My main concern is that computer hardware and software advances will
have been overwhelming in 20 years from now on, and I am concerned
about brute force attacks, I have of course choosen a long passphrase
but even so, my question is.
Will key files guarantee me protection agains brute force attacks for
the next 50 years?
My thinking is that while the alphabet has a limit, keyfiles do not,
they are infinite, therefore any brute force attack will be useless
unless they know what keyfiles to use, with the alphabet however there
are only so many letters that can be used.
I am using Truecrypt with the AES algorythm and Whirlpool for this.
And also, if you are storing the information on any media like DVD, USB
keys etc. then what if they break/become corrupt etc. which could happen
in 50 years. You would have to make new copies every few years or something.
Most of your post is meaningless or gibberish. For example -
> Will key files guarantee me protection agains brute force attacks for
> the next 50 years?
is meaningless, and -
> My thinking is that while the alphabet has a limit, keyfiles do not,
> they are infinite, therefore any brute force attack will be useless
> unless they know what keyfiles to use, with the alphabet however there
> are only so many letters that can be used.
is high class gibberish.
You will need to learn some basic crypto concepts so you can both see
the problem correctly and ask a meaningful question.
Nobody knows. And even if they do, how will you keep the key file
secret for 50 years? If you have a method to keep the key file secret
for that long, why not just use the same method to keep the plaintext
secret, and not bother with encryption?
Worse, the DVD, USB stick, etc. could be perfectly fine: and you have
nothing that can read it. Memory crystals don't use electricity.
>You would have to make new copies every few years or something.
You'll probably have that problem ANYWAY, even if you change the security
requirement to a data preservation requirement and start by sending a
copy to everyone, and putting copies on every space launch..
Taken in isolation, that question can be answered, a 384-bit key is
sufficient to resist a brute-force attack for the entire existence of the
universe (actually its about 330-bits, but 384 is rounder for computers).
But this does not answer your real question. Your real question is, what
will be secure in 50 years? History is not kind to this question. Looking
back to the absolute state-of-the-art knowledge just 32 years ago (DES and
original RSA publication), very little of that safety exists today.
> I am using Truecrypt with the AES algorythm and Whirlpool for this.
The odds are VERY high that neither of those will last 50 years, in truth we
have little confidnce of what will be necessary to last the next 5 years
undisturbed.
What I would recommend is to perform an analysis based on the value of the
information, build a depreciation/appreciation schedule for it, assume a
cost and computation model for the future of computers, assume an erosion
rate for th cipher(s). From there that will tell you how which ciphers will
be safe enough.
Good luck or lots of money, you'll need at least one.
Joe
I am making the conclusion that the claims that certain algorythms make
to be uncrackable it is actually bullshit then.
A real quality encryption algorythm will be made future proof against
the expected computer power improvements.
My point of view is that brute force attacks will be the weakest point
of the chain per excellence, by using a secret keyfile I eliminate that
weak point, now what I need to establish is if the AES algorythm is
good enough to resist 50 years. I thought it was because everyone says,
but then they said the same of DES.
Brute force attacks use dictionary words, if a given encryption
software can have a maximum of for example, 64 characters, given enough
time to try all combinations you will crack it.
But you can not succesfully brute force a password unless you have a
list of the possible passwords, if you hide the keyfile you thwart all
brute force attacks because the keyfile will always be missing from the
possible combinations.
Some sensitive information? The quantity of it makes all the
difference. There are many ways to be really secure for a limited
amount of information, less for more generally speaking. Then, there
are other ways...
Both of your choices you gave yourself tend to be bad ones. Then,
there are other ways...
The One Time Pad can make this claim. Others (AES, DES, RSA,
Adacrypt, etc.) can't.
>A real quality encryption algorythm will be made future proof against
>the expected computer power improvements.
Assume your secret is 1GB long.
Take N 1GB USB sticks (N >= 2). Using truly random processes,
generate 1GB of truly random bits for each of N-1 memory sticks.
