[2796] in cryptography@c2.net mail archive
David Wagner: Re: CISCO PIX Vulnerability
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Jun 4 03:05:43 1998
To: cryptography@c2.net
Date: Thu, 04 Jun 1998 00:32:21 -0400
From: "Perry E. Metzger" <perry@piermont.com>
I thought this would be of interest.
Message-ID: <199806040225.TAA32489@joseph.cs.berkeley.edu>
Date: Wed, 3 Jun 1998 19:25:30 -0700
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: David Wagner <daw@CS.BERKELEY.EDU>
Subject: Re: CISCO PIX Vulnerability
To: BUGTRAQ@NETSPACE.ORG
In article <v03007801b19b0b9bd8f5@[194.82.141.242]> you write:
> CISCO PIX Private Link feature uses DES key that is only 48 bits in length.
[...]
> Apparently, knowing what bits are fixed will not bring attacker
> any additional 'gain' in breaking a DES. At least I was told that by
> people from sci.crypt group.
Either the sci.crypt folks were confused, or I am. With only 48
unknown bits in the DES key, you can break the encryption 2^8 = 256
times faster than you can break DES. This is a serious weakness.
> Another thing is that PIX is using DES in ECB mode.
My god, that's atrocious! This is ``kindergarten crypto'' (to
steal a quote from Bruce Schneier).
You can probably break a fair amount of traffic with classical
frequency analysis (roughly like solving a simple substitution cipher
like in the back of the daily newspapers, only trickier).
Stereotyped text and headers should be easily recovered.
What's worse is that this has a nasty interaction with the
weakening of the key down to 48 bits. In export-weakened SSL, one
adds some public salt to the 40-bit secret key, to stop precomputation
attacks; but note that CISCO's algorithm adds no salt, so there are
all sorts of precomputation attacks possible.
The simplest attack (``the Exabyte attack'') is to encrypt some
common plaintext block (e.g. "\nlogin: ") under all 2^48 possible
keys, and store the 2^48 ciphertext results on a big Exabyte tape;
then each subsequent link-encryption key can be broken with O(1)
effort. Thanks to the ECB mode, such a common plaintext block
should be easy to find. (With a real chaining mode, these attacks
are not possible under a ciphertext-only assumption, because the
chaining vector serves as a kind of salt.)
A much more practical approach would use Hellman's time-space
tradeoff. There, you'd need only about 2^32 space (e.g. $100 at
Fry's for a cheap hard disk), plus you'd need to do a 2^48 precomputation.
After the precomputation, each subsequent link-encryption key
can be broken with about 2^32 trial encryptions.
So you should think of CISCO PIX as roughly 32-bit crypto...
and that might be an overstatement.
I don't think I need to tell you that a 2^32 work factor is
*trivial*. I could be breaking this in real-time, and I'm only
a grad student.
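[Editor's note: the following is an added, runnable illustration of the two attacks Wagner sketches above (ECB frequency analysis to locate a stereotyped block, then a no-salt precomputation: the full "Exabyte" codebook and Hellman's time-memory trade-off). It is not code from Wagner, Bugtraq, or Cisco, and it makes no claim about the actual PIX implementation. Assumptions, all the editor's: the block cipher is a stand-in (SHA-256 of key||block truncated to 8 bytes, not DES), the unknown key is cut from 48 bits to 16 so the precomputation runs in seconds, the "session" plaintext is constructed, and the reduction function R, chain length and chain count are arbitrary demo choices. The shape of the trade-off is the same at 2^48 keys / 2^32 table, only the constants differ.]

```python
import hashlib
from collections import Counter

# Toy parameters: 16 unknown key bits instead of the PIX's 48, so the
# precomputation finishes in seconds; the trade-off has the same shape.
KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS
BLOCK = 8                       # DES block size in bytes
COMMON_BLOCK = b"\nlogin: "     # Wagner's example of a stereotyped block


def encrypt_block(key, block):
    """Stand-in for DES_k(block): deterministic 64-bit output
    (assumption: truncated SHA-256 of key||block, not real DES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key.to_bytes(6, "big") + block).digest()[:BLOCK]


def ecb_encrypt(key, data):
    """ECB mode: equal plaintext blocks give equal ciphertext blocks."""
    assert len(data) % BLOCK == 0
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def most_common_block(ciphertext):
    """Frequency analysis on ECB output: the most repeated ciphertext
    block is the encryption of the most repeated plaintext block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return Counter(blocks).most_common(1)[0]          # (block, count)


def exabyte_table():
    """The 'Exabyte attack': E_k(P) -> k for every key.  O(1) per later
    link key, but 2^KEY_BITS entries of storage."""
    return {encrypt_block(k, COMMON_BLOCK): k for k in range(KEY_SPACE)}


# Hellman time-memory trade-off on f(k) = R(E_k(COMMON_BLOCK)).  Without a
# salt or IV, f depends on the key alone, so one table serves every key.

def reduce_to_key(ct):
    """R: fold a ciphertext block back into the key space."""
    return int.from_bytes(ct, "big") & (KEY_SPACE - 1)


def f(key):
    return reduce_to_key(encrypt_block(key, COMMON_BLOCK))


def build_hellman_table(num_chains, chain_len):
    """Precomputation: num_chains * chain_len evaluations of f, but only
    num_chains (endpoint -> startpoint) pairs are kept."""
    table = {}
    for sp in range(num_chains):                  # constructed start points
        k = sp
        for _ in range(chain_len):
            k = f(k)
        table.setdefault(k, sp)                   # on a merge keep the first chain
    return table


def hellman_recover(table, chain_len, target_ct):
    """Online phase, ciphertext-only: target_ct = E_k(COMMON_BLOCK) for an
    unknown k.  At most about 2*chain_len evaluations of f.  Returns k,
    or None if k lies in no stored chain."""
    y = reduce_to_key(target_ct)                  # y = f(k)
    for j in range(chain_len):                    # here y == f^(j+1)(k)
        if y in table:
            cand = table[y]                       # k is chain_len-1-j steps in
            for _ in range(chain_len - 1 - j):
                cand = f(cand)
            if encrypt_block(cand, COMMON_BLOCK) == target_ct:
                return cand
            # else a false alarm from a merged chain: keep walking
        y = f(y)
    return None


def brute_force(target_ct):
    """The 2^KEY_BITS baseline that the table attacks beat."""
    for k in range(KEY_SPACE):
        if encrypt_block(k, COMMON_BLOCK) == target_ct:
            return k
    return None


def attack_session(table, chain_len, ciphertext):
    """Whole attack: take the most repeated ECB block (very likely the
    login prompt) and look it up in the precomputed Hellman table."""
    block, _ = most_common_block(ciphertext)
    return hellman_recover(table, chain_len, block)


# Constructed telnet-like session, padded to 8-byte blocks; the prompt
# recurs three times and every other block is unique.
SESSION = b"".join(s.ljust(BLOCK, b" ") for s in [
    b"Welcome!", COMMON_BLOCK, b"alice", b"Password", b"hunter2",
    b"Denied.", COMMON_BLOCK, b"bob", b"try2:", b"qwerty",
    b"Nope.", COMMON_BLOCK, b"carol", b"last:", b"letmein"])

CHAIN_LEN = 64
NUM_CHAINS = 1024           # 1024 * 64 = 2^16 evaluations, 1024 entries kept

if __name__ == "__main__":
    table = build_hellman_table(NUM_CHAINS, CHAIN_LEN)
    key = next(iter(table.values()))              # a key the table covers
    ct = ecb_encrypt(key, SESSION)
    print("most repeated block seen", most_common_block(ct)[1], "times")
    print("recovered key", hex(attack_session(table, CHAIN_LEN, ct)))
```

Two things to notice when running it: the online phase never touches the plaintext, it only needs the ciphertext block that repeats, which is exactly what a chaining mode with a per-message IV would have hidden; and a single Hellman table misses a fraction of keys (chains merge), which is why real deployments use several tables with different reductions, at the cost Wagner quotes as roughly 2^32 space and 2^32 work per key for a 2^48 space.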