide-scale vandalism, it seems reasonable to assume that
their methods could be turned to a more focused and perhaps more
sinister activity.
As of February 2003, at least one worm, known as W32/Opaserv.A, has a
payload designed to implement a distributed DES cracker.
6. Acknowledgements
John Morris, of Nortel IS, contributed the idea of anonymous
newsgroup posting.
Appendix A: Source Code
/*
 * This program calculates the performance of a hypothetical
 * "Chinese Lottery" brute-force cryptanalysis worm, based on
 * the current date, estimates of Internet growth rate and
 * Moore's Law.
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <math.h>

/*
 * EPOCH for the calculations
 */
#define EPOCH 1995.0

/*
 * Size of the Internet (ca 1995)
 */
#define INTERNET_SIZE 20000000.0

/*
 * Software MD5 performance (ca 1995)
 */
#define MD5PERF 170000.0

/*
 * Software DES performance (ca 1995)
 */
#define DESPERF 50000.0

int
main (int argc, char **argv)
{
    double yeardiff;
    double cryptoperf, multiplier;
    double cracktime;

    if (argc != 2) {
        fprintf (stderr, "usage: %s year\n", argv[0]);
        return 1;
    }
    yeardiff = (double)atoi(argv[1]) - EPOCH;

    /*
     * Moore's Law performance doubling interval is 1.5 years
     */
    cryptoperf = yeardiff / 1.5;
    cryptoperf = pow(2.0, cryptoperf);

    /*
     * Some fuzz here--not all hosts will be the fastest available
     */
    cryptoperf *= 0.450;

    /*
     * Internet size doubling interval is every 3 years;
     * assume a steady-state infection of 0.5% of all hosts
     */
    multiplier = yeardiff / 3.0;
    multiplier = pow(2.0, multiplier);
    multiplier *= (INTERNET_SIZE*0.0050);

    fprintf (stderr, "Year of estimate: %d\n", atoi(argv[1]));
    fprintf (stdout, "For a total number of infected hosts of %d\n",
             (int)multiplier);
    fprintf (stdout, "aggregate performance: MD5 %5.2e/sec DES %5.2e/sec\n",
             MD5PERF*cryptoperf*multiplier,
             DESPERF*cryptoperf*multiplier);

    /*
     * Full DES key search: 2^55 trials on average for a 56-bit key
     */
    cracktime = pow(2.0, 55.0);
    cracktime /= (DESPERF*cryptoperf*multiplier);
    fprintf (stdout,
             "DES could be cracked in about %3.2lf days\n",
             cracktime/86400.0);

    /*
     * 8-character password, taken as 6 bits of entropy per character
     */
    cracktime = pow(2.0, 8.0*6.0);
    cracktime /= (DESPERF*cryptoperf*multiplier);
    fprintf (stdout,
             "DES with 8 character passwords could be cracked in %3.2lf minutes\n",
             cracktime/60);

    cracktime = pow(2.0, 64.0);
    cracktime /= (MD5PERF*cryptoperf*multiplier);
    fprintf (stdout,
             "MD5 with 64-bit keys could be cracked in about %3.2lf days\n",
             cracktime/86400.0);

    cracktime = pow(2.0, 8.0*6.0);
    cracktime /= (MD5PERF*cryptoperf*multiplier);
    fprintf (stdout,
             "MD5 with 8 character passwords could be cracked in %3.2lf minutes\n",
             cracktime/60);
    return 0;
}