(Note: computers do not generate random bits, although they might
have hardware peripherals that can generate random bits.) Bitwise
XOR your secret with each of the sets of random bits on the N-1
memory sticks, and put the result on the last memory stick. Put
these memory sticks in widely-dispersed places, preferably those
under the combined control of more than 10 unique governments, and
if you can arrange it, don't put them all on Earth.
To decrypt, bitwise XOR all N of the memory sticks (lose one and
you're screwed!) together, in no particular order. You get the
secret back.
No amount of computer power will be able to determine which of
2**(8*1GB) possible messages were stored given less than all N of
the memory sticks if you used truly random bits.
Use of more than 2 memory sticks tends to cover possible slight
biases in your random-number generation, and it makes it much harder
to steal all the memory sticks.
>My point of view is that brute force attacks will be the weakest point
>of the chain per excellence, by using a secret keyfile I eliminate that
>weak point, now what I need to establish is if the AES algorythm is
>good enough to resist 50 years. I thought it was because everyone says,
>but then they said the same of DES.
The One Time Pad can. Do not accept substitutes pushed by "adacrypt".
I'm sorry if that is hard for you to take - but it is true.
> I am making the conclusion that the claims that certain algorythms make to
> be uncrackable it is actually bullshit then.
That much is true, the only exception is the One Time Pad, but that is
generally considered completely impractical.
> My point of view is that brute force attacks will be the weakest point of
> the chain
That will absolutely be incorrect. In a different sub-thread you said "Brute
force attacks use dictionary words" that could be the source of the
misunderstanding. Brute force attacks try every key until they reach the
correct one, cryptanalysis can be considered to be simply a method of
determining an optimum order to test keys in. Dictionary attacks use
dictionary words, and are one optimization that can be used.
Any reasonable attack on the system will not be brute force, if your
passphrase is the weakest point, then a dictionary attack will be used, if
whirlpool has weaknesses then the attacker will begin there, if AES has
holes the attacker will attack AES directly. One of the fundamental rules is
that the attacker will do what is best for the attacker, very often this is
what is worst for you.
> per excellence, by using a secret keyfile I eliminate that weak point,
All you do is move the problem, how do you protect the keyfile?
> now what I need to establish is if the AES algorythm is good enough to
> resist 50 years. I thought it was because everyone says, but then they
> said the same of DES.
Until you do the analysis, there is no way of knowing.
Joe
>> > My thinking is that while the alphabet has a limit, keyfiles do not,
>> > they are infinite, therefore any brute force attack will be useless
>> > unless they know what keyfiles to use, with the alphabet however there
>> > are only so many letters that can be used.
>>
>> is high class gibberish.
>>
>> You will need to learn some basic crypto concepts so you can both see the
>> problem correctly and ask a meaningful question.
>
>Brute force attacks use dictionary words,
No. A Dictionary Attack uses dictionary words, and common variants
thereof: pillow, p1llow, pill0w, ...
A Brute Force attack uses all possible bit patterns without reference
to any dictionary: 0x000...000, 0x000...001 -> 0xFFF...FFF
As others have said you need to learn more about baasic cryptography.
rossum
Unless you work for some company that needs to protect some trade
secrets or similar, I can not come up with a single thing that is worth
preserving for 50 years unless it is memorabilia - but then why encrypt it?
Sensitive data is usually handled by governments and agencies who are
more capable of - and have protocols for this.
If it is to keep others from knowing about some secret. Then why not
just destroy it. Problem solved. I can't imagine anything on a computer
that is in use today - as still being useful in 50 years.
So Either it is not even nessecary to keep the data for 50 years, or it
is something illegal =)
Are you kidding? Would your really trust any bank? For 50 years?
> > Will key files guarantee me protection agains brute force attacks for
> > the next 50 years?
