Understanding DES

[cayoenrique]

My friend @Me2019H wants to keep up with tutorials. See his post https://www.sat-universe.com/index.php?threads/understanding-csa.319490/post-2037249506

Now as I said most popular CAS here has been powervu and tandberg. I guess Data Encryption Standard (DES) is been used in both. Powervu uses DES to encrypt video. Tanberg used DES as part of the ECM cypher algorithm.
You can read more in wiki

https://en.wikipedia.org/wiki/Data_Encryption_Standard
https://en.wikipedia.org/wiki/DES_supplementary_material

Now I will start by asking you all, if any one knows, a Tool in this forum to crack DES?
I know there are a few external programs that are build for Password Cracking that may include DES. For example John the Ripper, merikens-tripcode , hashcat or oclHashcat-plus variant.

In general we can find sources for DES as part of OpenSSL Libcrypto or oscam sources.
Just see

https://github.com/oscam-emu/oscam-patched/tree/master/cscrypt
https://raw.githubusercontent.com/oscam-emu/oscam-patched/master/cscrypt/des.c

Again I am asking you all, if any one knows, a Tool in this forum to crack DES?

 

[K2TSET]

Here is a FPGA version for many cores in parallel, have not tried myself but looks pretty good documented
https://github.com/aletempiac/DES-cracker

 

[cayoenrique]

I see K2TSET and I get happy.
I had a few bad years in SU where some users kept some what harassing me without any real reason. My best guess was that I agree with an old master that no longer post here. In any case, at that bad time, K2TSET ignore those and kept working helping me from time to time. The sad part was that even when he help and I learn a lot, I could not find any significant solution to post.

I am pretty interested in FPGA. But the companies that are behind FPGA are to greedy. They have so many Rules that you have to agree before they allow you to get to the code. If you read the small letters in their so called license you will notice they reserve so many rights that they in fact own your own code. I am a Open Source guy, I can not allow a company to claim that what I offer to the community belongs to them. Still I recognize that FPGA is a technology we should all learn.

Irdeto uses DES and many other. It is used in CS key sharing as a protection for IKS. I do not know why no one in sat community have work more in DES solution. The only ones that I know are PowerVu HomeEdition that internally most have DES capabilities and I know that K2TSET have some FPGA capabilities. But there is no real tool that I know that you can grab to experiment.

Yes key is 56 bits biger that 48bit CSA. But people DES code is faster. From what I recalled it takes longer than CSA for a full bruteforce key attack. But it is feasible.

 

[cayoenrique]

I for got, here the original specification

http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

And here a sample C code
des_cscrypt_001.zip (15.03 KB)

https://workupload.com/file/fHaS6UsHKVU

 

[Me2019H]

Since the DES is down, why is powervu and tandberg still using it?
YOU put a program decrypt it why hasn't decrypy ECM yet?

 

[cayoenrique]

Since the DES is down, why is powervu and tandberg still using it?...

@Me2019H DES is not down, you mean Obsolete.
Yes you are correct, DES is as Obsolete as CSA, But operators still using it. Operators will require Newer and Faster CPU. And just as Car Idustry can not get enough new CPU for the CARS, then the operators will not find cheap new faster CPU for new technologies. So they keep using old technology to have cheaper receivers build.

...YOU put a program decrypt it why hasn't decrypy ECM yet?

I could, but the Idea is to create like a teaching class. And you will ask next how can I brute force it? And I will have to tell you that there is not tool available... see my point. Better have the opencl tool 1rst, then I will show you the mechanism.
In any case soon after my next post I will provide a tandberg ECM sample so you can have a taste of it.

 

[cayoenrique]

For the most part this is the same program as before. I only made small changes, changes that we need to move into OpenCL.
For example, removed all unnecessary subroutines and arrays now have dimension of 1. Opencl 1.2 do not allow multidimensional arrays.

des_cscrypt_003.zip (9.75 KB)

https://workupload.com/file/DbxtzwUDPrU

And I did forgot to post last nist.gov published on DES

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf

I seen no post with questions other that @Me2019H @K2TSET , so I will just do quick overview

DES is a USA invention, officially published in 1977. Yes very old.

