[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IDEA(tm) weakness?





Title: Privacy Page

Privacy

 

How private is your electronic communication ?

[taken from the PGP FAQ]

You should encrypt your e-mail for the same reason that you don't write all of your correspondence on the back of a post card. E-mail is actually far less secure than the postal system. With the post office, you at least put your letter inside an envelope to hide it from casual snooping. Take a look at the header area of any e-mail message that you receive and you will see that it has passed through a number of nodes on its way to you. Every one of these nodes presents the opportunity for snooping.

Encryption in no way should imply illegal activity. It is simply intended to keep personal thoughts personal.

Do you trust your mail servers/gateways/virtual redirects ?

With the increasing use of virtual email accounts which allow you to keep the same email address no matter if you change jobs, ISPs, etc, the opportunity for snooping increases.

Is PGP secure ?

PGP uses acombination of IDEA, RSA and MD5. RSA is used to allow the transfer of session keys and MD5 is used to generate a unique message digest from the passphrase for generating the IDEA key and signatures. IDEA is the core algorithm used to encrypt the actual message. Thus the security of IDEA is also means the security of PGP <read the section 'is IDEA secure'>.

Is IDEA secure ?

The IDEA algorithm (patented by ASCOM) is the core algorithmm used in PGP. It is based on a rotating 128 bit key split into 16 bit segments. The algorthm converts 64 bits of data at a time using the following operations '+', '^' (exclusive-or) and '*'.

The formulas are :

64 bit data => D1, D2, D3 and D4 (all 16 bits)

=> K1,K2,K3....rotating extra 25 bits after all 128 bits are used

There are 2 phases in each round and 8 rounds in total + 1 final round of just phase 1.

Phase 1:

R1 = D1 * K1

R2 = D2 + K2

R3 = D3 + K3

R4 = D4 * K4

Phase 2:

E1 = R1 xor (((R2 xor R4) + ((R3 xor R1) * K5)) * K6)
E2 = R3 xor (((R2 xor R4) + ((R3 xor R1) * K5)) * K6)
E3 = R2 xor ((((R2 xor R4) + ((R3 xor R1) * K5)) * K6) + ((R3 xor R1) * K5))
E4 = R4 xor ((((R2 xor R4) + ((R3 xor R1) * K5)) * K6) + ((R3 xor R1) * K5))

Given a large random data message (ie 1000 samples - 64*1000 = 8Kb file). The distribution of the above operations can be used to break the key. ie both the '+' and the '^' operations give an even distribution but the '*' operator gives a biased distribution towards '0'.

Distribution (where '*' has a bias towards 1 of a)

R1 = a

R2 = even

R3 = even

R4 = a

(a5 & a6 are the bias for K5 and K6)

E1 = (bias a5) * (bias a6)

E2 = (bias a5) * (bias a6)

E3 = (bias a5) - (2 * (bias a5) * (bias a5) * (bias a6)) + ((bias a5) * (bias a6))

= (bias a5) * (1 + (bias a6) - (2*(bias a5)*(bias a6)))

E4 = (bias a5) - (2 * (bias a5) * (bias a5) * (bias a6)) + ((bias a5) * (bias a6))

= (bias a5) * (1 + (bias a6) - (2*(bias a5)*(bias a6)))

Also as the '*' operator is biased towards its own bit for the result '1' - approx (60% to 100% depending on bit position). [Working from the low bit upwards will provide an even greater approximation as then you would have the relevant Key bits against a random data. ie for 1st bit, it is 100% dependant on the bit for a '1',...]

eg using a simple 3x3 matrix on second bit, gives (only demonstrating the ratio):

     if K bit is 1 => bias a ~ (2/8), if K bit is 0 => bias a ~(1/8)

==> We can determine when :

K5=0 and K6=0 as (bias a5) and (bias a6) will be at their highest

==> E1 & E2 are highest

K5=1 and K6=1 as (bias a5) and (bias a6) are at their lowest

==> E1 & E2 are Lowest

To determine between K5=0,K6=1 and K5=1,K6=0.

