The IDEA algorithm (patented by ASCOM) is the core algorithmm
used in PGP. It is based on a rotating 128 bit key split into 16 bit segments. The
algorthm converts 64 bits of data at a time using the following operations '+', '^'
(exclusive-or) and '*'.
The formulas are :
64 bit data => D1, D2, D3 and D4 (all 16 bits)
=> K1,K2,K3....rotating extra 25 bits after all 128 bits are
used
There are 2 phases in each round and 8 rounds in total + 1 final
round of just phase 1.
Phase 1:
R1 = D1 * K1
R2 = D2 + K2
R3 = D3 + K3
R4 = D4 * K4
Phase 2:
E1 = R1 xor (((R2 xor R4) + ((R3 xor R1) * K5)) * K6)
E2 = R3 xor (((R2 xor R4) + ((R3 xor R1) * K5)) * K6)
E3 = R2 xor ((((R2 xor R4) + ((R3 xor R1) * K5)) * K6) + ((R3 xor R1) * K5))
E4 = R4 xor ((((R2 xor R4) + ((R3 xor R1) * K5)) * K6) + ((R3 xor R1) * K5))
Given a large random data message (ie 1000 samples - 64*1000 =
8Kb file). The distribution of the above operations can be used to break the key. ie both
the '+' and the '^' operations give an even distribution but the '*' operator gives a
biased distribution towards '0'.
Distribution (where '*' has a bias towards 1 of a)
R1 = a
R2 = even
R3 = even
R4 = a
(a5 & a6 are the bias for K5 and K6)
E1 = (bias a5) * (bias a6)
E2 = (bias a5) * (bias a6)
E3 = (bias a5) - (2 * (bias a5) * (bias a5) * (bias a6)) + ((bias
a5) * (bias a6))
= (bias a5) * (1 + (bias a6) - (2*(bias a5)*(bias a6)))
E4 = (bias a5) - (2 * (bias a5) * (bias a5) * (bias a6)) + ((bias
a5) * (bias a6))
= (bias a5) * (1 + (bias a6) - (2*(bias a5)*(bias a6)))
Also as the '*' operator is biased towards its own bit for the
result '1' - approx (60% to 100% depending on bit position). [Working from the low bit
upwards will provide an even greater approximation as then you would have the relevant Key
bits against a random data. ie for 1st bit, it is 100% dependant on the bit for a '1',...]
eg using a simple 3x3 matrix on second bit, gives (only
demonstrating the ratio):
if K bit is 1 => bias a ~ (2/8), if K
bit is 0 => bias a ~(1/8)
==> We can determine when :
K5=0 and K6=0 as (bias a5) and (bias a6) will be at their highest
==> E1 & E2 are highest
K5=1 and K6=1 as (bias a5) and (bias a6) are at their lowest
==> E1 & E2 are Lowest
To determine between K5=0,K6=1 and K5=1,K6=0.
K5 can be determined by check with E3 & E4 as they are both
equal to :
(bias a5) * (1 + (bias a6) - (2*(bias a5)*(bias a6))) =>
directly relate to (bias a5) => K5
=>When K5=0, both E3 & E4 will be low.
=> When K5=1, both E3 & E4 will be high.
The Key rotation start bits are :
Phase |
K1 |
K2 |
K3 |
K4 |
K5 |
K6 |
1 |
0 |
16 |
32 |
48 |
64 |
80 |
2 |
96 |
112 |
25 |
41 |
57 |
73 |
3 |
89 |
105 |
121 |
9 |
50 |
66 |
4 |
82 |
98 |
114 |
2 |
18 |
34 |
5 |
75 |
91 |
107 |
123 |
11 |
27 |
6 |
43 |
59 |
100 |
116 |
4 |
20 |
7 |
36 |
52 |
68 |
84 |
125 |
13 |
8 |
29 |
45 |
61 |
77 |
93 |
109 |
final |
22 |
38 |
54 |
70 |
n/a |
n/a |
Working backwards with these distributions you can deduce the
key.
ie work out K5 (93..108) and K6 (109..124) from its distribution
pattern [using just the distributions for E2 & E3, as E1 & E4 have had the '*'
operation applied in the final phase], then with K5 and K6 work out K1..K4 (22..85). You
now have the key values for K1 to K6 !!!. Modify the Samples such they are back a phase
and repeat (ie for each sample work backwards using known K1..K6 to find the E1..4
values).
MAJOR ASSUMPTION : Assume that a large random sample provides a
close to even distribution at the end of each phase (For E2 & E3) such that the
bias (ie a5 & a6) used to determine E2 and E3 are the only significant factors.
Reasoning : If the distribution is not even, then it is very much
easier to break (ie only the key values can cause the change in distribution pattern =>
know the pattern, know the key).
I have developed a program which does just this (NOTE: not tested
with real PGP data, as I have not had the time to investigate how the PGP file is
structured, ie where the IDEA code starts and ends).
It is available under a copyleft license similar to GNU. The Java Source code can be found at
:
[Application will not
be released until beginning of 1999 when enough people are
aware of the potential problem, and solutions are widely available - thus the threat to
the general users privacy is kept to a minimal. Software houses which would like a delay
in the release of this application so as to provide a solution should email: [email protected] with their request]
Task 1
The above 'kiss' pre-encryption is not 100% safe from non-bruteforce cracking !!
As the majority of files encrypted are text messages which are based mainly on the
characters 'a' to 'z' thus the Ascii codes of the characters are of the form
011xxxxx. From this you can see that the rotating distribution as used above will tend
toward '1'. Thus with enough samples they can deduce the key with the simple equation.
KeyValue xor 1 = CommonValue ==> KeyValue = !CommonValue
To prevent this my next application (codename Stable) will be a stabiliser program
which will ensure that the distribution of the data has an even distribution.
Target Release Date : 30/9/98.
Task 2
The integration of both 'kiss' and 'stable'.
Target Release Date : 15/10/98.
Task 3
Port of both kiss and stable to C/C++ (for speed and also for Task 4). [Wrote Kiss and
Stable in Java to test the speed of Java and also how it handled bit manipulation
operations].
Target Release Date : 31/10/98.
Task 4
Integration with PGP to provide uses with a much easier encryption method.