Even when DES Block size is 8 bytes, due to USA Export controls key length was set to ONLY use 56 bits. Transmitted as 8 bytes each with odd parity.

Now DES is strange to me. It is a Block cypher that work in bits. Remember Stream Cypher was the one that works in bits!!

Input Data = Unencrypted Data of 8 Bytes or 64bits.
Output Data = Encrypted Data of 8 Bytes or 64bits.
If you recalled my explanations, Encryption tries to force use of may steps witch only purpose is to require you to spent lots of time. It is this consumption of time that is the base of encryption security. As Brut-force attack will require so much time that you get Old before you get the KEY.

So encryption uses Loops, Sboxes and permutations to hide the real value. In the image you may not see the Loop but if you look careful you see it repeats 16 times. On every Iteration it requires 1 key. So again there is a Key schedule process that takes the REAL 56bits Key and uses permutations to create 16 new Keys of size 48 bits. This are K1 --> K16

Now Look carefully. We have 1 Initial permutations of the Input Data called Initial Permutation
We have another permutation at the end just before ir returns the Output Data called Inverse Initial Permutation

The 64 bit permuted Input Data is divided in two. The right side register and the left side register.
Encryption is ONLY perform per Iteration on the left side!!
At the end of every Iteration the Left Side is SWAP with the Right side and the process is repeated 16 times.

The basic characteristic of DES encryption is to move bits out of original position. In byte digital programing Splitting bytes in to bits and moving it bits to other positions, just to recombine in bytes is a process that takes time.

Now just as a reference. CSA is 48bit and if you can use CUDABIS on one of the latest GPU you could do all test in 1 day.
Now DES Key is 56 bits. This means it has 8 more bits. This 8 bits represent 256 (2^8 =) times harder. In other words you could expect just in this factor that you will required 256 days on best GPU to break DES KEY!!!!

Now DES was created when GPU or even Bitslice was unknown. This makes DES perfect for bitslice as it has no designed protection against such implementation.

Now I would not go into a detail bitslice definition. Use this as refernce, but do not put a lot on effort understanding. Bitslice can be confusing if you do not see it first in use.

https://usubalang.github.io/usuba/2020/01/14/bitslicing.html
https://timtaubert.de/blog/2018/08/bitslicing-an-introduction/
https://timtaubert.de/blog/2018/08/bitslicing-with-karnaugh-maps/
https://timtaubert.de/blog/2018/08/bitslicing-with-quine-mccluskey/

In a bitsliced implementation, instead of having a single KEY/DATA storing a, say, 64-bit number ( DES=8Byte=64bit), you use instead 64 BS variables. Where BS stand for Bit slice.
Because GPU variables are 32bit long and we used ONLY 1bit, we have then 31 EXTRA bits empty. We can then have 32 Key store on each of our BS variables.
So when we process 1 BS variables we in fact are resolving 32 keys in parallel.
Now the most important aspect of DES bitslice is that, the process is in fact performed in BITS as BS variables contains just 1bit of 32keys!!

NOW PLEASE remember when I say
The basic characteristic of DES encryption is to move bits out of original position. In byte digital programing Splitting bytes in to bits and moving it bits to other positions, just to recombine in bytes is a process that takes time.

So here is where we perform MAGIK. If I remove Splitting bytes in to bits and moving it bits to other positions, because BS variables are already bits, then I also remove takes time. !!! So bitslice then is FASTER.

What all this means? Just as with CSA I do not have on hand a DES OpenCL program. But we can build it if you give me a few days.

Soon I will provide you with a OpenCl program base on des_cscrypt_003, It should be slow as des_cscrypt_003 reads to many tables. Reading memory is a slow process in GPU.