K5 can be determined by check with E3 & E4 as they are both equal to :

(bias a5) * (1 + (bias a6) - (2*(bias a5)*(bias a6)))  => directly relate to (bias a5) => K5

=>When K5=0, both E3 & E4 will be low.

=> When K5=1, both E3 & E4 will be high.

 

The Key rotation start bits are :

Phase K1 K2 K3 K4 K5 K6
1 0 16 32 48 64 80
2 96 112 25 41 57 73
3 89 105 121 9 50 66
4 82 98 114 2 18 34
5 75 91 107 123 11 27
6 43 59 100 116 4 20
7 36 52 68 84 125 13
8 29 45 61 77 93 109
final 22 38 54 70 n/a n/a

 

Working backwards with these distributions you can deduce the key.

ie work out K5 (93..108) and K6 (109..124) from its distribution pattern [using just the distributions for E2 & E3, as E1 & E4 have had the '*' operation applied in the final phase], then with K5 and K6 work out K1..K4 (22..85). You now have the key values for K1 to K6 !!!. Modify the Samples such they are back a phase and repeat (ie for each sample work backwards using known K1..K6 to find the E1..4 values).

MAJOR ASSUMPTION : Assume that a large random sample provides a close to  even distribution at the end of each phase (For E2 & E3) such that the bias (ie a5 & a6) used to determine E2 and E3 are the only significant factors.

Reasoning : If the distribution is not even, then it is very much easier to break (ie only the key values can cause the change in distribution pattern => know the pattern, know the key).

I have developed a program which does just this (NOTE: not tested with real PGP data, as I have not had the time to investigate how the PGP file is structured, ie where the IDEA code starts and ends).

It is available under a copyleft license similar to GNU. The Java Source code can be found at :

[Application will not be released until beginning of 1999 when enough people are aware of the potential problem, and solutions are widely available - thus the threat to the general users privacy is kept to a minimal. Software houses which would like a delay in the release of this application so as to provide a solution should email: [email protected] with their request]

 

What can we do ?

The above crack works because there is a large sample involved. If however you pre-encrypted the file such that you got your pre-encrypted file and a key file, where this key file is small and contains only the key required to open the pre-encrypt file. You then PGP the two files, this would make it much harder to break as the key file cannot be broken from the sampling technique descibed above.

I have developed an application which does just that. It is available under a copyleft license similar to GNU. The Java source code can be found here :

kiss.zip

To run the application you will need Java installed on your machine. Place the files in a directory named KISS. The command line is :

java KISS.kiss e <filename>             - encrypt

java KISS.kiss d <filename>             - decrypt (do not add the kiss extension to the filename)

After encryption you will get 2 files. The '.kiss' file is the encrypted file and the '.lips' file contains the key used to encrypt the file. You should then encrypt both files with PGP.

 

What is in the pipeline for the future ?

Task 1

The above 'kiss' pre-encryption is not 100% safe from non-bruteforce cracking !!

As the majority of files encrypted are text messages which are based mainly on the characters 'a' to 'z' thus the Ascii codes of the characters are of the form   011xxxxx. From this you can see that the rotating distribution as used above will tend toward '1'. Thus with enough samples they can deduce the key with the simple equation.

KeyValue xor 1 = CommonValue ==> KeyValue = !CommonValue

To prevent this my next application (codename Stable) will be a stabiliser program which will ensure that the distribution of the data has an even distribution.

Target Release Date : 30/9/98.

Task 2

The integration of both 'kiss' and 'stable'.

Target Release Date : 15/10/98.

Task 3

Port of both kiss and stable to C/C++ (for speed and also for Task 4). [Wrote Kiss and Stable in Java to test the speed of Java and also how it handled bit manipulation operations].

Target Release Date : 31/10/98.

Task 4

Integration with PGP to provide uses with a much easier encryption method.

Target Release Date : 31/11/98.

Author : SGOSHA33

Return to Albert's Home Page.