| {{distinguish|man-in-the-middle attack}}
| {{Synthesis|article|date=May 2013}}
| |
| {{refimprove|date=March 2009}}
| |
| {{Inadequate lead|date=December 2012}}
| |
| | |
The '''Meet-in-the-Middle attack''' is a generic [[space–time tradeoff]] [[cryptography|cryptographic]] attack.
| | |
== Description ==

MITM is a generic attack, applicable to several cryptographic systems. The internal structure of a specific system is therefore irrelevant to this attack. It is possible, though, to combine it with other kinds of attack, as has been done.

Naturally, it requires the ability to encrypt and decrypt, and the possession of pairs of plaintexts and corresponding ciphertexts.

When trying to improve the security of a block cipher, a tempting idea is to simply use several independent [[cryptographic key|key]]s to encrypt the data several times using a sequence of functions (encryptions). Then one might think that this doubles or even ''n''-tuples the security of the multiple-encryption scheme, depending on the number of encryptions the data must go through.

The Meet-in-the-Middle attack attempts to find a value using both the range (ciphertext) and the domain (plaintext) of the composition of several functions (or block ciphers) such that the forward mapping through the first functions is the same as the backward mapping (inverse image) through the last functions, quite literally ''meeting'' in the middle of the composed function.

The Multidimensional MITM (MD-MITM) uses a combination of several simultaneous MITM attacks as described above, where the meeting happens in multiple positions in the composed function.

An exhaustive search over all possible combinations of keys (simple brute force) would take ''2<sup>k·j</sup>'' attempts if ''j'' encryptions have been used with a different key in each encryption, where each key is ''k'' bits long. Using MITM or MD-MITM, this can be done better.
| |
| | |
== History ==

It was first developed as an attack on an attempted expansion of a [[block cipher]] by [[Whitfield Diffie|Diffie]] and [[Martin Hellman|Hellman]] in 1977.<ref>{{note|dh-exh}} {{cite journal | last1=Diffie | first1=Whitfield | last2=Hellman | first2=Martin E. | date=June 1977 | title=Exhaustive Cryptanalysis of the NBS Data Encryption Standard | journal=Computer | volume=10 | issue=6 | pages=74–84 | doi=10.1109/C-M.1977.217750 | url=http://www.computer.org/portal/web/csdl/doi/10.1109/C-M.1977.217750 }}</ref>

Diffie and Hellman, however, devised a [[space-time tradeoff]] that could break the scheme in only double the time to break the single-encryption scheme.

In 2011, Bo Zhu and Guang Gong investigated the ''Multidimensional Meet-in-the-Middle attack'' and presented new attacks on the block ciphers [[GOST (block cipher)]], KTANTAN and Hummingbird-2.<ref name="ZhuGuang2011" />
| |
| | |
== MITM (1D-MITM) ==

Assume the attacker knows a set of plaintexts ''P'' and ciphertexts ''C'' that satisfy the following:

<math> C=ENC_{k_2}(ENC_{k_1}(P)) </math> <br />
<math> P=DEC_{k_1}(DEC_{k_2}(C)) </math>

where ''ENC'' is the encryption function, ''DEC'' the decryption function defined as ''ENC<sup>-1</sup>'' (inverse mapping) and ''k<sub>1</sub>'' and ''k<sub>2</sub>'' are two keys.

The attacker can then compute ''ENC<sub>k<sub>1</sub></sub>(P)'' for all possible keys ''k<sub>1</sub>'' and then decrypt the ciphertext by computing ''DEC<sub>k<sub>2</sub></sub>(C)'' for each ''k<sub>2</sub>''. Any matches between these two resulting sets are likely to reveal the correct keys. (To speed up the comparison, the ''ENC<sub>k<sub>1</sub></sub>(P)'' set can be stored in an in-memory lookup table, then each ''DEC<sub>k<sub>2</sub></sub>(C)'' can be matched against the values in the lookup table to find the candidate keys.)

This attack is one of the reasons why DES was replaced by [[Triple DES]] — "Double DES" does not provide much additional security against exhaustive key search for an attacker with 2<sup>56</sup> space.<ref>{{cite journal|last=Zhu|first=Bo|coauthors=Guang Gong|title=MD-MITM Attack and Its Applications to GOST, KTANTAN and Hummingbird-2|journal=eCrypt|year=2011}}</ref> However, Triple DES with a "triple length" (168-bit) key is vulnerable to a meet-in-the-middle attack in 2<sup>56</sup> space and 2<sup>112</sup> operations.<ref>{{cite journal|last=Moore|first=Stephane|title=Meet-in-the-Middle Attacks|date=November 16, 2010|pages=2|url=http://stephanemoore.com/pdf/meetinthemiddle.pdf}}</ref>

[[File:1D MITMNEW.png|thumb|upright=1.5|An illustration of 1D-MITM attack]]

Once the matches are discovered, they can be verified with a second test-set of plaintext and ciphertext.
| |
| | |
=== MITM algorithm ===

Compute the following:
*'''<math>SubCipher_1=ENC_{f_1}(k_{f_1},P) </math> ∀ <math> k_{f_1} </math> ∈ <math> K </math>''':
: and save each <math> SubCipher_{1} </math> together with corresponding <math> k_{f_1} </math> in a set A
*'''<math> SubCipher_1=DEC_{b_1}(k_{b_1},C)</math> ∀ <math> k_{b_1} </math> ∈ <math> K </math>''':
: and compare each new <math> SubCipher_1 </math> with the set A

When a match is found, keep ''k<sub>f<sub>1</sub></sub>,k<sub>b<sub>1</sub></sub>'' as candidate key-pair in a table ''T''. Test pairs in ''T'' on a new pair of ''(P,C)'' to confirm validity. If the key-pair does not work on this new pair, do MITM again on a new pair of ''(P,C)''.
| |
| | |
=== MITM complexity ===

If the key size is ''k'', this attack uses only 2<sup>k+1</sup> encryptions (and decryptions), and ''O(2<sup>k</sup>)'' memory in case a look-up table has been built for the set of forward computations, in contrast to the naive attack, which needs 2<sup>2·k</sup> encryptions but ''O(1)'' space.
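The 1D-MITM algorithm and its cost, as an added Python example that is not part of the original article: it applies the steps above to double encryption and shows why a second key adds so little against exhaustive search. The toy 16-bit cipher (<code>enc</code>/<code>dec</code>), the 12-bit keys and the plaintexts are all constructed for illustration.

```python
from collections import defaultdict

MASK, ROUNDS, KEY_BITS = 0xFFFF, 4, 12      # 16-bit block, 12-bit keys (toy sizes)
MUL = 0x9E35                                # odd, so invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)

def _round_key(key, r):
    return (key * 0x0B4D + r * 0x3C6F) & MASK

def enc(key, x):
    """Toy keyed permutation on 16-bit blocks (constructed for this example)."""
    for r in range(ROUNDS):
        x = ((x ^ _round_key(key, r)) * MUL) & MASK
        x = ((x << 5) | (x >> 11)) & MASK    # rotate left by 5
    return x

def dec(key, y):
    """Inverse of enc: undo the rounds in reverse order."""
    for r in reversed(range(ROUNDS)):
        y = ((y >> 5) | (y << 11)) & MASK    # rotate right by 5
        y = ((y * MUL_INV) & MASK) ^ _round_key(key, r)
    return y

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))

def mitm(pairs):
    """Return (candidate table T, entries of T that survive the extra (P, C) pairs)."""
    (p0, c0), extra = pairs[0], pairs[1:]
    forward = defaultdict(list)              # set A: ENC_k1(P) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        forward[enc(k1, p0)].append(k1)
    table_t = [(k1, k2)                      # backward pass meets set A in the middle
               for k2 in range(1 << KEY_BITS)
               for k1 in forward.get(dec(k2, c0), ())]
    confirmed = [(k1, k2) for k1, k2 in table_t
                 if all(double_enc(k1, k2, p) == c for p, c in extra)]
    return table_t, confirmed

# Constructed sample data: two secret keys and three known plaintexts.
K1, K2 = 0xA5C, 0x3E1
PAIRS = [(p, double_enc(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    table_t, confirmed = mitm(PAIRS)
    print(f"cipher calls in the meet phase: {2 << KEY_BITS} "
          f"(naive search: {1 << 2 * KEY_BITS} key pairs)")
    print(f"candidates after one pair: {len(table_t)}; confirmed: {confirmed}")
```

Because the combined key (24 bits) is longer than the block (16 bits), the first pair alone leaves many false candidates in ''T''; the additional ''(P,C)'' pairs are what narrow it down.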
| |
| | |
== Multidimensional-MITM ==
{{Original research|section|date=May 2013}}

While 1D-MITM can be efficient, a more sophisticated attack has been developed: the '''Multi Dimensional-Meet In The Middle attack''', also abbreviated '''MD-MITM'''. It is preferred when the data has been encrypted using more than 2 encryptions with different keys. Instead of meeting in the middle (one place in the sequence), the MD-MITM attack attempts to reach several specific intermediate states using the forward and backward computations at several positions in the cipher.<ref name="ZhuGuang2011">{{cite journal|last=Zhu|first=Bo|coauthors=Guang Gong|title=MD-MITM Attack and Its Applications to GOST, KTANTAN and Hummingbird-2|journal=eCrypt|year=2011|url=http://eprint.iacr.org/2011/619/}}</ref>

Assume that the attack has to be mounted on a block cipher, where the encryption and decryption are defined as before:

<math> C=ENC_{k_n}(ENC_{k_{n-1}}(...(ENC_{k_1}(P))...))</math> <br />
<math> P=DEC_{k_1}(DEC_{k_2}(...(DEC_{k_n}(C))...))</math>

that is, a plaintext ''P'' is encrypted multiple times using a repetition of the same block cipher.

[[File:MD MITMNEW.png|thumb|center|upright=4|An illustration of MD-MITM attack]]

The MD-MITM has been used for the cryptanalysis of, among many others, the [[GOST (block cipher)|GOST block cipher]], where it has been shown that a 3D-MITM significantly reduced the time complexity of an attack on it.<ref name="ZhuGuang2011" />
| |
| | |
=== MD-MITM algorithm ===

Compute the following:
*'''<math> SubCipher_1=ENC_{f_1}(k_{f_1},P)</math> ∀ <math> k_{f_1} </math> ∈ <math> K </math>''':
: and save each <math>SubCipher_1</math> together with corresponding <math>k_{f_1}</math> in a set <math>H_1</math>.

*'''<math> SubCipher_{n+1}=DEC_{b_{n+1}}(k_{b_{n+1}},C) </math> ∀ <math> k_{b_{n+1}} </math> ∈ <math> K </math>''':
: and save each <math>SubCipher_{n+1}</math> together with corresponding <math>k_{b_{n+1}}</math> in a set <math>H_{n+1}</math>.

For each possible guess on the intermediate state <math>s_1</math> compute the following:

*'''<math> SubCipher_1=DEC_{b_1}(k_{b_1},s_1) </math> ∀ <math> k_{b_1} </math> ∈ <math>K</math>''':
: and for each match between this <math> SubCipher_1 </math> and the set <math> H_1 </math>, save <math> k_{b_1} </math> and <math> k_{f_1} </math> in a new set <math> T_1 </math>.

*'''<math> SubCipher_2=ENC_{f_2}(k_{f_2},s_1) </math> ∀ <math> k_{f_2} </math> ∈ <math> K </math>''':
: and save each <math> SubCipher_2 </math> together with corresponding <math> k_{f_2} </math> in a set <math> H_2</math>.

: For each possible guess on an intermediate state <math> s_2 </math> compute the following:
:: '''1 <math> SubCipher_2=DEC_{b_2}(k_{b_2},s_2) </math> ∀ <math> k_{b_2} </math> ∈ <math> K </math>'''
::: and for each match between this <math> SubCipher_2 </math> and the set <math> H_2 </math>, check also whether it matches with <math> T_1 </math> and then save the combination of sub-keys together in a new set <math> T_2 </math>.

:: '''2 ...'''

::: For each possible guess on an intermediate state <math> s_n </math> compute the following:
:::: '''a) <math> SubCipher_n=DEC_{b_n}(k_{b_n},s_n) </math> ∀ <math> k_{b_n}</math> ∈ <math> K </math> '''
::::: and for each match between this <math> SubCipher_n </math> and the set <math>H_n</math>, check also whether it matches with <math> T_{n-1} </math>, save <math> k_{b_n} </math> and <math> k_{f_n} </math> in a new set <math> T_n </math>.

:::: '''b) <math> SubCipher_{n+1}=ENC_{f_{n+1}}(k_{f_{n+1}},s_n)</math> ∀ <math>k_{f_{n+1}}</math> ∈ <math>K</math>'''
::::: and for each match between this <math>SubCipher_{n+1}</math> and the set <math>H_{n+1}</math>, check also whether it matches with <math>T_n</math>. If this is the case then:

Use the found combination of sub-keys <math>(k_{f_1},k_{b_1},k_{f_2},k_{b_2}, ... ,k_{f_{n+1}},k_{b_{n+1}})</math> on another pair of plaintext/ciphertext to verify the correctness of the key.

Note the nested element in the algorithm. The guess on every possible value of ''s<sub>j</sub>'' is done for each guess on the previous ''s<sub>j-1</sub>''. This makes up an element of exponential complexity in the overall time complexity of this MD-MITM attack.
| |
| | |
=== MD-MITM complexity ===

Time complexity of this attack, without brute force, is <math>2^{|k_{f_1}|}+2^{|k_{b_{n+1}}|}+2^{|s_1|}\cdot(2^{|k_{b_1}|}+2^{|k_{f_2}|}+2^{|s_2|}\cdot(2^{|k_{b_2}|}+2^{|k_{f_3}|}+\cdots))</math>

Regarding the memory complexity, it is easy to see that <math>T_2,T_3,... ,T_n</math> are much smaller than the first built table of candidate values, <math>T_1</math>: as ''i'' increases, the candidate values contained in <math>T_i</math> must satisfy more conditions, so fewer candidates will pass on to the end destination <math>T_n</math>.

An upper bound of the memory complexity of MD-MITM is then

<math> 2^{|k_{f_1}|}+2^{|k_{b_{n+1}}|}+2^{|k|-|s_n|}...</math>

where <math>k</math> denotes the length of the whole key (combined).

The data complexity depends on the probability that a wrong key may pass (obtain a false positive), which is <math>1/2^{|l|}</math>, where <math>l</math> is the intermediate state in the first MITM phase. The size of the intermediate state and the block size are often the same. The number of keys left for testing after the first MITM phase is <math>2^{|k|}/2^{|l|}</math>.

Therefore, after the first MITM phase, there are <math>2^{|k|-b}\cdot 2^{-b} = 2^{|k|-2b}</math> keys, where <math>|b|</math> is the block size.

Each time the final candidate keys are tested on a new plaintext/ciphertext pair, the number of keys that pass is multiplied by the probability that a key may pass, which is <math>1/2^{|b|}</math>.

The brute-force testing part (testing the candidate key on new ''(P,C)''-pairs) has time complexity <math>2^{|k|-b}+2^{|k|-2b}+2^{|k|-3b}+2^{|k|-4b}+\cdots</math>; clearly, for increasing multiples of ''b'' in the exponent, the number tends to zero.

By similar reasoning, the data complexity is restricted to around ⌈<math>|k|/n</math>⌉ ''(P,C)''-pairs.

Below is a specific example of how a 2D-MITM is mounted:
| |
| | |
== A general example of 2D-MITM ==

This is a general description of how 2D-MITM is mounted on a block cipher encryption.

In two-dimensional MITM (2D-MITM), the method is to reach 2 intermediate states inside the multiple encryption of the plaintext. See the figure below:

[[File:2D MITMNEW.png|thumb|upright=2|An illustration of 2D-MITM attack]]
| | |
=== 2D-MITM algorithm ===

Compute the following:
* ''' <math> SubCipher_1=ENC_{f_1}(k_{f_1},P)</math> ∀ <math> k_{f_1} </math> ∈ <math> K </math>'''
: and save each <math> SubCipher_1 </math> together with corresponding <math> k_{f_1} </math> in a set A
* ''' <math> SubCipher_2=DEC_{b_2}(k_{b_2},C)</math> ∀ <math> k_{b_2} </math> ∈ <math> K </math>'''
: and save each <math> SubCipher_2 </math> together with corresponding <math> k_{b_2} </math> in a set B.

For each possible guess on an intermediate state ''s'' between <math>SubCipher_1</math> and <math>SubCipher_2</math> compute the following:
:1 <math> SubCipher_1=DEC_{b_1}(k_{b_1},s)</math> ∀ <math> k_{b_1} </math> ∈ <math> K </math>
:: and for each match between this <math>SubCipher_1</math> and the set A, save <math>k_{b_1}</math> and <math>k_{f_1}</math> in a new set T.

:2 <math> SubCipher_2=ENC_{f_2}(k_{f_2},s) </math> ∀ <math> k_{f_2} </math> ∈ <math> K </math>
:: and for each match between this <math>SubCipher_2</math> and the set B, check also whether it matches with T for
:: if this is the case then:

Use the found combination of sub-keys <math>(k_{f_1},k_{b_1},k_{f_2},k_{b_2})</math> on another pair of plaintext/ciphertext to verify the correctness of the key.
| |
| | |
=== 2D-MITM complexity ===

Time complexity of this attack, without brute force, is

<math>2^{|k_{f_1}|}+2^{|k_{b_2}|}+2^{|s|}\cdot(2^{|k_{b_1}|}+2^{|k_{f_2}|})</math>

where |⋅| denotes the length.

Main memory consumption is restricted by the construction of the sets ''A'' and ''B'', where ''T'' is much smaller than the others.

For data complexity, see the subsection on complexity for MD-MITM.
| |
| | |
==See also==
*[[Space–time tradeoff]]
*[[Birthday attack]]
*[[Triple DES]]
*[[Data Encryption Standard]]
*[[GOST (block cipher)]]
*[[Brute-force attack]]

==References==

{{reflist}}

{{cryptography navbox | block}}

[[Category:Cryptographic attacks]]