Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Are key files better than passwords?

6 views
Skip to first unread message

Dimona

unread,
Jun 27, 2009, 4:21:45 PM6/27/09
to
I am trying to protect some sensitive information from falling in the
wrong hands, I want to protect this data for at least 50 years and I
have of course encrypted it.

My main concern is that computer hardware and software advances will
have been overwhelming in 20 years from now on, and I am concerned
about brute force attacks, I have of course choosen a long passphrase
but even so, my question is.

Will key files guarantee me protection agains brute force attacks for
the next 50 years?

My thinking is that while the alphabet has a limit, keyfiles do not,
they are infinite, therefore any brute force attack will be useless
unless they know what keyfiles to use, with the alphabet however there
are only so many letters that can be used.

I am using Truecrypt with the AES algorythm and Whirlpool for this.


Peter Lind

unread,
Jun 27, 2009, 5:10:53 PM6/27/09
to
why not rent a bankvault if you really have something worth protecting
for 50 years (sounds a little suspicious).

And also, if you are storing the information on any media like DVD, USB
keys etc. then what if they break/become corrupt etc. which could happen
in 50 years. You would have to make new copies every few years or something.

David Eather

unread,
Jun 27, 2009, 5:21:29 PM6/27/09
to

Most of your post is meaningless or gibberish. For example -

> Will key files guarantee me protection agains brute force attacks for
> the next 50 years?

is meaningless, and -

> My thinking is that while the alphabet has a limit, keyfiles do not,
> they are infinite, therefore any brute force attack will be useless
> unless they know what keyfiles to use, with the alphabet however there
> are only so many letters that can be used.

is high class gibberish.

You will need to learn some basic crypto concepts so you can both see
the problem correctly and ask a meaningful question.

Paul Rubin

unread,
Jun 27, 2009, 5:30:13 PM6/27/09
to
Dimona <m...@mmm.mmm> writes:
> I am trying to protect some sensitive information from falling in the
> wrong hands, I want to protect this data for at least 50 years and I
> have of course encrypted it....

> Will key files guarantee me protection agains brute force attacks for
> the next 50 years?

Nobody knows. And even if they do, how will you keep the key file
secret for 50 years? If you have a method to keep the key file secret
for that long, why not just use the same method to keep the plaintext
secret, and not bother with encryption?

Gordon Burditt

unread,
Jun 27, 2009, 5:44:24 PM6/27/09
to
>why not rent a bankvault if you really have something worth protecting
>for 50 years (sounds a little suspicious).
>
>And also, if you are storing the information on any media like DVD, USB
>keys etc. then what if they break/become corrupt etc. which could happen
>in 50 years.

Worse, the DVD, USB stick, etc. could be perfectly fine: and you have
nothing that can read it. Memory crystals don't use electricity.

>You would have to make new copies every few years or something.

You'll probably have that problem ANYWAY, even if you change the security
requirement to a data preservation requirement and start by sending a
copy to everyone, and putting copies on every space launch..


Joseph Ashwood

unread,
Jun 28, 2009, 12:06:41 AM6/28/09
to
"Dimona" <m...@mmm.mmm> wrote in message news:h25v0p$arf$1...@news.mixmin.net...

> Will key files guarantee me protection agains brute force attacks for the
> next 50 years?

Taken in isolation, that question can be answered, a 384-bit key is
sufficient to resist a brute-force attack for the entire existence of the
universe (actually its about 330-bits, but 384 is rounder for computers).
But this does not answer your real question. Your real question is, what
will be secure in 50 years? History is not kind to this question. Looking
back to the absolute state-of-the-art knowledge just 32 years ago (DES and
original RSA publication), very little of that safety exists today.

> I am using Truecrypt with the AES algorythm and Whirlpool for this.

The odds are VERY high that neither of those will last 50 years, in truth we
have little confidnce of what will be necessary to last the next 5 years
undisturbed.

What I would recommend is to perform an analysis based on the value of the
information, build a depreciation/appreciation schedule for it, assume a
cost and computation model for the future of computers, assume an erosion
rate for th cipher(s). From there that will tell you how which ciphers will
be safe enough.

Good luck or lots of money, you'll need at least one.
Joe

Dimona

unread,
Jun 28, 2009, 1:01:22 AM6/28/09
to
on 28/06/2009, Joseph Ashwood supposed :

I am making the conclusion that the claims that certain algorythms make
to be uncrackable it is actually bullshit then.

A real quality encryption algorythm will be made future proof against
the expected computer power improvements.

My point of view is that brute force attacks will be the weakest point
of the chain per excellence, by using a secret keyfile I eliminate that
weak point, now what I need to establish is if the AES algorythm is
good enough to resist 50 years. I thought it was because everyone says,
but then they said the same of DES.


