Browser-Based Distributed DES Cracker

What is it?

This is a system for determining the DES encryption key that was used to encrypt a block of plaintext into some corresponding ciphertext. This is done by a brute force search of the keyspace (trying every possible key to see which key encrypts the known plaintext into the known ciphertext).

What makes this system interesting is that it allows anyone to participate using their web browser. Your browser will ask a server for a small range of keys to test, test each key in that range, and then report back to the server whether it found the key that turns the given plaintext into the given ciphertext.

A single web browser would take too long to search all of the keys, but a few million browsers could do it in a year.

Try it out

Go to the client interface to start participating, via your browser, in cracking a DES key by brute force testing of the keyspace. You can also work on keys of your own choosing without joining in the distributed brute force.

Or, try the easy version (you start very close to the key) so you can have the full experience. Note that the easy version's database is automatically reloaded every 15 minutes. The test itself takes about 1 minute on a decent system, so there's some chance you will get interrupted up in the middle of the test. If that happens, try again.

About

Author: Justin Samuel (justin -at- justinsamuel -dot- com)

Source: descrack-current.tar.gz

License: GPL

Initial version: 2008-04-25

Last updated: 2008-04-30

Notes

• The JavaScript DES code was written by me based off of the public domain code written by others that Schneier included in Applied Cryptography.
• The server side (written by me) is PHP/MySQL and makes use of the Zend Framework version 1.5.1.
• Public domain JSON (de)serialization javascript is used.
• Malicious clients that report false negatives (key not found when it really was) can wreak havoc on this system. Dealing with such clients is a whole, big topic in itself. Other distributed DES cracking systems [DESCHALL] didn't actually solve the problem or even truly address it, they only required that malicious clients had to do a little work before providing false responses.
• There's plenty of room in the code for optimization. This is just a proof of concept. Optimization could be done on the client side to speed up key checking and on the server side to enable scalability to a degree to handle the number of clients that would really be required to make a dent in searching the keyspace. -- The code as-is won't support millions of simultaneous clients (though it does cover the basics, such as database integrity when multiple clients affect the database at the same time).
• Much of the JavaScript could stand to be cleaned up. I don't do JavaScript in this quantity frequently enough that I remember how I should do it (until it's too late).

References and Related Work

1. DES
2. EFF DES cracker
3. COPACOBANA
4. DESCHALL
5. Optimized key search method used by DESCHALL