Weak key

Last updated January 16, 2024

In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, a cipher key made by random number generation is very unlikely to give rise to a security problem. Nevertheless, it is considered desirable for a cipher to have no weak keys. A cipher with no weak keys is said to have a flat, or linear, key space.

Historical origins

Virtually all rotor-based cipher machines (from 1925 onwards) have implementation flaws that lead to a substantial number of weak keys being created. Some rotor machines have more problems with weak keys than others, as modern block and stream ciphers do.

The first stream cipher machines were also rotor machines and had some of the same problems of weak keys as the more traditional rotor machines. The T52 was one such stream cipher machine that had weak key problems.

The British first detected T52 traffic in Summer and Autumn of 1942. One link was between Sicily and Libya, codenamed "Sturgeon", and another from the Aegean to Sicily, codenamed "Mackerel". Operators of both links were in the habit of enciphering several messages with the same machine settings, producing large numbers of depths.

There were several (mostly incompatible) versions of the T52: the T52a and T52b (which differed only in their electrical noise suppression), T52c, T52d and T52e. While the T52a/b and T52c were cryptologically weak, the last two were more advanced devices; the movement of the wheels was intermittent, the decision on whether or not to advance them being controlled by logic circuits which took as input data from the wheels themselves.

In addition, a number of conceptual flaws (including very subtle ones) had been eliminated. One such flaw was the ability to reset the keystream to a fixed point, which led to key reuse by undisciplined machine operators.

Weak keys in DES

The block cipher DES has a few specific keys termed "weak keys" and "semi-weak keys". These are keys that cause the encryption mode of DES to act identically to the decryption mode of DES (albeit potentially that of a different key).

In operation, the secret 56-bit key is broken up into 16 subkeys according to the DES key schedule; one subkey is used in each of the sixteen DES rounds. DES weak keys produce sixteen identical subkeys. This occurs when the key (expressed in hexadecimal) is:^[1]

Alternating ones + zeros (0x0101010101010101)
Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
'0xE0E0E0E0F1F1F1F1'
'0x1F1F1F1F0E0E0E0E'

If an implementation does not consider the parity bits, the corresponding keys with the inverted parity bits may also work as weak keys:

all zeros (0x0000000000000000)
all 'F' (0xFFFFFFFFFFFFFFFF)
'0xE1E1E1E1F0F0F0F0'
'0x1E1E1E1E0F0F0F0F'

Using weak keys, the outcome of the Permuted Choice 1 (PC-1) in the DES key schedule leads to round keys being either all zeros, all ones or alternating zero-one patterns.

Since all the subkeys are identical, and DES is a Feistel network, the encryption function is self-inverting; that is, despite encrypting once giving a secure-looking cipher text, encrypting twice produces the original plaintext.

DES also has semi-weak keys, which only produce two different subkeys, each used eight times in the algorithm: This means they come in pairs K₁ and K₂, and they have the property that:

E_{K_{1}}(E_{K_{2}}(M))=M

where E_K(M) is the encryption algorithm encrypting message M with key K. There are six semi-weak key pairs:

0x011F011F010E010E and 0x1F011F010E010E01
0x01E001E001F101F1 and 0xE001E001F101F101
0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1

There are also 48 possibly weak keys that produce only four distinct subkeys (instead of 16). They can be found in a NIST publication.^[2]

These weak and semi-weak keys are not considered "fatal flaws" of DES. There are 2⁵⁶ (7.21 × 10¹⁶, about 72 quadrillion) possible keys for DES, of which four are weak and twelve are semi-weak. This is such a tiny fraction of the possible keyspace that users do not need to worry. If they so desire, they can check for weak or semi-weak keys when the keys are generated. They are very few, and easy to recognize. Note, however, that currently DES is no longer recommended for general use since all DES keys can be brute-forced it's been decades since the Deep Crack machine was cracking them on the order of days, and as computers tend to do, more recent solutions are vastly cheaper on that time scale. Examples of progress are in Deep Crack's article.

