Has anyone successfully _broken_ an algorithm? That is, has anyone
actually cracked a modern algorithm well enough to provide complete
plaintext of ciphertext messages, in a way that would actually be useful
to someone in the real world, and not just interesting in a trade
journal?
Has anyone ever cracked DES in a real-world situation and derived useful
information by doing so? Has anyone ever really forged a message in a
useful way with MD5? Has anyone ever factored any RSA modulus actually
in use for production encryption? Or is it all just papers at
mathematical and cryptological conferences?
In the olden days, Enigma could actually be broken, more or less, in a
way that actually provided practical, useful information. Has anyone
done this since then? I know about Venona, but nothing was broken
there; it was just a compromise of the cryptosystem (that is, someone
used the same pads twice). At least part of Enigma was the same way,
but I think the algorithm was actually cracked the hard way in some
cases (?).
So what is the current status? If it's really so important to develop
secure algorithms, somebody must still be successfully cracking them.
Who is doing it?
--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.
I would have thought it would be the NSA, and its counterparts in other
countries. Whoever it is, anyway, they are not going to publicize their
success rate, for obvious reasons.
> I would have thought it would be the NSA, and its counterparts in other
> countries. Whoever it is, anyway, they are not going to publicize their
> success rate, for obvious reasons.
My guess is that the NSA really isn't much more successful than anyone
else, at least as far as actually breaking the algorithms themselves is
concerned.
> Has anyone successfully _broken_ an algorithm? That is, has anyone
> actually cracked a modern algorithm well enough to provide complete
> plaintext of ciphertext messages, in a way that would actually be useful
> to someone in the real world, and not just interesting in a trade
> journal?
>
Sure. I have and so have Gillogly, Randall Williams, Casimir, Bryan Olson,
David Wagner, Fauzan Mirza, Schneier, Ian Goldberg, Gwyn, and others, too.
Anyone else care to add to my short list?
J
--
__________________________________________
When will Bush come to his senses?
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
The best example I can think of recently is the Fluhrer-Mantin-Shamir attack
on RC4. This allowed a practical break of the encryption in WEP for
wireless networks. There are tools out there (bsd-airtools, wepcrack, etc.)
that will use this cryptosystem attack to recover the WEP key used on a
wireless network.
Rick
If they did, they are not going to tell you.
> In the olden days, Enigma could actually be broken, more or less, in a
> way that actually provided practical, useful information.
The usefulness depended on the Germans not finding out that the
breaking was going on. If someone is breaking today's fielded
ciphers, the situation is exactly the same. The usefulness depends on
our not finding out, so they're not going to tell us.
Have a look at the recently demonstrated break of GSM encryption - they
have successfully broken the encryption on the link. This is a practical
break, not a theoretical one.
However, this publication is the exception rather than the rule: if you
stop to consider for a moment you'll conclude that achieving a (practical)
break is an advantage only as long as the adversary does not know you have
done it. The moment they find out (realistically: if they have a shadow of
a doubt about it, or just feel uncomfortable about how long a system has
been in use) they'll change it. It thus becomes vital to hide the break -
at least in real-life applications.
It should not come as any surprise that breaks are as little publicised as
they are...
--
Mailman
-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
> The best example I can think of recently is the Fluhrer-Mantin-Shamir attack
> on RC4. This allowed a practical break of the encryption in WEP for
> wireless networks. There are tools out there (bsd-airtools, wepcrack, etc.)
> that will use this cryptosystem attack to recover the WEP key used on a
> wireless network.
But that is theoretical again. Who has actually done this for material
gain?
For example, who has actually managed to, say, embezzle a large sum of
money by, say, cracking DES? Who has managed to forge a contract and
gain a substantial sum by cracking MD5? What government agency has put
a mobster in jail thanks to a crack of CAST?
> If they did, they are not going to tell you.
Their efforts might come to light.
Kevin Poulsen was put in jail because the FBI seized his computer and
cracked the single-DES key by brute force search over several months
with a room full of PC's.
> Kevin Poulsen was put in jail because the FBI seized his computer and
> cracked the single-DES key by brute force search over several months
> with a room full of PC's.
That's something, at least. But was the cracking of the key really
instrumental in convicting him? What did they obtain by cracking the
key?
(1) Yes, there have been successful breaks against some modern
encryption algorithms. You're not likely to hear about them.
(2) They're not "trade journals".
(3) Even an attack that requires a large number of known
plaintexts could be feasible under some circumstances, such as
when it is easy and fast to get the system to apply the same
key against plaintext of the attacker's choosing. Think smart
card.
(4) A variety of techniques are available to the cryptanalyst,
and any of them that succeeds has to be counted as a success
for the cryptanalyst. Why do things the hard way when an easy
attack will also work?
> In the olden days, Enigma could actually be broken, more or less, in a
> way that actually provided practical, useful information. Has anyone
> done this since then? I know about Venona, but nothing was broken
> there; it was just a compromise of the cryptosystem (that is, someone
> used the same pads twice). At least part of Enigma was the same way,
> but I think the algorithm was actually cracked the hard way in some
> cases (?).
(5) You don't know enough about even the cryptanalyses you
claim to know about, to be rendering judgment in this area.
I recently was contacted through email about breaking an earlier
version of the login script. It is also broken, and I'm looking at modifying
my existing tool for login 4.2 for cracking that. It is broken the same
as the newer version. Just limits, constants and search methods
need to be changed a little.
I've been contacted several times about breaking or looking at the
security of home brew algorithms. Some of them are transparent.
All but a couple of them gave me source code to work with. Every one
of them agreed that I broke the algorithm though I didn't always supply
a complete break. Some were well within 40-bit key-space search limits,
and that alone is a break these days. Quite often internal keys are smaller
than what they appear to be on the outside user interface.
I cracked a fun puzzle cipher posted by a regular poster to sci.crypt.
Jim Gillogly beat me to posting a solution. I had to be at work the
next day so couldn't stay up all night or I might have won that one.
I think I developed a more complete break with the extra time though.
Developed a nice cracking tool for it.
The list goes on...
Few "unbreakable" algorithms are much more than a few classic
systems munged together. Looking at the source code can quickly
eliminate a lot of work and I'll condemn them on the grounds that
the systems have already been broken for more than 100 years
in most cases. The WW1 German field cipher ADFGVX is based
on substitution, fractionation and transposition. It was still broken.
There is no reason new systems based on a similar mixing of
just a few layers will be secure. People keep trying though.
Are there practical breaks of encrypted messages? I know of
at least one person who gets regular requests for assistance
in breaking various encrypted messages. Police departments
don't often have the skills or the resources to attack even simple
systems.
CryptWolf
That's a bogus argument if ever I've heard one.
The WEP break is completely undetectable, and
breaking into someone's network for industrial
espionage purposes is illegal. You think anyone
would crow about it? Do you seriously think it
hasn't been done?
Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Crypto Mini-FAQ: http://www.schlafly.net/crypto/faq.txt
Qualcomm Australia: http://www.qualcomm.com.au
Besides the examples that have been given, at least one RSA modulus
actually in use for production encryption has been factored: the
BlackNet key. Do a search on "BlackNet Leyland Lenstra Gillogly
Muffett" for details.
I would be very surprised if there hasn't been a great deal of
broken production single-DES traffic. It was well within the
reach of many medium-sized corporations long before its active
life tailed off, and within the reach of national crypto bureaus
well before that.
In general it doesn't make sense to advertise the fact that such
a key has been broken, so it shouldn't be surprising that you
don't hear of many of these things. It makes even less sense if
you are gaining useful financial or espionage data from the break.
--
Jim Gillogly
Mersday, 29 Halimath S.R. 2003, 03:44
12.19.10.10.17, 1 Caban 5 Chen, First Lord of Night
> Has anyone ever factored any RSA modulus actually
> in use for production encryption?
There is the well documented [*] case of the RSA modulus used
to sign French CB bank cards (including French Visa) getting
factored and used at least for demonstration purposes by an
individual circa 1998 (he got sentenced after contacting bank
authorities thru a lawyer to sell his expertise).
In 2000 the factorization of the same modulus got on
fr.misc.cryptologie, then counterfeit Smart Cards started to
appear; they threatened at least some automatic distribution
machines, and a few merchants. The modulus was 320 bits.
I suspect that in most cases, practical attacks against
cryptosystems are similarly far from the state of the art.
Francois Grieu
[*] in French: <http://parodie.com/monetique>
> That's a bogus argument if ever I've heard one.
> The WEP break is completely undetectable, and
> breaking into someone's network for industrial
> espionage purposes is illegal. You think anyone
> would crow about it? Do you seriously think it
> hasn't been done?
Do you see any evidence of anyone profiting from information that they'd
only be able to obtain through breaking WEP? Remember, one of the risks
of codebreaking is that you may reveal what you've done if you ever use
the information you obtain.
> (5) You don't know enough about even the cryptanalyses you
> claim to know about, to be rendering judgment in this area.
You have no idea what I know. You just said yourself that there are
many things that people are not likely to hear about.
> Are there practical breaks of encrypted messages? I know of
> at least one person who gets regular requests for assistance
> in breaking various encrypted messages.
And is he actually able to assist?
I know personally of one instance of deliberate cracking of password
protection, but the encryption involved was so trivial that I don't know
if it counts. It counted enough to concern the ITARs, though.
> Besides the examples that have been given, at least one RSA modulus
> actually in use for production encryption has been factored: the
> BlackNet key. Do a search on "BlackNet Leyland Lenstra Gillogly
> Muffett" for details.
Interesting. I'm glad it was only 384 bits, although 1995 was a long
time ago.
This is why I always generate keys at the maximum length the software
will allow.
> I would be very surprised if there hasn't been a great deal of
> broken production single-DES traffic. It was well within the
> reach of many medium-sized corporations long before its active
> life tailed off, and within the reach of national crypto bureaus
> well before that.
So why hasn't anything come to light? Corporations are very poor at
keeping secrets, in general. If it had been done with any frequency at
all, some information about it would have gotten out.
My guess is that _nobody_ in the private sector has been breaking any
DES keys for material gain. Either it does not occur to them, or they
don't consider it possible, or perhaps they just don't want to dedicate
resources to it.
I also suspect that the NSA rarely cracks DES keys, even though it can
easily do so. It's still a certain amount of trouble to go to, and
probably only a very tiny fraction of DES-encrypted information really
is sensitive enough to justify DES in the first place, so cracking it
all is a lot of wasted effort.
> In general it doesn't make sense to advertise the fact that such
> a key has been broken, so it shouldn't be surprising that you
> don't hear of many of these things. It makes even less sense if
> you are gaining useful financial or espionage data from the break.
That doesn't prevent other types of security breaches from rapidly
coming to light. I don't see anything special about encryption.
> There is the well documented [*] case of the RSA modulus used
> to sign French CB bank cards (including French Visa) getting
> factored and used at least for demonstration purposes by an
> individual circa 1998 (he got sentenced after contacting bank
> authorities thru a lawyer to sell his expertise).
I had never heard of it, but I see it now thanks to your link. Thanks.
Now, why would 37 million credit cards be trusted in the year 2000 to an
RSA key with a 320-bit modulus? A modulus that small has virtually
_never_ been secure; it's practically a demonstration modulus.
> In 2000 the factorization of the same modulus got on
> fr.misc.cryptologie, then counterfeit Smart Cards started to
> appear; they threatened at least some automatic distribution
> machines, and a few merchants. The modulus was 320 bits.
So has anything been done to fix this, or are cards still using this
modulus (or another similarly insecure modulus)?
Which is certainly a good idea if you're on a desktop computer. For the
typical end user it doesn't matter if it takes 1 second to sign with a
4096-bit key or 20ms to sign with a 1024-bit key [or whatever... I haven't
timed a 4kbit key with LTM yet... :-)]
The problem is when you get down to the nitty gritty. E.g. I have to sign
packets on a 16MHz ARM processor or something [e.g. not a 2GHz P4]; that's
where all these "academic" breaks come into play.
E.g. we [as in people with a math degree, e.g. not me specifically] can
factor 512-bit numbers. It isn't practical but at least it can be done.
This means at the least we must use 768-bit keys or higher [most suggest
1024-bit]. Just like we can brute force 56 bit keys rather easily and now
64-bit keys too [well we're at the stage where it's more feasible]. All
these "attacks" creep up on the lower bound.
You're right that these attacks are probably never used but they're useful
for setting a lower bound to work with when you can't just use a 8kbit RSA
key and a 1024-bit RC6 key, etc...
Tom
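An added illustration, written for this edit and not code from any poster in the thread, of two points made above: Tom's argument that published "academic" breaks fix the lower bound on usable key sizes (512-bit RSA factorable, 768-bit a floor, 1024-bit the usual advice, 56-bit and now 64-bit symmetric keys searchable), and CryptWolf's earlier observation that the key actually being searched is often smaller than the one the user interface advertises. The policy thresholds are an assumption built from the thread's own 2003-era figures, not a current standard; the number-field-sieve cost formula is the textbook heuristic with its o(1) term dropped, useful for comparing modulus sizes rather than quoting exact security levels.

```python
"""Key-strength audit: nominal key size vs. the search space an attacker faces.

Added example, not code from any poster in this thread. The thresholds are an
assumed policy built from the thread's own figures (40/56-bit symmetric keys
are searchable, 512-bit RSA has been factored, 768-bit RSA is a floor and
1024-bit the usual advice); they are not a current standard.
"""
import math

SYMMETRIC_FLOOR_BITS = 80       # Tom's post: "a 80-bit symmetric key ... strong enough"
SYMMETRIC_SEARCHABLE_BITS = 64  # thread: 56-bit is gone, 64-bit is "more feasible"
RSA_FLOOR_BITS = 768            # thread: "at the least we must use 768-bit keys"
RSA_RECOMMENDED_BITS = 1024     # thread: "most suggest 1024-bit"


def effective_bits_from_passphrase(charset_size, length, nominal_bits):
    """Entropy that actually reaches a key derived from a passphrase.

    A 128-bit key filled from six lowercase letters has only
    6 * log2(26) ~ 28 bits of search space, whatever the UI says.
    """
    if charset_size < 2 or length < 1:
        return 0.0
    return min(float(nominal_bits), length * math.log2(charset_size))


def gnfs_work_bits(modulus_bits):
    """Rough log2 of the work to factor an RSA modulus with the number field sieve.

    Heuristic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped: good for
    ordering modulus sizes against each other, not for exact security levels.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64.0 / 9.0) ** (1.0 / 3.0)          # about 1.923
    return c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0) / math.log(2)


def audit_key(kind, nominal_bits, effective_bits=None):
    """Classify a key as 'broken', 'marginal' or 'ok' under the assumed policy.

    kind is 'symmetric' or 'rsa'. For symmetric keys, effective_bits (if given)
    caps the search space, modelling a key derived from weak user input.
    """
    usable = float(nominal_bits)
    if effective_bits is not None:
        usable = min(usable, float(effective_bits))

    if kind == "symmetric":
        if usable < SYMMETRIC_SEARCHABLE_BITS:
            verdict = "broken"
        elif usable < SYMMETRIC_FLOOR_BITS:
            verdict = "marginal"
        else:
            verdict = "ok"
        equivalent = usable
    elif kind == "rsa":
        if usable < RSA_FLOOR_BITS:
            verdict = "broken"
        elif usable < RSA_RECOMMENDED_BITS:
            verdict = "marginal"
        else:
            verdict = "ok"
        equivalent = gnfs_work_bits(usable)
    else:
        raise ValueError("kind must be 'symmetric' or 'rsa'")

    return {"kind": kind, "nominal_bits": nominal_bits, "usable_bits": usable,
            "symmetric_equivalent_bits": round(equivalent, 1), "verdict": verdict}


if __name__ == "__main__":
    # Constructed cases mirroring the thread: the 320-bit CB card modulus,
    # single DES, and a 128-bit key fed from a six-letter lowercase passphrase.
    cases = [
        ("rsa", 320, None),
        ("rsa", 512, None),
        ("rsa", 1024, None),
        ("symmetric", 56, None),
        ("symmetric", 128, effective_bits_from_passphrase(26, 6, 128)),
        ("symmetric", 128, None),
    ]
    for kind, bits, eff in cases:
        r = audit_key(kind, bits, eff)
        print(f"{kind:9s} {bits:5d} bits -> usable {r['usable_bits']:6.1f}, "
              f"~{r['symmetric_equivalent_bits']:5.1f} symmetric-equivalent, {r['verdict']}")
```

The passphrase case is the one worth keeping in mind: the audit reports the 128-bit key as broken because the search an attacker runs is over the six letters that produced it, which is exactly the "internal keys are smaller than they appear" situation. The RSA figures show why 320 bits was never a serious choice even by the heuristic alone.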
Anybody cracking DES for corporate espionage would probably be
breaking some laws, which would give them incentives to compartmentalize
the wrongdoing and "incentivize" the participants to keep quiet. Do you
contend that we find out about all important cases of corporate
espionage, or that none exists?
> My guess is that _nobody_ in the private sector has been breaking any
> DES keys for material gain. Either it does not occur to them, or they
> don't consider it possible, or perhaps they just don't want to dedicate
> resources to it.
Aha! I worked out some constraints and tests for Simon Singh's
Code Book cipher challenge, part 9, and John Gilmore ran it on
his DES cracker. My team got 2nd place in the contest, and John
took his share as a contribution to EFF. There you are, material
gain, both for me and for the EFF. All your base are belong to us.
> I also suspect that the NSA rarely cracks DES keys, even though it can
> easily do so. It's still a certain amount of trouble to go to, and
That may (or may not) be true now, but DES used to be a relatively
high-grade cipher, and if they didn't get some intel from it they
should have.
> probably only a very tiny fraction of DES-encrypted information really
> is sensitive enough to justify DES in the first place, so cracking it
> all is a lot of wasted effort.
It's quite true that general encryption is the enemy of cryptanalysis.
>> In general it doesn't make sense to advertise the fact that such
>> a key has been broken, so it shouldn't be surprising that you
>> don't hear of many of these things. It makes even less sense if
>> you are gaining useful financial or espionage data from the break.
>
> That doesn't prevent other types of security breaches from rapidly
> coming to light. I don't see anything special about encryption.
Secrets are indeed kept. Skipjack wasn't leaked accidentally until
it was exposed intentionally, and that was (the?) one cryptological
prediction that David Sternlight was correct about. The Enigma
break has been discussed in this regard. Descending to the trivial,
even the codes used to program your vcr (is it called VCRplus?) have
been rather resistant to exposure -- so far as I know it hasn't been
leaked, but only gradually exposed over years by analysis.
And I *still* don't believe Oswald acted alone, despite the size of
the conspiracy that would be required to make me wrong.
--
Jim Gillogly
Mersday, 29 Halimath S.R. 2003, 14:29
12.19.10.10.18, 2 Edznab 6 Chen, Second Lord of Night
Jim Gillogly wrote:
>
> Mxsmanic wrote:
[snip]
> > probably only a very tiny fraction of DES-encrypted information really
> > is sensitive enough to justify DES in the first place, so cracking it
> > all is a lot of wasted effort.
>
> It's quite true that general encryption is the enemy of cryptanalysis.
If only most people send every e-mail with secure encryption,
there would result an enormous headache, if not collapse,
for the agencies monitoring the world communications.
'Thanks' to the inertia/disinterest of the majority
of common people, that's never going to happen. (Were it
to happen, encryption would certainly be generally
forbidden by law.)
M. K. Shen
> Now, why would 37 million credit cards be trusted in the year
> 2000 to an RSA key with a 320-bit modulus? A modulus that small
> has virtually _never_ been secure; it's practically a
> demonstration modulus.
The system parameters were chosen circa 1983. Back then 320 bits
was considered reasonable, I guess. The rest was only a matter of
postponing a decision of change.
> > In 2000 the factorization of the same modulus got on
> > fr.misc.cryptologie, then counterfeit Smart Cards started to
> > appear; they threatened at least some automatic distribution
> > machines, and a few merchants. The modulus was 320 bits.
>
> So has anything been done to fix this, or are cards still using
> this modulus (or another similarly insecure modulus)?
Reportedly all cards with the 320 bits signature have expired,
and terminals accepting them eradicated.
Francois Grieu
Now I don't know if I'm remembering all this right, but I recall right here
on sci.crypt maybe a year (?) ago David Wagner's weakness in TEA's key
schedule was used to get around the protection in Microsoft XBOX to run
non-authorized code, which was using TEA as the basis for its hash algo. Now
the XBOX was selling for cheaper than the corresponding general purpose
hardware (I think?) So if I've got the details right, then take that amount
of savings and multiply by however many hordes of L33T HA><0Rs went and made
use of this, and I'd say it qualifies in the decent amount of financial gain
category.
The surprising part is most of the encryption you'll find in local
criminal cases is trivial and a variant of or an actual classic system.
Occasionally it might be a diary or other set of records that might
hide some important information.
In several of the computer forensics related books I have
several cases were made by breaking encryption. In
the cases where good algorithms were used it was more
user error (weak passwords/keys) that allowed the break.
Some of the forensics cases were handled by the FBI and
I'm sure some serious effort is available there. In some cases,
"security experts" were called in and no criminal investigation
was ever conducted.
You don't normally hear about these things unless they make
the national news. Unfortunately, the corporations that were
attacked tend to like things quiet and minimize the publicity.
You never hear about them unless you dig through a lot of
court cases. After all, the thought that XYZ Corp. had an
employee that was poking around in records and doing
some things that might not be totally legal would be really
bad for business.
You'd be surprised how little you actually ever get exposed
to even when studying in a given field. Some fields can be
much larger than just a few books.
CryptWolf
> The surprising part is most of the encryption you'll find
> in local criminal cases is trivial and a variant of or an
> actual classic system.
And I think that is significant. Cryptologists are splitting hairs over
whether X or Y is more secure when both are a trillion times more secure
than anyone is using in the field. About 99.9999% of the population is
still clueless with respect to crypto, IMO--and this includes a lot of
people who probably have a very real need for decent cryptography.
> Some of the forensics cases were handled by the FBI and
> I'm sure some serious effort is available there.
I'm not. Law-enforcement agencies tend to favor firepower and "brute
force" in the literal sense, and eschew math and logic and all those
pansy wimp ways of finding crooks and solving crimes. Attitudes at the
FBI and at the NSA are completely different; I'm surprised they even
manage to speak to each other.
> Which is certainly a good idea if you're on a desktop computer. For the
> typical end user it doesn't matter if it takes 1 second to sign with a
> 4096-bit key or 20ms to sign with a 1024-bit key [or whatever... I haven't
> timed a 4kbit key with LTM yet... :-)]
One concern I have is the randomness of the key generation, but I
haven't been able to find much information on that in real-world
implementations. (PGP is my main concern, predictably.)
> You're right that these attacks are probably never used but
> they're useful for setting a lower bound to work with when
> you can't just use a 8kbit RSA key and a 1024-bit RC6 key, etc...
It seems like it would make more sense to simply use the largest key
size you can practically implement on whatever platform you are using;
in other words, go for the maximum you can afford, not the minimum.
> Do you contend that we find out about all important cases
> of corporate espionage, or that none exists?
I contend that real-world compromises of solid cryptographic algorithms
are _extraordinarily_ rare, and that most discussions today revolve
around very esoteric and theoretical "attacks" that have no real bearing
on the use of crypto in practical applications.
Even in spook agencies, I'd be surprised if anyone is successfully
cracking any of the better algorithms with any real frequency. Even DES
probably yields only to brute force in practice, and that's only because
it has such a lame key size.
> It's quite true that general encryption is the enemy
> of cryptanalysis.
Yes. Generalized encryption is crippling to the spooks; it doesn't
matter how trivial the encryption is. Decrypting traffic is a zillion
times harder than just scanning plaintext as it passes, even if you know
exactly how to decrypt and can do it with great efficiency. Generalized
encryption forces spooks to depend on traffic analysis in order to find
the messages they want to check; they can no longer just blindly scan
everything.
Fortunately for the spooks, generalized encryption is still just
blue-sky science fiction in most domains. Not because it can't be done,
but simply because people are too lazy to do it.
> Skipjack wasn't leaked accidentally until it was exposed
> intentionally, and that was (the?) one cryptological
> prediction that David Sternlight was correct about.
What ever happened to Skipjack? I know it was declassified and that the
NSA published it. Have people been looking at it? Is it better than
DES? Is anyone using it?
> If only most people send every e-mail with secure encryption,
> there would result an enormous headache, if not collapse,
> for the agencies monitoring the world communications.
I agree. But I don't think that the general public will ever be
interested enough in privacy and security to explicitly encrypt their
messages routinely (then again, I don't do this, either, so I guess I
can't point fingers). A completely automatic encryption (similar to
SSL) would help, but there is little motivation to provide that, and of
course it is a lot less secure.
Indeed, I simply cannot find people to communicate with using PGP. All
my friends and relatives are totally ignorant of cryptography; they
aren't even willing to experiment with it for fun. On the rare
occasions when I actually have to communicate something confidential to
them, I usually have to resort to postal mail or something, because they
can't be bothered to use or understand even the minimum necessary to use
encryption.
> 'Thanks' to the inertia/disinterest of the majority
> of common people, that's never going to happen.
Agreed.
> Were it to happen, encryption would certainly be generally
> forbidden by law.
I don't think so. If everyone were doing it, everyone would be in favor
of it, too. The rare spooks who might disagree would be outnumbered,
even among their own peers.
> Reportedly all cards with the 320 bits signature have expired,
> and terminals accepting them eradicated.
So how many bits do they use now?
What is the maximum when you have say 64 bytes of ram and a 1MIPS
processors?
That's the whole point [which you failed to grasp] I was trying to make.
Sometimes you don't have the resources to use huge keys and you have to make
do with smaller. The question is *how* small can you go before the system
is totally insecure.
Tom
Nicely trimmed to try and make a point. Trivial stuff is often used by people
who never expect anyone to really want to read it. A diary would be encrypted
just enough so that casual snoops would have to work too hard to read it,
the author never expecting that it might be used in a criminal investigation.
The higher tech the criminal is, the more likely there was good encryption
used. Many of them still make beginner mistakes though. Some of them
even give up passwords. These are the cases that you probably won't
ever hear about. Some were never criminally investigated though most
lost their jobs. Various law enforcement agencies are hiring people to
deal with computer crimes internally though I still get the feeling they
are playing catch-up.
I'd suggest reading a lot of books. Several in the computer forensics
field give examples of strong encryption use by criminals. Quite a few
crypto books give examples of why some of those numbers are very
important. I think you could learn more and at a much faster pace than
posting to a news group.
CryptWolf
> What is the maximum when you have say 64 bytes of ram and a 1MIPS
> processors?
I don't know. I hardly remember the IBM 704.
> Sometimes you don't have the resources to use huge keys and you have to make
> due with smaller. The question is *how* small can you go before the system
> is totally insecure.
What does it matter? You go as large as you can. If that is so small
that the system is totally insecure, so what? You can't go any larger.
And if you _can_ go larger, you do.
What about things like smart cards? Would you rather pay 900$ for a smart
visa or the 0.05$ or so it costs to mass-produce them?
> > Sometimes you don't have the resources to use huge keys and you have to make
> > do with smaller. The question is *how* small can you go before the system
> > is totally insecure.
>
> What does it matter? You go as large as you can. If that is so small
> that the system is totally insecure, so what? You can't go any larger.
> And if you _can_ go larger, you do.
We're talking money. If a 768-bit RSA key and a 80-bit symmetric key is
strong enough for a given task why waste money?
You seem to fail to grasp that the Athlon/P4's of the world represent but a
*SMALL* fraction of all processors in mass production. In fact 8-bit and
embedded 32-bit cores are thousands of times more prevalent. Sure we could
make smartcards out of Athlon XP 2800+ processors with 2GB of ram but that
would be hugely wasteful.
Tom
Oswald would only need a second person. Since he is
facing the death penalty this man is highly motivated to
keep his mouth shut.
Andrew Swallow
Andrew Swallow wrote:
>
> "Jim Gillogly" <j...@acm.org> wrote:
> [snip]
> >
> > And I *still* don't believe Oswald acted alone, despite the size of
> > the conspiracy that would be required to make me wrong.
>
> Oswald would only need a second person. Since he is
> facing the death penalty this man is highly motivated to
> keep his mouth shut.
Has there been any official revelation of the secret
(the 25 year period being long expired)?
M. K. Shen
> What about things like smart cards?
What about them? They are an exceptional case.
> Would you rather pay 900$ for a smart
> visa or the 0.05$ or so it costs to
> mass-produce them?
I'm already paying $500 for a smart Visa.
HAHAHAHAHAHAHAHAHAHAHAHAHAHA.
Oh. You were serious. How sad. Thanks for the laugh.
You have an amazing misconception of computing. Do you own a cell phone?
Use smart card banking cards? Like digital cable [well for the cartoons
anyways]? Ever use a debit machine? etc, etc, etc. I suggest you go check
companies like Intel and ARM for the sales of particular processors.
Simply saying "why doesn't everyone use 4Kbit RSA keys" isn't realistic or
helpful. I mean why don't you just use 32Kbit RSA keys? Why not? Because
it would be hella costly.
Tom
I know that what you posted was incorrect.
Here's one example:
http://www.pele.org/english/smartcard.html
You would be surprised how often real world systems are insecure.
I've seen many such weaknesses, and so have many other people here.
Bruce Schneier has given a detailed account of the security blunders
he has found:
http://www.counterpane.com/real-world-security.html
This is all real stuff. It's not just some theoretical attack.
Most of the attacks you can do on secret systems are so simple that
nobody would ever get a publication out of them. The publications
you tend to see in crypto journals and conferences are much
more complicated attacks against well-thought-out crypto methods.
That's why you read so much about the theoretical attacks. If you
want to see practical attacks against real world systems, then first
learn the crypto and then get a job working for a company that claims
to know what they're doing. Some of those companies do know what they
are doing, but the vast majority make very simple mistakes.
Scott
To tell the truth, you don't seem to know very much about cryptology
(like me).
Many snake-oil vendors (like Meganet) say:
"Theoretical breaks are useless. In the real world, it's actual
practical decrypting of ciphertext that counts."
For that reason, Meganet does not accept theoretical cryptanalyses of
VME.
In truth, theoretical breaks ARE important and significant. Although
no one might be able to break it now, tomorrow someone might find a
way to exploit that weakness or advancements in technology might make
it feasible to crack the cipher completely.
--
Benjamin Choi
I am currently reading the book "Seizing the Enigma" by David Kahn (the book
is not too interesting - it is rather a book about the war, not one
specifically about cryptography) and as I read it the information gained by
being able to decrypt the enigma-ciphers was usually not too useful. Having
knowledge of the enemy's communication can be interesting and helpful but
this war wasn't won (or lost) by it as I understand.
Uli
> Here's one example:
>
> http://www.pele.org/english/smartcard.html
Already mentioned. I'm still amazed that the RSA modulus was so short.
> You would be surprised how often real world systems
> are insecure.
No, I wouldn't. I take for granted that they are insecure.
The amazing thing isn't that they are almost all insecure, the amazing
thing is that so few bad guys take advantage of it. I guess most people
are more honest than dishonest.
> This is all real stuff. It's not just some theoretical
> attack.
Mostly I see hypotheticals being discussed.
There are lots and lots of ways to attack a cryptosystem, and breaking
the crypto algorithms is often the least efficient attack. Similarly,
there are lots and lots of ways to commit fraud and other crimes, and
doing it by attacks on a cryptosystem are often the least efficient way
to accomplish that goal. Nobody attacks the strongest links, and a
cryptosystem is usually stronger than what it protects, and an algorithm
is usually stronger than the cryptosystem in which it is used.
In other words, nobody needs to crack algorithms, and so nobody does.
> Some of those companies do know what they
> are doing, but the vast majority make very simple mistakes.
In security, mistakes are legion, even outside of crypto.
> I know that what you posted was incorrect..
Even if it is, there are several possible explanations.
> ... as I read it the information gained by
> being able to decrypt the enigma-ciphers was usually
> not too useful. Having knowledge of the enemy's
> communication can be interesting and helpful but
> this war wasn't won (or lost) by it as I understand.
Most of the information isn't going to be very useful. But you only
need one juicy bit to make it all worthwhile. The battle of Midway, for
example, hinged on decryption of one key phrase.
> Many snake-oil vendors (like Meganet) say:
> "Theoretical breaks are useless. In the real world, it's actual
> practical decrypting of ciphertext that counts."
At least that much is correct.
> For that reason, Meganet does not accept theoretical
> cryptanalyses of VME.
That's not a reason to disregard theoretical cryptanalysis. Theoretical
cracks should not be disregarded, but neither should they incite panic.
Some theoretical attacks have no effect on real-world applications;
others signal the beginning of the end. Wait-and-see is often the best
policy.
> Although no one might be able to break it now, tomorrow
> someone might find a way to exploit that weakness or
> advancements in technology might make it feasible to crack
> the cipher completely.
So change the cipher tomorrow ... not today.