1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
|
Network Working Group M. Leech
Request for Comments: 3607 Nortel Networks
Category: Informational September 2003
Chinese Lottery Cryptanalysis Revisited:
The Internet as a Codebreaking Tool
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document revisits the so-called Chinese Lottery
massively-parallel cryptanalytic attack. It explores Internet-based
analogues to the Chinese Lottery, and their potentially-serious
consequences.
1. Introduction
In 1991, Quisquater and Desmedt [DESMEDT91] proposed an esoteric, but
technically sound, attack against DES or similar ciphers. They
termed this attack the Chinese Lottery. It was based on a
massively-parallel hardware approach, using consumer electronics as
the "hosts" of the cipher-breaking hardware.
In the decade since Quisquater and Desmedt proposed their Chinese
Lottery thought experiment, there has been considerable growth in a
number of areas that make their thought experiment worth revisiting.
In 1991, the Internet had approximately 8 million reachable hosts
attached to it and in 2002, the number is a staggering 100 million
reachable hosts. In the time since the Chinese Lottery paper,
computer power available to the average desktop user has grown by a
factor of approximately 150.
Leech Informational [Page 1]
^L
RFC 3607 Chinese Lottery Cryptanalysis Revisited September 2003
2. Dangerous Synergy
The combined growth of the Internet, and the unstoppable march of
Moore's Law have combined to create a dangerous potential for
brute-force cryptanalysis of existing crypto systems.
In the last few years, several widescsale attacks by so-called
Internet Worms [SPAFF91] have successfully compromised and infected
surprisingly-large numbers of Internet-attached hosts. In 2001, The
Cooperative Association for Internet Data Analysis [CAIDA2001]
reported that the Code Red v2 worm was able to infect over 350,000
hosts in its first 14 hours of operation. The payload of the Code
Red worm was mischief: the defacement of the host website with a
political message. It was bold, brash, and drew attention to itself
nearly immediately.
Consider for a moment, an Internet worm with a darker and ultimately
more dangerous purpose: to brute-force cryptanalyse a message, in
order to determine the key used with that message. In order for the
worm to be successful, it must avoid detection for long enough to
build up a significant level of infected systems, in order to have
enough aggregate CPU cycles to complete the cryptanalysis.
Furthermore, our worm would need to avoid detection for long enough
for the cracked key to be useful to the owners of the worm. Recent
research [USEN2002] on stealthy worms paints a very dark picture
indeed.
Even after such a worm is detected it would be nearly impossible to
tell whose key the worm was attacking. Any realistic attack payload
will have one or two pieces of ciphertext, and some known plaintext,
or probable-plaintext characteristics associated with it; hardly
enough data to determine the likely victim.
3. Winner phone home
When a given instance of the worm determines the key, it needs to
contact the originator in order to give them the key. It has to do
this in such a way as to minimize the probability that the originator
will get caught.
One such technique would be for the worm to public-key encrypt the
key, under the public key(s) of the originator(s), and place this in
some innocuous spot on the website of the compromised host. The worm
could also back-propagate so that a number of compromised websites in
the topological neighborhood of the worm will also contain the data.
The file containing the key would be identified with some unique
keyword which the originators occasionally look for using Internet
Leech Informational [Page 2]
^L
RFC 3607 Chinese Lottery Cryptanalysis Revisited September 2003
search engines. The worm could make the process more efficient by
using the "keyword registry" services of various Internet search
engines.
Another approach would be to post a (possibly PGP-encrypted) message
to several newsgroups, through an anonymous posting service.
Similarly, Internet "chat" services like IRC could be used; indeed
there's an emerging tradition of using IRC and similar services for
real-time, anonymous, control of worms and viruses.
Any of these methods can be used both to allow the "winning" worm
instance to send results and for the originator to send new work for
the amassed army of compromised systems.
4. Evaluating the threat
Both Internet growth and CPU performance follow a reasonably
predictable doubling interval. Performance of computing hardware
appears to still be following Moore's Law, in which performance
doubles every 1.5 years. Internet growth appears to be following a
doubling period of 3 years.
By establishing a common epoch for both performance and Internet
growth, we can easily determine the likely attack time for any given
year, based on a purely arithmetic approach.
A simplifying assumption is that it is indeed possible to construct a
suitably-stealthy worm and that it can achieve a steady-state
infection of about 0.5% of all attached hosts on the Internet.
In 1995, J. Touch, at ISI, published a detailed performance analysis
of MD5 [RFC1810]. At that time MD5 software performance peaked at
87mbits/second, or an equivalent of 170,000 single-block MD5
operations per second. In the same year, peak DES performance was
about 50,000 setkey/encrypt operations per second.
In 1995, the Internet had about 20,000,000 attached hosts. In 2002,
there are a staggering 100,000,000 attached hosts.
A simple C program, given in Appendix A can be used to predict the
performance of our hypothetical worm for any given year. Running
this program for 2002 gives:
Year of estimate: 2002
For a total number of infected hosts of 503968
aggregate performance: MD5 9.79e+11/sec DES 2.88e+11/sec
DES could be cracked in about 1.45 days
Leech Informational [Page 3]
^L
RFC 3607 Chinese Lottery Cryptanalysis Revisited September 2003
DES with 8 character passwords could be cracked in 16.29 minutes
MD5 with 64-bit keys could be cracked in about 218.04 days
MD5 with 8 character passwords could be cracked in 4.79 minutes
The numbers given above suggest that an undetected attack against
MD5, for a reasonable key length, isn't likely in 2002. A successful
attack against DES, however, appears to be a near-certainty.
