Newsgroups: sci.crypt
Path: msuinfo!caen!zaphod.mps.ohio-state.edu!rpi!batcomputer!cornell!wayner
From: wayner@CS.Cornell.EDU (Peter Wayner)
Subject: Re: Key-related regularity in DES-encrypted files.
Message-ID: <1992Jan15.162854.21864@cs.cornell.edu>
Sender: news@cs.cornell.edu (USENET news user)
Nntp-Posting-Host: thokk.cs.cornell.edu
Organization: Cornell Univ. CS Dept, Ithaca NY 14853
References: <3228@wet.UUCP>
Distribution: usa
Date: Wed, 15 Jan 1992 16:28:54 GMT
Lines: 112

naga@wet.UUCP (Peter Davidson) writes:
>E.  Observations
> 
>1.  For encryption via The Private Line using key #1, and via PCSECURE
>using either key #1 or key #2, exactly 8 byte values occur in N_20000.ENC
>and these are the same as the 8 most-frequent byte values in CHAP6A.ENC
>(encrypted with the same program and key).
> 
>2.  For encryption via The Private Line using key #2, exactly 7 byte
>values occur in N_20000.ENC and these are the same as the 7 most-
>frequent byte values in CHAP6A.ENC (encrypted with the same program and
>key).
> 


I'm going to guess that the file "CHAP6A.WP" has several strings of
null bytes in it. The strings need to be at least 8 bytes long and
they need to be long enough so that DES will group 8 null bytes
together in the same block. What is happening here is that these null
blocks are going to encode into the same values as the null blocks in
"N_20000".  Then they will just skew the distribution and the more
there are of them the more the distribution will be skewed.


I will also guess that there are not very many of these strings of
null bytes. Why? The distribution of frequent byte values in CHAP6A is
slightly different than N_20000.ENC. DES has generally been found to
be a relatively good random number generator. It should be producing
each byte about 48,524/256 = ~ 196 times. I wish I knew a standard
deviation for the DES randomization because if I did I could probably
pin down the exact number of these null blocks in CHAP6A.WP. But I
don't and I would guess it would be something like 10 or 15.

> 
>A.  The files
> 
>1.  N_20000        A file of 20,000 null bytes.
>2.  CHAP6A.WP      A 48,524-byte Word Perfect file.
>3.  CHAP04.TXT     A 51,162-byte text file.
>4.  PRIVATE.DOC    A 116,096-byte text file.
>5.  R_20000        A file of 20,000 random bytes.
> 
>File         Program     16 most-frequent byte values
> 
>N_20000.ENC  PRIVATE     00 49 6D 9C AF BD BE F0
>CHAP6A.ENC   PRIVATE     00 49 6D BE F0 BD AF 9C  4C 12 C1 A9 71 77 FA CE
>CHAP04.ENC   PRIVATE     DC 02 FC 7C F9 8E 2B 26  FB FD 61 47 23 DD 93 C3
>PRIVATE.ENC  PRIVATE     FC 8E 02 26 2B F9 DC 7C  D8 4C A7 34 49 18 77 61
>R_20000.ENC  PRIVATE     C7 B2 D2 49 A7 68 E7 6F  D8 E8 5D DC 2C 37 60 65
> 
>N_20000.SEC  PCSECURE    1C 66 25 70 77 81 AC FA  7F 9A 35 54 8F 99 B8 CD
>CHAP6A.SEC   PCSECURE    81 70 25 66 77 FA AC 1C  C6 1D 4D 23 27 76 51 31
>CHAP04.SEC   PCSECURE    17 6D 63 DB CA 00 70 F1  67 D9 AB C0 2E 43 79 16
>PRIVATE.SEC  PCSECURE    17 00 CA DB 70 6D 63 4C  38 30 B2 E0 94 03 C8 A6
>R_20000.SEC  PCSECURE    84 8E 1B 6D 33 5A 97 35  12 68 88 16 51 B1 08 0D
> 
> 
>2.  Using key 04 91 C5 32 F3 49 9F AA
> 
>File         Program     16 most-frequent byte values
> 
>N_20000.ENC  PRIVATE     7A 16 32 4B 7D B2 BE
>CHAP6A.ENC   PRIVATE     7A 16 4B 7D BE B2 32 E4  E2 8B 63 C6 BA 1D 50 99
>CHAP04.ENC   PRIVATE     99 6C A3 D4 1F 71 55 7E  3B 77 93 CD BE 68 BD FA
>PRIVATE.ENC  PRIVATE     7E 6C 8B 99 1F A3 55 F1  71 D4 2B 62 48 39 74 EA
>R_20000.ENC  PRIVATE     DE A2 75 7C 12 90 B5 49  8B 05 54 6A 81 6C 7F 28
> 
>N_20000.SEC  PCSECURE    F8 0C 32 48 5D 76 91 95  35 4A 5A 6B 6E 98 A3 00
>CHAP6A.SEC   PCSECURE    95 F8 48 5D 32 91 76 0C  7F F4 70 61 31 69 A2 53
>CHAP04.SEC   PCSECURE    FE 69 0F 47 1C 21 35 EA  6F DE B3 95 F8 F9 E5 09
>PRIVATE.SEC  PCSECURE    FE 21 0F 47 EA 1C 35 69  3B C6 13 C2 39 B2 FB 9D
>R_20000.SEC  PCSECURE    04 36 BA 74 43 AE 39 B6  CE FA 32 34 44 B0 B9 8B
> 
> 
> 
>F.  Conclusion
> 
>Under some circumstances the 8 most-frequent bytes in ciphertext
>encrypted using DES (in electronic codebook mode) with the same 8-byte
>key will be the same despite major differences in the plaintext.
> 
> 
>G.  Further comment
> 
>The files used were not especially selected, and are typical of their
>class.  Observations such as the above may be confirmed with other files.
> 
>If several files are encrypted using the same DES key, it will be found
>that among the most-frequent bytes in the files (the 8 most-frequent, the
>12-most frequent, etc.) there are many common values.  A DES key thus
>generates a relatively small set of byte values which are the most common
>byte values in files encrypted using that key.
> 
>It may be that a reverse relationship can be discovered, in which the
>most-frequent byte values in a DES-encrypted file determine a relatively
>small set of DES keys, one of which is the key used to encrypt the file.
>If this cannot be done analytically then it might be possible to do by
>recording which sets of most-frequent values are generated (using different
>plaintexts) by each DES key.  This may require much computing time, but if
>properly planned would have to be done only once, and the result would be a
>table mapping most-frequent bytes into a relatively small set of possible
>DES keys.  If such a table could be computed then cracking a DES-encrypted
>file would be quite easy, consisting of a table look-up and testing of the
>indicated keys.  Furthermore, if such a table is possible then it is not
>unreasonable to suppose that it already exists.
> 
Nope. Unlikely.
-- 
Peter Wayner   Department of Computer Science Cornell Univ. Ithaca, NY 14850
EMail:wayner@cs.cornell.edu    Office: 607-255-9202 or 255-1008
Home: 116 Oak Ave, Ithaca, NY 14850  Phone: 607-277-6678
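
The effect discussed in this post, reproduced as an added example (not code from either poster): in ECB mode every all-null block encrypts to the same 8 ciphertext bytes, so those bytes dominate the histogram and the null blocks can be counted exactly. Assumptions: a 4-round HMAC-based Feistel permutation stands in for DES, and the key and the "document" with 300 aligned null blocks are constructed.

```python
import hashlib
import hmac
import random
from collections import Counter

BLOCK = 8  # DES block size in bytes

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on 8 bytes. A stand-in for DES, NOT DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each 8-byte block is encrypted independently (zero padded)."""
    data += bytes(-len(data) % BLOCK)
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def top_bytes(data: bytes, n: int) -> set:
    """The n most frequent byte values, as a set."""
    return {value for value, _ in Counter(data).most_common(n)}

def count_blocks(ciphertext: bytes, target: bytes) -> int:
    """Number of aligned ciphertext blocks equal to target."""
    return sum(ciphertext[i:i + BLOCK] == target
               for i in range(0, len(ciphertext), BLOCK))

def demo():
    key = b"constructed key"          # constructed, not a key from the post
    rng = random.Random(1992)         # fixed seed so the run is repeatable
    null_ct = ecb_encrypt(key, bytes(20000))   # analogue of N_20000
    null_values = set(null_ct)        # at most 8 distinct byte values
    # Constructed document: 6000 blocks of non-null noise, 300 of them
    # then overwritten with aligned all-null blocks.
    blocks = [bytes(rng.randrange(1, 256) for _ in range(BLOCK))
              for _ in range(6000)]
    for pos in rng.sample(range(len(blocks)), 300):
        blocks[pos] = bytes(BLOCK)
    doc_ct = ecb_encrypt(key, b"".join(blocks))
    return (null_values, top_bytes(doc_ct, len(null_values)),
            count_blocks(doc_ct, null_ct[:BLOCK]))

if __name__ == "__main__":
    values, top, nulls = demo()
    print(sorted(values), sorted(top), nulls)
```

The match in the histogram says nothing about the key; it only reveals which plaintext blocks repeat, which is why chained modes with a fresh IV are used instead of ECB.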