Dimona

unread,
Jun 28, 2009, 1:09:26 AM6/28/09
to
> > My thinking is that while the alphabet has a limit, keyfiles do not,
> > they are infinite, therefore any brute force attack will be useless
> > unless they know what keyfiles to use, with the alphabet however there
> > are only so many letters that can be used.
>
> is high class gibberish.
>
> You will need to learn some basic crypto concepts so you can both see the
> problem correctly and ask a meaningful question.

Brute force attacks use dictionary words, if a given encryption
software can have a maximum of for example, 64 characters, given enough
time to try all combinations you will crack it.

But you can not succesfully brute force a password unless you have a
list of the possible passwords, if you hide the keyfile you thwart all
brute force attacks because the keyfile will always be missing from the
possible combinations.


WTShaw

unread,
Jun 28, 2009, 2:05:16 AM6/28/09
to

Some sensitive information? The quantity of it makes all the
difference. There are many ways to be really secure for a limited
amount of information, less for more generally speaking. Then, there
are other ways...

Both of your choices you gave yourself tend to be bad ones. Then,
there are other ways...

Gordon Burditt

unread,
Jun 28, 2009, 3:22:17 AM6/28/09
to
>I am making the conclusion that the claims that certain algorythms make
>to be uncrackable it is actually bullshit then.

The One Time Pad can make this claim. Others (AES, DES, RSA,
Adacrypt, etc.) can't.

>A real quality encryption algorythm will be made future proof against
>the expected computer power improvements.

Assume your secret is 1GB long.

Take N 1GB USB sticks (N >= 2). Using truly random processes,
generate 1GB of truly random bits for each of N-1 memory sticks.
(Note: computers do not generate random bits, although they might
have hardware peripherals that can generate random bits.) Bitwise
XOR your secret with each of the sets of random bits on the N-1
memory sticks, and put the result on the last memory stick. Put
these memory sticks in widely-dispersed places, preferably those
under the combined control of more than 10 unique governments, and
if you can arrange it, don't put them all on Earth.

To decrypt, bitwise XOR all N of the memory sticks (lose one and
you're screwed!) together, in no particular order. You get the
secret back.

No amount of computer power will be able to determine which of
2**(8*1GB) possible messages were stored given less than all N of
the memory sticks if you used truly random bits.

Use of more than 2 memory sticks tends to cover possible slight
biases in your random-number generation, and it makes it much harder
to steal all the memory sticks.

>My point of view is that brute force attacks will be the weakest point
>of the chain per excellence, by using a secret keyfile I eliminate that
>weak point, now what I need to establish is if the AES algorythm is
>good enough to resist 50 years. I thought it was because everyone says,
>but then they said the same of DES.

The One Time Pad can. Do not accept substitutes pushed by "adacrypt".

David Eather

unread,
Jun 28, 2009, 3:47:31 AM6/28/09
to
The above paragraph is simply incorrect rubbish. Straightening out your
faulty concepts would take a long time and is probably not possible for
an outsider - hence you need to the basic concepts.

I'm sorry if that is hard for you to take - but it is true.

Joseph Ashwood

unread,
Jun 28, 2009, 3:50:40 AM6/28/09
to
"Dimona" <m...@mmm.mmm> wrote in message news:h26tf2$57j$1...@news.mixmin.net...

> on 28/06/2009, Joseph Ashwood supposed :
>> Good luck or lots of money, you'll need at least one.
>> Joe

> I am making the conclusion that the claims that certain algorythms make to
> be uncrackable it is actually bullshit then.

That much is true, the only exception is the One Time Pad, but that is
generally considered completely impractical.

> My point of view is that brute force attacks will be the weakest point of
> the chain

That will absolutely be incorrect. In a different sub-thread you said "Brute
force attacks use dictionary words" that could be the source of the
misunderstanding. Brute force attacks try every key until they reach the
correct one, cryptanalysis can be considered to be simply a method of
determining an optimum order to test keys in. Dictionary attacks use
dictionary words, and are one optimization that can be used.

Any reasonable attack on the system will not be brute force, if your
passphrase is the weakest point, then a dictionary attack will be used, if
whirlpool has weaknesses then the attacker will begin there, if AES has
holes the attacker will attack AES directly. One of the fundamental rules is
that the attacker will do what is best for the attacker, very often this is
what is worst for you.

> per excellence, by using a secret keyfile I eliminate that weak point,

All you do is move the problem, how do you protect the keyfile?

> now what I need to establish is if the AES algorythm is good enough to
> resist 50 years. I thought it was because everyone says, but then they
> said the same of DES.