List of algorithms with weak keys

DES, as detailed above.
RC4. RC4's weak initialization vectors allow an attacker to mount a known-plaintext attack and have been widely used to compromise the security of WEP ^[3] and ARC4 DMRA DMR.
IDEA. IDEA's weak keys are identifiable in a chosen-plaintext attack. They make the relationship between the XOR sum of plaintext bits and ciphertext bits predictable. There is no list of these keys, but they can be identified by their "structure".
Blowfish. Blowfish's weak keys produce bad S-boxes, since Blowfish's S-boxes are key-dependent. There is a chosen plaintext attack against a reduced-round variant of Blowfish that is made easier by the use of weak keys. This is not a concern for full 16-round Blowfish.
GMAC. Frequently used in the AES-GCM construction. Weak keys can be identified by the group order of the authentication key H (for AES-GCM, H is derived from the encryption key by encrypting the zero block).
RSA and DSA. August 2012 Nadia Heninger, Zakir Durumeric, Eric Wustrow, J. Alex Halderman found that TLS certificates they assessed share keys due to insufficient entropy during key generation, and were able to obtain DSA and RSA private keys of TLS and SSH hosts knowing only the public key.^[4]

No weak keys as a design goal

The goal of having a 'flat' keyspace (i.e., all keys equally strong) is always a cipher design goal. As in the case of DES, sometimes a small number of weak keys is acceptable, provided that they are all identified or identifiable. An algorithm that has unknown weak keys does not inspire much trust.^{[ citation needed ]}

The two main countermeasures against inadvertently using a weak key:

Checking generated keys against a list of known weak keys, or building rejection of weak keys into the key scheduling.
When the number of weak keys is known to be very small (in comparison to the size of the keyspace), generating a key uniformly at random ensures that the probability of it being weak is a (known) very small number.

A large number of weak keys is a serious flaw in any cipher design, since there will then be a (perhaps too) large chance that a randomly generated one will be a weak one, compromising the security of messages encrypted under it. It will also take longer to check randomly generated keys for weakness in such cases, which will tempt shortcuts in the interest of 'efficiency'.

However, weak keys are much more often a problem where the adversary has some control over what keys are used, such as when a block cipher is used in a mode of operation intended to construct a secure cryptographic hash function (e.g. Davies–Meyer).

Related Research Articles

Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention, and Schneier recommends Twofish for modern applications.

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

In cryptography, a cipher is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, "cipher" is synonymous with "code", as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

In cryptography, RC4 is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.

<span class="mw-page-title-main">Triple DES</span> Block cipher

In cryptography, Triple DES, officially the Triple Data Encryption Algorithm, is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. A CVE released in 2016, CVE-2016-2183 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, led to NIST deprecating DES and 3DES for new applications in 2017, and for all applications by the end of 2023. It has been replaced with the more secure, more robust AES.

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

Articles related to cryptography include:

This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked (NSA). For classification of keys according to their usage see cryptographic key types.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

In cryptography, key wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as block ciphers and cryptographic hash functions.

In cryptography, the Fluhrer, Mantin and Shamir attack is a stream cipher attack on the widely used RC4 stream cipher. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream.

In cryptography, a distinguishing attack is any form of cryptanalysis on data encrypted by a cipher that allows an attacker to distinguish the encrypted data from random data. Modern symmetric-key ciphers are specifically designed to be immune to such an attack. In other words, modern encryption schemes are pseudorandom permutations and are designed to have ciphertext indistinguishability. If an algorithm is found that can distinguish the output from random faster than a brute force search, then that is considered a break of the cipher.

bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output is in the same format as the input. The meaning of "format" varies. Typically only finite sets of characters are used; numeric, alphabetic or alphanumeric. For example:

The following outline is provided as an overview of and topical guide to cryptography:

crypt is a POSIX C library function. It is typically used to compute the hash of user account passwords. The function outputs a text string which also encodes the salt, and identifies the hash algorithm used. This output string forms a password record, which is usually stored in a text file.

References

↑ FIPS, Guidelines for Implementing and Using the NBS Data Encryption Standard, FIPS-PUB 74, http://www.itl.nist.gov/fipspubs/fip74.htm
↑ NIST, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, page 14
↑ Fluhrer, S., Mantin, I., Shamir, A. Weaknesses in the key scheduling algorithm of RC4 Eighth Annual Workshop on Selected Areas in Cryptography (August 2001), http://citeseer.ist.psu.edu/fluhrer01weaknesses.html
↑ "Research Paper - factorable.net". factorable.net. Retrieved 2020-06-26.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] FIPS, Guidelines for Implementing and Using the NBS Data Encryption Standard, FIPS-PUB 74, http://www.itl.nist.gov/fipspubs/fip74.htm

[2] NIST, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, page 14

[3] Fluhrer, S., Mantin, I., Shamir, A. Weaknesses in the key scheduling algorithm of RC4 Eighth Annual Workshop on Selected Areas in Cryptography (August 2001), http://citeseer.ist.psu.edu/fluhrer01weaknesses.html

[4] "Research Paper - factorable.net". factorable.net. Retrieved 2020-06-26.

[1]

[2]

[3]

[4]