Shostack + Friends Blog Archive


A Cha-cha all the way to the bank


On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.

First is the price: about €9,000. Second, there’s the performance: a complete DES keyspace sweep in a fortnight. That’s not bad if you think about Deep Crack and what you’d expect from normal semiconductor advances.

The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you’re clever, you can break this token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then with a fortnight of computing, you can generate any one-time password the real owner can.

Maddeningly, there are other systems based on AES or some other crypto that aren’t at all vulnerable to this attack — because they have better keys. People who are vulnerable to this attack need not be.

Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It’s also negligent, when it’s so easy to get shot.

Photo courtesy of Imagem Compartilhada.

2 comments on "A Cha-cha all the way to the bank"

  • rob sama says:

    Cha Cha Cha with Klaus Flouride.
    Copacabana is in Brazil. And though I’ve never been to Cozumel, Copacabana is truly awesome.
    Sorry, this comment is completely irrelevant. Forget I made it.

  • Chris says:

    The project’s web page mentions that the beach’s name is spelled differently. IIRC, the club in the Manilow song is in Miami.
    Not my area of expertise, however. Then again, Enrique Iglesias is probably a lousy sysadmin.