Until you do the analysis, there is no way of knowing.
Joe

rossum

unread,
Jun 28, 2009, 4:43:51 AM6/28/09
to
On Sun, 28 Jun 2009 07:09:26 +0200, Dimona <m...@mmm.mmm> wrote:

>> > My thinking is that while the alphabet has a limit, keyfiles do not,
>> > they are infinite, therefore any brute force attack will be useless
>> > unless they know what keyfiles to use, with the alphabet however there
>> > are only so many letters that can be used.
>>
>> is high class gibberish.
>>
>> You will need to learn some basic crypto concepts so you can both see the
>> problem correctly and ask a meaningful question.
>
>Brute force attacks use dictionary words,

No. A Dictionary Attack uses dictionary words, and common variants
thereof: pillow, p1llow, pill0w, ...

A Brute Force attack uses all possible bit patterns without reference
to any dictionary: 0x000...000, 0x000...001 -> 0xFFF...FFF

As others have said you need to learn more about baasic cryptography.

rossum

Peter Lind

unread,
Jun 28, 2009, 6:31:33 AM6/28/09
to

Unless you work for some company that needs to protect some trade
secrets or similar, I can not come up with a single thing that is worth
preserving for 50 years unless it is memorabilia - but then why encrypt it?

Sensitive data is usually handled by governments and agencies who are
more capable of - and have protocols for this.

If it is to keep others from knowing about some secret. Then why not
just destroy it. Problem solved. I can't imagine anything on a computer
that is in use today - as still being useful in 50 years.

So Either it is not even nessecary to keep the data for 50 years, or it
is something illegal =)

Maaartin

unread,
Jun 28, 2009, 9:37:09 AM6/28/09
to graj...@seznam.cz
> why not rent a bankvault if you really have something worth protecting for 50 years

Are you kidding? Would your really trust any bank? For 50 years?

> > Will key files guarantee me protection agains brute force attacks for
> > the next 50 years?

> is meaningless, and -

I disagree slightly. The question shows that he doesn't understand
much, but can be answered:
1. Yes: The number of entropy in a 1kB key file is more than
sufficient until the universe collapses, provided the file is
generated really randomly.
2. No: For the guarantee you need to use it properly. For example,
with AES you use only 256 key bits, which may be enought for 50 years
or not.
3. No: For any guarantee you need some understanding of the subject.

> > are only so many letters that can be used.

> is high class gibberish.

Right. But he probably means that using an alphabet means less
information.
That's obviously wrong, one letter contains less information than 1
byte, but sufficiently long random passphrase is as strong as a
keyfile.
He only needs to know how long the passphrase shoud be in order to get
the 330 bits mentioned below.

> > I am using Truecrypt with the AES algorythm and Whirlpool for this.

> The odds are VERY high that neither of those will last 50 years

IMHO, you'd need a very heavy weakness in the hash in order to get
problems with it in Truecrypt.
Maybe somebody'll correct me, but I can't imagine it could happen.

> if you hide the keyfile you thwart all
> brute force attacks because the keyfile will always be missing from the
> possible combinations.

You surely mean dictionary attacks.

> > I am making the conclusion that the claims that certain algorythms make to
> > be uncrackable it is actually bullshit then.

It depends on what uncrackable mean.
Do you want me to give you all my passwords and PINs in an encrypted
file?
No problem, you can try to find somebody to crack it, but the cost'll
be much higher than the gain.

> I can not come up with a single thing that is worth preserving for 50 years

Neither I can, but I can easily imagine many things which I don't want
to be REVEALED, even not in 50 years.

> Straightening out your faulty concepts would take a long time

Sure, but he isn't going to be a cryptographer, just a user. So he
needs wo know:
1. What program to use.
2. What options to use.
3. How to create the passphrase and/or the key file.
4. How to remember/store it.

My (surely not precise as I'm no expert at all) answer is:
1. Truecrypt.
2. For more security than 256 bits you need a cascade cipher.
3. This requires a long answer and good understanding. Start e.g. with
Diceware.
4. I can't imagine to remember a passphrase for 50 years.

Dimona

unread,
Jun 28, 2009, 2:28:28 PM6/28/09
to
> Unless you work for some company that needs to protect some trade secrets or
> similar, I can not come up with a single thing that is worth preserving for
> 50 years unless

I read your first reply and I decided to ignore it because that is not
the point, if you feel I am after something illegal then simply skip
the question that is it, but I will make an exception so you stop
insisting over this.

First of all it could be perfectly possible that I live in under some
oppresive regime (Iran,China,etc) and I want to protect data from them
for the rest of my life..

