DES Challenge Risks

C Matthew Curtin (cmcurtin@research.megasoft.com)
Thu, 17 Apr 1997 19:47:32 -0400 (EDT)


Forwarded from the Risks digest, and potentially of interest.

X-Digest: RISKS DIGEST 19.09
From: Thomas Koenig <ig25@mvmap66.ciw.uni-karlsruhe.de>
Subject: Re: DES Challenge risks
Date: Thu, 17 Apr 1997 19:36:19 +0200 (MET DST)

You may have heard of the effort to crack the DES challenge by
a group originating from Sweden (http://www.des.sollentuna.se/).

This has one very worrying aspect: The organizers don't give out the
sources. The reason given on their web site is:

> Q5: Will you release the source-code? And why not!?
> No, unfortunately we will not release the sourcecode for the client.
> This is due to the fact that people may, advertently or inadvertently,
> modify the client so that it breaks. This would of course jeopardize
> the entire effort, since some clients would not be able to find the
> correct key. When the project is finished, we will release all of the
> source-code used in the project.

There are quite a lot of things a malicious binary expected to soak up
cycles of CPU could do:

a) The program could do any of the traditional naughty things
(send out password information, install Trojans or back doors, ...)

b) The program could look for local passwords, try to crack them,
and send them back to the master server.

c) The program could also try to crack other codes. The master
DES keys of the EuroCheque ATM cards, for example, would be an
attractive target. [There are about 40 million EC ATM cards in
use in Germany today; fraud involving EC cards is increasing].

Point c) is especially worrying. I do assume the organizers themselves are
honest (mostly because at least two people I know quite well by 'net
reputation are involved in this). But even with that assumption, a criminal
could still break into the organizer's web site and substitute modified
clients. The organizers have taken no precautions against this that I can
see. There are no PGP signatures of the supplied binaries, not even MD5
checksums (which a criminal could also alter on the web pages).

Finally, the organizers also rely on security through obscurity to
ensure integrity of their clients:

> Both between a client and a server and between a server and the
> masterserver, a special authentication method is used to make sure
> that it is the correct program in the other end. This is done to avoid
> people from disturbing the challenge by reporting in blocks as
> finished even if they are not.

It's almost unnecessary to say that this is not good enough.

Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.

-- 
Matt Curtin  Chief Scientist  Megasoft, Inc.  cmcurtin@research.megasoft.com
http://www.research.megasoft.com/people/cmcurtin/    I speak only for myself
Death to small keys.  Crack DES NOW!   http://www.frii.com/~rcv/deschall.htm
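
Added example, not part of the forwarded message and not the DES challenge project's code: it shows why a checksum published on the same site as a binary does not detect a substituted binary, while a checksum page pinned through an independent channel does. SHA-256 stands in for the MD5 mentioned above, and the file name, sample bytes and pinned digest are constructed for illustration.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines: '<64 hex chars>  <file name>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        bytes.fromhex(parts[0])  # raises ValueError if the digest is not hex
        entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries

def check_download(name, blob, manifest_text, pinned_manifest_digest=None):
    """Return (ok, reason). Without a pin, the manifest is trusted as served."""
    if pinned_manifest_digest is not None:
        served = sha256_hex(manifest_text.encode())
        if not hmac.compare_digest(served, pinned_manifest_digest):
            return False, "manifest differs from pinned digest"
    try:
        expected = parse_manifest(manifest_text).get(name)
    except ValueError as exc:
        return False, str(exc)
    if expected is None:
        return False, "file not listed in manifest"
    if not hmac.compare_digest(sha256_hex(blob), expected):
        return False, "file digest mismatch"
    return True, "ok"

# Constructed sample data (not real binaries); NAME is a hypothetical file name.
NAME = "client.bin"
GENUINE = b"constructed stand-in for the released client"
REPLACED = b"constructed stand-in for a substituted client"

def served_by_site(blob):
    """What a download site hands out: the file plus a checksum page for it."""
    return blob, f"{sha256_hex(blob)}  {NAME}\n"

# Digest of the genuine checksum page, recorded through an independent channel.
PIN = sha256_hex(served_by_site(GENUINE)[1].encode())

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("replaced", REPLACED)):
        file_, manifest = served_by_site(blob)
        print(label, "same-site checksum:", check_download(NAME, file_, manifest))
        print(label, "pinned manifest:   ", check_download(NAME, file_, manifest, PIN))
```

The pin only helps if it reaches the user by a path the web site's administrator (or an intruder on that site) cannot rewrite; a detached PGP signature checked against an independently obtained public key serves the same role.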