After that we will try to create a DES using bitslice. This is where I will prove that we will NOT need 256 days on best GPU to break DES KEY. My best guess around 15 days. Hey do not complain. That is better than what you have now, witch is no tool, witch mean you can do it in NEVER time.

 

[Me2019H]

What you want to achieve is to find the fastest way to decrypt the DES to decrypt ECM to obtain the Key
But I think there is more than one algorithm that is used to decrypt ECM for example DES then 3DES ...
By the way, please put some comments in the code so that programmers can understand it

 

[cayoenrique]

For me the most simplest of the ECM is Tandberg ECM. You will see. Well original tool sources are around for poc.exe. Now days sources are in Oscam-emu.
Best ti study in my program ostsdec. Look into oetsdec/oscamfiles/module-emulator-director.c

In line 67 you will find int8_t director_ecm(uint8_t *ecm, uint8_t *dw)
Type EC is broken as there is no solution for decrypting Video.

But we can test type ED and EE. See
Line 214 for case 0xEC
Line 256 for case 0xED

What you want to achieve is to find the fastest way to decrypt the DES to decrypt ECM to obtain the Key..

Yes We need a tool to do bruteforce for DES. There is none designed for SAT like CUDABISS.

Then we can talk about ECM and How we go from ECM KEY to obtain Video/Audio Key. And how the process of Key Rolling make it difficult, as video/audio key changes in about 10 seconds intervals. So difficult that we are require to have ECM key, in order to have next key every 10 seconds.

After that, we can simulate how we will go if ECM Key is NOT known. We will then have to find Video/Audio Key 1rst. Then we try to brute force ECM Key.

...But I think there is more than one algorithm that is used to decrypt ECM for example DES then 3DES ...

Tandberg ECM uses DES in Type EE. And uses DES CBC in type ED.

I believe Irdeto do use 3DES or 2DES.

 

[K2TSET]

cayoenrique please keep up the interesting work you are doing, it's very inspiring for many of us, thank you

You can install free FPGA dev soft on both PC and Linux without have to pay or be tracked while using them from some vendors but it's still big software and you have a steep learning curve but it great technology which can be used for many thing

FPGA chips are getting better / faster but you will need to spin PCB boards or buy dev boards which does cost some money.
You can have smaller one's just to learn for reasonable price.

FPGA are very strong in bit moving (permutation) since you "just" connect the bit where it shall be go (like a wire) and it takes 0 resources.

Anyway back to DES I think Hashcat which are open and free is a good starting point.
The full seek time with 5x1080 GPU's are 6days 5hours if you see here (from 2017)
https://gist.github.com/mubix/b7976d0e56c6b6b0dfe0e629a9bc9cdb

https://hashcat.net/forum/thread-10646.html
Algorithm 14000 looks for key, plaintext and ciphertext are known. Size of DES key is 56 bits, LSBs of each byte are NOT used. Therefore there are 256 collisions in 8-bytes key, each collision is complete solution. You can try to encrypt/decrypt data using any key above, result will be the same.

I have not done any test with DES yet

 

[cayoenrique]

Nice info: THANK YOU. I know about Hashcat and in fact I was tempting to selected one of the des modes as a possible candidate for bitslice.

What I did not knew is that Algorithm 14000 looks for key, plaintext and ciphertext are known.. WAO. This is the missing DES tool to play in SATellite.

If this works we will not need our own tool. But in any case it could serve as our BASE results to compare against any new tool we build.

Now we have NOT to forget that Hashcat is used primarily for printable ASCII bytes, such as the ones you use in your passwords. In particular they love to use what they call word dictionaries. That is why they find keys in no time.

We in the other hand need DES full 56 bits range. On search I see there is a lot of info complaining about DES not working as it should. My best guess is that those issues should have status resolved by now.

Just looking at the post you mention one date Oct 5, 2017 And in fact last one title reads Example hash for DES 14000 does not crack correctly.

I will test hascat in Debian to see if it can meet our needs. What I wonder is the requirements AMD GPUs on Linux require "AMDGPU" (21.50 or later) and "ROCm" (5.0 or later)
While those drivers may meet needs for latest GPU, I believe those drivers will never work with OLD AMD GPUs such as mine.

