3DES(CBC)算法破解

MTC3 Brute-Force-Attack on Triple-DES with Reduced Key Space

https://www.mysterytwisterc3.org/en/challenges/level-ii/brute-force-attack-on-triple-des-with-reduced-key-space

题目当中：“对于这个挑战，密钥不是随机生成的，而是选择了一种可以轻松重建的方式:作者只是使用了在2006年建造的被描述机器的名称，并添加了六个有意义的数字。然后，他将这个包含字符和数字的字符串转换为十六进制表示，并使用结果作为键。对于这个挑战，你可以发现一个密文文本在文文件中(mtc3-shoellhammer-01-3des.txt)，使用此密钥使用2-Key
Triple-DES (CBC)加密。明文的第一行就是这个挑战的解决方案。”

  首先可以根据题意“作者使用了在2006年建造的被描述机器的名称”，所以我们先去找这个机器的名字叫什么，在百度百科词条1998年建造的机器EFF-DES破解机中，我们找到了：

  得出密钥的前十位为“COPACOBANA”,然后题目中告诉我们剩下的6位是数字，所以我们可以采用暴力破解的方式，从0-999999进行循环。
  但是有个问题：用999999个密钥去破解整个密文文本，然后一个一个去观察明文确定哪一个是正确的密钥这显然不现实。所以我们只破解第一行的密文，之后用代码自动判断哪一个明文是999999个明文中，正确的密钥解密得到的明文：

  我们可以看到错误的密钥，对明文的解密得到的依旧是16进制字符串，所以我们可以认为正确的明文不是16进制字符串，当出现一个明文不含有“\x”的16进制字符串的标志时，我们就认为它是正确的密文。
  但是这样竟然没有找到一个正确答案。。。所以我们换了个思路，找到一个出现“\x”的16进制字符串的标志次数最少的明文，我们就认为它是正确的密文：

所以我们得到密钥为COPACOBANA008880，得出密钥所用的代码:

# py -3
# coding:utf-8
import re
from Crypto.Cipher import DES3
import binascii

if __name__ == '__main__':
    # data = 'FC3455BF7BC0C27D7A88A7349B807CB541380887336B0A084C11128529D0F4C1'
    # 第一行密文字节
    ciphertext = b'\xFC\x34\x55\xBF\x7B\xC0\xC2\x7D\x7A\x88\xA7\x34\x9B\x80\x7C\xB5\x41\x38\x08\x87\x33\x6B\x0A\x08\x4C\x11\x12\x85\x29\xD0\xF4\xC1'

    # min记录\x最少的值
    min = 100
    for k in range(0, 999999 + 1):
        # 不足6位数的地方填充0
        tmp = str(k).zfill(6)
        # 密钥循环，key='COPACOBANA008880';
        key = 'COPACOBANA' + tmp
        # 转化为密钥字节
        key1 = bytes(key, 'utf-8')
        # 初始向量，需为8的倍数,做过PA2应该理解它的含义  DES3.MODE_CBC
        cipher = DES3.new(key1, DES3.MODE_CBC, b"00000000")
        plaintext = cipher.decrypt(ciphertext)

        # 输出当前密钥
        # print("密钥：", key)
        # 输出当前密钥解密出的明文
        # print("明文：", plaintext)

        # 把16进制明文转成字符串
        plaintext = str(plaintext)
        # 当前明文中的'\x'个数
        num = len(re.findall('\\\\x', plaintext))
        # 找到\x最少的明文
        if num < min:
            min = num
            # 正确的明文
            truePlaintext = plaintext
            # 正确的密钥
            trueKey = key
    print("key:", trueKey)
    print(truePlaintext[2:-1])

之后我们再用密钥COPACOBANA008880，解密完整的密文得到完整的明文：
源代码：

import re
import binascii
from Crypto.Cipher import DES3
if __name__ == '__main__':
   with open( 'mtc3-shoellhammer-01-3des.txt','r') as fp:
       # 密文字符串，并且去掉空格和回车
      ciphertext = "".join(fp.read().split())

   # 字符串转字节
   ciphertext = ciphertext.encode('utf-8')

   # 字节转16进制字节
   ciphertext = binascii.a2b_hex(ciphertext)
   
   key='COPACOBANA008880'
   #密钥字符串转字节
   keyBytes=bytes(key,'utf-8')
  
   # 初始向量，需为8的倍数,做过PA2应该理解他的含义  DES3.MODE_CBC
   cipher = DES3.new(keyBytes,DES3.MODE_CBC,b"00000000")
   plaintext = cipher.decrypt(ciphertext)
  # 字节转换成字符
   plaintext = str(plaintext)[2:-1]
   print(key)
   print(plaintext)

运行结果：

成功解密，只是其中的\r\n被解释成了普通字符串，没有回车换行。
在Linux系统终端中输出的明文字符串是可以自动换行的：

最终解密出来的明文：

x_G\x10D_\x10rreak DES for 8,980 Euro

S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, A. Rupp, M. Schimmler, “How
to Break DES for Euro 8,980”. 2nd Workshop on Special-purpose
Hardware for Attacking Cryptographic Systems � SHARCS 2006, Cologne,
Germany, April 3�4, 2006.

Abstract:

Cryptanalysis of symmetric and asymmetric ciphers is computationally
extremely demanding. Since the security parameters of almost all
practical crypto algorithms are chosen such that attacks with
conventional computers are computationally infeasible, the only
promising way to tackle existing ciphers (in the absence of
mathematical breakthroughs) is to build special-purpose hardware.
Dedicating those machines to the task of cryptanalysis holds the
promise of a dramatically improved cost-performance ratio so that
breaking of commercial ciphers comes within reach.

This contribution describes the design and realization of the
reprogrammable machine COPACOBANA (Cost-Optimized Parallel Code
Breaker), which is optimized for running cryptanalytical algorithms.
The primary design goal was to produce a re-programmable low-cost
design for less than BC 10,000 which is applicable for attacking the
Data Encryption Standard (DES) in less than nine days.

It will be shown that the architecture outperforms conventional
computers by several orders of magnitude. Fully configured, COPACOBANA
hosts 120 low-cost FPGAs and is able to perform an exhaustive key
search of DES at a rate of more than 235 keys per second, yielding an
average search time of less than nine days. For this, we used the
high-speed DES engine design of the Universite Catholique de Louvain’s
Crypto Group.

We provide a real-world example by giving an estimate of an attack
with COPACOBANA against a formerly popular encryption tool (Norton
Diskreet). Due to a cryptographical weak key derivation function it
can be broken in very little time by applying a smart key search. As a
further application, COPACOBANA can also be used to attack machine
readable travel documents (ePass).

COPACOBANA is suitable for computational problems which are
parallelizable and have low communication requirements. The hardware
can be used, e.g., to attack elliptic curve cryptosystems and to
factor numbers. COPACOBANA is intended to, but not necessarily
restricted to solving problems related to cryptanalysis.

是一篇2006年的论文《How to Break DES for Euro 8,980》：

根据题目中“明文的第一行就是这个挑战的解决方案”，所以答案应该就是：How to Break DES for 8,980 Euro。