History
Developed at the Universities of Bochum and Kiel in Germany2006- Breaks DES in 9 daysLater improved to ~6 days
Architecture
ReconfigurableUses Xilinx Spartan-3 1000
Parallel120 FPGA chipsController board
Optimized cost-performance ratioCOTS hardware
Motivation for RC
SupercomputersFast, powerful, easy to programExpensive, bad cost-performance ratio
Distributed systems may have privacy issuesi.e. Boinc: Using other user’s idle PCs
ReconfigurableFlexible compared to ASICS
Applications
Optimized for cryptanalysisMain application: DES key searchCan also crack 1-time password systemsAttack primitive systems
ePass: machine readable passports Norton Diskreet: hard drive encryption
Security EstimationsAids other attacks
Parallelized Elliptic Curve Method (ECM)
DES
Symmetric block cipherEncryption standard set in 1976Remained a popular standard for several decadesWeaknesses:
Short key length (56-bits)Susceptible to differential, linear cryptanalysis
2002 – AES effective
Cryptanalysis
Encryption: Ek(P) -> CiphertextGoal: Get the preimage (plaintext)
Little knowledge of plaintext beforehandRequires the key
Known-plaintextUse a preexisting plaintext block found in the ciphertext
Methods
Brute forceTry every key until something works56-bit key -> 2^56 or 72,057,594,037,927,936 keys
Differential cryptanalysisObserve how different inputs affect the output
Linear cryptanalysis
Performance
Per FPGA:4 keys per cycle400 million keys per second @ 100MHz
Total:120 FPGAs -> 4.8E10 keys per secondOn average check 2^55 keys750,599 seconds
Average time: 6-8 days
Vs. GPP
Pentium 4 CPU2 million keys per second @ 3GHzWith 1 PC2^34 seconds -> 545 yearsNeed ~22,000 processors to match the performance of COPACOBANA
Vs Supercomputer
1998 – Deep Crack breaks DES in 56 hours1999 – Deep Crack and distributed.net break DES in < 24 hours
Cost
As of 2006: $10,000Deep Crack: $250,000Equivalent performance PC
Need ~22k Pentium 43.6 million Euros (2006)
Power600W
Limitations
Brute force infeasible for bigger keysAES-128: 1.1x10^77 keysFastest supercomputer would take 1 billion billion years
More complex methods not possible with COPACOBANA aloneDES is deprecated
Conclusion
COPACOBANA delivers low-cost DES cracking capabilitiesCan’t break modern/advanced encryption
DES is mainly used in legacy systems
Later work:2008- New version developed with Virtex-4 SX 35 FPGAsRIVYERA: breaks DES in < one day
Sources
[1]Arora, Mohit. Nov. 6 2012. http://www.eetimes.com/design/embedded-internet-design/4372428/How-secure-is-AES-against-brute-force-attacks-
[2] COPACOBANA S3-1000. 2 Nov. 2012. http://www.sciengines.com/products/computers-and-clusters/copacobana-s3-1000.html
[3] COPACOBANA: A Codebreaker for DES and other Ciphers. 2 Nov. 2012. http://www.copacobana.org/index.html
[4] Data Encryption Standard. 2 Nov. 2012. http://en.wikipedia.org/wiki/Data_Encryption_Standard#cite_note-copacobana-2006-18
[5] Howson, Ian. A Cost/Performance Study of Modern FPGAs in Cryptanalysis.
[6] Pelzl, Jan. 4 Dec. 2006. Cryptanalysis With a Cost-Optimized FPGA Cluster.[7] S. Kumar et. al. 10 Oct. 2009. Breaking Ciphers with COPACOBANA A Cost-Optimized Parallel Code Breaker or How to Break DES for 8,980 €[8] Tim Erhan Guneysu. Feb. 2009. Cryptography and Cryptanalysis on Reconfigurable Devices: Security Implementations for Hardware and Reprogrammable Devices.
Pictures
http://www.copacobana.org/photos/photo_b3.jpg
http://upload.wikimedia.org/wikipedia/commons/thumb/0/06/Data_Encryption_Standard_InfoBox_Diagram.png/300px-Data_Encryption_Standard_InfoBox_Diagram.png
http://www.copacobana.org/photos/photo_5.jpg
http://sigma.octopart.com/9219807/image/Xilinx-XC3S1000-4FGG456C.jpg
http://www.copacobana.org/photos/photo_7.jpg
http://mixeur.x86-guide.com/Photos/Stock_photos/Intel%20Pentium%204%20%20LGA775.jpg
http://www.maximrio.com/Images/copacabana/copacabana_beach_1.jpg
Key search layout and Deep Crack image taken from [6]