Same could apply with:
AMD GPUs on Windows require "AMD Adrenalin Edition" (Adrenalin 22.5.1 exactly)
NVIDIA GPUs require "NVIDIA Driver" (440.64 or later) and "CUDA Toolkit" (9.0 or later)

So lets hope it works and we can use this as reference. Again BIG THANKS my friend.

 

[K2TSET]

I just ran over this site https://crack.sh/ and they seem to have a big DES setup but does talk about much longer search time

 

[cayoenrique]

It is below 256 / 768,000,000,000 = ~26 hours Lower they also say a couple of days!! And they say: Why are you charging so much money for this??

And

Time-Memory Tradeoff Free Jobs

We recently released support for running jobs with the plaintext of 1122334455667788 for FREE! We’re able to do this because we built one of the largest publicly available Rainbow Tables (Time-Memory Tradeoff Attack) for the entire DES keyspace (256). We are able to achieve an average crack time of 25 seconds and a success rate of 99.5%. If our system doesn’t crack your key immediately, it forwards the job on to our brute-force rig which will find the key within a couple days.

 

[cayoenrique]

Wao you are bad. I spent the whole day looking into hashcat. As I suggested problem for me is that I have an OLD unsupported GPU.

I finally seems to make run without spitting errors using an old version hashcat-3.6.0. It still not work in windows, but seems to not give errors in linux.
Now I need to see if I can make it roll and guess a Key.

 

[cayoenrique]

Again I am using hashcat-3.6.0 under Linux because my GPU is OLD and unsupported on new drivers.

1rst the file charsets/DES_full.charset have at least on wrong value, it has 27 instead of 26. See numbers of bits has to add to ODD.

27 wrong
0010 0111
has 4 bits showing 1

26 Correct
0010 0110
has 3 bits showing 1

So I copied from new hashcat-6.2.6/charsets/DES_full.hcchr into hashcat-3.6.0/charsets/DES_full.charset

Now this is the data I am using to test

Clear text= 000001F85D8A7F01
DES Encrypted= 3643CDE63F679D20
Key= 7A67101A5BE52601

And this was the result I got

# ./hashcat --force --gpu-temp-disable --potfile-disable --keep-guessing -1 charsets/DES_full.charset -a 3 -m 14000 3643CDE63F679D20:000001F85D8A7F01 --hex-charset 7A67101A5B?1?1?1
hashcat (pull/1273/head) starting...

OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
* Device #1: Turks, 1024/1024 MB allocatable, 6MCU
* Device #2: Intel(R) Core(TM) i7-2630QM CPU @ 2.00GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

status pause resume bypass checkpoint quit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: DES (PT = $salt, key = $pass)
Hash.Target......: 3643cde63f679d20:000001f85d8a7f01
Time.Started.....: Mon Oct 23 21:15:56 2023 (10 secs)
Time.Estimated...: Mon Oct 23 21:17:24 2023 (1 min, 18 secs)
Guess.Mask.......: 7A67101A5B?1?1?1 [13]
Guess.Charset....: -1 charsets/DES_full.charset, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 23675 H/s (13.60ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 239616/2097152 (11.43%)
Rejected.........: 0/239616 (0.00%)
Restore.Point....: 239616/2097152 (11.43%)
Candidates.#1....: $HEX[7a67101a5b64a71c] -> $HEX[7a67101a5bfeab1c]

3643cde63f679d20:000001f85d8a7f01:$HEX[7a67101a5be52601]
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: DES (PT = $salt, key = $pass)
Hash.Target......: 3643cde63f679d20:000001f85d8a7f01
Time.Started.....: Mon Oct 23 21:15:56 2023 (1 min, 27 secs)
Time.Estimated...: Mon Oct 23 21:17:23 2023 (0 secs)
Guess.Mask.......: 7A67101A5B?1?1?1 [13]
Guess.Charset....: -1 charsets/DES_full.charset, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 24842 H/s (13.54ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 2097152/2097152 (100.00%)
Rejected.........: 0/2097152 (0.00%)
Restore.Point....: 2097152/2097152 (100.00%)
Candidates.#1....: $HEX[7a67101a5b64fefe] -> $HEX[7a67101a5bfefefe]

