[1195] in cryptography@c2.net mail archive


Re: cracking n-DES?

daemon@ATHENA.MIT.EDU (Phil Karn)
Thu Jul 10 16:12:04 1997

Date: Wed, 9 Jul 1997 20:51:03 -0700 (PDT)
From: Phil Karn <karn@qualcomm.com>
To: smb@research.att.com
CC: daw@cs.berkeley.edu, cryptography@c2.net, karn@qualcomm.com
In-reply-to: <199706281406.KAA17399@raptor.research.att.com> (message from
	Steven Bellovin on Sat, 28 Jun 1997 10:06:16 -0400)

>Thanks for an interesting set of attacks.  The book states that he used
>Sun's and IBM's implementations of DES.  The former is probably Sun's
>"des" command for SunOS 4.1.x; I don't know about the latter.

I'm familiar with Sun's DES command, because circa 1986-7 I wrote a
public domain interoperable clone of this command for MS-DOS that was
very widely distributed. So the "IBM implementation" that Poulson used
could very well have been mine.

The Sun DES command simply used the first 8 bytes of the typed ASCII
password as the 56-bit DES key. It then encrypted standard input in
CBC mode. To retain the entropy contained in the low order bit of each
ASCII key byte when DES ignores it, the high bit of each key byte is
first set to have correct parity. (I forget if it was odd or even).

Obviously this scheme is still quite weak since the key is not likely
to include unprintable ASCII bytes. If NSA confined its initial search
to printable 8-character ASCII alphanumeric strings with correct
parity, I could well believe that they'd find the key by brute force
search, especially on a purpose-built DES cracker.

Poulson's key of "KPfofip0ST" should amuse any old-time phone
phreak. "KP" ("keypulse") and "ST" ("start") were the designations
given to the old interoffice multifrequency (MF) signalling tones (aka
"bluebox" tones) used to mark the beginning (KP) and end (ST) of the
transmission of a telephone number.

And "fofip" represents the fourth column of touch-tone buttons used to
indicate call precedence on a military (AUTOVON?) telephone. These are
labeled, from top to bottom, "FO" (Flash Override), "F" (Flash), "I"
(Immediate) and "P" (Priority).  And presumably the "0" was for
"Operator". So this key was arguably a syntactically valid interoffice
MF message that called the operator with all of the precedence flags
set.

Of course, since the Sun (and my) DES command only used the first 8
characters of the password, there is no way that a brute-force search
would have discovered the "ST" characters on the end. So perhaps they
simply found the password written down somewhere on a scrap of paper,
and started a rumor about brute-force cracking to spread a little
paranoia amongst the hacker underground.

Phil
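An added example, not code from Phil Karn's post or from Sun's des command, that models the key derivation described above and the truncation point made in the last paragraph. It assumes odd parity (the FIPS 46 convention; the post does not say which Sun used) and null-padding of passwords shorter than 8 bytes, both labelled as assumptions in the code, and it reports how much of the 56-bit keyspace an 8-character printable or alphanumeric password can actually reach.

```python
# Model of the Sun-style "typed password -> DES key" derivation described in
# the post.  Assumptions (not stated in the post): odd parity, as in FIPS 46,
# and null-padding of passwords shorter than 8 bytes.
import math


def odd_parity_byte(b: int) -> int:
    """Use bit 7 as a parity bit so the byte has odd parity.

    The seven low bits (the ASCII character) are kept unchanged, which is
    exactly the trick the post describes: DES ignores bit 0 of each key byte
    for key schedule purposes only by convention, so the password's low bit
    is preserved and only the high bit is overwritten.
    """
    low7 = b & 0x7F
    ones = bin(low7).count("1")
    return low7 if ones % 2 == 1 else low7 | 0x80


def sun_des_key(password: str) -> bytes:
    """First 8 ASCII bytes of the password, high bit rewritten for parity.

    Anything past the 8th character is discarded, so "KPfofip0ST" and
    "KPfofip0" produce the same 64-bit key.
    """
    raw = password.encode("ascii")[:8]
    raw = raw.ljust(8, b"\x00")  # assumption: null-pad short passwords
    return bytes(odd_parity_byte(b) for b in raw)


def effective_key_bits(alphabet_size: int, key_len: int = 8) -> float:
    """log2 of the number of distinct keys reachable from a given alphabet.

    Compared with the nominal 56 bits of DES, this is the search space a
    password restricted to printable (95) or alphanumeric (62) ASCII gives.
    """
    return key_len * math.log2(alphabet_size)


if __name__ == "__main__":
    k_full = sun_des_key("KPfofip0ST")
    k_trunc = sun_des_key("KPfofip0")
    print("key:", k_full.hex(), "same as 8-char prefix:", k_full == k_trunc)
    for name, n in [("printable ASCII", 95), ("alphanumeric", 62)]:
        print(f"{name:16s} {effective_key_bits(n):5.1f} of 56 bits")
```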
