Home page logo

isn logo Information Security News mailing list archives

Cryptanalysis of Multiswap
From: InfoSec News <isn () c4i org>
Date: Mon, 29 Oct 2001 02:50:31 -0600 (CST)

Forwarded from: Gary Stock <gstock () unblinking com>

Topic: a new Microsoft block cipher dissected, and its weakness revealed.

Some readers may prefer a more 'mainstream' analysis of this exploit,
which I suspect will appear soon enough.  The original introduction and
conclusion appear below, with full details here:


The use of graphical notation in the original may make transcription to
flat text inappropriate.  I encourage interested cryptogs to visit the
URL directly (while it is permitted to persist :-)

A few mirrors, with proper attribution, might not hurt...



Cryptanalysis of Multiswap

Nikita Borisov, Monica Chew, Rob Johnson, and David Wagner
UC Berkeley

An anonymous security researcher working under the pseudonym "Beale
Screamer" reverse engineered the Microsoft Digital Rights Management
subsystem and, by October 20th, the results were available on
cryptome.org.  As part of the reverse engineering effort Screamer found
an unpublished block cipher, which he dubbed MultiSwap, being used as
part of DRM.  Screamer did not need to break the MultiSwap cipher to
break DRM, but we thought it would be a fun excercise, and summarize the
results of our investigation below.  The attacks described here show
weaknesses in the MultiSwap encryption scheme, and could potentially
contribute to an attack on DRM.  However, the attack on DRM described by
Beale Screamer would be much more practical, so we feel that these
weaknesses in MultiSwap do not pose a significant threat to DRM at this time.

We present these results to further the science of computer security,
not to promote rampant copying of copyrighted music.

The cipher

The Multswap algorithm takes a 64-bit block consisting of two 32-bit
numbers x0 and x1 and encrypts them using the subkeys
k0,...,k11 as diagramed below...

[...body of article contains graphic notation...]


We have seen that MultiSwap can be broken with a 2^14 chosen-plaintext
attack or a 2^22.5 known-plaintext attack, requiring 2^25 work.  We
believe this shows that MultiSwap is not safe for any use.

# # #

Gary Stock                                            vox 616.226.9550
CIO & Technical Compass                               fax 616.349.9076  
Nexcerpt, Inc.                                     gstock () nexcerpt com

  "The first thing you'll notice is, when the camera's plugged in..."
  Bill Gates, launching Windows XP Earthquake, Seattle, 28 Feb 2001

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]