Started: Mon Oct 23 21:15:55 2023
Stopped: Mon Oct 23 21:17:25 2023
#

As you can see the Speed is tooo SLOWWWwwwww!!!! 23675 H/s = 0.023675 MKPS = 2.3675x10^4
When I hope to reach with my 480 core GPU at least 10^8 or 10^9.

Then method assume we know the whole clear text. When in practice we only know the first 3 bytes 00 00 01

Do you know to set search with partial cleat text?? I did try

3643CDE63F679D20:00001?b?b?b?b?b

but it does not work, as in fact it is interpreted as

3643CDE63F679D20:00001fbfbfbfbfb

Witch is the wrong value....

I guess we need to st1ck at our 1rst intention... To build our own OpenCl tool.

 

[ashoknek]

what about crack 3des

 

[dvlajkovic]

I guess we need to st1ck at our 1rst intention... To build our own OpenCl tool.

I would really appreciate if you st1ck to building opencl as we have spread over many topics and still got no tools

 

[cayoenrique]

@ashoknek
If DES KEY has 56bits, it was expected that 3DES was 56+56+56=168bits. But due to some hack, I believe man in the middle, then the actual length is like have of it something around 84. Witch is even worst that 2DES.
Still 3DES was used in many situation like in Key Sharing programs. In general if we could break DES in let say 2 weeks then we will require some what double of that.

I would really appreciate if you st1ck to building opencl as we have spread over many topics and still got no tools

I do not understand your comment.

1st my ONLY objective is to share with others thinks that I learn from other masters like colibri. So the purpose is teaching.

Encryption Projects as SU group <== this was a scrap area to openly talk about anything without Hijacking others people threads. At the time I was interested in speeds MKPS. We did talk about CW Finder, aycwabtu, cudabiss and others.

GPGPU using Opencl <== this one objective to teach Opencl. And I did post a working BISS bruteforce prototype. Yes it is unfinished, from the top of my head I believe we need to figure out what to do when we get to last key FFFFFFFFFFFFFFFF then we should ensure it restart on 0000000000000000.

Understanding CSA <== This one is to explain CSA structure and cypher. Since no one have questions on CSA, I did reuse the topic to talk about TS PES ES structures. I I did provided tools to manipulate the binary streams and pids.

Understanding DES <== This one is about DES. Why because after CSA, DES is one of the most common encryption used in Satellite. I hope to produce a cracking tool for DES.

For the future @Me2019H and @K2TSET seems to be interested on the process of How to bruteforce an ECM to obtain ECM Key from Video/Audio Keys. I guess that will be the next Topic.

I am pretty sure there is no confusion in the topics and why they are in 4 different threads. Or do you have any other questions?

Now as per why there is no CSA brute-force tool that can crack it in seconds. Well I have posted many time I will never provide such a tool even if I could build it, witch for me it is not possible. I do not have at the moment an antenna but I will never put in jeopardy CSA nor this forum. Now I provided enough information for any one of you to improve the tool I posted. I do not have a GPU with thousands of cores. But I guess that you guys could in private improve it to go 2X or even 4X as fast as cudabiss.

And not, I am not upset for the question, I know what you want. You did ask for it from the beginning. My answer is to be clear with others as to why there are 4 topics, what we are doing and what is next.

 

[dvlajkovic]

I do not understand your comment.
1st my ONLY objective is to share with others thinks that I learn from other masters like colibri. So the purpose is teaching.

Oh, you just want to teach brute-force? My bad, then I got you wrong.

 

[ashoknek]

@cayoenrique
its 56+56 bits and 3des is 16byte
you can share skype in pm