> is meaningless, and -
I disagree slightly. The question shows that he doesn't understand
much, but can be answered:
1. Yes: The number of entropy in a 1kB key file is more than
sufficient until the universe collapses, provided the file is
generated really randomly.
2. No: For the guarantee you need to use it properly. For example,
with AES you use only 256 key bits, which may be enought for 50 years
or not.
3. No: For any guarantee you need some understanding of the subject.
> > are only so many letters that can be used.
> is high class gibberish.
Right. But he probably means that using an alphabet means less
information.
That's obviously wrong, one letter contains less information than 1
byte, but sufficiently long random passphrase is as strong as a
keyfile.
He only needs to know how long the passphrase shoud be in order to get
the 330 bits mentioned below.
> > I am using Truecrypt with the AES algorythm and Whirlpool for this.
> The odds are VERY high that neither of those will last 50 years
IMHO, you'd need a very heavy weakness in the hash in order to get
problems with it in Truecrypt.
Maybe somebody'll correct me, but I can't imagine it could happen.
> if you hide the keyfile you thwart all
> brute force attacks because the keyfile will always be missing from the
> possible combinations.
You surely mean dictionary attacks.
> > I am making the conclusion that the claims that certain algorythms make to
> > be uncrackable it is actually bullshit then.
It depends on what uncrackable mean.
Do you want me to give you all my passwords and PINs in an encrypted
file?
No problem, you can try to find somebody to crack it, but the cost'll
be much higher than the gain.
> I can not come up with a single thing that is worth preserving for 50 years
Neither I can, but I can easily imagine many things which I don't want
to be REVEALED, even not in 50 years.
> Straightening out your faulty concepts would take a long time
Sure, but he isn't going to be a cryptographer, just a user. So he
needs wo know:
1. What program to use.
2. What options to use.
3. How to create the passphrase and/or the key file.
4. How to remember/store it.
My (surely not precise as I'm no expert at all) answer is:
1. Truecrypt.
2. For more security than 256 bits you need a cascade cipher.
3. This requires a long answer and good understanding. Start e.g. with
Diceware.
4. I can't imagine to remember a passphrase for 50 years.
I read your first reply and I decided to ignore it because that is not
the point, if you feel I am after something illegal then simply skip
the question that is it, but I will make an exception so you stop
insisting over this.
First of all it could be perfectly possible that I live in under some
oppresive regime (Iran,China,etc) and I want to protect data from them
for the rest of my life..
But the reality is that I live in a relatively free speech country, my
reason for wanting to protect private data for 50 years is simple,
PARANOIA, I am entitled to have it as much as you are entitled to have
your own personal paranoia about someone using encryption because
he/she is up to something bad.
Nothing wrong with paranoia (at least here on sci.crypt, where we like
paranoia). But you probably have key management and data preservation
problems that are worse than the algorithm problems, not that anyone
can make guarantees about algorithms. A few things to think about:
1) How much data are you trying to encrypt? A few kilobytes of text
documents? A few megabytes? Your whole multi-GB hard drive? There's
not even a really reliable way to preserve GB's of data for 50 years
without needing regular attention by copying to new media once in a
while. If it's a few gb or mb, that's not as bad--you can print it
out on paper or microfilm or some such.
2) Unless you're planning to still be around in 50 years, your
intention must be for someone else to decrypt the data after you are
gone. What makes you think they will actually care about this data?
Why not just give it to them now instead of waiting 50 years?
That was very useful and easy to understand for a non technical
persorn, it seems the choice of software matches the one I had in mind.
Would a combination of AES-TWOFISH (included in Truecrypt) be
considered a cascade cipher?
I have googled this term and I mostly got definitions that I did not
understand (ie keys of the component ciphers are independent)
I have also come accross a Wikipedia term, "Superencryption"
(http://en.wikipedia.org/wiki/Superencipherment):
"Superencryption is the process of encrypting an already encrypted
message one or more times, either using the same or a different
algorithm."
