A Cha-cha all the way to the bank
On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.
First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a fortnight. That’s not bad. If you think about Deep Crack and what you’d expect from normal semiconductor advances.
The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you’re clever, you can break this token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then with a fortnight’s of computing, you can generate any one-time password the real owner can.
Maddeningly, there are other systems based on AES or some other crypto that aren’t at all vulnerable to this attack — because they have better keys. People who are vulnerable to this attack need not be.
Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It’s also negligent, when it’s so easy to get shot.
Photo courtesy of Imagem Compartilhada.