But the reality is that I live in a relatively free speech country, my
reason for wanting to protect private data for 50 years is simple,
PARANOIA, I am entitled to have it as much as you are entitled to have
your own personal paranoia about someone using encryption because
he/she is up to something bad.


Paul Rubin

unread,
Jun 28, 2009, 2:38:30 PM6/28/09
to
Dimona <m...@mmm.mmm> writes:
> But the reality is that I live in a relatively free speech country, my
> reason for wanting to protect private data for 50 years is simple,
> PARANOIA, I am entitled to have it as much as you are entitled to have
> your own personal paranoia about someone using encryption because
> he/she is up to something bad.

Nothing wrong with paranoia (at least here on sci.crypt, where we like
paranoia). But you probably have key management and data preservation
problems that are worse than the algorithm problems, not that anyone
can make guarantees about algorithms. A few things to think about:

1) How much data are you trying to encrypt? A few kilobytes of text
documents? A few megabytes? Your whole multi-GB hard drive? There's
not even a really reliable way to preserve GB's of data for 50 years
without needing regular attention by copying to new media once in a
while. If it's a few gb or mb, that's not as bad--you can print it
out on paper or microfilm or some such.

2) Unless you're planning to still be around in 50 years, your
intention must be for someone else to decrypt the data after you are
gone. What makes you think they will actually care about this data?
Why not just give it to them now instead of waiting 50 years?

Dimona

unread,
Jun 28, 2009, 2:48:05 PM6/28/09
to
> Sure, but he isn't going to be a cryptographer, just a user. So he
> needs wo know:
> 1. What program to use.
> 2. What options to use.
> 3. How to create the passphrase and/or the key file.
> 4. How to remember/store it.
>
> My (surely not precise as I'm no expert at all) answer is:
> 1. Truecrypt.
> 2. For more security than 256 bits you need a cascade cipher.
> 3. This requires a long answer and good understanding. Start e.g. with
> Diceware.
> 4. I can't imagine to remember a passphrase for 50 years.

That was very useful and easy to understand for a non technical
persorn, it seems the choice of software matches the one I had in mind.

Would a combination of AES-TWOFISH (included in Truecrypt) be
considered a cascade cipher?

I have googled this term and I mostly got definitions that I did not
understand (ie keys of the component ciphers are independent)

I have also come accross a Wikipedia term, "Superencryption"
(http://en.wikipedia.org/wiki/Superencipherment):

"Superencryption is the process of encrypting an already encrypted
message one or more times, either using the same or a different
algorithm."

They are basically suggesting that encrypting again something already
encrypted it is safer.


Dimona

unread,
Jun 28, 2009, 3:05:16 PM6/28/09
to
>
> 1) How much data are you trying to encrypt? A few kilobytes of text
> documents? A few megabytes? Your whole multi-GB hard drive? There's
> not even a really reliable way to preserve GB's of data for 50 years
> without needing regular attention by copying to new media once in a
> while. If it's a few gb or mb, that's not as bad--you can print it
> out on paper or microfilm or some such.

A 500GB external disk, I know, in as little as five years the eSata
connexion will be outdated, holographic data storage will probably be
the norm, and the HDD will certainly fail in less than 50 years, the
idea is to keep updating the media every ten years.

The whole point of encryption is to make sure that nobody will access
the data if for example, I lose it in 5 years, and then they try to
crack it in 40 years time with the new methods/computers available.

>
> 2) Unless you're planning to still be around in 50 years, your
> intention must be for someone else to decrypt the data after you are
> gone. What makes you think they will actually care about this data?
> Why not just give it to them now instead of waiting 50 years?

My thinking is that things never go according to plan, something
planned to resist 50 years secure will only last 20 years, better to
allow for a leeway, hence 50 years, but statiscally speaking
(country,age,obesity, smoking,etc) I should die in around 25 years.

I do not really need a 50 years encryption guarantee, I need the kind
of encryption that will last the longer uncracked, I took 50 years as
something ideal, did not go for 100 years because it probably would
have raised a few eyebrows.


Paul Rubin

unread,
Jun 28, 2009, 3:27:54 PM6/28/09
to
Dimona <m...@mmm.mmm> writes:
> Would a combination of AES-TWOFISH (included in Truecrypt) be
> considered a cascade cipher?

Yes.

> I have googled this term and I mostly got definitions that I did not
> understand (ie keys of the component ciphers are independent)

It just means use separately generated keys for the two ciphers. Don't
use the same key for both.

> I have also come accross a Wikipedia term, "Superencryption"
> (http://en.wikipedia.org/wiki/Superencipherment):

That article is pretty bad but it conveys the general idea ok.

