> Break Me If You Can
This, somehow, triggered my mind to recall LifeLock's CEO Todd Davis’s public marketing campaign where he displayed his Social Security number on the company website and advertisements to demonstrate the security of his platform; however, the challenge backfired dramatically and he became a victim of identity theft on at least 13 separate occasions.
Looks awesome! I see some Flipper Zero apps were already created. When will you be releasing this for the Chameleon? Also, any plans to port this over to the Proxmark?
All of the attacks are released for the three platforms (Proxmark3, Flipper Zero, and Chameleon Ultra). Our goal was day 1 support for RFID testing devices.
3DES has been broken for a decade. Nice job putting it all together though.
> Is this a flaw in the cryptography itself?
No. The underlying cryptographic algorithms (3DES and AES-128) remain secure. The vulnerabilities arise from:
Protocol design choices that allow unauthenticated memory writes after initial authentication
Lack of atomicity when writing cryptographic keys across multiple memory pages
Widespread misconfiguration in real-world deployments (unlocked memory, static keys)
Non-NXP compatible chips with severely flawed random number generators
It has? What exactly do you mean by that?
Surely someone who has been here as long as you have understands that this type of behavior is not compatible with the guidelines.
> Converse curiously; don't cross-examine.
You could have just corrected them and not goaded them into further revealing their ignorance. Yes, they underestimated how difficult it is to crack 3DES. You could have simply told them that.
I have no idea who they are or what they were talking about. I think they're thinking about 3DES used as a password hash. I never in 100 years would have guessed that's where they were coming from.
The thread that ensued, a discussion of what it means for a cipher to be obsoleted or unsafe versus "broken", is an actually-interesting question.
I feel pretty OK about how this went.
You could never, in a million years, have guessed by "broken" they meant "it can be decrypted by the public with little effort?" I doubt that. I see no evidence they are talking about a password hash. Here's what they actually cited:
> The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, ...
They're clearly talking about its use as a cipher. Again, someone who has been here as long as you have should understand that you shouldn't put words in their mouth or be evasive in this way.
The conversation would still have touched on these interesting topics, and would likely have done so more immediately.
Do we have conflicting premises about what Hashcat is? I'm pretty sure you're just wrong here.
It means you should not use it for anything important, because it can be decrypted by the public with little effort. If you look back, it has been this way for quite a while. My gripe is with the clickbait title 'Break Me If You Can'.
https://nvd.nist.gov/vuln/detail/cve-2016-2183
BREAKMEIFYOUCAN! is the default factory key programmed into every MIFARE Ultralight C chip by NXP.
Ok that makes much more sense.
How exactly would you decrypt a 3DES ciphertext "with little effort"?
It's supported in hashcat
Is this a bit?
Have you tried it?
We're talking about symmetric ciphers and you're talking about password cracking software.
Triple-DES has 168 bit keys. Even if you use a meet-in-the-middle attack, your attack cost has an exponent of 112 (with an associated memory cost with an exponent of 88).
That's not practically exploitable today.
If you think I'm wrong, here's a single block message encrypted with 3DES, then hex-encoded. Have fun:
But really, the bigger problem is Sweet32.
if i were to guess, they are referring to CVE-2016-2183, which led to deprecation of 3DES by NIST in 2019 (announced in 2017) and disallowing all uses in 2023. openssl also stopped including it in default builds starting in 2016 because it is considered weak.
This is Sweet32, an attack on any block cipher with an 8-byte block size. We don't consider those ciphers "broken"; they just can't be used safely in some common modes. You shouldn't use 3DES or IDEA or Blowfish, of course, but I don't think they're considered "broken", not in the same sense that, say, RC4 is.
It's true that 64 bits was known not to be enough when DES shipped decades ago, but there is some difference between "We know that's a bad idea" and a demo showing why, and so I think I'm OK with the word "broken" in that context.
There's a reason POCs matter, right? Why you feel comfortable (even though I don't agree) saying multi-threaded Go doesn't have a memory safety problem and yet you wouldn't feel comfortable making the same claim for C++.
I'm not a cryptographer but to me "broken" seems to imply that the core algorithm itself can be attacked. If merely applying it in certain ways as part of some larger system can fail then aren't most (possibly all) ciphers broken? It's entirely possible to do all sorts of stupid things.
Granted, a 2^32 block limit is pretty severe by modern standards.
This semantic argument was more plausible before the original commenter claimed 3DES can be "broken with little effort".
That's fair, I won't defend "broken with little effort".
Not to be rude, but it seems to me that you are engaging in some hairsplitting. In general, security people do not recommend to use 3DES or RC4 - even if RC4 is broken in other ways than 3DES.
RC4 is actually broken. It's fundamentally broken. As you run it, its face melts off like the guy at the end of Raiders. It's genuinely weird nobody noticed how bad it was, in a practical sense, until the late aughts.
The 64 bit block size in 3DES (and Blowfish and IDEA) limits how much data you can encrypt under a single key. I think the real "tell" that this isn't hair-splitting is that people don't ever generally talk about Blowfish being "broken", just obsoleted.
People just don’t talk about Blowfish.
to any non-cryptographer, i think that's a distinction without a difference. it's disallowed from use by the major standards institute due to a vulnerability where people can recover the plain text.
that sounds "broken" to me, but i'm not a cryptographer. so, i'll defer to you when you say it's not broken. (i don't know what the cryptographer-specific definition of broken is -- it'd be great if you would shed some light on that)
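
The block-size limit discussed in this thread (Sweet32, the "2^32 block limit"), as an added example that is not part of any comment above: it computes the birthday bound for 64-bit and 128-bit blocks, then shows on a constructed 16-bit toy Feistel cipher in CBC mode that a repeated ciphertext block reveals the XOR of two plaintext blocks without touching the key. The toy cipher, key and function names are assumptions made for illustration; the toy cipher is not DES or 3DES.

```python
import hashlib, math, random

def collision_probability(block_bits, n_blocks):
    """Birthday approximation: chance that n_blocks ciphertext blocks contain a repeat."""
    return -math.expm1(-n_blocks * (n_blocks - 1) / 2 / 2.0 ** block_bits)

def toy_encrypt(key, block):
    """Constructed 16-bit, 4-round Feistel permutation standing in for a small-block cipher."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right

def cbc_encrypt(key, iv, plaintext_blocks):
    """CBC mode: c_i = E(p_i XOR c_{i-1}), with c_{-1} = iv."""
    out, prev = [], iv
    for p in plaintext_blocks:
        prev = toy_encrypt(key, p ^ prev)
        out.append(prev)
    return out

def find_leaks(iv, ct):
    """For each repeated ciphertext block return (i, j, p_i XOR p_j), using ciphertext only.

    If c_i == c_j then p_i XOR c_{i-1} == p_j XOR c_{j-1}, so
    p_i XOR p_j == c_{i-1} XOR c_{j-1}. The key is never needed.
    """
    chain = [iv] + ct              # chain[i] is the block XORed into plaintext i
    seen, leaks = {}, []
    for j, c in enumerate(ct):
        if c in seen:
            i = seen[c]
            leaks.append((i, j, chain[i] ^ chain[j]))
        else:
            seen[c] = j
    return leaks

def demo(n_blocks=2000, seed=1):
    """Encrypt constructed random plaintext under one key and collect the leaks."""
    rng = random.Random(seed)
    key, iv = b"constructed-key", rng.randrange(1 << 16)
    pt = [rng.randrange(1 << 16) for _ in range(n_blocks)]
    return pt, find_leaks(iv, cbc_encrypt(key, iv, pt))

if __name__ == "__main__":
    # 2^32 blocks of 8 bytes is 32 GiB under one key.
    print("64-bit block, 2^32 blocks :", collision_probability(64, 2 ** 32))
    print("128-bit block, 2^32 blocks:", collision_probability(128, 2 ** 32))
    pt, leaks = demo()
    print("toy cipher leaks:", len(leaks), "first:", leaks[0])
```

The same arithmetic is why the mitigation for a 64-bit block cipher is a rekeying limit far below 2^32 blocks, while a 128-bit block cipher at the same data volume is nowhere near its bound.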