TakeDownCon Rocket City: Cryptanalysis by Chuck Easttom
What cryptanalysis is NOT
It’s not fast
It’s not guaranteed
It’s not easy
It’s not what you see in
Levels of Success
Total break — the attacker deduces the secret key.
Global deduction — the attacker discovers a functionally equivalent
algorithm for encryption and decryption, but without learning the
Instance (local) deduction — the attacker discovers additional
plaintexts (or ciphertexts) not previously known.
Information deduction — the attacker gains some Shannon
information about plaintexts (or ciphertexts) not previously known.
Distinguishing algorithm — the attacker can distinguish the cipher
from a random permutation.
Time — the number of "primitive operations"
which must be performed. This is quite loose;
primitive operations could be basic computer
instructions, such as addition, XOR, shift, and so
forth, or entire encryption methods.
Memory — the amount of storage required to
perform the attack.
Data — the quantity of plaintexts and ciphertexts
This means finding any method to decrypt the
message that is more efficient than simple brute
force attempts. Brute force is simply trying every
possible key. If the algorithm uses a 128-bit key
that means 2^128 possible keys. In the decimal
number system that is 3.402 * 10^38 possible keys. If
you are able to attempt 1 million keys every
second it could still take as long as
10,790,283,070,806,014,188,970,529 years to
Cryptanalysis is using other techniques (other
than brute force) to attempt to derive the key.
In some cases cryptographic techniques are
used to test the efficacy of a cryptographic
algorithm. Such techniques are frequently
used to test hash algorithms for collisions.
You must keep in mind that any attempt to
crack any non-trivial cryptographic algorithm
is simply an ‘attempt’. There is no guarantee of
any method working. And whether it works
or not it will probably be a long and tedious
process. This should make sense to you. If
cracking encryption were a trivial process,
then encryption would be useless.
This is the basic tool for breaking most classical
ciphers. In natural languages, certain letters of the
alphabet appear more frequently than others. By
examining those frequencies you can derive some
information about the key that was used. This
method is very effective against classic ciphers like
Caesar, Vigenere, etc. It is far less effective against
modern methods. In fact with modern methods, the
most likely result is that you will simply get some
basic information about the key, but you will not get
the key. Remember, in English the words "the" and "and"
are the two most common three-letter words. The
most common single-letter words are "I" and "a". If you
see two of the same letters together in a word, it is
most likely "ee" or "oo".
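An added example, not part of the original slides: frequency analysis applied to a Caesar cipher, scoring each of the 26 possible shifts by how closely the decrypted letter frequencies match English. The frequency table is approximate, and the sample message and function names are constructed for illustration.

```python
import string
from collections import Counter

# Approximate letter frequencies (percent) for English text, a through z.
ENGLISH = dict(zip(string.ascii_lowercase, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))

def caesar(text, shift):
    """Shift every letter by `shift` places; other characters pass through."""
    return "".join(
        chr((ord(ch) - 97 + shift) % 26 + 97) if ch in ENGLISH else ch
        for ch in text.lower())

def chi_squared(text):
    """Distance between the letter histogram of `text` and English (lower = closer)."""
    counts = Counter(ch for ch in text if ch in ENGLISH)
    total = sum(counts.values()) or 1
    return sum((counts[ch] - total * pct / 100) ** 2 / (total * pct / 100)
               for ch, pct in ENGLISH.items())

def recover_shift(ciphertext):
    """Undo each of the 26 shifts and keep the most English-looking result."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))

# Constructed sample message (not from the slides).
SAMPLE = ("the security team reviewed the incident report and found that the "
          "attacker had used a stolen password to enter the network. the "
          "engineers rotated every credential and then added alerts so that "
          "the same thing would not happen again in the future.")

if __name__ == "__main__":
    ciphertext = caesar(SAMPLE, 7)
    shift = recover_shift(ciphertext)
    print("ciphertext:", ciphertext[:40], "...")
    print("recovered shift:", shift)
    print("plaintext: ", caesar(ciphertext, -shift)[:40], "...")
```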
Known Plain Text / Chosen Plain Text
In this attack the attacker obtains the ciphertexts
corresponding to a set of plaintexts of his own
choosing. This can allow the attacker to attempt to
derive the key used and thus decrypt other messages
encrypted with that key. This can be difficult but is
Cipher Text Only
Ciphertext-only: The attacker only has access to a collection of
cipher texts. This is much more likely than known plaintext,
but also the most difficult. The attack is completely successful
if the corresponding plaintexts can be deduced, or even
better, the key. The ability to obtain any information at all
about the underlying plaintext is still considered a success.
Related Key attack
Related-key attack: Like a chosen-plaintext attack, except the
attacker can obtain ciphertexts encrypted under two different
keys. This is actually a very useful attack if you can obtain the
plain text and matching cipher text.
Linear cryptanalysis is based on finding affine approximations
to the action of a cipher. It is commonly used on block
ciphers. This technique was invented by Mitsuru Matsui. It
is a known plaintext attack and uses a linear approximation
to describe the behavior of the block cipher. Given enough
pairs of plaintext and corresponding ciphertext, bits of
information about the key can be obtained. Obviously the
more pairs of plain text and cipher text one has, the greater
the chance of success.
Remember cryptanalysis is an attempt to crack
cryptography. For example with the 56-bit DES key brute
force could take up to 2^56 attempts. Linear cryptanalysis will
take 2^43 known plaintexts. This is better than brute force,
but still impractical for most situations.
With this method, a linear equation expresses the
equality of two expressions which consist of
binary variables XOR'd. For example, the
following equation states that the XOR sum of the
first and third plaintext bits and the first
ciphertext bit is equal to the second bit of the key:
You can use this method to slowly recreate the
key that was used.
Now after doing this for each bit you will have an equation of
we can then use Matsui's Algorithm 2, using known plaintext-ciphertext
pairs, to guess at the values of the key bits involved
in the approximation. For each set of values of the key bits on
the right-hand side (referred to as a partial key), count how
many times the approximation holds true over all the known
plaintext-ciphertext pairs; call this count T. The partial key
whose T has the greatest absolute difference from half the
number of plaintext-ciphertext pairs is designated as the most
likely set of values for those key bits.
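An added example, not from the original slides: a linear approximation of a 4-bit S-box is used to recover one bit of key information from known plaintext-ciphertext pairs by counting T and comparing it with half the number of pairs. This is the simpler single-equation case (Matsui's Algorithm 1) rather than Algorithm 2. The toy cipher, the masks and the function names are assumptions made for illustration; the S-box is the first row of DES S-box S1.

```python
# First row of DES S-box S1, used here as a 4-bit S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def parity(value):
    """XOR of all the bits of value."""
    return bin(value).count("1") & 1

def lat_count(in_mask, out_mask):
    """How many of the 16 inputs x satisfy in_mask.x == out_mask.S(x)."""
    return sum(parity(x & in_mask) == parity(SBOX[x] & out_mask)
               for x in range(16))

def encrypt(p, k0, k1):
    """Constructed toy cipher (assumption): key XOR, S-box, key XOR."""
    return SBOX[p ^ k0] ^ k1

def count_t(pairs, in_mask, out_mask):
    """T = number of known pairs with in_mask.P XOR out_mask.C == 0."""
    return sum((parity(p & in_mask) ^ parity(c & out_mask)) == 0
               for p, c in pairs)

def recover_key_parity(pairs, in_mask, out_mask):
    """Estimate in_mask.k0 XOR out_mask.k1 from which side of N/2 T falls on."""
    t = count_t(pairs, in_mask, out_mask)
    approx_usually_holds = lat_count(in_mask, out_mask) > 8
    mostly_zero = t > len(pairs) / 2
    return 0 if mostly_zero == approx_usually_holds else 1

# Masks chosen for illustration: the approximation holds for 12 of 16 inputs.
IN_MASK, OUT_MASK = 0x6, 0xB

if __name__ == "__main__":
    k0, k1 = 0x5, 0x4                      # constructed secret key
    pairs = [(p, encrypt(p, k0, k1)) for p in range(16)]
    print("S-box count:", lat_count(IN_MASK, OUT_MASK), "of 16")
    print("T =", count_t(pairs, IN_MASK, OUT_MASK), "of", len(pairs))
    print("recovered bit:", recover_key_parity(pairs, IN_MASK, OUT_MASK))
    print("actual bit:   ", parity(k0 & IN_MASK) ^ parity(k1 & OUT_MASK))
```

The recovered value is a single XOR of key bits, not the key itself; each further independent approximation contributes one more such equation.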
Differential cryptanalysis is a form of cryptanalysis applicable to
symmetric key algorithms. This was invented by Eli Biham and
Adi Shamir. Essentially it is the examination of differences in an
input and how that affects the resultant difference in the
output. It originally worked only with chosen plaintext. It could
also work with known plaintext and ciphertext only.
By analyzing the changes in some chosen
plaintexts, and the difference in the
outputs resulting from encrypting each
one, it is possible to recover some
properties of the key.
Differential Cryptanalysis is a Chosen Plaintext attack.
By analyzing the Cipher, Differential Characteristics are
discovered and used to discover information about the
This technique doesn’t recover the key, but it attempts to
reduce the number of possible keys so that it is possible
to find the key in a reasonable amount of time.
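An added example, not from the original slides: the difference distribution table of a 4-bit S-box, and chosen-plaintext pairs used to shrink the set of possible keys for a toy cipher. The toy cipher, the key values, the chosen differences and the function names are assumptions made for illustration; the S-box is the first row of DES S-box S1.

```python
# First row of DES S-box S1, used here as a 4-bit S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def ddt():
    """table[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    table = [[0] * 16 for _ in range(16)]
    for dx in range(16):
        for x in range(16):
            table[dx][SBOX[x] ^ SBOX[x ^ dx]] += 1
    return table

def encrypt(p, k0, k1):
    """Constructed toy cipher (assumption): key XOR, S-box, key XOR."""
    return SBOX[p ^ k0] ^ k1

def candidates(p, dx, dc):
    """Values of k0 consistent with the pair (p, p XOR dx) giving difference dc.

    k1 cancels in the ciphertext difference, so only k0 is constrained.
    """
    return {k for k in range(16) if SBOX[p ^ k] ^ SBOX[p ^ dx ^ k] == dc}

def narrow_k0(oracle, p, diffs):
    """Intersect candidate sets over several chosen input differences.

    Returns the surviving candidates after each difference, in order.
    """
    remaining = set(range(16))
    history = []
    for dx in diffs:
        dc = oracle(p) ^ oracle(p ^ dx)
        remaining &= candidates(p, dx, dc)
        history.append(sorted(remaining))
    return history

if __name__ == "__main__":
    table = ddt()
    print("inputs with dx=0xB giving dy=0x2:", table[0xB][0x2], "of 16")
    secret = lambda p: encrypt(p, 0x9, 0x4)   # constructed secret key
    for step in narrow_k0(secret, 0x0, [0xB, 0x4]):
        print("remaining k0 candidates:", [hex(k) for k in step])
```

How far the candidate set shrinks depends on the key and on the differences chosen; each pair only rules keys out, which is the reduction of the key space the slide describes.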
Higher Order Differential Cryptanalysis
Truncated Differential Cryptanalysis
Impossible Differential Cryptanalysis
Using other passwords
Learning about the subject
Tricking the person into giving you the password