They are basically suggesting that encrypting again something already
encrypted it is safer.
A 500GB external disk, I know, in as little as five years the eSata
connexion will be outdated, holographic data storage will probably be
the norm, and the HDD will certainly fail in less than 50 years, the
idea is to keep updating the media every ten years.
The whole point of encryption is to make sure that nobody will access
the data if for example, I lose it in 5 years, and then they try to
crack it in 40 years time with the new methods/computers available.
>
> 2) Unless you're planning to still be around in 50 years, your
> intention must be for someone else to decrypt the data after you are
> gone. What makes you think they will actually care about this data?
> Why not just give it to them now instead of waiting 50 years?
My thinking is that things never go according to plan, something
planned to resist 50 years secure will only last 20 years, better to
allow for a leeway, hence 50 years, but statiscally speaking
(country,age,obesity, smoking,etc) I should die in around 25 years.
I do not really need a 50 years encryption guarantee, I need the kind
of encryption that will last the longer uncracked, I took 50 years as
something ideal, did not go for 100 years because it probably would
have raised a few eyebrows.
Yes.
> I have googled this term and I mostly got definitions that I did not
> understand (ie keys of the component ciphers are independent)
It just means use separately generated keys for the two ciphers. Don't
use the same key for both.
> I have also come accross a Wikipedia term, "Superencryption"
> (http://en.wikipedia.org/wiki/Superencipherment):
That article is pretty bad but it conveys the general idea ok.
Working cryptographers tend to be skeptical of superencryption. The
idea is that if one cipher isn't strong enough against some known or
foreseeable form of cryptanalysis, then rather than combining it with
another cipher for more strength, don't use it in the first place. On
the other hand, if you're concerned about unforeseen breakthroughs,
those breakthroughs might work on both ciphers so you're screwed
whether or not you use superencryption.
Would a combination of three ciphers (maximum allowed by Truecrypt) be
better than two?
Well, if you're paranoid then why not just get rid of it? The best way
to protect someone from getting at some data is to destroy it. You make
it sound as though that data will stay encrypted and unusued. =)
I'm just curious as to what might be so important as to have it
withstand 50 years (which I think = nothing). So excuse me if I am being
too agressive.
Who "they"? You make it sound like a james bond movie. Are you sure you
should be handling this supposed information if it indeed is SO
SENSITIVE? How can you yourself, be trusted with it?
BTW: None of my comments are to be taken as attacks, I am merely writing
my thoughts on this =)
Sure, http://www.truecrypt.org/docs/?s=cascades
> I have googled this term and I mostly got definitions that I did not
> understand (ie keys of the component ciphers are independent)
That's simple:
1. In case of Truecrypt: The keys are independent only in the sense
that they're all derived by a secure method from you key.
But that should be fine.
2. Only in case of independent keys there's a proof that cascade is at
least as good as the best cipher included.
> Would a combination of three ciphers (maximum allowed by Truecrypt) be
> better than two?
Sure, but according to
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security
+ The design and strength of all key lengths of the AES algorithm
(i.e., 128, 192 and 256) are sufficient to protect classified
information up to the SECRET level. TOP SECRET information will
require use of either the 192 or 256 key lengths.
So, are you sure, you need more than top secret?
Do you think, there's no point weaker than the cipher?
OTOH, on my new computer there's no need to use anything weaker than
three ciphers in chain, the CPU is mostly idle, anyway.
> I'm just curious as to what might be so important as to have it
> withstand 50 years (which I think = nothing).
Maybe I haven't read it carefully enough, but I see no statement about
the necessity of *preservation* of the data in 50 years.
The OP only requires it to stay *secret* that long. Or did I
misunderstood him or you?
A simple example: Imagine I get some personal data of my customers.
I'm forced by law to keep it secret and there's no mitigation allowing
me to publish it after 10 years. Well, using encryption good enough
for top secret must be good enough, but there's an old german saying
"we are all in the hands of God, whether at sea or in court".
