In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, if one generates a random key to encrypt a message, weak keys are very unlikely to give rise to a security problem. Nevertheless, it is considered desirable for a cipher to have no weak keys. A cipher with no weak keys is said to have a flat, or linear, key space.
Historical origins
Virtually all rotor-based cipher machines have implementation flaws that lead to a substantial number of weak keys being created. Some machines have more problems with weak keys than others, as modern block and stream ciphers do. The first stream cipher machines, that were also rotor machines had some of the same problems of weak keys as the more traditional rotor machines. The T52 was one such stream cipher machine that had weak key problems. The British first detected T52 traffic in Summer and Autumn of 1942. One link was between Sicily and Libya, codenamed "Sturgeon", and another from the Aegean to Sicily, codenamed "Mackerel". Operators of both links were in the habit of enciphering several messages with the same machine settings, producing large numbers of depths. There were several versions of the T52: the T52a and T52b, T52c, T52d and T52e. While the T52a/b and T52c were cryptologically weak, the last two were more advanced devices; the movement of the wheels was intermittent, the decision on whether or not to advance them being controlled by logic circuits which took as input data from the wheels themselves. In addition, a number of conceptual flaws had been eliminated. One such flaw was the ability to reset the keystream to a fixed point, which led to key reuse by undisciplined machine operators.
The block cipher DES has a few specific keys termed "weak keys" and "semi-weak keys". These are keys that cause the encryption mode of DES to act identically to the decryption mode of DES. In operation, the secret 56-bit key is broken up into 16 subkeys according to the DES key schedule; one subkey is used in each of the sixteen DES rounds. DES weak keys produce sixteen identical subkeys. This occurs when the key is:
Alternating ones + zeros
Alternating 'F' + 'E'
'0xE0E0E0E0F1F1F1F1'
'0x1F1F1F1F0E0E0E0E'
If an implementation does not consider the parity bits, the corresponding keys with the inverted parity bits may also work as weak keys:
all zeros
all ones
'0xE1E1E1E1F0F0F0F0'
'0x1E1E1E1E0F0F0F0F'
Using weak keys, the outcome of the Permuted Choice 1 in the DES key schedule leads to round keys being either all zeros, all ones or alternating zero-one patterns. Since all the subkeys are identical, and DES is a Feistel network, the encryption function is self-inverting; that is, despite encrypting once giving a secure-looking cipher text, encrypting twice produces the original plaintext. DES also has semi-weak keys, which only produce two different subkeys, each used eight times in the algorithm: This means they come in pairs K1 and K2, and they have the property that: where EK is the encryption algorithm encrypting message M with key K. There are six semi-weak key pairs:
0x011F011F010E010E and 0x1F011F010E010E01
0x01E001E001F101F1 and 0xE001E001F101F101
0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
There are also 48 possibly weak keys that produce only four distinct subkeys. They can be found in a NIST publication. These weak and semi-weak keys are not considered "fatal flaws" of DES. There are 256 possible keys for DES, of which four are weak and twelve are semi-weak. This is such a tiny fraction of the possible keyspace that users do not need to worry. If they so desire, they can check for weak or semi-weak keys when the keys are generated. They are very few, and easy to recognize. Note, however, that currently DES is no longer recommended for general use since all DES keys can be brute-forced it's been decades since the Deep Crack machine was cracking them on the order of days, and as computers tend to do, more recent solutions are vastly cheaper on that time scale. Examples of progress are in Deep Crack's article.
IDEA. IDEA's weak keys are identifiable in a chosen-plaintext attack. They make the relationship between the XOR sum of plaintext bits and ciphertext bits predictable. There is no list of these keys, but they can be identified by their "structure".
Blowfish. Blowfish's weak keys produce bad S-boxes, since Blowfish's S-boxes are key-dependent. There is a chosen plaintext attack against a reduced-round variant of Blowfish that is made easier by the use of weak keys. This is not a concern for full 16-round Blowfish.
GMAC. Frequently used in the AES-GCM construction. Weak keys can be identified by the group order of the authentication key H.
RSA and DSA. August 2012Nadia Heninger, Zakir Durumeric, Eric Wustrow, J. Alex Halderman found that TLS certificates they assessed share keys due to insufficient entropy during key generation, and were able to obtain DSA and RSA private keys of TLS and SSH hosts knowing only the public key.
No weak keys as a design goal
The goal of having a 'flat' keyspace is always a cipher design goal. As in the case of DES, sometimes a small number of weak keys is acceptable, provided that they are all identified or identifiable. An algorithm that has unknown weak keys does not inspire much trust. The two main countermeasures against inadvertently using a weak key:
Checking generated keys against a list of known weak keys, or building rejection of weak keys into the key scheduling.
When the number of weak keys is known to be very small, generating a key uniformly at random ensures that the probability of it being weak is a very small number.
A large number of weak keys is a serious flaw in any cipher design, since there will then be a large chance that a randomly generated one will be a weak one, compromising the security of messages encrypted under it. It will also take longer to check randomly generated keys for weakness in such cases, which will tempt shortcuts in interest of 'efficiency'. However, weak keys are much more often a problem where the adversary has some control over what keys are used, such as when a block cipher is used in a mode of operation intended to construct a secure cryptographic hash function.