Working cryptographers tend to be skeptical of superencryption. The
idea is that if one cipher isn't strong enough against some known or
foreseeable form of cryptanalysis, then rather than combining it with
another cipher for more strength, don't use it in the first place. On
the other hand, if you're concerned about unforeseen breakthroughs,
those breakthroughs might work on both ciphers so you're screwed
whether or not you use superencryption.

Dimona

unread,
Jun 28, 2009, 4:00:00 PM6/28/09
to
It happens that Paul Rubin formulated :

> Dimona <m...@mmm.mmm> writes:
>> Would a combination of AES-TWOFISH (included in Truecrypt) be
>> considered a cascade cipher?
>
> Yes.
>

Would a combination of three ciphers (maximum allowed by Truecrypt) be
better than two?


Peter Lind

unread,
Jun 28, 2009, 5:41:28 PM6/28/09
to
Dimona wrote:
> I read your first reply and I decided to ignore it because that is not
> the point, if you feel I am after something illegal then simply skip the
> question that is it, but I will make an exception so you stop insisting
> over this.
>
> First of all it could be perfectly possible that I live in under some
> oppresive regime (Iran,China,etc) and I want to protect data from them
> for the rest of my life..
>
> But the reality is that I live in a relatively free speech country, my
> reason for wanting to protect private data for 50 years is simple,
> PARANOIA, I am entitled to have it as much as you are entitled to have
> your own personal paranoia about someone using encryption because he/she
> is up to something bad.
>
>

Well, if you're paranoid then why not just get rid of it? The best way
to protect someone from getting at some data is to destroy it. You make
it sound as though that data will stay encrypted and unusued. =)

I'm just curious as to what might be so important as to have it
withstand 50 years (which I think = nothing). So excuse me if I am being
too agressive.

Peter Lind

unread,
Jun 28, 2009, 5:45:51 PM6/28/09
to
Dimona wrote:
>...

> The whole point of encryption is to make sure that nobody will access
> the data if for example, I lose it in 5 years, and then they try to
> crack it in 40 years time with the new methods/computers available.
>...

Who "they"? You make it sound like a james bond movie. Are you sure you
should be handling this supposed information if it indeed is SO
SENSITIVE? How can you yourself, be trusted with it?

BTW: None of my comments are to be taken as attacks, I am merely writing
my thoughts on this =)

Maaartin

unread,
Jun 28, 2009, 6:40:23 PM6/28/09
to graj...@seznam.cz
> Would a combination of AES-TWOFISH (included in Truecrypt) be considered a cascade cipher?

Sure, http://www.truecrypt.org/docs/?s=cascades

> I have googled this term and I mostly got definitions that I did not
> understand (ie keys of the component ciphers are independent)

That's simple:
1. In case of Truecrypt: The keys are independent only in the sense
that they're all derived by a secure method from you key.
But that should be fine.
2. Only in case of independent keys there's a proof that cascade is at
least as good as the best cipher included.

> Would a combination of three ciphers (maximum allowed by Truecrypt) be
> better than two?

Sure, but according to
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security
+ The design and strength of all key lengths of the AES algorithm
(i.e., 128, 192 and 256) are sufficient to protect classified
information up to the SECRET level. TOP SECRET information will
require use of either the 192 or 256 key lengths.
So, are you sure, you need more than top secret?
Do you think, there's no point weaker than the cipher?
OTOH, on my new computer there's no need to use anything weaker than
three ciphers in chain, the CPU is mostly idle, anyway.

> I'm just curious as to what might be so important as to have it
> withstand 50 years (which I think = nothing).

Maybe I haven't read it carefully enough, but I see no statement about
the necessity of *preservation* of the data in 50 years.
The OP only requires it to stay *secret* that long. Or did I
misunderstood him or you?

A simple example: Imagine I get some personal data of my customers.
I'm forced by law to keep it secret and there's no mitigation allowing
me to publish it after 10 years. Well, using encryption good enough
for top secret must be good enough, but there's an old german saying
"we are all in the hands of God, whether at sea or in court".

Peter Lind

unread,
Jun 28, 2009, 8:22:16 PM6/28/09
to

You cant have a secret without preserving it also. Otherwise it gets lost.

He stated that he need it to be very secure (he used 50 years as a gauge
of something being very secure) because he is paranoid about people
decrypting the data. So it can't be because he is forced to by law.

He also mentioned "they" which leads one to believe that someone has an
interest in what he has encrypted. I don't believe a normal everyday
person has anything that "they" would really want to spend years of
effort to crack. Unless it is something that you are not supposed to be
in possession of in the first place...