You cant have a secret without preserving it also. Otherwise it gets lost.
He stated that he need it to be very secure (he used 50 years as a gauge
of something being very secure) because he is paranoid about people
decrypting the data. So it can't be because he is forced to by law.
He also mentioned "they" which leads one to believe that someone has an
interest in what he has encrypted. I don't believe a normal everyday
person has anything that "they" would really want to spend years of
effort to crack. Unless it is something that you are not supposed to be
in possession of in the first place...
In case anyone is interested, while researching the subject I came
accross a useful link: "Risks of using cryptographic software and
possible ways of data leaks"
http://diskcryptor.net/index.php/CryptoUsageRisks_en
Extract:
" However, speaking in regards to the well studied ciphers, such as
AES, Twofish, Serpent, there is extremely little chance, that they will
be broken in the next 10 years"
I have also now remembered that Truecrypt full disk encryption of your
OS does not allow for cascade mode, only AES256 is possible.
I think that answer above your post is also valid for this question. In
my opinion it would be much slower but I think it wouldn't matter for
storing data for very long time.
Let's say that we use three ciphers each with separate 128bit key which
gives us 384 bits. Quite unbreakeable by brute-forcing but why use three
ciphers? Is one not enough?
And just to throw doubt on the whole thing "AES-256 is Not Ideal" Alex
Biryukov, et al
Eurocrypt 2009 Rump session
28 April 2009
So there is already some leverage on AES-256, until you actually do the
math, you won't know if this matters.
Joe
I disagree with your consideration. If she had encrypted that text 35
years ago with the original Lucifer implementation with a 128 bits key,
it would still be secure today, under the reasonable scenario that the
attacker would not have available the number of "clear text"/"encrypted
text" pairs needed to use a differential attack on it.
If we have gained something during those years, it's a much better
understanding of the key size needed for long term cryptography, but
even back then, the weakest point of DES, the use of 56 bits keys, the
one that would be used if we were to break it today was a *deliberate*
weakening of the algorithm.
And for RSA, we're still using it today, and we'll still be using it 50
years after the publication, so the only problem is the proper choice of
key size.
Actually I can safely say that 256-bit AES did not remain unbroken for even
50 hours from my statement, let alone 50 years. I didn't expect it to be so
fast, but it certainly proves my point that it was very unlikely that it
would survive for 50 years. It may still be secure enough, but it still did
not last 50 years before being broken.
Joe
As far as I can tell, AES-256 is "broken" in the sense that it does not
behave like an ideal cipher. This is interesting, because as far as I've
understood, this was essentially one of the design goals. It is not broken
in the sense that it can be distinguished from pseudo-random permutations.
And for most practical applications, we only need AES to look like a
pseudo-random permutation.
--
Kristian Gj�steen
This is a very selective interpretation though. It's broken in the
unlikely scenario that you
a) allow someone to encrypt/decrypt with 4 highly related keys
b) allow someone to send through 2^61 texts
c) have the memory and time to handle all this. Remember that with
large memories as time goes up the probability of failing to complete
the attack goes up as well.
d) Have 2^119 time to process the results.
If I send you a message encrypted with AES-256-CTR that is 1000 bytes
long, currently there is no break [on the algorithm] faster than brute
force. At most, if people really cared [which I don't suggest they
should] they could replace the key schedule with something a bit more
secure.
Tom
https://cryptolux.org/mediawiki/uploads/1/1a/Aes-192-256.pdf
ᅵ both our attacks are still mainly of theoretical
interest and do not present a threat to practical applications using AES. ᅵ
> It may still be secure enough, but it still did not last 50 years before being broken.
My response was very clearly oriented toward practical, and not
theoretical attacks.
"Kristian Gj�steen" <kristi...@math.ntnu.no> wrote in message
news:h2kouc$v1u$1...@orkan.itea.ntnu.no...
