Login/Register
Why can I encrypt data with one DES key and successfully decrypt with another?
Asked Answered
Solved pythoncryptographydesencryption-symmetricpycrypto
R

2

8

I tried to implement DES algorithm using pyDes and Crypto.Cipher.DES modules. I found a problem that when I encrypt with 82514145 key and then decrypt the cipher with 93505044 I can retrieve the decrypted text. I found 256 keys behaving like this. This is violation of cryptography. My code is as follows:

    from Crypto.Cipher import DES
    plain_text = 'asdfghij'
    print 'plain Text: ', plain_text

    des = DES.new('82514145', DES.MODE_ECB)
    cipher_text = des.encrypt(plain_text)
    print 'the cipher text is ', cipher_text

    des = DES.new('93505044', DES.MODE_ECB)
    print 'the decrypted text is: ', des.decrypt(cipher_text)

Output is: 

plain Text:  asdfghij

the cipher text is  @�Z����

the decrypted text is:  asdfghij

Is there any mistake in my work? I got same results with pyDes also.

Ranitta answered 22/4, 2014 at 9:53 Comment(1)
Same case was observed in Different block cipher modes of DESRanitta
C
9

DES keys are only 56 bits long, but they are expanded to 64 bits thanks to parity bits. The eighth bit of each byte should be set to ensure odd parity.

Many crypto libraries ignore parity bits, which means there are many ways to represent the same 56-bit key in a 64-bit key string. In fact, there are 28 different ways, which explains why you found 256 matching keys.

Your example includes two key values that differ only in parity bits. See below - parity bits are in []:

82514145 
= 0x3832353134313435 
= 0011100[0] 0011001[0] 0011010[1] 0011000[1] 0011010[0] 0011000[1] 0011010[0] 0000000[0]

93505044 
= 0x3933353035303434 
= 0011100[1] 0011001[1] 0011010[1] 0011000[0] 0011010[1] 0011000[0] 0011010[0] 0000000[0]

Neither key is actually truly valid. The correct representation of that key is: 0x3832343134313401.

Cletuscleve answered 22/4, 2014 at 10:21 Comment(4)
Thank you very much for making me clear that those keys actually corresponds to a unique key ...Ranitta
Can u help me in sortig out how openssl library deal with 8 byte keys that these 256 matching keys maps to corresponding unique cipher ?? Thanks in advance :)Ranitta
@Ranitta If you have a new question, please post it separately. Feel free to reference this question for further reading. Also feel free to ping me the link in a comment so I can find it.Cletuscleve
#23248433Ranitta
O
3

This is a great example of why you should never use a user provided password as a key itself in a key in a cipher. You should use a key derivation function instead.

Also, you shouldn't be using DES for purposes other than education, as it's generally regarded as being insecure. The key is considered too short nowadays, and there are some known attacks to reduce its complexity.

Oby answered 22/4, 2014 at 10:20 Comment(6)
-1 This is not an example of why using passwords as keys are bad. Firstly, there is no sign of passwords being used directly as keys in the code example. Secondly, this isn't the cause of the problem - the ignored parity bits are the cause. Your points about key length and the general observation about passwords are quite valid.Cletuscleve
@Duncan DES.new creates a new cipher instance using 82514145 as a raw binary key. It's arguable whether 82514145 is "a password", but one of the main problems that KDFs solve is that of avoiding predictable patterns in the key that may interfere with the expected behavior of the cipher, which, in my opinion, is what is happening, as you documented in your answer.Oby
We have no idea where the key value is coming from, so we cannot assume it's a password. Using a KDF will produce good keys from a password, but they will be entirely random and will still exhibit the same behaviour explained in my answer if they differ only in parity bits.Cletuscleve
@Duncan Note I'm not saying it's a password - merely that the example key exhibits patterns, and that using a KDF makes this kind of problem much less likely. It's trivial to find two ascii printable keys that exhibit this behaviour, but much harder to do so when they are run through a KDF. I certainly agree that your answer is the most appropriate to the question posed, but I think this information is still worth mentioning.Oby
Ah, I see. You're looking at this from the perspective of subverting the system by trying different keys/passwords. That makes more sense!Cletuscleve
#23249756Ranitta

© 2022 - 2024 — McMap. All rights reserved.