5. Security Considerations
DES has been shown to be weak in the recent past. The success of the
EFF machine, described in [EFF98] shows how a massively-parallel
hardware effort can succeed relatively economically. That this level
of brute-force cryptanalytic strength could be made available without
custom hardware is a sobering thought. It is clear that DES needs to
be abandoned; in favor of either 3DES or the newer AES [FIPS197].
The picture for MD5 (when used in simple MAC constructions) is much
brighter. For short messages long keys with MD5 are effectively
free, computationally, so it makes sense to use the longest
architecturally-practical key lengths with MD5.
Operating system software is becoming more complex and the
perpetrators of Internet Worms, Viruses, Trojan Horses, and other
malware, are becoming more sophisticated. While their aim has
largely been widescale vandalism, it seems reasonable to assume that
their methods could be turned to a more focussed and perhaps more
sinister activity.
As of February 2003, at least one worm, known as W32/Opaserv.A has a
payload designed to implement a distributed DES cracker.
6. Acknowledgements
John Morris, of Nortel IS, contributed the idea of anonymous
newsgroup posting.
Leech Informational [Page 4]
^L
RFC 3607 Chinese Lottery Cryptanalysis Revisited September 2003
Appendix A: Source Code
/*
* This program calculates the performance of a hypothetical
* "Chinese Lottery" brute-force cryptanalysis worm, based on
* the current date, estimates of Internet growth rate and
* Moores Law.
*
*/ #include <stdio.h> #include <math.h> /*
* EPOCH for the calculations
*/ #define EPOCH 1995.0 /*
* Size of the Internet (ca 1995)
*/ #define INTERNET_SIZE 20000000.0
/*
* Software MD5 performance (ca 1995)
*/ #define MD5PERF 170000.0
/*
* Software DES performance (ca 1995)
*/ #define DESPERF 50000.0
main (argc, argv) int argc; char **argv; {
double yeardiff;
double cryptoperf, multiplier;
double cracktime;
yeardiff = (double)atoi(argv[1]) - EPOCH;
/*
* Moores Law performance double interval is 1.5 years
*/
cryptoperf = yeardiff / 1.5;
cryptoperf = pow(2.0, cryptoperf);
/*
* Some fuzz here--not all hosts will be the fastest available
*/
cryptoperf *= 0.450;
/*
* Internet size doubling interval is every 3 years
*/
multiplier = yeardiff / 3.0;
multiplier = pow(2.0, multiplier);
multiplier *= (INTERNET_SIZE*0.0050);
fprintf (stderr, "Year of estimate: %d\n", atoi(argv[1]));
Leech Informational [Page 5]
^L
RFC 3607 Chinese Lottery Cryptanalysis Revisited September 2003
fprintf (stdout, "For a total number of infected hosts of %d\n",
(int)multiplier);
fprintf (stdout, "aggregate performance: MD5 %5.2e/sec DES
%5.2e/sec\n",
MD5PERF*cryptoperf*multiplier,
DESPERF*cryptoperf*multiplier);
cracktime = pow(2.0, 55.0);
cracktime /= (DESPERF*cryptoperf*multiplier);
fprintf (stdout,
"DES could be cracked in about %3.2lf days\n",
cracktime/86400.0);
cracktime = pow(2.0, 8.0*6.0);
cracktime /= (DESPERF*cryptoperf*multiplier);
fprintf (stdout,
"DES with 8 character passwords could be cracked in
%3.2lf minutes\n",cracktime/60);
cracktime = pow(2.0, 64.0);
cracktime /= (MD5PERF*cryptoperf*multiplier);
fprintf (stdout,
"MD5 with 64-bit keys could be cracked in about
%3.2lf days\n", cracktime/86400.0);
cracktime = pow(2.0, 8.0*6.0);
cracktime /= (MD5PERF*cryptoperf*multiplier);
fprintf (stdout,
"MD5 with 8 character passwords could be cracked in
%3.2lf minutes\n", cracktime/60); }
Leech Informational [Page 6]
^L
RFC 3607 Chinese Lottery Cryptanalysis Revisited September 2003
Normative References
[DESMEDT91] "Chinese Lotto as an Exhaustive Code-Breaking Machine".
J. Quisquater, Y. Desmedt, Computer, v. 24, n. 11, Nov
1991, pp. 14-22.
[RFC1810] Touch, J., "Report on MD5 Performance", RFC 1810, June
1995.
[EFF98] "Cracking DES: Secrets of Encryption Research, Wiretap
Politics & Chip Design", Electronic Frontier Foundation,
1998.
[CAIDA2001] "CAIDA Analysis of Code Red"
http://www.caida.org/analysis/security/code-red/
[SPAFF91] "The Internet Worm Program: An Analysis", Eugene
Spafford, 1991.
[FIPS197] "Advanced Encryption Standard", US FIPS197, November,
2001.
[USEN2002] "How to 0wn the Internet in Your Spare Time", Proc. 11th
Usenix Security Symposium, 2002.
Author's Address
Marcus D. Leech
Nortel Networks
P.O. Box 3511, Station C
Ottawa, ON
Canada, K1Y 4H7
Phone: +1 613-763-9145
EMail: mleech@nortelnetworks.com
Leech Informational [Page 7]
^L
RFC 3607 Chinese Lottery Cryptanalysis Revisited September 2003
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Leech Informational [Page 8]
^L
|