Message has been deleted

Dimona

unread,
Jun 29, 2009, 12:28:50 AM6/29/09
to
Maaartin was thinking very hard :

>> Would a combination of AES-TWOFISH (included in Truecrypt) be considered a
>> cascade cipher?
>
> Sure, http://www.truecrypt.org/docs/?s=cascades
>

In case anyone is interested, while researching the subject I came
accross a useful link: "Risks of using cryptographic software and
possible ways of data leaks"

http://diskcryptor.net/index.php/CryptoUsageRisks_en

Extract:

" However, speaking in regards to the well studied ciphers, such as
AES, Twofish, Serpent, there is extremely little chance, that they will
be broken in the next 10 years"

I have also now remembered that Truecrypt full disk encryption of your
OS does not allow for cascade mode, only AES256 is possible.


Mateusz Stankiewicz

unread,
Jun 29, 2009, 10:35:25 AM6/29/09
to
Dimona writes:
> Would a combination of three ciphers (maximum allowed by Truecrypt) be
> better than two?

I think that answer above your post is also valid for this question. In
my opinion it would be much slower but I think it wouldn't matter for
storing data for very long time.
Let's say that we use three ciphers each with separate 128bit key which
gives us 384 bits. Quite unbreakeable by brute-forcing but why use three
ciphers? Is one not enough?

Joseph Ashwood

unread,
Jun 29, 2009, 5:23:11 AM6/29/09
to
"Dimona" <m...@mmm.mmm> wrote in message news:h29ftv$7va$1...@news.mixmin.net...

> http://diskcryptor.net/index.php/CryptoUsageRisks_en
>
> Extract:
>
> " However, speaking in regards to the well studied ciphers, such as AES,
> Twofish, Serpent, there is extremely little chance, that they will be
> broken in the next 10 years"

And just to throw doubt on the whole thing "AES-256 is Not Ideal" Alex
Biryukov, et al
Eurocrypt 2009 Rump session
28 April 2009

So there is already some leverage on AES-256, until you actually do the
math, you won't know if this matters.
Joe

Jean-Marc Desperrier

unread,
Jul 3, 2009, 5:33:16 AM7/3/09
to
Joseph Ashwood wrote:
> Looking back to the absolute state-of-the-art knowledge just 32 years
> ago (DES and original RSA publication), very little of that safety
> exists today.
>
>> I am using Truecrypt with the AES algorythm and Whirlpool for this.
>
> The odds are VERY high that neither of those will last 50 years

I disagree with your consideration. If she had encrypted that text 35
years ago with the original Lucifer implementation with a 128 bits key,
it would still be secure today, under the reasonable scenario that the
attacker would not have available the number of "clear text"/"encrypted
text" pairs needed to use a differential attack on it.

If we have gained something during those years, it's a much better
understanding of the key size needed for long term cryptography, but
even back then, the weakest point of DES, the use of 56 bits keys, the
one that would be used if we were to break it today was a *deliberate*
weakening of the algorithm.

And for RSA, we're still using it today, and we'll still be using it 50
years after the publication, so the only problem is the proper choice of
key size.

Joseph Ashwood

unread,
Jul 3, 2009, 6:06:48 AM7/3/09
to
"Jean-Marc Desperrier" <jmd...@alussinan.org> wrote in message
news:h2kiq7$sp8$1...@writer.imaginet.fr...

> Joseph Ashwood wrote:
>> Looking back to the absolute state-of-the-art knowledge just 32 years
>> ago (DES and original RSA publication), very little of that safety
>> exists today.
>>
>>> I am using Truecrypt with the AES algorythm and Whirlpool for this.
>>
>> The odds are VERY high that neither of those will last 50 years
>
> I disagree with your consideration.

Actually I can safely say that 256-bit AES did not remain unbroken for even
50 hours from my statement, let alone 50 years. I didn't expect it to be so
fast, but it certainly proves my point that it was very unlikely that it
would survive for 50 years. It may still be secure enough, but it still did
not last 50 years before being broken.
Joe

Kristian Gj�steen

unread,
Jul 3, 2009, 7:10:04 AM7/3/09
to
Joseph Ashwood <ash...@msn.com> wrote:
>Actually I can safely say that 256-bit AES did not remain unbroken for even
>50 hours from my statement, let alone 50 years.

As far as I can tell, AES-256 is "broken" in the sense that it does not
behave like an ideal cipher. This is interesting, because as far as I've
understood, this was essentially one of the design goals. It is not broken
in the sense that it can be distinguished from pseudo-random permutations.

And for most practical applications, we only need AES to look like a
pseudo-random permutation.

