Your encrypted files are 'exponentially easier' to crack, warn MIT boffins

Encryption systems may be a lot less secure than we thought, according to new research into the maths underpinning today's cryptography. Boffins in the US and Ireland have managed to poke holes in modern information theory, an area of mathematics used to prove the strength of cryptographic systems before they are trusted and …

COMMENTS

      1. Tom 13

        Re: I am not a cryptographer but...

        But what if you combine the Captain Crunch Decoder ring, ROT-13, and THEN apply the Caesar cypher?

        1. the spectacularly refined chap

          Re: I am not a cryptographer but...

          ROT13 is a Caesar cipher.

  1. Player One

    Always wondered if this is true

    Would encrypting a file and then encrypting the resulting file, with a different key, not make it impossible to crack? Assuming the use of a suitably long key. Ok, so not actually impossible ever but improbable in any meaningful timeframe.

    1. Sir Runcible Spoon

      Re: Always wondered if this is true

      Didn't 3DES do this? (albeit only with a 56-bit key)

    2. Anonymous Coward

      Re: Always wondered if this is true

      Probably the same effect of "zipping a zipped file". Could do, or may not. Depends on the method.

      For example, a simple decoder ring, applied twice with 2 different transforms, would add to the complexity, but not be "impossible" to decode.

      But I'm not an expert...

      1. MeRp

        Re: Always wondered if this is true

        The second application of a decoder ring would have no additional benefit. Decoder rings are purely transitive, so 1st transform plus 2nd transform is equivalent to some 3rd (single) transform. I believe that even the 3DES method would not help; 3DES does DES, then reverses the output of that, and DES again on that, then reverses that and does DES one more time (thus: triple DES). Reversing it each time does improve its encryption for DES, but, I believe, it would not for decoder ring style encryption.
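
The point made in the comment above, that one decoder ring applied after another is just a third decoder ring, can be checked directly. The following is an added example, not code from the thread: it builds Caesar-style shift tables and arbitrary letter-substitution tables, composes them, and counts how many distinct ciphers stacking two shifts can actually produce. The sample message and the random-seeded substitution tables are constructed for the demo.

```python
# Added example (not from the comment thread). It shows, in code, the point made
# above: two "decoder ring" (monoalphabetic substitution) ciphers applied in
# sequence are equivalent to one, so stacking them does not enlarge the key space.
import random
import string

ALPHABET = string.ascii_uppercase


def caesar_table(shift):
    """Substitution table for a Caesar/ROT-style shift, i.e. a decoder ring."""
    return {c: ALPHABET[(i + shift) % 26] for i, c in enumerate(ALPHABET)}


def random_table(seed):
    """An arbitrary monoalphabetic substitution (a ring with scrambled letters).
    The seed only makes this demo reproducible; it is not a cryptographic key."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return dict(zip(ALPHABET, letters))


def apply_table(table, text):
    # Characters outside the alphabet (spaces, digits) pass through unchanged.
    return "".join(table.get(c, c) for c in text.upper())


def compose(first, second):
    """The single table that equals 'apply first, then apply second'."""
    return {c: second[first[c]] for c in ALPHABET}


def is_substitution(table):
    """True if the table is a bijection on the alphabet, i.e. still a 'ring'."""
    return set(table) == set(ALPHABET) and set(table.values()) == set(ALPHABET)


def equivalent_shift(s1, s2):
    """Two ring shifts collapse to one shift: (s1 + s2) mod 26."""
    return (s1 + s2) % 26


def stacked_equals_single(text, s1, s2):
    """Encrypting with shift s1 then s2 gives the same ciphertext as one shift."""
    twice = apply_table(caesar_table(s2), apply_table(caesar_table(s1), text))
    once = apply_table(caesar_table(equivalent_shift(s1, s2)), text)
    return twice == once


def stacked_caesar_keyspace():
    """Number of distinct ciphers reachable by stacking any two shifts:
    26 * 26 = 676 key pairs, but only 26 distinct transforms."""
    tables = set()
    for s1 in range(26):
        for s2 in range(26):
            combined = compose(caesar_table(s1), caesar_table(s2))
            tables.add(tuple(sorted(combined.items())))
    return len(tables)


if __name__ == "__main__":
    msg = "MEET ME AT NINE AT THE STATION"   # constructed sample message
    print(apply_table(caesar_table(3), msg))
    print(stacked_equals_single(msg, 3, 13), stacked_caesar_keyspace())
```

The same closure holds for scrambled rings, not just shifts: `compose(random_table(1), random_table(2))` is itself a valid substitution table, so an analyst who can solve one monoalphabetic cipher by frequency analysis solves the stacked pair with no extra effort.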

      2. Anonymous Coward

        @ "TechnicalBen"

        Once again you show us that your chosen handle is a misnomer.

        Compressing a compressed file in a lossless process, using the same settings and algorithm - as in a ZIP file - will always yield a larger file; it will always make the file bigger due to adding overhead. There is nothing to be gained from a second pass, as the first pass has already achieved an optimum output under the given conditions.

        When we're talking about real encryption (i.e. not just a simple substitution), further encrypting a ciphertext using even the same method is very likely to improve its resistance to being cracked. This is because the first cipher will increase the entropy of the input data to the subsequent ciphers, as is explained above. This helps to avoid repetitious or predictable patterns, which are what the cryptanalyst is looking for to give her starting clues.

        If a number of different schemes or settings (block size is an important one) are used in sequence, then even better - an option provided for example by the popular TrueCrypt product.

  2. Henry Wertz 1

    I think this is accounted for in information theory...

    I think this is accounted for in information theory. It is just that people have made some incorrect assumptions. For instance, with ASCII text you have on average about 5 bits of information per character even though they are 8-bit bytes; taking advantage of this knowledge could potentially help cryptanalysis compared to assuming totally unknown plaintext. If you had a compressed file, using a tar.bz, tar.gz, zip, etc., first, you then have a known plaintext "magic" header; if the file size is stored in the archive that is known plaintext, and for filename you may be able to make some assumptions. This may reduce the search space for cryptanalysis. I'd assume longer keys are the way to go still though.
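
Both claims in the comment above can be measured: English text carries well under 8 bits of information per byte, and a compressed archive starts with a fixed signature that an analyst can treat as known plaintext. The following is an added example, not code from the thread. It computes the Shannon entropy of a constructed English sample, of its gzip stream, and of random bytes, and reports how many leading bytes of the compressed form are predictable. The sample text is constructed; the signature bytes are the standard gzip, zip and bzip2 magic values.

```python
# Added example (not from the comment thread). It measures the two things the
# comment above relies on: English text carries far fewer than 8 bits per byte,
# and a compressed archive begins with a fixed "magic" prefix that an analyst can
# treat as known plaintext. The sample text is constructed for the demo.
import gzip
import math
import secrets

# Constructed sample of ordinary English prose.
SAMPLE_TEXT = (
    b"Meet me at nine at the station below the clock. Bring the papers and "
    b"the second copy of the ledger, and do not speak to anyone on the way. "
    b"If the train is late, wait in the tea room until I arrive. We will go "
    b"over the figures together before the meeting and decide what to say."
)

# Well-known archive signatures (first bytes of the file).
MAGIC = {
    "gzip": b"\x1f\x8b",
    "zip": b"PK\x03\x04",
    "bzip2": b"BZh",
}


def entropy_bits_per_byte(data):
    """Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def known_prefix(data):
    """Return (format, number of bytes an analyst already knows) if the data
    starts with a recognised archive signature, else (None, 0)."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name, len(magic)
    return None, 0


def compare(text):
    """Entropy of the plaintext, of its gzip stream and of random bytes of the
    same length, plus the known-plaintext prefix the compressed form exposes."""
    compressed = gzip.compress(text, mtime=0)   # mtime=0 keeps the header fixed
    fmt, known = known_prefix(compressed)
    return {
        "text_bits": entropy_bits_per_byte(text),
        "compressed_bits": entropy_bits_per_byte(compressed),
        "random_bits": entropy_bits_per_byte(secrets.token_bytes(len(compressed))),
        "known_prefix": (fmt, known),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_TEXT).items():
        print(f"{key}: {value}")
```

Single-byte entropy is a lower bound on the redundancy an analyst can exploit; the text's letter pairs and words are more predictable still. Note also that the gzip magic is only the first two of ten header bytes, and with a fixed modification time the whole header is predictable.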

    1. Christian Berger

      Re: I think this is accounted for in information theory...

      Well the compression itself doesn't always need the header. Even if you need something like Huffman tables you can easily pre-share them as it's done in so many standards.

      Maybe it's even beneficial to use certain parts of the shared knowledge of the compression as a key.

  3. John F***ing Stepp

    OK, encrypting something.

    I tend to use a 1k or larger key; sometimes many times the actual information length. This key is, of course, based on that dandy pseudo random function with either the time of day to the millisecond or the actual message as the seed.

    Most of these things are rotations (remember ROT 13?) around the 256 ASCII set; the number of rotations used against the key and message are many and randomly based. This allows you to play with modular math.

    I used a conversion to hex mostly to allow the message (or log in, in some cases) to be sent as post (well, you try to escape a chunk of binary.)

    This essentially doubles post size, but a real clever person could encrypt the hex code and throw it back into hex (rinse, repeat, etc.)

    Most of this is just because it is fun and fairly easy.

    Now if we were dealing with credit card numbers or socials I suppose I would have to get serious.

    1. Jonathan Richards 1

      Re: OK, encrypting something.

      > I used a conversion to hex mostly to allow the message (or log in, in some cases) to be sent as post (well, you try to escape a chunk of binary.)

      Man, that's what uuencode is for. It's almost like you never downloaded something from SIMTEL20 :)

  4. Anonymous Coward

    Crypto boffin here

    There are some notions in both the original article and the comments that need to be cleared up here.

    1. The idea that cryptosystems are built on the notion that the incoming data is uniformly distributed / random looking is absolute bollocks. All cryptosystems are designed to be secure regardless of input entropy. Otherwise, it's literally not a cryptosystem, it's some kind of text mangler that little Jimmy might write in his high school computing class.

    2. A known plaintext attack is one of the attack models that cryptosystems are built to resist. That is to say, cryptosystems are specifically designed from the ground up (and have been for decades) to take this type of attack vector into account. That being said, attack models are theoretical only and are not actually useful for anything other than proving security of various cryptosystems and protocols. They aren't actual attacks - it's not like someone out there is an expert at known plaintext attacks and is just waiting for you to initiate a HTTPS connection to your dating website of choice.

    3. The material referenced in the article merely shows yet another type of cryptanalysis attack. There is a long history of new cryptanalysis methods popping up over the years - Differential cryptanalysis, linear cryptanalysis, integral cryptanalysis, boomerang attacks etc. These might result in a cryptographic break (theoretical or otherwise), but then the next round of cryptosystem development will take the various new attack methods into account. We aren't seeing any fundamental shift in information theory or cryptographic design here, at least from what I can see. Of course, that's not as interesting as your generic sky-is-falling-down story that El Reg uses to lure unwary internet surfers into a frantic click-fest of all their ads (or so I presume).

    4. There is definitely such thing as unbreakable encryption - the one time pad. One time pads are literally completely unbreakable, provided the pad is completely random (i.e. not a PRNG) and that the pad is only used once and immediately destroyed after use. Given only the ciphertext of an OTP, all the cryptanalysts in the world still couldn't tell whether the message was "Attack at dawn" or "Retreat to sea" or even "We love Bieber". Of course, one time pads are not at all practical for most things, so discussion of OTPs is mostly just academic.

    5. If you use a PRNG with an OTP, you've literally just made a stream cipher. Of course, you need to use PRNGs designed for cryptographic use if you want any hope of some greasy analyst in a three-letter-agency not listening in on your VoIP calls to your mother; most PRNGs are not designed for cryptographic use and are merely designed to provide pseudo-randomness in a statistical sense, rather than an unpredictable sense.
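
Points 4 and 5 above can be shown in a few lines. The following is an added example, not code from the thread: it encrypts "Attack at dawn" with a one-time pad, derives the pad under which the same ciphertext reads "Retreat to sea" (so the ciphertext alone cannot tell them apart), shows what is lost when a pad is reused, and then swaps the pad for a keystream expanded from a key, which is all a stream cipher is. SHAKE256 is used here purely as a stand-in keystream generator, and the messages, key and nonce are constructed for the demo.

```python
# Added example (not from the comment thread). It illustrates points 4 and 5
# above: a one-time pad gives no way to tell candidate plaintexts apart from the
# ciphertext alone, reusing a pad cancels it out, and replacing the pad with a
# keystream derived from a key turns the construction into a stream cipher.
# SHAKE256 is only a stand-in keystream generator; the messages are constructed.
import hashlib
import secrets


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """Pad from the OS CSPRNG (secrets), never from a statistical PRNG such as
    the random module: the pad must be unpredictable, not merely uniform-looking."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, pad):
    """Encryption and decryption are the same XOR. The pad must be truly random,
    at least as long as the message, and used exactly once."""
    return xor_bytes(plaintext, pad[:len(plaintext)])


def pad_consistent_with(ciphertext, candidate_plaintext):
    """Perfect secrecy in one line: for any candidate plaintext of the right
    length there is a pad under which the ciphertext decrypts to it, so the
    ciphertext cannot favour 'Attack at dawn' over 'Retreat to sea'."""
    return xor_bytes(ciphertext, candidate_plaintext)


def pad_reuse_residue(ciphertext1, ciphertext2):
    """Why 'used once' matters: with the same pad, c1 XOR c2 == p1 XOR p2, i.e.
    the pad cancels and the relation between the two plaintexts is exposed."""
    return xor_bytes(ciphertext1, ciphertext2)


def stream_encrypt(key, nonce, data):
    """Stream cipher: the 'pad' is a keystream expanded from a short key and a
    per-message nonce by a cryptographic XOF (SHAKE256 here). The nonce plays
    the role of 'never reuse the pad' for a fixed key."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return xor_bytes(data, keystream)


if __name__ == "__main__":
    p1 = b"Attack at dawn"
    p2 = b"Retreat to sea"          # same length as p1
    pad = new_pad(len(p1))
    c = otp_encrypt(p1, pad)
    print(otp_encrypt(c, pad_consistent_with(c, p2)))      # b'Retreat to sea'
    residue = pad_reuse_residue(otp_encrypt(p1, pad), otp_encrypt(p2, pad))
    print(residue == xor_bytes(p1, p2))                     # True: pad cancelled
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    print(stream_encrypt(key, nonce, stream_encrypt(key, nonce, p1)))
```

The candidate-pad function is the whole argument for the OTP's unbreakability: every same-length plaintext is equally consistent with the ciphertext, so there is nothing for a ciphertext-only attacker to prefer. The stream cipher inherits none of that guarantee; its strength rests entirely on the keystream being unpredictable, which is the page's point about cryptographic versus statistical PRNGs.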

  5. graeme leggett

    Can one use the greater power of the human brain for pattern matching?

    E.g. if I deliberately misspell or add random letters in my message, does this make it harder for machines to identify the text, i.e. the opposite of Enigma operators using standard texts in their messages?

    "meet me at nine at the station below the clock"

    becomes

    "meet me 9 at stn below t'clok"

  6. Al_21

    Simples

    Encrypt twice :)

  7. John Smith 19

    So the mathematical basis of the "crib" used by Bletchley and the EFF DEScrack

    I guess this is part of the reason they used to transmit messages as 5 character alphanumeric groups.

    One of the classics for Enigma was (IIRC) to look for "Heil Hitler" at the end of the message. Get a station that used that and you could nail its entire output (if not its whole network).

    Likewise DESCrack had a mode where the processing elements would interrupt the control processor if they found something that looked "interesting". You might get a bunch of false positives but intuitively this is also the idea of non-uniform entropy.

    As for wireless door locks.

    Oh look, another proprietary, i.e. secret, protocol that has not been subject to public scrutiny and turns out to be not quite as secure as its makers claim.

    So bottom line: randomness is the enemy of compressibility. So first randomize your file's contents. I don't mean what a character means, I mean its actual location in the file, i.e. transmit the file out of order, and try to ensure no one knows what type of file is being transmitted in the first place. If it's known that this file is a Word or Excel document you already know its structure. You've already got cribs.

    Frankly I'm very surprised this assumption is made.

  8. Zippy's Sausage Factory

    Boffins prove crypto marketing 'exponentially' overhyped

    There. Fixed it for you.

    Seriously, it's marketing we're talking about here.

    In other news, bear poop found in woods. Pope found to be Catholic. Film at 11.

  9. Vociferous

    If you have both the unencrypted and the encrypted version of the file...

    ...why bother cracking it at all?

    1. Peter Fairbrother 1

      Re: If you have both the unencrypted and the encrypted version of the file...

      If you can crack it you get the key - which may be used for other files which you don't have.

    2. Dazed and Confused

      Re: If you have both the unencrypted and the encrypted version of the file...

      Garbo. With one of the Nazi encrypted networks they used to plant in information via a double agent. Then wait for the report to turn up in the traffic and they'd have the plain text and the ciphertext and that would give them the keys. Bingo. Now you can read the rest of the traffic you didn't know already.

  10. Identity

    Ain't it always the way?

    Complexity doesn't necessarily add security — sometimes it adds a way in. You know what the hardest lock to crack is? A mortice lock — one where a bar slides into a hole!

  11. Werner McGoole

    Actually

    Doesn't this stuff make encryption potentially more secure for those who know what they're doing?

    If there are biases in (say) how people choose keys, or in the plaintext, that can be exploited, then an attacker will be using methods that search for the most likely cases first.

    So if you are able to choose keys or plaintext that are statistically unlikely (as far as the attacker's knowledge goes), then it's likely to take the attacker longer to crack the encryption than if he used unbiased techniques.

    It's a bit like trying to choose lottery numbers that no-one else will have chosen, in order to get a bigger payout.

  12. Peter Fairbrother 1

    Lot of sound and fury, signifying ... nothing.

    I would hope the authors (none of whom seem to be crypto mainstream) are not responsible for the puffery in this article. It's perhaps an advance in terms of coding theory, but not cryptography (which is completely different).

    Cryptographers already know about low entropy in plaintexts and passwords. They don't often consider uniform sources, and they hardly ever think asymptotic equipartition to be relevant.

    In real life, when considering resistance against a brute force attack, cryptographers typically assume that a plaintext is known, and therefore has entropy of 1. For advanced situations, they assume a chosen plaintext with an entropy of zero.

    These are the main forms of theoretical brute force attack on a cipher. Some are pretty unlikely in real life, but a cipher which is not resistant to all of these will be rejected out of hand:

    Ciphertext-only attack - the attacker has only the ciphertext and what he knows about the sender - eg he speaks English - to help him.

    Known plaintext attack - the attacker can find the plaintext for one message, and wants to find the key so he can decrypt more messages sent with the same key.

    Chosen plaintext attack - the attacker can trick the sender into encrypting a message of his choice. In some cases this can be more useful when trying to find the key.

    Adaptive chosen plaintext attack, where the attacker chooses a plaintext and gets the sender to encrypt it, then can choose another based on the results of the first encryption and trick the sender again. And so on.

    Chosen ciphertext attack - the attacker can get the recipient to decrypt messages of his choice. Again he wants to find the key.

    Adaptive chosen ciphertext attack - as in the adaptive chosen plaintext attack above but with ciphertexts.

    1. John Smith 19

      Re: Lot of sound and fury, signifying ... nothing.

      Nice summary of methods.

  13. Anonymous Coward

    'You’d be surprised how quickly it takes'

    Another black mark for an El Reg sub.

  14. RonWheeler

    Evidence?

    Theory is okay. I want to see some evidence of attacks against realistically defended targets. Till then just more white noise from people looking for employment.
