
If attackers can figure out what your key is, they can decrypt your data. One approach, the brute-force attack, is to try every possible key until the right one is identified. It works this way. Let’s say your key is a number between 0 and 100,000,000,000 (one hundred billion). The attacker takes your ciphertext (perhaps only 8 or 16 bytes’ worth) and feeds it to the decryption algorithm along with the “alleged key” of 0. The algorithm does its job and produces a result. If the resulting data appears reasonable, 0 is probably the correct key. If it’s gibberish, 0 is not the true key. In that case, the attacker tries 1, and then 2, 3, 4, and so on (see Figure 2-7).

Remember, an algorithm simply performs its steps, regardless of the input. It has no way of knowing whether the result it produces is the correct one. Even if the value is close to the key, maybe off by only 1, the result is gibberish. So it’s necessary to look at the result to tell whether it might be the key. Smart attackers write programs to examine the result. Is it a series of letters of the alphabet? Yes? Pass this key to the attacker. No? Try the next key.

Chapter 2

30

It usually takes very little time to try a key. The attacker can probably write a program that tries many keys per second. Eventually, the attacker could try every possible number between 0 and 100 billion, but that may not be necessary. Once the correct key is found, there’s no need to search any more. On average, the attacker will try half of all possible keys—in our example, 50 billion keys—before finding the correct one. Sometimes it takes more time, sometimes less, but, on average, about half the possible keys must be tried.
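The search loop and the automated "is it gibberish?" check described above, as an added example that is not from the book. The toy cipher (XOR with a SHA-256 keystream), the 16-bit key space, the key and the message are all constructed for illustration so the search finishes instantly.

```python
import hashlib

KEY_BITS = 16                     # assumption: tiny key space so the demo runs fast
SECRET_KEY = 41_337               # constructed sample key
PLAINTEXT = b"meet me at noon"    # constructed sample message


def toy_cipher(key: int, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR with SHA-256(key).
    Encrypting and decrypting are the same operation; data must be <= 32 bytes."""
    stream = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return bytes(b ^ s for b, s in zip(data, stream))


def looks_reasonable(candidate: bytes) -> bool:
    """Automated plausibility test: ASCII letters and spaces only."""
    return all(b == 0x20 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A
               for b in candidate)


def brute_force(ciphertext: bytes, key_bits: int = KEY_BITS):
    """Try keys 0, 1, 2, ... and return (key, tries) for the first plausible result."""
    for tries, key in enumerate(range(2 ** key_bits), start=1):
        if looks_reasonable(toy_cipher(key, ciphertext)):
            return key, tries
    return None, 2 ** key_bits


if __name__ == "__main__":
    ciphertext = toy_cipher(SECRET_KEY, PLAINTEXT)
    # A key that is off by only 1 still decrypts to gibberish.
    print("key + 1 gives:", toy_cipher(SECRET_KEY + 1, ciphertext))
    key, tries = brute_force(ciphertext)
    print(f"found key {key} after {tries} of {2 ** KEY_BITS} tries")
```

Raising `KEY_BITS` by one doubles the number of values the loop may have to visit, which is the reason a real key space is chosen to be far too large to enumerate.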

Figure 2-7

The brute force attack. If you know that the key is a number between 1 and 100,000,000,000, you try each number in turn until a number produces something that’s not gibberish

How long would it take an attacker to try 50 billion keys? Three years? Three days? Three minutes? Suppose you want to keep your secret safe for at least three years, but it takes an attacker only three minutes to try 50 billion values. Then what do you do? You choose a bigger range. Instead of finding a number between 0 and 100 billion, you find a number between 0 and 100 billion billion billion billion. Now the attacker will have to try, on average, many more keys before finding the right one.

This concept of the range of possible keys is known as key size. Gold is measured in troy ounces, atoms are measured in moles, and cryptographic keys are measured in bits. If someone asks, “How big is that key?” the answer might be 40 bits, 56 bits, 128 bits, and so on. A 40-bit key means that the range of possible values is from 0 to about 1 trillion. A 56-bit key is 0 to about 72 quadrillion. The range of a 128-bit key is so large that it’s easier just to say it’s a 128-bit key (see Figure 2-8).


Figure 2-8

The larger the key size, the greater the range of possible values a key can be. Each bit in each position, whether 0 or 1, is important

Each bit of key size you add doubles the time required for a brute-force attack. If a 40-bit key takes 3 hours to break, a 41-bit key would take 6 hours, a 42-bit key, 12 hours, and so on. Why? Each additional bit doubles the number of possible keys. For example, there are eight possible numbers of size 3 bits:

000 001 010 011 100 101 110 111

With 4 bits, there are 16:

0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

Every number possible with 3 bits is possible with 4 bits, but each of those numbers is possible “twice”: once with the first bit not set, and again with it set. So if you add a bit, you double the number of possible keys. If you double the number of possible keys, you double the average time it takes for a brute-force attack to find the right key.

In short, if you want to make the attacker’s job tougher, you choose a bigger key. Longer keys mean greater security. How big should a key be? Over the years, RSA Laboratories has offered challenges. The first person or organization to crack a particular message wins a money prize. Some of the challenges have been tests of brute-force time. In 1997, a 40-bit key fell in 3 hours, and a 48-bit key lasted 280 hours. In 1999, the Electronic Frontier Foundation found a 56-bit key in 24 hours. In each case, a little more than 50 percent of the key space was searched before the key was found. In January 1997, a 64-bit challenge was issued. As of December 2000, it has still not been solved.

In all these situations, hundreds or even thousands of computers were operating cooperatively to break the keys. In fact, with the 56-bit DES challenge that the Electronic Frontier Foundation broke in 24 hours, one of those computers was a custom-built DES cracker. This kind of computer does only one thing: check DES keys. An attacker working secretly would probably not be able to harness the power of hundreds of computers and might not possess a machine built specifically to crack a particular algorithm. That’s why, for most attackers, the time it takes to break the key would almost certainly be dramatically higher. On the other hand, if the attacker were a government intelligence agency with enormous resources, the situation would be different.

We can devise worst-case scenarios. Let’s use as our baseline an exaggerated worst-case scenario: examining 1 percent of the key space of a 56-bit key takes 1 second, and examining 50 percent takes 1 minute (see Table 2-1). Each time that we add a bit to the key size, we double the search time.

Currently, 128 bits is the most commonly used symmetric-key size. If technology advances and brute-force attackers can improve on these num- bers (maybe they can reduce the 128-bit times to a few years), then we would need to use a 256-bit key.

You may be thinking, “Technology is always advancing, so I’ll have to keep increasing key sizes again and again. Won’t there come a time when I’ll need a key so big it becomes too unwieldy to handle?” The answer is that you’ll almost certainly never need a key longer than 512 bits (64 bytes). Suppose that every atom in the known universe (there are about 2^300 of them) were a computer and that each of these computers could check 2^300 keys per second. It would take about 2^162 millennia to search 1 percent of the key space of a 512-bit key. According to the Big Bang theory, the amount of time that has passed since the universe came into existence is less than 2^24 millennia. In other words, it is highly unlikely that technology will ever advance far enough to force you to use a key that’s “too big.”

That may not matter, though, because there’s another attack on the key. Instead of trying to reproduce the key, attackers can try to reproduce the PRNG and seed that were used to produce the key. It works like this. Attackers know the particular PRNG and seed-collection method you used. (Remember, as discussed earlier in this chapter in “Historical Note: They Always Figure Out the Algorithm,” the attacker will always know your algorithms and methods.) If attackers can guess your seed, they can seed the PRNG and produce the same key. If you used a small seed, attackers will try every possible value until they find the correct one. This happened to Netscape, as described in “Historical Note: Netscape’s Seed.” Your defense against this kind of attack is to use a good seed. A PRNG will always produce good pseudo-random numbers regardless of seed. But the seed must also be strong enough to withstand a brute-force attack.
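Why a small seed undoes a large key, as an added example that is not from the book. It assumes a hypothetical seed-collection method (the second of the day, 86,400 possible values) and uses Python's `random` module as a stand-in for "the PRNG"; the seed value 51,234 is constructed.

```python
import math
import random
import secrets

KEY_BITS = 128
SEED_SPACE = 86_400   # assumption: seed is the second of the day (0..86399)


def weak_keygen(seed: int) -> bytes:
    """128-bit key from a PRNG seeded with a small, guessable value."""
    return random.Random(seed).getrandbits(KEY_BITS).to_bytes(KEY_BITS // 8, "big")


def strong_keygen() -> bytes:
    """128-bit key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BITS // 8)


def effective_bits(seed_space: int, key_bits: int = KEY_BITS) -> float:
    """Brute-force strength is capped by the smaller of seed space and key space."""
    return min(math.log2(seed_space), key_bits)


def tries_to_find(key: bytes, seed_space: int = SEED_SPACE):
    """Replay every seed through the known PRNG; count tries until `key` reappears."""
    for tries, seed in enumerate(range(seed_space), start=1):
        if weak_keygen(seed) == key:
            return tries
    return None   # key was not produced from this seed space


if __name__ == "__main__":
    victim = weak_keygen(51_234)   # constructed sample seed
    print("weak key reproduced after", tries_to_find(victim), "tries")
    print("effective strength: %.1f bits" % effective_bits(SEED_SPACE))
    print("CSPRNG key reproduced:", tries_to_find(strong_keygen()))
```

The key is 128 bits long in both cases, but the seeded one can only take 86,400 distinct values, so its brute-force strength is about 16.4 bits.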


Table 2-1

A Worse Than Worst-Case Scenario: How Long a Brute-Force Attack Will Take for Various Key Sizes

Bits    1 percent of Key Space    50 percent of Key Space
56      1 second                  1 minute
57      2 seconds                 2 minutes
58      4 seconds                 4 minutes
64      4.2 minutes               4.2 hours
72      17.9 hours                44.8 days
80      190.9 days                31.4 years
90      535 years                 321 centuries
108     140,000 millennia         8 million millennia
128     146 billion millennia     8 trillion millennia