Re: A basic cryptanalysis question

From: Rick Wash (rwash_at_citi.umich.edu)
Date: 07/09/03 

Date: Wed, 09 Jul 2003 03:15:55 GMT

In article <h3LOa.3$Uz3.2@news-server.bigpond.net.au>, RR wrote:
> According to my limited understanding of cryptanalysis, Mallory can only
> know that he has recovered a pX based on what it looks like. For example,
> if p1 is "Hello World", then when Mallory sees that string appear out of his
> attack, he assumes he's recovered the plaintext.
>
> Is my understanding correct?

Yes, but only for what is known as a ciphertext-only attack. In the real
world, it usually isn't very difficult to find or guess very accurately a
plaintext block. There are known headers, signatures, etc that make known
plaintext fairly easy to come by. And when this happens, validating
plaintext is much easier.
 
> If so, then it follows that a brute-force attack is impossible if I do this
> instead (where F is another symmetric cipher):
> c1 = E(F(p1))

I wouldn't say impossible, but slightly more difficult. You forgot to
include the keys in your construction. Let's assume you did it right and
used different, independent keys for E and F. (if you used the same or a
derived key for F, then what you said is not true). With independent keys
and a single known plaintext, you can build an encryption table for E and a
decryption table for F and use a meet-in-the-middle strategy to recover the
keys. This means that the work required to brute-force this construction
is only that required to brute-force E and F independently, instead of
together. This is a well-known meet in the middle attack on double
encryption. This is why the world uses triple-DES (3DES) instead of just
2DES.

HTH,
  Rick

Relevant Pages

  • Re: A basic cryptanalysis question
    ... >> appear out of his attack, he assumes he's recovered the plaintext. ... >include the keys in your construction. ... such a function look at my second order bijective compression of english ...
    (sci.crypt)
  • Re: OpenSSH security advisory: cbc.adv
    ... automated connection is configured to retry indefinitely in the event of ... it might be possible to recover as much as 14 bits ... 32 bits of plaintext that can be recovered." ... Ignoring the attack success probability, ...
    (Bugtraq)
  • Re: Bijective - an explanation please?
    ... :>: of all bitstrings of length n or less map to images that begin ... :> rejecting keys, though. ... If that's the case then a particular compressor might well be able to ... convert that knowledge into known plaintext. ...
    (sci.crypt)
  • Re: EFS - Please help to unsecure data
    ... be mostly based on your chances of recovering your lost keys. ... I should know before the end of the day today if I'm even able to recover ... the data after a fresh installation and generating some random drive ... to FAT32 to remove the encryption.) ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: EFS - Please help to unsecure data
    ... be mostly based on your chances of recovering your lost keys. ... I should know before the end of the day today if I'm even able to recover ... the data after a fresh installation and generating some random drive ... to FAT32 to remove the encryption.) ...
    (microsoft.public.windowsxp.general)
Quantcast