From daw@CS.BERKELEY.EDU Thu Jun 4 14:26:20 PDT 1998
Article: 4096 of isaac.lists.bugtraq
Path: news.isaac.cs.berkeley.edu!not-for-mail
From: David Wagner
Newsgroups: isaac.lists.bugtraq
Subject: Re: CISCO PIX Vulnerability
Date: 3 Jun 1998 21:40:38 -0700
Organization: ISAAC Group, UC Berkeley
Lines: 48
Sender: daemon@abraham.cs.berkeley.edu
Approved: mail2news@news.isaac.cs.berkeley.edu
Distribution: isaac
Message-ID: <199806040225.TAA32489@joseph.cs.berkeley.edu>
Reply-To: David Wagner
NNTP-Posting-Host: abraham.cs.berkeley.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Approved-By: aleph1@NATIONWIDE.NET
X-Mailer: ELM [version 2.4 PL25]
X-To: Damir.Rajnovic@EUROCERT.NET
Xref: joseph.cs.berkeley.edu isaac.lists.bugtraq:4096

In article you write:
> CISCO PIX Private Link feature uses DES key that is only 48 bits in length.
[...]
> Apparently, knowing what bits are fixed will not bring attacker
> any additional 'gain' in breaking a DES. At least I was told that by
> people from sci.crypt group.

Either the sci.crypt folks were confused, or I am. With only 48 unknown
bits in the DES key, you can break the encryption 2^8 = 256 times faster
than you can break DES. This is a serious weakness.

> Another thing is that PIX is using DES in ECB mode.

My god, that's atrocious! This is ``kindergarten crypto'' (to steal a
quote from Bruce Schneier). You can probably break a fair amount of
traffic with classical frequency analysis (roughly like solving a simple
substitution cipher like in the back of the daily newspapers, only
trickier). Stereotyped text and headers should be easily recovered.

What's worse is that this has a nasty interaction with the weakening of
the key down to 48 bits. In export-weakened SSL, one adds some public
salt to the 40-bit secret key, to stop precomputation attacks; but note
that CISCO's algorithm adds no salt, so there are all sorts of
precomputation attacks possible.

The simplest attack (``the Exabyte attack'') is to encrypt some common
plaintext block (e.g. "\nlogin: ") under all 2^48 possible keys, and
store the 2^48 ciphertext results on a big Exabyte tape; then each
subsequent link-encryption key can be broken with O(1) effort. Thanks
to the ECB mode, such a common plaintext block should be easy to find.
(With a real chaining mode, these attacks are not possible under a
ciphertext-only assumption, because the chaining vector serves as a
kind of salt.)

A much more practical approach would use Hellman's time-space tradeoff.
There, you'd need only about 2^32 space (e.g. $100 at Fry's for a cheap
hard disk), plus you'd need to do a 2^48 precomputation. After the
precomputation, each subsequent link-encryption key can be broken with
about 2^32 trial encryptions.

So you should think of CISCO PIX as roughly 32-bit crypto... and that
might be an overstatement. I don't think I need to tell you that a 2^32
work factor is *trivial*. I could be breaking this in real-time, and
I'm only a grad student.
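An added illustration of the mode-level point in the post (that a chaining vector acts as a salt while ECB repeats a stereotyped block identically across sessions); this is not code from the post or from any Cisco product. The block cipher is an HMAC-based Feistel stand-in, not DES, and the key, the two sessions and the IVs are constructed; the repeat counter is the kind of check an auditor runs over captured link traffic.

```python
import hmac

BLOCK = 8  # 64-bit blocks, the same block size as DES

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to one 32-bit half.
    return hmac.new(key, bytes([rnd]) + half, "sha256").digest()[:4]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network: a bijection on 64-bit blocks that stands in
    # for DES here (it is NOT DES; only the mode behaviour is being shown).
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, rnd, right)))
    return left + right

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: blocks are encrypted independently, so equal plaintext blocks
    # always give equal ciphertext blocks under the same key.
    return b"".join(toy_encrypt_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block (the IV for
    # the first), so the IV is the per-message salt the post refers to.
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    # Audit check over captured ciphertext: how many blocks repeat an earlier one.
    counts = {}
    for i in range(0, len(ct), BLOCK):
        counts[ct[i:i + BLOCK]] = counts.get(ct[i:i + BLOCK], 0) + 1
    return sum(n - 1 for n in counts.values())

# Constructed sample traffic: two sessions that both open with the stereotyped
# 8-byte block "\nlogin: " from the post, followed by different user names.
KEY = b"\x01\x23\x45\x67\x89\xab"  # constructed 48-bit key
SESSIONS = [b"\nlogin: alice   ", b"\nlogin: bob     "]
IVS = [bytes(range(8)), bytes(range(8, 16))]  # distinct constructed IVs

def captured(mode: str) -> bytes:
    # Concatenate both sessions' ciphertext as a passive observer would see it.
    if mode == "ecb":
        return b"".join(ecb_encrypt(KEY, s) for s in SESSIONS)
    return b"".join(cbc_encrypt(KEY, iv, s) for iv, s in zip(IVS, SESSIONS))
```

Under ECB the first block of both sessions is byte-identical, which is exactly what makes one precomputed table entry for the header reusable across every session; under CBC with distinct IVs it is not.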