--
Kristian Gj�steen

Tom St Denis

unread,
Jul 3, 2009, 8:26:24 AM7/3/09
to

This is a very selective interpretation though. It's broken in the
unlikely scenario that you

a) allow someone to encrypt/decrypt with 4 highly related keys
b) allow someone to send through 2^61 texts
c) have the memory and time to handle all this. Remember that with
large memories as time goes up the probability of failing to complete
the attack goes up as well.
d) Have 2^119 time to process the results.

If I send you a message encrypted with AES-256-CTR that is 1000 bytes
long, currently there is no break [on the algorithm] faster than brute
force. At most, if people really cared [which I don't suggest they
should] they could replace the key schedule with something a bit more
secure.

Tom

Jean-Marc Desperrier

unread,
Jul 3, 2009, 9:49:32 AM7/3/09
to
Joseph Ashwood wrote:
> Actually I can safely say that 256-bit AES did not remain unbroken for
> even 50 hours from my statement, let alone 50 years.

https://cryptolux.org/mediawiki/uploads/1/1a/Aes-192-256.pdf
ᅵ both our attacks are still mainly of theoretical
interest and do not present a threat to practical applications using AES. ᅵ

> It may still be secure enough, but it still did not last 50 years before being broken.

My response was very clearly oriented toward practical, and not
theoretical attacks.

Joseph Ashwood

unread,
Jul 3, 2009, 11:20:07 PM7/3/09
to

"Kristian Gj�steen" <kristi...@math.ntnu.no> wrote in message
news:h2kouc$v1u$1...@orkan.itea.ntnu.no...
"Tom St Denis" <t...@iahu.ca> wrote in message
news:85e57b7d-00a4-49bb...@l31g2000yqb.googlegroups.com...


"Jean-Marc Desperrier" <jmd...@alussinan.org> wrote in message

news:h2l1qm$3i2$1...@writer.imaginet.fr...
> [it's theoretical, requires extra assumptions, etc]

Yes, the new attack is theoretical for now, but it is still now weaker than
128-bit AES. This does not affect the fact that 256-bit AES now cannot be
considered as secure for 50 years, a week ago it could be speculated, today
it is known to not be enough. We can debate all day about whether or not
2^119 is sufficient for todays needs, or if the extra needs of the attack
are sufficient to ignore the reality, but the general recommendations are
that the equivalent of a 119 bit key is only good until 2030 to 2040, well
before the 2059 target, and it is below the current recommendations for
security (generally 128-bit).

Based on the overwhelming evidence, I conclude that for new implementations
it should be considered broken. It does not need to be removed from current
implementations, but it did not last even 50 hours from my referenced
comment.
Joe

Andrew Swallow

unread,
Jul 5, 2009, 4:43:09 PM7/5/09
to

119 bits of password is insufficient to protect US (and British)
Government TOP SECRET military and diplomatic messages.
There is no evidence that existing messages have been
compromised.

AES-256 is probably still adequate for SECRET messages.

Over the next couple of years the National Security Agency needs to
a) officially strip AES-256 of its TOP SECRET authorisation and
b) develop a replacement. (Possibly by competition.)

DES was replaced by 3DES. As a temporary measure can
3AES-256 be used?

Andrew Swallow

Paul Rubin

unread,
Jul 5, 2009, 4:54:38 PM7/5/09
to
Andrew Swallow <am.sw...@btinternet.com> writes:
> DES was replaced by 3DES. As a temporary measure can 3AES-256 be used?

Huh? This AES attack is a related-key attack. Sensible crypto
applications use random keys, not related keys. Has any even
certificational weakness been found in AES as a pseudorandom
permutation, assuming the keys are random?

Maaartin

unread,
Jul 6, 2009, 9:06:48 AM7/6/09
to graj...@seznam.cz
On Jul 4, 5:20 am, "Joseph Ashwood" <ashw...@msn.com> wrote:
> Yes, the new attack is theoretical for now, but it is still now weaker than
> 128-bit AES.

Is it? I don't know, it is applicable only under some very special
conditions. AES128 has no such weakness, but in general I'd suppose
AES256 to be still stronger (when used properly). Am I right?

Thomas Pornin

unread,
Jul 6, 2009, 11:41:22 AM7/6/09
to
According to Maaartin <graj...@seznam.cz>:

> Is it? I don't know, it is applicable only under some very special
> conditions. AES128 has no such weakness, but in general I'd suppose
> AES256 to be still stronger (when used properly). Am I right?

Both AES-128 and AES-256 are resilient to today's knowledge and
technology. Is AES-256, that you cannot practically break, really
"stronger" than AES-128, which you cannot practically break either ?