"Tom St Denis" <t...@iahu.ca> wrote in message
news:85e57b7d-00a4-49bb...@l31g2000yqb.googlegroups.com...
"Jean-Marc Desperrier" <jmd...@alussinan.org> wrote in message
news:h2l1qm$3i2$1...@writer.imaginet.fr...
> [it's theoretical, requires extra assumptions, etc]
Yes, the new attack is theoretical for now, but it is still now weaker than
128-bit AES. This does not affect the fact that 256-bit AES now cannot be
considered as secure for 50 years, a week ago it could be speculated, today
it is known to not be enough. We can debate all day about whether or not
2^119 is sufficient for todays needs, or if the extra needs of the attack
are sufficient to ignore the reality, but the general recommendations are
that the equivalent of a 119 bit key is only good until 2030 to 2040, well
before the 2059 target, and it is below the current recommendations for
security (generally 128-bit).
Based on the overwhelming evidence, I conclude that for new implementations
it should be considered broken. It does not need to be removed from current
implementations, but it did not last even 50 hours from my referenced
comment.
Joe
119 bits of password is insufficient to protect US (and British)
Government TOP SECRET military and diplomatic messages.
There is no evidence that existing messages have been
compromised.
AES-256 is probably still adequate for SECRET messages.
Over the next couple of years the National Security Agency needs to
a) officially strip AES-256 of its TOP SECRET authorisation and
b) develop a replacement. (Possibly by competition.)
DES was replaced by 3DES. As a temporary measure can
3AES-256 be used?
Andrew Swallow
Huh? This AES attack is a related-key attack. Sensible crypto
applications use random keys, not related keys. Has any even
certificational weakness been found in AES as a pseudorandom
permutation, assuming the keys are random?
Is it? I don't know, it is applicable only under some very special
conditions. AES128 has no such weakness, but in general I'd suppose
AES256 to be still stronger (when used properly). Am I right?
Both AES-128 and AES-256 are resilient to today's knowledge and
technology. Is AES-256, that you cannot practically break, really
"stronger" than AES-128, which you cannot practically break either ?
To consider AES-128 as strictly stronger, or strictly weaker, than
AES-256, then you must be using a technology setup which can break one
and not the other (or not as fast). By definition, such hypothetical
technology is considerably more advanced than what we have right now,
and betting on what that technology looks like is kind of risky. In
other words, as of 2009 and for the foreseeable future, AES-128 and
AES-256 have exactly the same "strength", i.e. they cannot be broken in
any practical situation (which means that if an AES-based system is
successfully attacked, then the weakness is not in the AES itself, but
in the way it is used).
On the other hand, AES-256 is 40% slower than AES-128 for the same
amount of processed data, and there are real and practical situations
where those 40% are both measurable and important.
--Thomas Pornin
In general, you'll be better off if you actually read what I write.
[snip nonsense response]
--
Kristian Gj�steen
I assume you mean a suitably unbiased physical RNG not a
pseudo-RNG. Using a pseudo-RNG would be the same as a stream
cipher after all.
> and (what is more demanding) it needs
> the key is securely handled and never reused during the entire life
> span of the encrypted data...
Therein lies the rub. Now you have *two* pieces of data such that the
possession of both allows recovery of the data and the loss of either
negates the possibility of recovering it. Assuming that one (the
encrypted
data) is protected by publication/replication, the OTP must be guarded
as carefully as the original plain text. In essence, you are no more
secure
than before -- in fact slightly less so.
Thus an OTP is most useful when data must be transferred via an
insecure
exchange between two parties who also have (a) at some point in the
past had a
secure channel to exchange the OTP, and (b) physical security of the
OTP.
Protecting data across time is a slightly different problem. For that
a
stream cipher (or multiple composed stream ciphers with differing
keys)
seems more appropriate. Check out the ECRYPT/eSTREAM project for
Salsa20, Rabbit, HC-256, et al.