
It's nice to recover an image but encryption keys are not that. One bit flip and it's game over. This experiment is more useful for human-readable document forensics than anything else.

If from a 128 bit key 120 are correct, it's trivial to figure out the others, even if you don't know which bits are the flipped ones.

Cryptographers worry even when a few key bits are leaked.

> If from a 128 bit key 120 are correct, it's trivial to figure out the others, even if you don't know which bits are the flipped ones.

Can you elaborate a bit? Off the top of my head, I feel like that scenario would leave 128-choose-8 possibilities open, or about 1.4 trillion. Are we calling that "trivial" or am I misunderstanding the attack?

(If you're calling that "trivial", I think that could be reasonable in a cryptography context where you're considering attackers with a lot of resources. It's just different from how I usually use that word. I don't disagree with your conclusion that leakage of even a few bits is worth worrying about.)

If it's 1.4T it depends on what you're using it for. Someone on SO has a verify speed for 512 bit RSA keys at 350k/second, which would leave it at, I think, a month and a half to run 1.4T. That's a random user and a single machine. ECDSA 128 bit verify maybe 6k/s on a single core of a not-great CPU. That puts you about a month or two of a moderate machine assuming there's no fancy GPU things for doing it.

These are symmetric keys - AES, not ECDSA. Much faster to test.
> scenario would leave 128-choose-8 possibilities open

That only amounts to log2(C(128, 8)) ~= 40.3.

Your encryption key is now just 40-bit strength.

A NVIDIA 3090 with HashCat can do 3 billion AES decryptions per second. That would test all 1.4 trillion in less than an hour.
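The arithmetic in this comment (128-choose-8 candidates, about 40 bits of remaining strength, under an hour at 3 billion AES trials per second) generalises to any key length, any number of flipped bits, and the case where the attacker only knows an upper bound on the flips rather than the exact count. The following Python is an added example written for this thread, not code from any commenter; the 3e9 trials/second figure is the thread's own number and is used here only as a constructed parameter for the risk estimate.

```python
import math


def candidate_keys(key_bits: int, flips: int, exact: bool = False) -> int:
    """Size of the search space once a damaged copy of the key is in hand.

    exact=True : the number of flipped bits is known to be exactly `flips`
                 (positions unknown) -> C(key_bits, flips) candidates.
    exact=False: only an upper bound is known -> every key within Hamming
                 distance `flips` of the recovered bytes is a candidate.
    """
    if flips < 0 or flips > key_bits:
        raise ValueError("flips must lie in [0, key_bits]")
    if exact:
        return math.comb(key_bits, flips)
    return sum(math.comb(key_bits, k) for k in range(flips + 1))


def effective_strength_bits(key_bits: int, flips: int, exact: bool = False) -> float:
    """Remaining key strength, i.e. log2 of the candidate count.

    With an undamaged copy (flips=0) this is 0 bits: the key is simply known.
    Without any recovered material the attacker still faces the full key_bits.
    """
    return math.log2(candidate_keys(key_bits, flips, exact))


def brute_force_seconds(key_bits: int, flips: int, trials_per_second: float,
                        exact: bool = False) -> float:
    """Worst-case time to exhaust the candidate set at the given trial rate."""
    return candidate_keys(key_bits, flips, exact) / trials_per_second


def risk_summary(key_bits: int, flips: int, trials_per_second: float,
                 exact: bool = False) -> dict:
    """Convenience view for a risk write-up: how much of the key is really left."""
    n = candidate_keys(key_bits, flips, exact)
    return {
        "candidates": n,
        "strength_bits": round(effective_strength_bits(key_bits, flips, exact), 2),
        "strength_lost_bits": round(key_bits - effective_strength_bits(key_bits, flips, exact), 2),
        "hours_to_exhaust": brute_force_seconds(key_bits, flips, trials_per_second, exact) / 3600,
    }


if __name__ == "__main__":
    # Constructed parameters taken from the discussion: a 128-bit AES key,
    # 8 flipped bits, and roughly 3e9 AES trials per second on one GPU.
    RATE = 3e9
    for label, kwargs in [
        ("exactly one flip, position unknown", dict(flips=1, exact=True)),
        ("exactly 8 flips, positions unknown", dict(flips=8, exact=True)),
        ("at most 8 flips", dict(flips=8, exact=False)),
        ("at most 38 flips (~30% damage)", dict(flips=38, exact=False)),
    ]:
        print(f"{label:40s} {risk_summary(128, trials_per_second=RATE, **kwargs)}")
```

The `exact=False` case matters for the later sub-thread about not knowing how many bits were flipped: summing the binomial terms up to the bound adds well under one bit of strength over the exact-count case, which is why "I don't know how many flipped" does not restore the key's 128-bit security.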

Alright let's test this hypothesis. Load up a bitcoin wallet and post the private key here with 1 random bit flip :)

If you just recovered a secret key, you have no idea how many bits were flipped or their positions or if they were flipped at all or even if it's actually a key rather than random garbage data. Key strength is therefore maintained.

Posting a secret key here and specifying "exactly one bit was flipped" reduces the problem to N guesses where N is the key length since you know all the other N - 1 bits are correct. Leaking just a few bits has catastrophic consequences, in your example all bits except one are leaked.

You can't simultaneously have that key strength is maintained as long as they don't know how many bits are flipped, or where in memory the key was, but also that leaking any number of bits is catastrophic. If your memory dump creates a different distribution on the space of possible keys, it has already compromised the cryptographic security of the key, it's just a question of how much, and the answer here is a lot - even if we had GBs of garbage data, that is still tiny compared to the whole space and can be sifted extremely quickly.
> If your memory dump creates a different distribution on the space of possible keys

Is it possible to determine that this has happened though? If you're trying to recover an image and a bunch of bits are flipped, the result might be somewhat corrupted but a coherent image will still be visible. You know that the data was corrupted and where the damage is. Ciphers have avalanche effects, a single bit flip produces completely unusable output which by design reveals no information.

There is extensive research on key finding attacks. Often they only need 30% of the bits. Things can be sped up by exploiting entropy - keys are really random, unlike most of the rest of your memory, so that filters things down, and as you said, an incorrect key produces total garbage on decrypt, which is easy to detect, so you can automate testing and discarding key candidates. Lastly, if you have knowledge of the applications or algorithms involved, you often get some extra data structure around the keys, which makes searching the memory dump trivial.

All that is to say, yes, this is a viable attack vector, even if some or many of the bits are flipped

I see. Then I was wrong when I said key strength was maintained due to unfounded assumptions.

You might think you're being clever, but specifying exactly 1 random bit flip makes it a completely different scenario.

If you can reliably find the key in memory, even if it's partially damaged, it may be practically possible to recover it. You can try keys sorted by edit distance from the recovered material. Maybe there are better methods taking into account the actual cryptography.

The original comment said "One bit flip and it's game over". Which is clear nonsense, I don't have to specify that there's exactly one bit flip, I just need to know that the key is in that general neighborhood and its security is already compromised.

A passphrase is much shorter than a key and may be in memory multiple times.