To consider AES-128 as strictly stronger, or strictly weaker, than
AES-256, then you must be using a technology setup which can break one
and not the other (or not as fast). By definition, such hypothetical
technology is considerably more advanced than what we have right now,
and betting on what that technology looks like is kind of risky. In
other words, as of 2009 and for the foreseeable future, AES-128 and
AES-256 have exactly the same "strength", i.e. they cannot be broken in
any practical situation (which means that if an AES-based system is
successfully attacked, then the weakness is not in the AES itself, but
in the way it is used).

On the other hand, AES-256 is 40% slower than AES-128 for the same
amount of processed data, and there are real and practical situations
where those 40% are both measurable and important.


--Thomas Pornin

Kristian Gj�steen

unread,
Jul 6, 2009, 6:11:51 PM7/6/09
to
Joseph Ashwood <ash...@msn.com> wrote:
>"Kristian Gj�steen" <kristi...@math.ntnu.no> wrote in message
>news:h2kouc$v1u$1...@orkan.itea.ntnu.no...
>> [it's theoretical, requires extra assumptions, etc]

In general, you'll be better off if you actually read what I write.

[snip nonsense response]

--
Kristian Gj�steen

giorgio.tani

unread,
Jul 7, 2009, 9:40:08 AM7/7/09
to
As other rightly pointed out, the most years we try to look in the
future the less accurate the guess may be, and 50 years in information
technology is a huge time span... a lot of unthinkable (but
mathematically posible!) things may happen, and a lot of thinkable,
known technologies can bring predicatble or less predictable fruits.
The first challange here is to guarantee you will have all what is
needed to handle the data in 2059, which means working hardware and
software, the password and the keyfile: it's not trivial at all.
As for the encryption, the only future-proof algorithm, because it is
provably unconditionally secure, is OTP, but it needs a good RNG
hardware to generate the pad, and (what is more demanding) it needs
the key is securely handled and never reused during the entire life
span of the encrypted data... and it is not trivial at all because if
we think to theoretical attackers capable of multibillion investiments
to attempt to computationally crack the encryption, they can do a lot
of things in physical world to get the pad with far less money!
For simmetric encryption as used in Truecrypt, for what we may guess
(which means, it is not guaranteed in any way!) in 50 years 128 bit
simmetric encryption MAY be not enough, but 256 bit MAY still be ok
providing the algorithm is not broken or badly weakened (attacks
exists, and are feasible on your data, which reduces the complexity of
attack to a computationally feasible amount), triple encryption should
guarantee a good increase of security, even not as much as a cypher
with triple key size.
But the weakest link in the chain of security, as you correctly
guessed, is in first place keying the encryption with enough matherial
to withstand some cracking: passwords are generally not very good at
that, because can be rubberhoused, guessed with social enginering,
forced by dictionary attacks etc.
Chosing a good password in first place is a good security measure,
something long enough, not easy to be related to the user, and not to
be found on a dictionary... but since it must be remebered (for 50
years!) it should also be simple and meaningful enough, o so keyfile
can be helpful here, providing you can store them secretly for the
needed time (the size, unlike OTP's pad, make it somewhat easier to
hide it).
But after the 50 years you will need both to be able to recover the
keyfile AND to remember the password, since none of the two factors of
authentication will be suffcient alone to decrypt the data!

jandersonlee

unread,
Jul 8, 2009, 12:37:08 PM7/8/09
to
On Jul 7, 6:40 am, "giorgio.tani" <giorgiot...@interfree.it> wrote:
> As for the encryption, the only future-proof algorithm, because it is
> provably unconditionally secure, is OTP, but it needs a good RNG
> hardware to generate the pad,

I assume you mean a suitably unbiased physical RNG not a
pseudo-RNG. Using a pseudo-RNG would be the same as a stream
cipher after all.

> and (what is more demanding) it needs
> the key is securely handled and never reused during the entire life
> span of the encrypted data...

Therein lies the rub. Now you have *two* pieces of data such that the
possession of both allows recovery of the data and the loss of either
negates the possibility of recovering it. Assuming that one (the
encrypted
data) is protected by publication/replication, the OTP must be guarded
as carefully as the original plain text. In essence, you are no more
secure
than before -- in fact slightly less so.

Thus an OTP is most useful when data must be transferred via an
insecure
exchange between two parties who also have (a) at some point in the
past had a
secure channel to exchange the OTP, and (b) physical security of the
OTP.

Protecting data across time is a slightly different problem. For that
a
stream cipher (or multiple composed stream ciphers with differing
keys)
seems more appropriate. Check out the ECRYPT/eSTREAM project for
Salsa20, Rabbit, HC-256, et al.

0 new messages