
Has anyone really cracked anything recently?


Mxsmanic

Sep 19, 2003, 6:59:59 PM
I read regularly about arcane attacks against modern encryption
algorithms that yield one bit of the key, or a 50% probability that five
bits of the fourth block of plaintext are 10110, or half the last block
of inverted ciphertext with only 2^48 selected plaintexts, but I never
hear anything at all about any practical attacks against algorithms.

Has anyone successfully _broken_ an algorithm? That is, has anyone
actually cracked a modern algorithm well enough to provide complete
plaintext of ciphertext messages, in a way that would actually be useful
to someone in the real world, and not just interesting in a trade
journal?

Has anyone ever cracked DES in a real-world situation and derived useful
information by doing so? Has anyone ever really forged a message in a
useful way with MD5? Has anyone ever factored any RSA modulus actually
in use for production encryption? Or is it all just papers at
mathematical and cryptological conferences?

In the olden days, Enigma could actually be broken, more or less, in a
way that actually provided practical, useful information. Has anyone
done this since then? I know about Venona, but nothing was broken
there; it was just a compromise of the cryptosystem (that is, someone
used the same pads twice). At least part of Enigma was the same way,
but I think the algorithm was actually cracked the hard way in some
cases (?).

So what is the current status? If it's really so important to develop
secure algorithms, somebody must still be successfully cracking them.
Who is doing it?

--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.

No One

Sep 19, 2003, 7:05:35 PM
On Sat, 20 Sep 2003 00:59:59 +0200, Mxsmanic wrote:

> So what is the current status? If it's really so important to develop
> secure algorithms, somebody must still be successfully cracking them.
> Who is doing it?

I would have thought it would be the NSA, and its counterparts in other
countries. Whoever it is, anyway, they are not going to publicize their
success rate, for obvious reasons.


Mxsmanic

Sep 19, 2003, 7:32:35 PM
No One writes:

> I would have thought it would be the NSA, and its counterparts in other
> countries. Whoever it is, anyway, they are not going to publicize their
> success rate, for obvious reasons.

My guess is that the NSA really isn't much more successful than anyone
else, at least as far as actually breaking the algorithms themselves is
concerned.

Joe Peschel

Sep 19, 2003, 7:44:39 PM
Mxsmanic <mxsm...@hotmail.com> wrote in
news:m72nmvg5r5j2mronb...@4ax.com:

> Has anyone successfully _broken_ an algorithm? That is, has anyone
> actually cracked a modern algorithm well enough to provide complete
> plaintext of ciphertext messages, in a way that would actually be useful
> to someone in the real world, and not just interesting in a trade
> journal?
>

Sure. I have and so have Gillogly, Randall Williams, Casimir, Bryan Olson,
David Wagner, Fauzan Mirza, Schneier, Ian Goldberg, Gwyn, and others, too.
Anyone else care to add to my short list?

J

--
__________________________________________
When will Bush come to his senses?
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________

Rick Wash

Sep 19, 2003, 7:40:18 PM
In article <m72nmvg5r5j2mronb...@4ax.com>, Mxsmanic wrote:
> Has anyone successfully _broken_ an algorithm? That is, has anyone
> actually cracked a modern algorithm well enough to provide complete
> plaintext of ciphertext messages, in a way that would actually be useful
> to someone in the real world, and not just interesting in a trade
> journal?

The best example I can think of recently is the Fluhrer-Mantin-Shamir attack
on RC4. This allowed a practical break of the encryption in WEP for
wireless networks. There are tools out there (bsd-airtools, wepcrack, etc.)
that will use this cryptosystem attack to recover the WEP key used on a
wireless network.

Rick

Paul Rubin

Sep 19, 2003, 8:13:38 PM
Mxsmanic <mxsm...@hotmail.com> writes:
> Has anyone ever cracked DES in a real-world situation and derived useful
> information by doing so? Has anyone ever really forged a message in a
> useful way with MD5? Has anyone ever factored any RSA modulus actually
> in use for production encryption?

If they did, they are not going to tell you.

> In the olden days, Enigma could actually be broken, more or less, in a
> way that actually provided practical, useful information.

The usefulness depended on the Germans not finding out that the
breaking was going on. If someone is breaking today's fielded
ciphers, the situation is exactly the same. The usefulness depends on
our not finding out, so they're not going to tell us.

Mailman

Sep 19, 2003, 8:17:27 PM
Mxsmanic wrote:

Have a look at the recently demonstrated break of GSM encryption - they
have successfully broken the encryption on the link. This is a practical
break, not a theoretical one.

However, this publication is the exception rather than the rule: if you
stop to consider for a moment you'll conclude that achieving a (practical)
break is an advantage only as long as the adversary does not know you have
done it. The moment they find out (realistically: if they have a shadow of
a doubt about it, or just feel uncomfortable about how long a system has
been in use) they'll change it. It thus becomes vital to hide the break -
at least in real-life applications.

It should not come as any surprise that breaks are as little publicised as
they are...
--
Mailman



Mxsmanic

Sep 19, 2003, 8:19:47 PM
Rick Wash writes:

> The best example I can think of recently is the Fluhrer-Mantin-Shamir attack
> on RC4. This allowed a practical break of the encryption in WEP for
> wireless networks. There are tools out there (bsd-airtools, wepcrack, etc.)
> that will use this cryptosystem attack to recover the WEP key used on a
> wireless network.

But that is theoretical again. Who has actually done this for material
gain?

For example, who has actually managed to, say, embezzle a large sum of
money by, say, cracking DES? Who has managed to forge a contract and
gain a substantial sum by cracking MD5? What government agency has put
a mobster in jail thanks to a crack of CAST?

Mxsmanic

Sep 19, 2003, 8:20:35 PM
Paul Rubin <http://phr...@NOSPAM.invalid> writes:

> If they did, they are not going to tell you.

Their efforts might come to light.

Paul Rubin

Sep 19, 2003, 9:15:05 PM
Mxsmanic <mxsm...@hotmail.com> writes:
> For example, who has actually managed to, say, embezzle a large sum of
> money by, say, cracking DES? Who has managed to forge a contract and
> gain a substantial sum by cracking MD5? What government agency has put
> a mobster in jail thanks to a crack of CAST?

Kevin Poulson was put in jail because the FBI seized his computer and
cracked the single-DES key by brute force search over several months
with a room full of PC's.

Mxsmanic

Sep 19, 2003, 9:34:23 PM
Paul Rubin <http://phr...@NOSPAM.invalid> writes:

> Kevin Poulson was put in jail because the FBI seized his computer and
> cracked the single-DES key by brute force search over several months
> with a room full of PC's.

That's something, at least. But was the cracking of the key really
instrumental in convicting him? What did they obtain by cracking the
key?

Douglas A. Gwyn

Sep 19, 2003, 10:40:34 PM
Mxsmanic wrote:
> Has anyone successfully _broken_ an algorithm? That is, has anyone
> actually cracked a modern algorithm well enough to provide complete
> plaintext of ciphertext messages, in a way that would actually be useful
> to someone in the real world, and not just interesting in a trade
> journal?

(1) Yes, there have been successful breaks against some modern
encryption algorithms. You're not likely to hear about them.

(2) They're not "trade journals".

(3) Even an attack that requires a large number of known
plaintexts could be feasible under some circumstances, such as
when it is easy and fast to get the system to apply the same
key against plaintext of the attacker's choosing. Think smart
card.

(4) A variety of techniques are available to the cryptanalyst,
and any of them that succeeds has to be counted as a success
for the cryptanalyst. Why do things the hard way when an easy
attack will also work?

> In the olden days, Enigma could actually be broken, more or less, in a
> way that actually provided practical, useful information. Has anyone
> done this since then? I know about Venona, but nothing was broken
> there; it was just a compromise of the cryptosystem (that is, someone
> used the same pads twice). At least part of Enigma was the same way,
> but I think the algorithm was actually cracked the hard way in some
> cases (?).

(5) You don't know enough about even the cryptanalyses you
claim to know about, to be rendering judgment in this area.

CryptWolf

Sep 19, 2003, 11:10:14 PM
If you do a search in sci.crypt, a freeware web based javascript
password system (Login 4.2) is completely busted. I didn't
publish the cracking tool, but one is written. Some of the details
of cracking the system were posted on sci.crypt by others. Someone
else beat me to posting the first step in cracking the system.

I recently was contacted through email about breaking an earlier
version of the login script. It is also broken and I'm looking at modifying
my existing tool for login 4.2 for cracking that. It is broken the same
as the newer version. Just limits, constants and search methods
need to be changed a little.

I've been contacted several times about breaking or looking at the
security of home brew algorithms. Some of them are transparent.
All but a couple of them gave me source code to work with. Every one
of them agreed that I broke the algorithm though I didn't always supply
a complete break. Some were well within 40-bit key space search limits,
and that alone is a break these days. Quite often internal keys are smaller
than what they appear to be on the outside user interface.

I cracked a fun puzzle cipher posted by a regular poster to sci.crypt.
Jim Gillogly beat me to posting a solution. I had to be at work the
next day so couldn't stay up all night or I might have won that one.
I think I developed a more complete break with the extra time though.
Developed a nice cracking tool for it.

The list goes on...

Few "unbreakable" algorithms are much more than a few classic
systems munged together. Looking at the source code can quickly
eliminate a lot of work and I'll condemn them on the grounds that
the systems have already been broken for more than 100 years
in most cases. The WW1 German field cipher ADFGVX is based
on substitution, fractionation and transposition. It was still broken.
There is no reason new systems based on a similar mixing of
just a few layers will be secure. People keep trying though.

Are there practical breaks of encrypted messages? I know of
at least one person who gets regular requests for assistance
in breaking various encrypted messages. Police departments
don't often have the skills or the resources to attack even simple
systems.

CryptWolf

Gregory G Rose

Sep 19, 2003, 11:41:08 PM
In article <d57nmvods74rq92j2...@4ax.com>,
Mxsmanic <mxsm...@hotmail.com> wrote:
> But that is theoretical again. Who has actually done this for material
> gain?

That's a bogus argument if ever I've heard one.
The WEP break is completely undetectable, and
breaking into someone's network for industrial
espionage purposes is illegal. You think anyone
would crow about it? Do you seriously think it
hasn't been done?

Greg.

--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Crypto Mini-FAQ: http://www.schlafly.net/crypto/faq.txt
Qualcomm Australia: http://www.qualcomm.com.au

Jim Gillogly

Sep 20, 2003, 12:07:16 AM
Mxsmanic wrote:
> useful way with MD5? Has anyone ever factored any RSA modulus actually
> in use for production encryption? Or is it all just papers at
> mathematical and cryptological conferences?

Besides the examples that have been given, at least one RSA modulus
actually in use for production encryption has been factored: the
BlackNet key. Do a search on "BlackNet Leyland Lenstra Gillogly
Muffett" for details.

I would be very surprised if there hasn't been a great deal of
broken production single-DES traffic. It was well within the
reach of many medium-sized corporations long before its active
life tailed off, and within the reach of national crypto bureaus
well before that.

In general it doesn't make sense to advertise the fact that such
a key has been broken, so it shouldn't be surprising that you
don't hear of many of these things. It makes even less sense if
you are gaining useful financial or espionage data from the break.
--
Jim Gillogly
Mersday, 29 Halimath S.R. 2003, 03:44
12.19.10.10.17, 1 Caban 5 Chen, First Lord of Night

Francois Grieu

Sep 20, 2003, 6:17:59 AM
In article <m72nmvg5r5j2mronb...@4ax.com>,
Mxsmanic <mxsm...@hotmail.com> wrote:

> Has anyone ever factored any RSA modulus actually
> in use for production encryption?

There is the well documented [*] case of the RSA modulus used
to sign French CB bank cards (including French Visa) getting
factored and used at least for demonstration purposes by an
individual circa 1998 (he got sentenced after contacting bank
authorities thru a lawyer to sell his expertise).
In 2000 the factorization of the same modulus got on
fr.misc.cryptologie, then counterfeit Smart Cards started to
appear; they threatened at least some automatic distribution
machines, and a few merchants. The modulus was 320 bits.

I suspect that in most cases, practical attacks against
cryptosystems are similarly far from the state of the art.


Francois Grieu


[*] in French: <http://parodie.com/monetique>

Mxsmanic

Sep 20, 2003, 6:35:04 AM
Gregory G Rose writes:

> That's a bogus argument if ever I've heard one.
> The WEP break is completely undetectable, and
> breaking into someone's network for industrial
> espionage purposes is illegal. You think anyone
> would crow about it? Do you seriously think it
> hasn't been done?

Do you see any evidence of anyone profiting from information that they'd
only be able to obtain through breaking WEP? Remember, one of the risks
of codebreaking is that you may reveal what you've done if you ever use
the information you obtain.

Mxsmanic

Sep 20, 2003, 6:36:13 AM
Douglas A. Gwyn writes:

> (5) You don't know enough about even the cryptanalyses you
> claim to know about, to be rendering judgment in this area.

You have no idea what I know. You just said yourself that there are
many things that people are not likely to hear about.

Mxsmanic

Sep 20, 2003, 6:39:21 AM
CryptWolf writes:

> Are there practical breaks of encrypted messages? I know of
> at least one person who gets regular requests for assistance
> in breaking various encrypted messages.

And is he actually able to assist?

I know personally of one instance of deliberate cracking of password
protection, but the encryption involved was so trivial that I don't know
if it counts. It counted enough to concern the ITARs, though.

Mxsmanic

Sep 20, 2003, 6:48:26 AM
Jim Gillogly writes:

> Besides the examples that have been given, at least one RSA modulus
> actually in use for production encryption has been factored: the
> BlackNet key. Do a search on "BlackNet Leyland Lenstra Gillogly
> Muffett" for details.

Interesting. I'm glad it was only 384 bits, although 1995 was a long
time ago.

This is why I always generate keys at the maximum length the software
will allow.

> I would be very surprised if there hasn't been a great deal of
> broken production single-DES traffic. It was well within the
> reach of many medium-sized corporations long before its active
> life tailed off, and within the reach of national crypto bureaus
> well before that.

So why hasn't anything come to light? Corporations are very poor at
keeping secrets, in general. If it had been done with any frequency at
all, some information about it would have gotten out.

My guess is that _nobody_ in the private sector has been breaking any
DES keys for material gain. Either it does not occur to them, or they
don't consider it possible, or perhaps they just don't want to dedicate
resources to it.

I also suspect that the NSA rarely cracks DES keys, even though it can
easily do so. It's still a certain amount of trouble to go to, and
probably only a very tiny fraction of DES-encrypted information really
is sensitive enough to justify DES in the first place, so cracking it
all is a lot of wasted effort.

> In general it doesn't make sense to advertise the fact that such
> a key has been broken, so it shouldn't be surprising that you
> don't hear of many of these things. It makes even less sense if
> you are gaining useful financial or espionage data from the break.

That doesn't prevent other types of security breaches from rapidly
coming to light. I don't see anything special about encryption.

Mxsmanic

Sep 20, 2003, 6:57:45 AM
Francois Grieu writes:

> There is the well documented [*] case of the RSA modulus used
> to sign French CB bank cards (including French Visa) getting
> factored and used at least for demonstration purposes by an
> individual circa 1998 (he got sentenced after contacting bank
> authorities thru a lawyer to sell his expertise).

I had never heard of it, but I see it now thanks to your link. Thanks.

Now, why would 37 million credit cards be trusted in the year 2000 to an
RSA key with a 320-bit modulus? A modulus that small has virtually
_never_ been secure; it's practically a demonstration modulus.

> In 2000 the factorization of the same modulus got on
> fr.misc.cryptologie, then counterfeit Smart Cards started to
> appear; they threatened at least some automatic distribution
> machines, and a few merchants. The modulus was 320 bits.

So has anything been done to fix this, or are cards still using this
modulus (or another similarly insecure modulus)?

Tom St Denis

Sep 20, 2003, 9:25:40 AM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:qtbomvc26609evug7...@4ax.com...

> Jim Gillogly writes:
>
> > Besides the examples that have been given, at least one RSA modulus
> > actually in use for production encryption has been factored: the
> > BlackNet key. Do a search on "BlackNet Leyland Lenstra Gillogly
> > Muffett" for details.
>
> Interesting. I'm glad it was only 384 bits, although 1995 was a long
> time ago.
>
> This is why I always generate keys at the maximum length the software
> will allow.

Which is certainly a good idea if you're on a desktop computer. For the
typical end user it doesn't matter if it takes 1 second to sign with a
4096-bit key or 20ms to sign with a 1024-bit key [or whatever... I haven't
timed a 4kbit key with LTM yet... :-)]

The problem is when you get down to the nitty gritty. E.g. I have to sign
packets on a 16MHz ARM processor or something [e.g. not a 2GHz P4]; that's
where all these "academic" breaks come into play.

E.g. we [as in people with a math degree, e.g. not me specifically] can
factor 512-bit numbers. It isn't practical but at least it can be done.
This means at the least we must use 768-bit keys or higher [most suggest
1024-bit]. Just like we can brute force 56 bit keys rather easily and now
64-bit keys too [well we're at the stage where it's more feasible]. All
these "attacks" creep up on the lower bound.

You're right that these attacks are probably never used, but they're useful
for setting a lower bound to work with when you can't just use an 8kbit RSA
key and a 1024-bit RC6 key, etc...

Tom


Jim Gillogly

Sep 20, 2003, 11:32:02 AM
Mxsmanic wrote:

> Jim Gillogly writes:
>
>> I would be very surprised if there hasn't been a great deal of
>> broken production single-DES traffic. It was well within the
>> reach of many medium-sized corporations long before its active
>> life tailed off, and within the reach of national crypto bureaus
>> well before that.
>
> So why hasn't anything come to light? Corporations are very poor at
> keeping secrets, in general. If it had been done with any frequency at
> all, some information about it would have gotten out.

Anybody cracking DES for corporate espionage would probably be
breaking some laws, which would give them incentives to compartmentalize
the wrongdoing and "incentivize" the participants to keep quiet. Do you
contend that we find out about all important cases of corporate
espionage, or that none exists?

> My guess is that _nobody_ in the private sector has been breaking any
> DES keys for material gain. Either it does not occur to them, or they
> don't consider it possible, or perhaps they just don't want to dedicate
> resources to it.

Aha! I worked out some constraints and tests for Simon Singh's
Code Book cipher challenge, part 9, and John Gilmore ran it on
his DES cracker. My team got 2nd place in the contest, and John
took his share as a contribution to EFF. There you are, material
gain, both for me and for the EFF. All your base are belong to us.

> I also suspect that the NSA rarely cracks DES keys, even though it can
> easily do so. It's still a certain amount of trouble to go to, and

That may (or may not) be true now, but DES used to be a relatively
high-grade cipher, and if they didn't get some intel from it they
should have.

> probably only a very tiny fraction of DES-encrypted information really
> is sensitive enough to justify DES in the first place, so cracking it
> all is a lot of wasted effort.

It's quite true that general encryption is the enemy of cryptanalysis.

>> In general it doesn't make sense to advertise the fact that such
>> a key has been broken, so it shouldn't be surprising that you
>> don't hear of many of these things. It makes even less sense if
>> you are gaining useful financial or espionage data from the break.
>
> That doesn't prevent other types of security breaches from rapidly
> coming to light. I don't see anything special about encryption.

Secrets are indeed kept. Skipjack wasn't leaked accidentally until
it was exposed intentionally, and that was (the?) one cryptological
prediction that David Sternlight was correct about. The Enigma
break has been discussed in this regard. Descending to the trivial,
even the codes used to program your vcr (is it called VCRplus?) have
been rather resistant to exposure -- so far as I know it hasn't been
leaked, but only gradually exposed over years by analysis.

And I *still* don't believe Oswald acted alone, despite the size of
the conspiracy that would be required to make me wrong.
--
Jim Gillogly
Mersday, 29 Halimath S.R. 2003, 14:29
12.19.10.10.18, 2 Edznab 6 Chen, Second Lord of Night

Mok-Kong Shen

Sep 20, 2003, 12:12:04 PM

Jim Gillogly wrote:
>
> Mxsmanic wrote:
[snip]


> > probably only a very tiny fraction of DES-encrypted information really
> > is sensitive enough to justify DES in the first place, so cracking it
> > all is a lot of wasted effort.
>
> It's quite true that general encryption is the enemy of cryptanalysis.

If only most people sent every e-mail with secure encryption,
there would result an enormous headache, if not collapse,
for the agencies monitoring the world communications.
'Thanks' to the inertia/disinterest of the majority
of common people, that's never going to happen. (Were it
to happen, encryption would certainly be generally
forbidden by law.)

M. K. Shen

Francois Grieu

Sep 20, 2003, 12:12:19 PM
In article <mhcomvkmp2pn12cb5...@4ax.com>,
Mxsmanic <mxsm...@hotmail.com> wrote:

> Now, why would 37 million credit cards be trusted in the year
> 2000 to an RSA key with a 320-bit modulus? A modulus that small
> has virtually _never_ been secure; it's practically a
> demonstration modulus.

The system parameters were chosen circa 1983. Back then 320 bits
was considered reasonable, I guess. The rest was only a matter of
postponing a decision of change.


> > In 2000 the factorization of the same modulus got on
> > fr.misc.cryptologie, then counterfeit Smart Cards started to
> > appear; they threatened at least some automatic distribution
> > machines, and a few merchants. The modulus was 320 bits.
>
> So has anything been done to fix this, or are cards still using
> this modulus (or another similarly insecure modulus)?

Reportedly all cards with the 320 bits signature have expired,
and terminals accepting them eradicated.


Francois Grieu

Dan Mehkeri

Sep 20, 2003, 12:21:37 PM
"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:d57nmvods74rq92j2...@4ax.com...

> Rick Wash writes:
>
> > The best example I can think of recently is the Fluhrer-Mantin-Shamir attack
> > on RC4. This allowed a practical break of the encryption in WEP for
> > wireless networks. There are tools out there (bsd-airtools, wepcrack, etc.)
> > that will use this cryptosystem attack to recover the WEP key used on a
> > wireless network.
>
> But that is theoretical again. Who has actually done this for material
> gain?
>
> For example, who has actually managed to, say, embezzle a large sum of
> money by, say, cracking DES? Who has managed to forge a contract and
> gain a substantial sum by cracking MD5? What government agency has put
> a mobster in jail thanks to a crack of CAST?

Now I don't know if I'm remembering all this right, but I recall right here
on sci.crypt maybe a year (?) ago David Wagner's weakness in TEA's key
schedule was used to get around the protection in Microsoft XBOX to run
non-authorized code, which was using TEA as the basis for its hash algo. Now
the XBOX was selling for cheaper than the corresponding general purpose
hardware (I think?) So if I've got the details right, then take that amount
of savings and multiply by however many hordes of L33T HA><0Rs went and made
use of this, and I'd say it qualifies in the decent amount of financial gain
category.


CryptWolf

Sep 20, 2003, 1:49:13 PM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:kgbomv4pb3u7v8nct...@4ax.com...

> CryptWolf writes:
>
> > Are there practical breaks of encrypted messages? I know of
> > at least one person who gets regular requests for assistance
> > in breaking various encrypted messages.
>
> And is he actually able to assist?
>
> I know personally of one instance of deliberate cracking of password
> protection, but the encryption involved was so trivial that I don't know
> if it counts. It counted enough to concern the ITARs, though.

The surprising part is most of the encryption you'll find in local
criminal cases is trivial and a variant of or an actual classic system.
Occasionally it might be a diary or other set of records that might
hide some important information.

In several of the computer forensics related books I have
several cases were made by breaking encryption. In
the cases where good algorithms were used it was more
user error (weak passwords/keys) that allowed the break.
Some of the forensics cases were handled by the FBI and
I'm sure some serious effort is available there. In some cases,
"security experts" were called in and no criminal investigation
was ever conducted.

You don't normally hear about these things unless they make
the national news. Unfortunately, the corporations that were
attacked tend to like things quiet and minimize the publicity.
You never hear about them unless you dig through a lot of
court cases. After all, the thought that XYZ Corp. had an
employee that was poking around in records and doing
some things that might not be totally legal would be really
bad for business.

You'd be surprised how little you actually ever get exposed
to even when studying in a given field. Some fields can be
much larger than just a few books.

CryptWolf

Mxsmanic

Sep 20, 2003, 4:17:45 PM
CryptWolf writes:

> The surprising part is most of the encryption you'll find
> in local criminal cases is trivial and a variant of or an
> actual classic system.

And I think that is significant. Cryptologists are splitting hairs over
whether X or Y is more secure when both are a trillion times more secure
than anyone is using in the field. About 99.9999% of the population is
still clueless with respect to crypto, IMO--and this includes a lot of
people who probably have a very real need for decent cryptography.

> Some of the forensics cases were handled by the FBI and
> I'm sure some serious effort is available there.

I'm not. Law-enforcement agencies tend to favor firepower and "brute
force" in the literal sense, and eschew math and logic and all those
pansy wimp ways of finding crooks and solving crimes. Attitudes at the
FBI and at the NSA are completely different; I'm surprised they even
manage to speak to each other.

Mxsmanic

Sep 20, 2003, 4:19:50 PM
Tom St Denis writes:

> Which is certainly a good idea if you're on a desktop computer. For the
> typical end user it doesn't matter if it takes 1 second to sign with a
> 4096-bit key or 20ms to sign with a 1024-bit key [or whatever... I haven't
> timed a 4kbit key with LTM yet... :-)]

One concern I have is the randomness of the key generation, but I
haven't been able to find much information on that in real-world
implementations. (PGP is my main concern, predictably.)

> You're right that these attacks are probably never used but
> they're useful for setting a lower bound to work with when
> you can't just use a 8kbit RSA key and a 1024-bit RC6 key, etc...

It seems like it would make more sense to simply use the largest key
size you can practically implement on whatever platform you are using;
in other words, go for the maximum you can afford, not the minimum.
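
The two fielded-key failures this sub-thread keeps returning to (a production modulus far too short, as with the 320-bit CB key and the 384-bit BlackNet key, and key generation without enough randomness) are both things a defender can check for in a batch of keys already in use. The following Python is an added example written for this page, not code from any poster; the "boot-seeded" weak generator, the 2048-bit policy floor and the 512-bit demo key size are constructed assumptions. It goes a little beyond the thread: the shared-factor test is the pairwise-gcd check that catches two moduli built from a repeated prime, which is exactly what a starved key generator produces, and a gcd hit factors both keys outright without any hard number theory.

```python
"""Audit a batch of RSA moduli for two production failures:
   1. moduli below a policy size floor,
   2. moduli that share a prime factor, the signature of a key generator
      with too little entropy.
All keys are constructed in-process; the weak generator is hypothetical."""
import math
import random
from itertools import combinations

MIN_MODULUS_BITS = 2048   # assumed policy floor, not a figure from the thread
DEMO_MODULUS_BITS = 512   # deliberately small so the example runs in well under a second


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def good_modulus(bits, rng):
    """Both primes from one properly seeded generator."""
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:
        q = random_prime(bits // 2, rng)
    return p * q


def weak_modulus(bits, boot_seed, later_rng):
    """Hypothetical flawed device: p is drawn right after boot from a generator
    seeded with one of only a handful of values; q is drawn later, once real
    entropy has arrived. Two devices booting with the same seed share p."""
    boot_rng = random.Random(boot_seed)
    p = random_prime(bits // 2, boot_rng)
    q = random_prime(bits // 2, later_rng)
    return p * q


def audit_key_sizes(moduli, min_bits=MIN_MODULUS_BITS):
    """Return (index, bit_length) for every modulus below the policy floor."""
    return [(i, n.bit_length()) for i, n in enumerate(moduli) if n.bit_length() < min_bits]


def find_shared_factors(moduli):
    """Pairwise gcd over the batch. A gcd strictly between 1 and the modulus is a
    shared prime and factors both keys; a gcd equal to a modulus is a duplicate key."""
    hits = []
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        g = math.gcd(a, b)
        if g > 1:
            hits.append((i, j, g))
    return hits


def run_audit():
    """Constructed batch: three moduli from the weak device (boot seeds 1, 2, 1),
    one from a sound generator, and one legacy 320-bit modulus."""
    weak = [weak_modulus(DEMO_MODULUS_BITS, seed, random.Random(1000 + k))
            for k, seed in enumerate((1, 2, 1))]
    sound = good_modulus(DEMO_MODULUS_BITS, random.Random(2003))
    legacy = good_modulus(320, random.Random(1983))
    moduli = weak + [sound, legacy]
    return {
        "moduli": moduli,
        "too_small": audit_key_sizes(moduli),
        "shared": find_shared_factors(moduli),
    }


if __name__ == "__main__":
    report = run_audit()
    for i, bits in report["too_small"]:
        print(f"key {i}: {bits}-bit modulus is below the {MIN_MODULUS_BITS}-bit floor")
    for i, j, g in report["shared"]:
        print(f"keys {i} and {j} share a {g.bit_length()}-bit prime; both are factored")
```

On real key material the pairwise loop is replaced by a product-tree batch gcd, but the signal is the same: one shared prime between any two moduli in the population is enough to recover both private keys, so the check belongs in any audit of device-generated keys, alongside the plain size check that would have flagged a 320-bit signing modulus long before 2000.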

Mxsmanic

Sep 20, 2003, 4:25:28 PM
Jim Gillogly writes:

> Do you contend that we find out about all important cases
> of corporate espionage, or that none exists?

I contend that real-world compromises of solid cryptographic algorithms
are _extraordinarily_ rare, and that most discussions today revolve
around very esoteric and theoretical "attacks" that have no real bearing
on the use of crypto in practical applications.

Even in spook agencies, I'd be surprised if anyone is successfully
cracking any of the better algorithms with any real frequency. Even DES
probably yields only to brute force in practice, and that's only because
it has such a lame key size.

> It's quite true that general encryption is the enemy
> of cryptanalysis.

Yes. Generalized encryption is crippling to the spooks; it doesn't
matter how trivial the encryption is. Decrypting traffic is a zillion
times harder than just scanning plaintext as it passes, even if you know
exactly how to decrypt and can do it with great efficiency. Generalized
encryption forces spooks to depend on traffic analysis in order to find
the messages they want to check; they can no longer just blindly scan
everything.

Fortunately for the spooks, generalized encryption is still just
blue-sky science fiction in most domains. Not because it can't be done,
but simply because people are too lazy to do it.

> Skipjack wasn't leaked accidentally until it was exposed
> intentionally, and that was (the?) one cryptological
> prediction that David Sternlight was correct about.

What ever happened to Skipjack? I know it was declassified and that the
NSA published it. Have people been looking at it? Is it better than
DES? Is anyone using it?

Mxsmanic

Sep 20, 2003, 4:29:01 PM
Mok-Kong Shen writes:

> If only most people send every e-mail with secure encryption,
> there would result an enormous headache, if not collapse,
> for the agencies monitoring the world communications.

I agree. But I don't think that the general public will ever be
interested enough in privacy and security to explicitly encrypt their
messages routinely (then again, I don't do this, either, so I guess I
can't point fingers). A completely automatic encryption (similar to
SSL) would help, but there is little motivation to provide that, and of
course it is a lot less secure.

Indeed, I simply cannot find people to communicate with using PGP. All
my friends and relatives are totally ignorant of cryptography; they
aren't even willing to experiment with it for fun. On the rare
occasions when I actually have to communicate something confidential to
them, I usually have to resort to postal mail or something, because they
can't be bothered to use or understand even the minimum necessary to use
encryption.

> 'Thanks' to the inertia/disinterest of the majority
> of common people, that's never going to happen.

Agreed.

> Were it to happen, encryption would certainly be generally
> forbidden by law.

I don't think so. If everyone were doing it, everyone would be in favor
of it, too. The rare spooks who might disagree would be outnumbered,
even among their own peers.

Mxsmanic

Sep 20, 2003, 4:29:32 PM
Francois Grieu writes:

> Reportedly all cards with the 320 bits signature have expired,
> and terminals accepting them eradicated.

So how many bits do they use now?

Tom St Denis

Sep 20, 2003, 5:06:13 PM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:rfdpmv8v6g8q809ps...@4ax.com...

> It seems like it would make more sense to simply use the largest key
> size you can practically implement on whatever platform you are using;
> in other words, go for the maximum you can afford, not the minimum.

What is the maximum when you have say 64 bytes of ram and a 1MIPS
processors?

That's the whole point [which you failed to grasp] I was trying to make.
Sometimes you don't have the resources to use huge keys and you have to make
do with smaller. The question is *how* small can you go before the system
is totally insecure.

Tom


CryptWolf

Sep 20, 2003, 7:10:42 PM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:m8dpmvob8ktr5a32k...@4ax.com...

Nicely trimmed to try and make a point. Trivial stuff is often used by people
who never expect anyone to really want to read it. A diary would be encrypted
just enough so that casual snoops would have to work too hard to read it.
The author never expected that it might be used in a criminal investigation.

The higher tech the criminal is, the more likely there was good encryption
used. Many of them still make beginner mistakes though. Some of them
even give up passwords. These are the cases that you probably won't
ever hear about. Some were never criminally investigated though most
lost their jobs. Various law enforcement agencies are hiring people to
deal with computer crimes internally though I still get the feeling they
are playing catch-up.

I'd suggest reading a lot of books. Several in the computer forensics
field give examples of strong encryption use by criminals. Quite a few
crypto books give examples of why some of those numbers are very
important. I think you could learn more and at a much faster pace than
posting to a news group.

CryptWolf

Mxsmanic

Sep 20, 2003, 7:16:02 PM
Tom St Denis writes:

> What is the maximum when you have say 64 bytes of ram and a 1MIPS
> processors?

I don't know. I hardly remember the IBM 704.

> Sometimes you don't have the resources to use huge keys and you have to make
> do with smaller. The question is *how* small can you go before the system
> is totally insecure.

What does it matter? You go as large as you can. If that is so small
that the system is totally insecure, so what? You can't go any larger.
And if you _can_ go larger, you do.

Tom St Denis

Sep 20, 2003, 7:36:14 PM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:8rnpmvgtkqem7rcms...@4ax.com...

> Tom St Denis writes:
>
> > What is the maximum when you have say 64 bytes of ram and a 1MIPS
> > processors?
>
> I don't know. I hardly remember the IBM 704.

What about things like smart cards? Would you rather pay 900$ for a smart
visa or the 0.05$ or so it costs to mass-produce them?

> > Sometimes you don't have the resources to use huge keys and you have to make
> > do with smaller. The question is *how* small can you go before the system
> > is totally insecure.
>
> What does it matter? You go as large as you can. If that is so small
> that the system is totally insecure, so what? You can't go any larger.
> And if you _can_ go larger, you do.

We're talking money. If a 768-bit RSA key and a 80-bit symmetric key is
strong enough for a given task why waste money?

You seem to fail to grasp that the Athlon/P4's of the world represent but a
*SMALL* fraction of all processors in mass production. In fact 8-bit and
embedded 32-bit cores are thousands of times more prevalent....Sure we could
make smartcards out of Athlon XP 2800+ processors with 2GB of ram but that
would be hugely wasteful.

Tom


Andrew Swallow

Sep 20, 2003, 7:53:31 PM
"Jim Gillogly" <j...@acm.org> wrote in message
news:ac82b7cf.03092...@posting.google.com...
[snip]

>
> And I *still* don't believe Oswald acted alone, despite the size of
> the conspiracy that would be required to make me wrong.

Oswald would only need a second person. Since he is
facing the death penalty this man is highly motivated to
keep his mouth shut.

Andrew Swallow

Mok-Kong Shen

Sep 20, 2003, 8:11:00 PM

Andrew Swallow wrote:
>
> "Jim Gillogly" <j...@acm.org> wrote:

> [snip]
> >
> > And I *still* don't believe Oswald acted alone, despite the size of
> > the conspiracy that would be required to make me wrong.
>
> Oswald would only need a second person. Since he is
> facing the death penalty this man is highly motivated to
> keep his mouth shut.

Has there been any official revelation of the secret
(the 25 year period being long expired)?

M. K. Shen

Mxsmanic

Sep 20, 2003, 8:21:20 PM
Tom St Denis writes:

> What about things like smart cards?

What about them? They are an exceptional case.

> Would you rather pay 900$ for a smart
> visa or the 0.05$ or so it costs to
> mass-produce them?

I'm already paying $500 for a smart Visa.

Tom St Denis

Sep 20, 2003, 8:31:28 PM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:2lrpmvs2dqq6uvocl...@4ax.com...

> Tom St Denis writes:
>
> > What about things like smart cards?
>
> What about them? They are an exceptional case.

HAHAHAHAHAHAHAHAHAHAHAHAHAHA.

Oh. You were serious. How sad. Thanks for the laugh.

You have an amazing misconception of computing. Do you own a cell phone?
Use smart card banking cards? Like digital cable [well for the cartoons
anyways]? Ever use a debit machine? etc, etc, etc. I suggest you go check
companies like Intel and ARM for the sales of particular processors.

Simply saying "why doesn't everyone use 4Kbit RSA keys" isn't realistic or
helpful. I mean why don't you just use 32Kbit RSA keys? Why not? Because
it would be hella costly.

Tom


Douglas A. Gwyn

Sep 21, 2003, 1:29:02 AM
Mxsmanic wrote:
> Douglas A. Gwyn writes:
>>(5) You don't know enough about even the cryptanalyses you
>>claim to know about, to be rendering judgment in this area.
> You have no idea what I know.

I know that what you posted was incorrect.

Scott Contini

Sep 21, 2003, 3:56:09 AM
Mxsmanic <mxsm...@hotmail.com> wrote in message news:<k97nmv03onuhqmapk...@4ax.com>...
> Paul Rubin <http://phr...@NOSPAM.invalid> writes:
>
> > If they did, they are not going to tell you.
>
> Their efforts might come to light.

Here's one example:

http://www.pele.org/english/smartcard.html

You would be surprised how often real world systems are insecure.
I've seen many such weaknesses, and so have many other people here.
Bruce Schneier has given a detailed account of the security blunders
he has found:
http://www.counterpane.com/real-world-security.html

This is all real stuff. It's not just some theoretical attack.
Most of the attacks you can do on secret systems are so simple that
nobody would ever get a publication out of them. The publications
you tend to see in crypto journals and conferences are much
more complicated attacks against well-thought-out crypto methods.
That's why you read so much about the theoretical attacks. If you
want to see practical attacks against real world systems, then first
learn the crypto and then get a job working for a company that claims
to know what they're doing. Some of those companies do know what they
are doing, but the vast majority make very simple mistakes.

Scott

Benjamin Choi

Sep 21, 2003, 4:09:45 AM
Mxsmanic <mxsm...@hotmail.com> wrote in message news:<m72nmvg5r5j2mronb...@4ax.com>...
> I read regularly about arcane attacks against modern encryption
> algorithms that yield one bit of the key, or a 50% probability that five
> bits of the fourth block of plaintext are 10110, or half the last block
> of inverted ciphertext with only 2^48 selected plaintexts, but I never
> hear anything at all about any practical attacks against algorithms.
>
> Has anyone successfully _broken_ an algorithm? That is, has anyone
> actually cracked a modern algorithm well enough to provide complete
> plaintext of ciphertext messages, in a way that would actually be useful
> to someone in the real world, and not just interesting in a trade
> journal?
>
> Has anyone ever cracked DES in a real-world situation and derived useful
> information by doing so? Has anyone ever really forged a message in a
> useful way with MD5? Has anyone ever factored any RSA modulus actually
> in use for production encryption? Or is it all just papers at
> mathematical and cryptological conferences?

To tell the truth, you don't seem to know very much about cryptology
(like me).

Many snake-oil vendors (like Meganet) say:
"Theoretical breaks are useless. In the real world, it's actual
practical decrypting of ciphertext that counts."

For that reason, Meganet does not accept theoretical cryptanalyses of
VME.

In truth, theoretical breaks ARE important and significant. Although
no one might be able to break it now, tomorrow someone might find a
way to exploit that weakness or advancements in technology might make
it feasible to crack the cipher completely.

--
Benjamin Choi

Ulrich Wurst

Sep 21, 2003, 3:52:49 AM
"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:m72nmvg5r5j2mronb...@4ax.com...
> In the olden days, Enigma could actually be broken, more or less, in a
> way that actually provided practical, useful information.

I am currently reading the book "Seizing the Enigma" by David Kahn (the book
is not too interesting - it is rather a book about the war, not one
specifically about cryptography) and as I read it the information gained by
being able to decrypt the enigma-ciphers was usually not too useful. Having
knowledge of the enemy's communication can be interesting and helpful but
this war wasn't won (or lost) by it as I understand.

Uli


Mxsmanic

Sep 21, 2003, 6:22:03 AM
Scott Contini writes:

Already mentioned. I'm still amazed that the RSA modulus was so short.

> You would be surprised how often real world systems
> are insecure.

No, I wouldn't. I take for granted that they are insecure.

The amazing thing isn't that they are almost all insecure, the amazing
thing is that so few bad guys take advantage of it. I guess most people
are more honest than dishonest.

> This is all real stuff. It's not just some theoretical
> attack.

Mostly I see hypotheticals being discussed.

There are lots and lots of ways to attack a cryptosystem, and breaking
the crypto algorithms is often the least efficient attack. Similarly,
there are lots and lots of ways to commit fraud and other crimes, and
doing it by attacks on a cryptosystem are often the least efficient way
to accomplish that goal. Nobody attacks the strongest links, and a
cryptosystem is usually stronger than what it protects, and an algorithm
is usually stronger than the cryptosystem in which it is used.

In other words, nobody needs to crack algorithms, and so nobody does.

> Some of those companies do know what they
> are doing, but the vast majority make very simple mistakes.

In security, mistakes are legion, even outside of crypto.

Mxsmanic

Sep 21, 2003, 6:22:23 AM
Douglas A. Gwyn writes:

> I know that what you posted was incorrect.

Even if it is, there are several possible explanations.

Mxsmanic

Sep 21, 2003, 6:24:14 AM
Ulrich Wurst writes:

> ... as I read it the information gained by
> being able to decrypt the enigma-ciphers was usually
> not too useful. Having knowledge of the enemy's
> communication can be interesting and helpful but
> this war wasn't won (or lost) by it as I understand.

Most of the information isn't going to be very useful. But you only
need one juicy bit to make it all worthwhile. The battle of Midway, for
example, hinged on decryption of one key phrase.

Mxsmanic

Sep 21, 2003, 6:26:37 AM
Benjamin Choi writes:

> Many snake-oil vendors (like Meganet) say:
> "Theoretical breaks are useless. In the real world, it's actual
> practical decrypting of ciphertext that counts."

At least that much is correct.

> For that reason, Meganet does not accept theoretical
> cryptanalyses of VME.

That's not a reason to disregard theoretical cryptanalysis. Theoretical
cracks should not be disregarded, but neither should they incite panic.
Some theoretical attacks have no effect on real-world applications;
others signal the beginning of the end. Wait-and-see is often the best
policy.

> Although no one might be able to break it now, tomorrow
> someone might find a way to exploit that weakness or
> advancements in technology might make it feasible to crack
> the cipher completely.

So change the cipher tomorrow ... not today.

Troed Sångberg

Sep 21, 2003, 8:26:03 AM
On Sat, 20 Sep 2003 12:21:37 -0400, Dan Mehkeri <fool...@yahoo.ca> wrote:

> Now I don't know if I'm remembering all this right, but I recall right
> here
> on sci.crypt maybe a year (?) ago David Wagner's weakness in TEA's key
> schedule was used to get around the protection in Microsoft XBOX to run
> non-authorized code, which was using TEA as the basis for its hash algo.
> Now
> the XBOX was selling for cheaper than the corresponding general purpose
> hardware (I think?) So if I've got the details right, then take that
> amount
> of savings and multiply by however many hordes of L33T HA><0Rs went and
> made
> use of this, and I'd say it qualifies in the decent amount of financial
> gain
> category.

Correct. Although there were other holes, using TEA for hashing was one
way we got into Xbox v1.1. It has also been used recently to be able to
modify the RSA public key used for signing bioses (credits to Franz Lehner
for that idea) into a new known key with our own private key. This
simplified making modified bioses quite a lot since it didn't depend on
writing code to memory at boot.

It might also be possible to connect to XboxLive with a modified Xbox
since Microsoft (STILL) are using TEA as the hashing algorithm used to
detect modified bioses.

(I've myself come to the conclusion that Microsoft WANT us to hack the
Xbox since they keep on using algorithms broken since -97 and which we've
publicly told them how to secure over a year ago)

___/
_/

Paul Rubin

Sep 21, 2003, 12:10:22 PM
con...@matmail.com (Scott Contini) writes:
> If you want to see practical attacks against real world systems,
> then first learn the crypto and then get a job working for a company
> that claims to know what they're doing. Some of those companies do
> know what they are doing, but the vast majority make very simple
> mistakes.

I've learned some crypto and worked for a company that (by some
reasonable standard) knew what it was doing. We made numerous simple
mistakes anyway. Just like even an expert programmer will sometimes
make simple bugs, even a knowledgeable company carrying out a complex
procedure (e.g. loading keys into crypto application software on a
remote server without exposing them to the local network) can make an
error. It's possible to work past the errors by frequent practice,
but if it's something that's only done occasionally, errors are
inevitable. People in the company come and go, those who stay around
forget how to do things they haven't done in a long time, some
configuration or procedure changes requiring improvisation to deal
with, and some new type of error becomes possible as a result.

I realized after a while that there are hardly any civilian
organizations with enough discipline to deploy cryptography without
simple mistakes, even if they have plenty of pure knowledge. That's
one reason I came to believe in HSM's for key containment--not because
of attackers who might try to get the keys out with lab equipment, but
because it's way too easy on general purpose computers to spill keys
by accident (e.g. they end up on a backup tape that gets cycled into
some workgroup server). HSM's are very helpful at preventing a
certain class of mistakes. But of course there are many other kinds
of mistakes to make.

Having no military experience, I have no idea whether military
organizations do any better. The story about the laptop hard disk
full of H-bomb secrets being left behind a Los Alamos xerox machine
doesn't make me too optimistic. One kind of civilian organization
that might have a chance of secure crypto deployment is an outfit like
Verisign, which does basically the same procedures the exact same way
every day of the week, so the procedures and staff training can be
made very rigorous. If the crypto is just one component in a big
complicated software product that changes all the time, things are a
lot trickier.

Dan Mehkeri

Sep 21, 2003, 1:18:20 PM
"Troed Sångberg" <ne...@troed.se> wrote in message
news:oprvunhp...@news.usenetserver.com...

> On Sat, 20 Sep 2003 12:21:37 -0400, Dan Mehkeri <fool...@yahoo.ca> wrote:
>
> > Now I don't know if I'm remembering all this right, but I recall right
> > here
> > on sci.crypt maybe a year (?) ago David Wagner's weakness in TEA's key
> > schedule was used to get around the protection in Microsoft XBOX to run
> > non-authorized code, which was using TEA as the basis for its hash algo.
[...]

> Correct. Although there were other holes, using TEA for hashing was one
> way we got into Xbox v1.1. It has also been used recently to be able to
> modify the RSA public key used for signing bioses (credits to Franz Lehner
> for that idea) into a new known key with our own private key. This
> simplified making modified bioses quite a lot since it didn't depend on
> writing code to memory at boot.
>
Even better...

Now it's interesting to notice that this particular attack against TEA deals
with four bits of a 128 bit key, and if you read the first message in this
thread, it might be classified as a break with no practical value.

David Hopwood

Sep 20, 2003, 10:05:33 AM

Mxsmanic wrote:
> [...] Has anyone ever factored any RSA modulus actually in use for
> production encryption?

Yes, for the "GIE cartes bancaires" system used in France (well, IIRC
it was a signature rather than an encryption key). See for example
<http://www.parodie.com/english/smartcard.htm>.

- --
David Hopwood <david....@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip



Simon Johnson

Sep 21, 2003, 4:39:50 PM
"Tom St Denis" <tomst...@iahu.ca> wrote in message news:<Aj6bb.74768$DZ.6...@news04.bloor.is.net.cable.rogers.com>...


Yep and also the (but often under expressed) problem of where you get
the entropy from. Small keys are good because if our RNG is bad.. it
does us less damage..

Simon.

Simon Johnson

Sep 21, 2003, 5:07:20 PM
> That's not a reason to disregard theoretical cryptanalysis. Theoretical
> cracks should not be disregarded, but neither should they incite panic.
> Some theoretical attacks have no effect on real-world applications;
> others signal the beginning of the end. Wait-and-see is often the best
> policy.

The problem is that once a cipher is shown not to behave in an
ideal way it starts becoming a burden to cryptographers.

Take RC4. RC4 is secure provided you throw away the first thousand or
so bytes. Imagine you're trying to design a system where the user can
choose the cipher they use. You'd have to write special code to handle
RC4 .. something you wouldn't have to do with other ciphers.. we're
adding complexity for the sakes of a dodgy cipher.

Complexity breeds insecurity, so it's much better to dump the cipher
at the first signs of weakness just to be safe..

In this industry... the burden of proof is not on the cryptanalyst but
on the designer. The designer must prove that their design is worth
using.. They start on the assumption that a design is insecure until
they see evidence of the opposite.

Simon.

Scott Contini

Sep 21, 2003, 6:18:34 PM
Mxsmanic <mxsm...@hotmail.com> wrote in message news:<ffuqmv88r6fpmqdg2...@4ax.com>...

> > You would be surprised how often real world systems
> > are insecure.
>
> No, I wouldn't. I take for granted that they are insecure.
>
> The amazing thing isn't that they are almost all insecure, the amazing
> thing is that so few bad guys take advantage of it. I guess most people
> are more honest than dishonest.
>
> > This is all real stuff. It's not just some theoretical
> > attack.
>
> Mostly I see hypotheticals being discussed.
>
> There are lots and lots of ways to attack a cryptosystem, and breaking
> the crypto algorithms is often the least efficient attack. Similarly,
> there are lots and lots of ways to commit fraud and other crimes, and
> doing it by attacks on a cryptosystem are often the least efficient way
> to accomplish that goal. Nobody attacks the strongest links, and a
> cryptosystem is usually stronger than what it protects, and an algorithm
> is usually stronger than the cryptosystem in which it is used.
>

Well, then maybe you would be surprised how often the crypto is exceptionally
weak. I have seen many examples of this, but I have to be careful about
which ones I cite. Here's one:

One so-called cryptographer used Diffie Hellman without authentication. The
designer thought that if he was able to be sure that the parameters were
kept secret (if you are wondering why somebody is using public key
crypto with secret parameters rather than symmetric crypto, then you
have already thought more than the original designer), then man-in-the-middle
attack was not possible. He implemented his own text-book version of
Diffie Hellman. Show that man-in-the-middle still can work.

This is quite an elementary example which is easy to break. I've seen
lots of stuff like this where people miss basic crypto concepts when they
try to do it themselves. I have seen lots of attempts at building some
type of encryption method - both public key and private key - where the
encryption is exceptionally easy to break. I have seen patented methods
of this form. There are MANY stupid crypto mistakes in the real world.
99% of these are so trivial that they are not worthy of publication.

Another example is the 802.11 protocol. The security flaws in it were
completely trivial.

Scott
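An added illustration of Scott's exercise (this is not code from the thread): textbook Diffie-Hellman with "secret" p and g, showing why a man-in-the-middle who knows neither still forces a key it knows, and the public-value check that at least rejects that degenerate case. The group (p = 23, q = 11, g = 2) is a constructed toy.

```python
"""Added example (not from the thread): unauthenticated Diffie-Hellman with
secret parameters is still open to a man-in-the-middle.

Constructed toy parameters: p = 23, g = 2 generates the subgroup of prime
order q = 11.  Values this small are for illustration only.
"""
import secrets

P, Q, G = 23, 11, 2   # toy group, assumed "secret" from the attacker


def dh_keypair(p, q, g):
    """Private exponent in [1, q-1]; public value g^priv mod p."""
    priv = secrets.randbelow(q - 1) + 1
    return priv, pow(g, priv, p)


def textbook_shared(priv, peer_pub, p):
    """The designer's version: trusts whatever public value arrives."""
    return pow(peer_pub, priv, p)


def validated_shared(priv, peer_pub, p):
    """Defensive version: refuse public values outside the open range (1, p-1).

    The value 1 can be injected by someone who knows neither p nor g, since
    pow(1, x, p) == 1 for every x; both honest parties would then silently
    agree on a key the attacker already knows.  Rejecting it (and p-1, which
    only ever yields +-1) closes that degenerate case."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(peer_pub, priv, p)


def run_exchange(shared_fn, attacker_present):
    """One exchange between Alice and Bob.

    When an attacker sits on the wire it replaces both public values with 1;
    it needs neither p nor g to do so.  Returns
    (alice_key, bob_key, attacker_known_key), the last being None when no
    attacker was present."""
    a_priv, a_pub = dh_keypair(P, Q, G)
    b_priv, b_pub = dh_keypair(P, Q, G)
    if attacker_present:
        to_bob, to_alice, attacker_key = 1, 1, 1
    else:
        to_bob, to_alice, attacker_key = a_pub, b_pub, None
    alice_key = shared_fn(a_priv, to_alice, P)
    bob_key = shared_fn(b_priv, to_bob, P)
    return alice_key, bob_key, attacker_key
```

The range check only removes the degenerate-value variant; an attacker who does learn p and g can still relay a key pair of its own, so the actual fix is authenticating the public values (signatures or a MAC under a pre-shared key).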

Mxsmanic

Sep 21, 2003, 9:13:40 PM
Paul Rubin <http://phr...@NOSPAM.invalid> writes:

> I realized after a while that there are hardly any civilian
> organizations with enough discipline to deploy cryptography without
> simple mistakes, even if they have plenty of pure knowledge.

Once the bad guys have physical access to your computers, it becomes
extraordinarily difficult to maintain any kind of security, even with a
boatload of state-of-the-art crypto tools. There are holes everywhere,
and plugging them all makes a system almost impossible to use in any
practical way.

> One kind of civilian organization that might have
> a chance of secure crypto deployment is an outfit like
> Verisign ...

Verisign handed a Microsoft signing key to a complete stranger a few
years ago, just for the asking. I wrote them off the day I heard about
that, and I have not trusted them since.

> If the crypto is just one component in a big complicated
> software product that changes all the time, things are a
> lot trickier.

Which is why I question whether cracking crypto algorithms ever makes
much of a difference in the real world, or even whether anyone actually
bothers to attempt it. There are much easier ways to compromise
security. It's hard to imagine any non-military environment in which
the _easiest_ attack is a direct attack on a crypto algorithm.

Mxsmanic

Sep 21, 2003, 9:19:16 PM
Simon Johnson writes:

> Complexity breeds insecurity, so it's much better to dump the cipher
> at the first signs of weakness just to be safe..

But is it really? Is it more secure to use a cipher that has been
around for ages and has shown no major weaknesses (even if a few minor
attacks have shown some defects), or is it more secure to use a much
newer cipher that has had no successful attacks against it at all as yet
but hasn't been cryptanalyzed to nearly the depth of the older cipher?

For example, DES is ancient and has some known defects, but it is much
more of a known quantity than many newer ciphers are. What are the
chances that DES will _suddenly_ be broken in the foreseeable future, as
compared with a newer algorithm that has not withstood thirty years of
attacks?

This is why I am using 3DES at the moment. It may not be perfect, but
it is at least a fairly well quantified risk.

Michael Amling

Sep 21, 2003, 9:56:59 PM
Simon Johnson wrote:
>>That's not a reason to disregard theoretical cryptanalysis. Theoretical
>>cracks should not be disregarded, but neither should they incite panic.
>>Some theoretical attacks have no effect on real-world applications;
>>others signal the beginning of the end. Wait-and-see is often the best
>>policy.
>
>
> The problem is that once a cipher is shown not to behave in an
> ideal way it starts becoming a burden to cryptographers.
>
> Take RC4. RC4 is secure provided you throw away the first thousand or
> so bytes. Imagine you're trying to design a system where the user can
> choose the cipher they use. You'd have to write special code to handle
> RC4 .. something you wouldn't have to do with other ciphers.. we're
> adding complexity for the sakes of a dodgy cipher.

I don't think you'd need special treatment for RC4. Just add a loop
at the end of the RC4 key scheduling code to generate and discard n
bytes. The key scheduling code is unique to each cipher anyway.

--Mike Amling
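What Amling describes, as an added example rather than anyone's posted code: RC4 with the discard loop folded into key setup (RC4-drop[n]), so callers see an ordinary stream cipher and need no RC4-specific handling. The `drop` default of 1024 is a choice made here, not a value from the thread.

```python
"""Added example (not from the thread): RC4 with "drop the first n bytes"
built into key scheduling, so the caller needs no special case for RC4."""


def _rc4_byte(state):
    """Advance the PRGA one step and return the next keystream byte.
    state is a mutable [S, i, j] list so the generator can be resumed."""
    S, i, j = state
    i = (i + 1) & 0xFF
    j = (j + S[i]) & 0xFF
    S[i], S[j] = S[j], S[i]
    state[1], state[2] = i, j
    return S[(S[i] + S[j]) & 0xFF]


def rc4_init(key, drop=1024):
    """Key-scheduling algorithm followed by discarding `drop` keystream bytes.

    With drop=0 this is plain RC4; with a drop of the order of a thousand
    bytes it is the variant the thread calls secure.  Returns [S, i, j]."""
    if not key:
        raise ValueError("empty RC4 key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    state = [S, 0, 0]
    # RC4-drop[n]: run the generator n times and throw the output away.
    # Because this lives in key setup, rc4_crypt below is indistinguishable
    # to a caller from any other stream cipher's encrypt/decrypt.
    for _ in range(drop):
        _rc4_byte(state)
    return state


def rc4_crypt(key, data, drop=1024):
    """Encrypt or decrypt (the operation is symmetric) with RC4-drop[drop]."""
    state = rc4_init(key, drop)
    return bytes(b ^ _rc4_byte(state) for b in data)
```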

Tom St Denis

Sep 21, 2003, 10:25:20 PM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:gajsmv0vj41kc3ea0...@4ax.com...

I'll let you in on a secret. 30 yrs will pass whether you decide to let it
or not.

Now what the heck does that mean? ... throw yourself back 30 years when DES
was new. Should we have ignored it completely because it was new then?

That's a little zen for ya.

Tom


Tom St Denis

Sep 21, 2003, 10:28:01 PM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:qvismv092nl5cn7ar...@4ax.com...

> > If the crypto is just one component in a big complicated
> > software product that changes all the time, things are a
> > lot trickier.
>
> Which is why I question whether cracking crypto algorithms ever makes
> much of a difference in the real world, or even whether anyone actually
> bothers to attempt it. There are much easier ways to compromise
> security. It's hard to imagine any non-military environment in which
> the _easiest_ attack is a direct attack on a crypto algorithm.

People still try to attack ciphers because

a) New attacks are invented
and
b) Old attacks are improved.

State of the art doesn't always mean "being used right this minute". For
example, Intel has a 5Ghz ALU that they aren't using right now. Does that
mean Intel should stop research on high speed parts? Similarly we find
attacks that aren't practical yet. Does that mean we stop?

Also you seem to be overlooking the vast realm of protocol analysis that
goes on. Like most recently the GSM break(s) [one of which had nothing to do
with the cipher details].

Tom


Mxsmanic

Sep 21, 2003, 10:39:44 PM
Tom St Denis writes:

> Now what the heck does that mean? ... throw yourself back 30 years when DES
> was new. Should we have ignored it completely because it was new then?

It had no competition.

Tom St Denis

Sep 21, 2003, 10:42:10 PM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:37osmv4vfd8525lfe...@4ax.com...

> Tom St Denis writes:
>
> > Now what the heck does that mean? ... throw yourself back 30 years when DES
> > was new. Should we have ignored it completely because it was new then?
>
> It had no competition.

And your point is?

Essentially you're [or at least were, we'll wait for you to make a cogent
point....] saying "don't use AES, it has no history." I'm saying everything
at some point doesn't have history. And it isn't as if people haven't tried
to break AES.

Yeah I agree using 3DES is a good idea. So is [can be] AES.

Tom


Gregory G Rose

Sep 21, 2003, 11:50:31 PM
In article <qvismv092nl5cn7ar...@4ax.com>,

Mxsmanic <mxsm...@hotmail.com> wrote:
>Verisign handed a Microsoft signing key to a complete stranger a few
>years ago, just for the asking. I wrote them off the day I heard about
>that, and I have not trusted them since.

You trusted them for *that* long?

Greg.

--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Crypto Mini-FAQ: http://www.schlafly.net/crypto/faq.txt
Qualcomm Australia: http://www.qualcomm.com.au

Douglas A. Gwyn

Sep 22, 2003, 12:01:30 AM
Paul Rubin wrote:
> Having no military experience, I have no idea whether military
> organizations do any better.

At one time they did, with cryptosystem designs being vetted
by having experienced cryptanalysts attack them, and security
monitors and "tiger teams" continually probing the security
of ongoing operations.

> The story about the laptop hard disk
> full of H-bomb secrets being left behind a Los Alamos xerox machine
> doesn't make me too optimistic.

Don't believe much of what you read in the so-called news media.

Joe Peschel

Sep 22, 2003, 1:00:36 AM9/22/03
"Douglas A. Gwyn" <DAG...@null.net> wrote in news:LUqdnQTtvteK6fOiU-
KY...@comcast.com:

> Don't believe much of what you read in the so-called news media.
>

I respect your technical opinions, Doug, but I certainly wish you'd get
over this blame-the-messenger business.

J

--
__________________________________________
When will Bush come to his senses?
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________

Mxsmanic

Sep 22, 2003, 5:32:35 AM9/22/03
Gregory G Rose writes:

> You trusted them for *that* long?

Well, Microsoft trusted them, and given how much Microsoft stood to lose
if Verisign screwed up, I figured I could trust them, too. But then
Verisign _did_ screw up, so I stopped trusting them. Microsoft,
strangely, has not--although there really isn't any other place to turn,
I suppose.

For higher security, I've always preferred PGP instead, as I don't need
or trust a third party to manage any part of my key structure.

As it is, though, I can't even find any correspondents who understand
and use the very simple Verisign security in Outlook Express, much less
PGP. Even when I have a good reason to encrypt something confidential,
my recipient typically doesn't understand enough to be able to decrypt
it, so it has to be sent in the clear or by postal mail or something.

Mxsmanic

Sep 22, 2003, 5:33:09 AM9/22/03
Douglas A. Gwyn writes:

> At one time they did, with cryptosystem designs being vetted
> by having experienced cryptanalysts attack them, and security
> monitors and "tiger teams" continually probing the security
> of ongoing operations.

Has something changed?

Mxsmanic

Sep 22, 2003, 5:34:49 AM9/22/03
Tom St Denis writes:

> And your point is?

If it had no competition, there would be no point in ignoring it because
it was new, because it was either DES or nothing.

> Yeah I agree using 3DES is a good idea. So is [can be] AES.

Well, when AES has been around long enough, maybe I'll switch to that.
I think the public-key part of a cryptosystem may be considerably more
vulnerable, though. Who knows what size of numbers are being factored
in basement computer rooms somewhere?

John E. Hadstate

Sep 22, 2003, 6:13:57 AM9/22/03

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:9egtmv4hd4madm324...@4ax.com...

> Douglas A. Gwyn writes:
>
> > At one time they did, with cryptosystem designs being vetted
> > by having experienced cryptanalysts attack them, and security
> > monitors and "tiger teams" continually probing the security
> > of ongoing operations.
>
> Has something changed?
>

Yes.


Mxsmanic

Sep 22, 2003, 10:02:35 AM9/22/03
John E. Hadstate writes:

> Yes.

So now even the military doesn't attack its own codes to test them?
Gee, that makes me feel secure.

Mok-Kong Shen

Sep 22, 2003, 10:02:41 AM9/22/03

"John E. Hadstate" wrote:
>
> "Mxsmanic" <mxsm...@hotmail.com> wrote:

> > Douglas A. Gwyn writes:
> >
> > > At one time they did, with cryptosystem designs being vetted
> > > by having experienced cryptanalysts attack them, and security
> > > monitors and "tiger teams" continually probing the security
> > > of ongoing operations.
> >
> > Has something changed?
> >
>
> Yes.

I guess that in modern combat situations voice encryption
plays a bigger role than text encryption and that
issues like jamming etc. must be well addressed. Could
that be right? Thanks.

M. K. Shen

Mxsmanic

Sep 22, 2003, 11:04:23 AM9/22/03
Mok-Kong Shen writes:

> I guess that in modern combat situations voice encryption
> plays a bigger role than text encryption and that
> issues like jamming etc. must be well addressed. Could
> that be right? Thanks.

It's all just bit streams, so whether the original plaintext is voice or
data shouldn't matter.

Simon Johnson

Sep 22, 2003, 11:18:46 AM9/22/03
Mxsmanic <mxsm...@hotmail.com> wrote in message news:<1fgtmv486lrlphvkj...@4ax.com>...

> Tom St Denis writes:
>
> > And your point is?
>
> If it had no competition, there would be no point in ignoring it because
> it was new, because it was either DES or nothing.
>
> > Yeah I agree using 3DES is a good idea. So is [can be] AES.
>
> Well, when AES has been around long enough, maybe I'll switch to that.
> I think the public-key part of a cryptosystem may be considerably more
> vulnerable, though.

On what grounds do you base that? There is strong evidence to suggest
that public key algorithms have intrinsic strength. I'd argue, it's
got a far stronger grounding than AES or DES.. factoring has been
studied for thousands of years.

> Who knows what size of numbers are being factored
> in basement computer rooms somewhere?

1024-bit keys? Unlikely. 2048-bit keys? No chance. Quantum computer
attack? Infinitesimally small but non-zero.

Simon.

Mxsmanic

Sep 22, 2003, 11:24:19 AM9/22/03
Simon Johnson writes:

> On what grounds do you base that?

It all hinges on a few hard problems, such as factorization or discrete
logs. If someone, somewhere, has found fast ways to do these things,
practically all public-key systems become useless.

Personally, I hope that there _isn't_ a way to do these things, which
would ensure that public-key systems as they now exist will remain
secure and useful indefinitely. Perhaps spooks feel the same way,
although that won't stop them from trying to come up with new factoring
algorithms and such, unless someone _proves_ that the problem is
intractable.

> There is strong evidence to suggest that public key algorithms
> have intrinsic strength.

As long as the hard problems stay hard, yes.

> I'd argue, it's got a far stronger grounding than AES
> or DES.. factoring has been studied for thousands of years.

Yes. One can hope that it really will stay difficult.

> 1024-bit keys? unlikely. 2048-bit keys. No chance. Quantum computer
> attack? infinitesimally small but non-zero.

Just to be on the safe side, I set my key sizes to the largest allowed.

I do have some worries about the actual randomness of the keys
generated, but I haven't found any comments on that with respect to PGP.
The commercial 8.x version seems to generate 4096-bit keys suspiciously
fast.

Mok-Kong Shen

Sep 22, 2003, 2:26:40 PM9/22/03

Mxsmanic wrote:
>
> Mok-Kong Shen writes:
>
> > I guess that in modern combat situations voice encryption
> > plays a bigger role than text encryption and that
> > issues like jamming etc. must be well addressed. Could
> > that be right? Thanks.
>
> It's all just bit streams, so whether the original plaintext is voice or
> data shouldn't matter.

But the technical aspects for voice and text encryption
are not identical in my humble view. To exaggerate, there
is difference in the construction principles between
automobiles and airplanes, though all are based on
the fundamental laws given by Newton at the end.

M. K. Shen

Bob

Sep 22, 2003, 3:20:27 PM9/22/03
If this is relevant, I would be interested in reading any responses.

I just read two papers over the weekend. "A Chosen Ciphertext Attack
Against Several E-Mail Encryption Protocols" by Katz and Schneier and
"Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG" by
Jallad, Katz and Schneier.

Does this qualify as a crack in this thread?

Bob.

Mxsmanic

Sep 22, 2003, 5:58:13 PM9/22/03
Bob writes:

> Does this qualify as a crack in this thread?

Depends. How realistic is a chosen-ciphertext attack?

To me a realistic attack is one that actually gives you a complete key
or a complete plaintext within a reasonable amount of time. This means
that you tap the network connection, you pull the ciphertext of the
message you want, you plug it into your NSA-spec HAL 9900, and twenty
minutes later the key and/or the plaintext pops out. Now, that's a
useful crack.

Here are some signs that the crack is not really meaningful:

-- Any parameter of the cracking method is expressed in exponential
notation.

-- The crack does not produce the entire key or an appreciable chunk of
plaintext.

-- The target message concerns a terrorist attack due within 48 hours,
and the crack requires six months of processing on a distributed network
of computers.

-- The target message is useless if it cannot be decrypted in real time,
and the crack does not provide results in real time.

There are other signs, too.

It's kinda like the endless series of Windows security problems. Lots
of problems discovered and documented, but virtually no evidence that
the majority of them have ever actually been exploited.

Tom St Denis

Sep 22, 2003, 6:38:44 PM9/22/03

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:qaoumvc08vo4mjuuj...@4ax.com...

> Bob writes:
>
> > Does this qualify as a crack in this thread?
>
> Depends. How realistic is a chosen-ciphertext attack?
>
> To me a realistic attack is one that actually gives you a complete key

<snip>

Shut up already. Nobody has said [e.g.] 2^50 chosen plaintexts [or
whatever] would be something you can go out and do each day. The point is
if "academic" breaks exist they exist and in the grand scheme of things it's
the best ranking system we have. I mean if you have two ciphers one with an
attack in 2^40 time and another in 2^60 time you'd have to pick the 2^60
[assuming all else is equal].

You seem to be rather oblivious to quite a few things which I think we can
just attribute to age [my guess is you're between 14 and 17]. The point of
all these "academic" breaks is that what is impractical now often filters
down to practical later.

As an aside [and further examples], some of the talks at crypto'03 that I
attended were rather dry and really theoretical. I sat through a few
thinking "why would anyone care about things like this?". Then I recalled
that theory filters into practical. For instance, elliptic curves were just
an algebraic oddity for about 100 years before Koblitz [et al.] decided to
make a PK system out of them in 1985.

You can't simply discount any theoretical knowledge because you "Mxmanic"
cannot apply it to some point and click GUI application *right now*. Can
you just stop posting in this thread under the assumption you don't know
what you're talking about?

Tom


M.S. Bob

Sep 22, 2003, 6:57:37 PM9/22/03
On Mon, 22 Sep 2003 00:01:30 -0400, "Douglas A. Gwyn"
<DAG...@null.net> wrote:

>Paul Rubin wrote:
>> Having no military experience, I have no idea whether military
>> organizations do any better.
>
>At one time they did, with cryptosystem designs being vetted
>by having experienced cryptanalysts attack them, and security
>monitors and "tiger teams" continually probing the security
>of ongoing operations.

Now they just download them from the Internet? (This is meant to be a
joke. :-)

What I see from my vantage point gives me the impression that adequate
resources are simply not there any more, with the additional pressure
to reduce costs by using COTS product whenever possible (a la MS
Windows OS) regardless of being appropriate or not, and the often
misguided mantra of "do more with less" makes it hard to get things
done right and things are left broken. A somewhat more open display
of this is the pressure that NASA faces with massive cutbacks in their
budgets, and increased pressure to make their milestones on time with
whatever they do get for a budget. Ignoring problems does not make
them go away.

>> The story about the laptop hard disk
>> full of H-bomb secrets being left behind a Los Alamos xerox machine
>> doesn't make me too optimistic.
>
>Don't believe much of what you read in the so-called news media.

Unfortunately even intelligent people in the public do not know who to
believe always. Blind trust of elected politicians and unelected civil
servants has failed them repeatedly in the past, so it is
understandable that they turn to sources that at least attempt to
provide details. The usage of PR staff by agencies such as the NSA or
FBI set off alarm bells with the public, because of the standard
operating procedure of using PR staff in the private sector when
attempting to cover up or deny an event or mishap.

I realize that agencies such as the NSA, CSE, GCHQ, etc. cannot be a
fully transparent organization with all of their details in the public
knowledge, but that is not a justification for little to no
accountability to the public. I think that intelligence agencies have
had their transparency and declassification of their history stalled,
and I worry that does not help them, or the nation they serve.

Best of luck,

Mxsmanic

Sep 22, 2003, 7:16:01 PM9/22/03
Tom St Denis writes:

> Shut up already.

No.

> The point is if "academic" breaks exist they exist and in
> the grand scheme of things it's the best ranking system we have.

Only if you are using cryptography exclusively for academic purposes.

For example, if you can convince a secretary to give you a PGP password,
then academic attacks against the algorithms incorporated into the
program are moot. If a 100% successful attack against an algorithm
exists, but it requires that the entire mass of the sun be converted to
disk drives in order to hold the necessary number of chosen plaintexts,
then that attack is moot as well.

If you become too preoccupied with academic viewpoints, you may miss the
bad guys slipping through the back door.

> I mean if you have two ciphers one with an
> attack in 2^40 time and another in 2^60 time you'd have to pick the 2^60
> [assuming all else is equal].

[But all else is never equal.]

> You seem to be rather oblivious to quite a few things which I think we can
> just attribute to age [my guess is you're between 14 and 17]. The point of
> all these "academic" breaks is that what is impractical now often filters
> down to practical later.

Much, much later, or perhaps never. What has become of attacks against,
say, eight-round DES, for example? Any practical results from that?
DES is normally 16 rounds, as I recall. Who cares about attacks against
only eight rounds?

To some extent, some cryptologists are arguing about the number of NSA
cryptographers that can dance on the package of a microchip.

> You can't simply discount any theoretical knowledge because you "Mxmanic"
> cannot apply it to some point and click GUI application *right now*.

I live and work with computers _right now_, so _today's_ attacks are my
concern. When the arcane theory filters into practice, if it ever does,
I'll make the necessary adaptations then.

Tom St Denis

Sep 22, 2003, 7:40:25 PM9/22/03

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:bb0vmv4c951i9r9ff...@4ax.com...

> Tom St Denis writes:
>
> > Shut up already.
>
> No.
>
> > The point is if "academic" breaks exist they exist and in
> > the grand scheme of things it's the best ranking system we have.
>
> Only if you are using cryptography exclusively for academic purposes.
>
> For example, if you can convince a secretary to give you a PGP password,
> then academic attacks against the algorithms incorporated into the
> program are moot. If a 100% successful attack against an algorithm
> exists, but it requires that the entire mass of the sun be converted to
> disk drives in order to hold the necessary number of chosen plaintexts,
> then that attack is moot as well.

That's not the point. I suggest you read up on cryptanalysis, especially from
the late 80s and early 90s. Specifically look up FEAL, DES and IDEA.

Attacks only get better is a very meaningful thing if you actually spend the
time to research...

> If you become too preoccupied with academic viewpoints, you may miss the
> bad guys slipping through the back door.

I don't think that's the case either. I think you're overdramatizing
things.

Also keep in mind that most of the time when security bugs are found in
software it is because they hired a non-cryptographer to do a security
related task.

> > I mean if you have two ciphers one with an
> > attack in 2^40 time and another in 2^60 time you'd have to pick the 2^60
> > [assuming all else is equal].
>
> [But all else is never equal.]
>
> > You seem to be rather oblivious to quite a few things which I think we can
> > just attribute to age [my guess is you're between 14 and 17]. The point of
> > all these "academic" breaks is that what is impractical now often filters
> > down to practical later.
>
> Much, much later, or perhaps never. What has become of attacks against,
> say, eight-round DES, for example? Any practical results from that?

DC didn't break 16 rounds of DES originally.

> DES is normally 16 rounds, as I recall. Who cares about attacks against
> only eight rounds?

Because attacks against fewer rounds can [and do] extend to more rounds by
refining the attack.

I strongly urge you stop using your usenet reader and spend more time using
your PS/PDF viewer. Read some of the freely available papers on the web and
actually learn about what you are trying to talk about.

> To some extent, some cryptologists are arguing about the number of NSA
> cryptographers that can dance on the package of a microchip.

What the heck does that mean?

> > You can't simply discount any theoretical knowledge because you "Mxmanic"
> > cannot apply it to some point and click GUI application *right now*.
>
> I live and work with computers _right now_, so _today's_ attacks are my
> concern. When the arcane theory filters into practice, if it ever does,
> I'll make the necessary adaptations then.

I don't get what your point of this thread is. You openly deny the
usefulness of academia then say you want practical results. Well sorry to
burst your bubble but practical almost always comes from theory.

It really depends on your goals. If you just want to design/analyze
protocols chances are things like differential and linear cryptanalysis
won't have a bearing on your work. Just plug in AES and that puzzle is
solved. However, just because you can make assumptions like that doesn't
mean a lot of work didn't go into it.

If you don't care for academia just leave it at that. There is no point in
trying to make a futile argument that theory is useless.

Tom


Douglas A. Gwyn

Sep 22, 2003, 6:41:19 PM9/22/03
Joe Peschel wrote:
> "Douglas A. Gwyn" <DAG...@null.net> wrote ...

> > Don't believe much of what you read in the so-called news media.
> I respect your technical opinions, Doug, but I certainly wish you'd get
> over this blame-the-messenger business.

If you think that the report (disk with nuclear secrets) to
which I was responding was an accurate representation of the
facts, you've been hoodwinked. It has nothing to do with me.

Mxsmanic

Sep 22, 2003, 8:44:09 PM9/22/03
Tom St Denis writes:

> Attacks only get better is a very meaningful thing if you actually spend the
> time to research...

Flat-panel displays only get better, too, but it has been forty years
since they first went into use and I'm still using a CRT today.

> I don't think that's the case either. I think you're overdramatizing
> things.

I've just had to deal with lots of problems in real-world situations.
They are never where you expect to find them.

> Also keep in mind that most of the time when security bugs
> are found in software it is because they hired a non-cryptographer
> to do a security related task.

Cryptographers are not especially gifted with respect to security in
general; they just know a lot about cryptography.

> I strongly urge you stop using your usenet reader and spend
> more time using your PS/PDF viewer. Read some of the freely
> available papers on the web and actually learn about what you
> are trying to talk about.

Nah. I have to give you some fodder for personal attacks, don't I?

> What the heck does that mean?

Never mind.

> I don't get what your point of this thread is. You openly
> deny the usefulness of academia then say you want practical
> results.

No, I put the academic stuff in perspective, by comparing it with
real-world results and requirements. I hear way too much about theory
these days, and not nearly enough about practical applications.

Tom St Denis

Sep 22, 2003, 9:08:45 PM9/22/03

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:ph5vmv8j2lm91g60q...@4ax.com...

> Tom St Denis writes:
>
> > Attacks only get better is a very meaningful thing if you actually spend the
> > time to research...
>
> Flat-panel displays only get better, too, but it has been forty years
> since they first went into use and I'm still using a CRT today.

What is your point? Tons of TFT screens [which are not 40 years old] are in
use world wide. CRT is popular because it's cheap.

> > I don't think that's the case either. I think you're overdramatizing
> > things.
>
> I've just had to deal with lots of problems in real-world situations.
> They are never where you expect to find them.

And your point is?

> > Also keep in mind that most of the time when security bugs
> > are found in software it is because they hired a non-cryptographer
> > to do a security related task.
>
> Cryptographers are not especially gifted with respect to security in
> general; they just know a lot about cryptography.

That's kinda vague. Cryptography has more than mixing bits up. Protocol
analysis [and implementation] is a HUGE part of cryptography.

That's like saying "doctors are not specially gifted at healing, they just
know medicine".

> > I strongly urge you stop using your usenet reader and spend
> > more time using your PS/PDF viewer. Read some of the freely
> > available papers on the web and actually learn about what you
> > are trying to talk about.
>
> Nah. I have to give you some fodder for personal attacks, don't I?

Why?

> > I don't get what your point of this thread is. You openly
> > deny the usefulness of academia then say you want practical
> > results.
>
> No, I put the academic stuff in perspective, by comparing it with
> real-world results and requirements. I hear way too much about theory
> these days, and not nearly enough about practical applications.

Then stop reading sci.crypt. If you don't like theory, don't participate in
theory groups. There are other more practical groups like comp.security.

Tom


Mok-Kong Shen

Sep 22, 2003, 9:10:26 PM9/22/03

Mxsmanic wrote:
>
[snip]


> I live and work with computers _right now_, so _today's_ attacks are my
> concern. When the arcane theory filters into practice, if it ever does,
> I'll make the necessary adaptations then.

The sad fact is however that one can never be certain
of knowing all of today's attacks, let alone guessing
the future. Douglas Gwyn hinted earlier in the group that
certain analysis techniques known to some agencies several
decades back are still not yet in the knowledge base
of the open community. So the best one gets in security
evaluation could be nothing but a more or less subjective
conjecture (which may well be different from person to
person), I suppose.

M. K. Shen

Joe Peschel

Sep 22, 2003, 9:23:55 PM9/22/03
"Douglas A. Gwyn" <DAG...@null.net> wrote in
news:3F6F7A8F...@null.net:

Hoodwinked? Me? It's you, my friend, who is indulging in a bit of
hoodwinking. Your comment wasn't at all responsive, and it wasn't meant to
be.

Paul wrote: "The story about the laptop hard disk full of H-bomb secrets

being left behind a Los Alamos xerox machine doesn't make me too
optimistic."

You took that as an opportunity to heckle the news media, by advising,
"don't believe much of what you read" and referring to it as "so-called."

Paul doesn't say which report he's referring to, so it's difficult to
ascertain much about the original story. But you have, as I've said, blamed
the messenger, and you've done so without even knowing which story Paul was
talking about.

Douglas A. Gwyn

Sep 23, 2003, 3:09:40 AM9/23/03
Joe Peschel wrote:
> Paul wrote: "The story about the laptop hard disk full of H-bomb secrets
> being left behind a Los Alamos xerox machine doesn't make me too
> optimistic."
> You took that as an opportunity to heckle the news media, by advising,
> "don't believe much of what you read" and referring to it as "so-called."

It *is* so called the "news media". And their coverage is
largely driven these days by concern over *entertainment
value* at the expense of insight and conveying an accurate
impression of the facts, as has often been remarked (and
usually deplored) by many people who work in that business.

> Paul doesn't say which report he's referring to, so it's difficult to
> ascertain much about the original story. But you have, as I've said, blamed
> the messenger, and you've done so without even knowing which story Paul was
> talking about.

I'm quite familiar with the story he was referring to, as
well as having inside information about what actually went
on, which differs from the impression left on Paul and the
rest of the general public by the so-called "news media".
This kind of thing happens over and over, in various forms;
the splashy coverage that catches the public eye tends to
leave a public impression of the events that is misleading
and/or inaccurate, with any corrections (when they occur at
all, which is rare for television media) buried in tiny
items deep within the newspaper with nothing like the
fanfare of the original story. Examples are all over the
place; indeed in practically every one of the hundreds of
cases where I've had in-depth information about the events
being reported, such distortion of the truth has occurred.

That is not to say that there aren't some decent reporters
or even that all the misreporting is intentional, just that
it is common enough that one should not believe everything
that one hears in the so-called news media. I am certainly
not the first person to make such an observation.

Francois Grieu

Sep 23, 2003, 3:49:43 AM9/23/03
In article <9935f8fb.03092...@posting.google.com>,
bob.gr...@echostar.com (Bob) wrote:

> I just read two papers over the weekend. "A Chosen Ciphertext Attack
> Against Several E-Mail Encryption Protocols" by Katz and Schneier and
> "Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG" by
> Jallad, Katz and Schneier.
>
> Does this qualify as a crack in this thread?

Chosen Ciphertext Attack involves an adversary
(a) obtaining the ciphertext,
(b) altering the ciphertext,
(c) obtaining the corresponding (altered) plaintext,
(d) deducing the original plaintext

(a) Is the standard hypothesis in classic crypto and is definitely
practical.
(b) Is an active attack, and is often practical, except
that most of the time it will be detected.
(c) Largely amounts to social engineering or compromise of the
receiving end. Social engineering is easier in the presence of
fault (your PDF won't open? send it to me I'll see what I can do).
Compromise of receiver may be practical, but makes the attack moot;
it will equally well recover the original plaintext.
(d) Is computational, and practical in the case of the article.

In summary: the attack makes social engineering more likely to
succeed, and thus is somewhat practical IMHO.


François Grieu

Paul Schlyter

Sep 23, 2003, 3:58:05 AM9/23/03
In article <6ktbb.86701$DZ.6...@news04.bloor.is.net.cable.rogers.com>,

Tom St Denis <tomst...@iahu.ca> wrote:

> "Mxsmanic" <mxsm...@hotmail.com> wrote in message
> news:37osmv4vfd8525lfe...@4ax.com...
>> Tom St Denis writes:
>>
>>> Now what the heck does that mean? ... throw yourself back 30 years
>>> when DES was new. Should we have ignored it completely because it
>>> was new then?
>>
>> It had no competition.
>
> And your point is?
>
> Essentially you're [or at least were, we'll wait for you to make a cogent
> point....] saying "don't use AES, it has no history." I'm saying everything
> at some point doesn't have history. And it isn't as if people haven't tried
> to break AES.

>
> Yeah I agree using 3DES is a good idea. So is [can be] AES.

Using AES can be, and probably is, a good idea. But we won't know
for sure until AES has gotten some history too: within the next few
decades a new attack to AES, unknown today, may appear. However,
since there are so many more cryptanalysts today than 30 years ago,
we probably won't have to wait for 30 years; 10 years may be enough.

This is a matter of judging unknown risks: we have no data since
there is no statistics available. And ultimately it's about how
sensitive the information you want to protect is: do you want to
subject your sensitive information to the risk that AES may become
broken within the next decade? And if that's a concern, you should
also of course ask yourself: which OTHER risks are you subjecting
your sensitive data to?

However, if you're really paranoid about your data, DES is preferable
over AES, because DES has a history. And 30 years ago, e.g. Enigma
could very well have been considered preferable to the newly released
DES..... remember that back then, breaking a particular Enigma
encryption involved considerable manual labor. Of course back then
there were hardly any software implementations of DES either -- you
were supposed to implement DES directly in hardware.

--
----------------------------------------------------------------
Paul Schlyter, Grev Turegatan 40, SE-114 38 Stockholm, SWEDEN
e-mail: pausch at stockholm dot bostream dot se
WWW: http://www.stjarnhimlen.se/
http://home.tiscali.se/pausch/

Mxsmanic

Sep 23, 2003, 5:48:03 AM9/23/03
Tom St Denis writes:

> What is your point? Tons of TFT screens [which are not 40 years old] are in
> use world wide. CRT is popular because it's cheap.

Flat-panel screens have been around at least since the early Sixties,
and since the early Sixties people have been predicting that they'd
replace CRTs Real Soon Now--but they haven't.

CRTs are not popular simply because they are cheap. They are popular
for high-end applications because they provide better quality displays
than flat panels. If you are manipulating photos, for example, a CRT
display is preferable.

So anyone who rushed to adopt flat panels years ago is _still_ using a
technology inferior to CRTs. The point being, why not just wait until
flat panels truly _are_ better? Nothing is gained by adopting them
while they are still inferior.

The same is true in many other domains: digital photography and TV come
to mind, along with MP3. And of course it applies to cryptography: why
rush to adopt a new algorithm that _looks_ like it _might_ be secure if
an older algorithm has withstood decades of attacks and is _known_ to be
at least adequately secure?

> And your point is?

That people tend to concentrate on securing what they know how to
secure, instead of securing the things that the bad guys will actually
attack. A cryptographic algorithm is usually the _least_ vulnerable
part of a cryptosystem, and a cryptosystem is usually the _least_
vulnerable part of an overall security policy. Try locking the door to
the computer room, first.

> That's kinda vague. Cryptography has more than mixing bits up.
> Protocol analysis [and implementation] is a HUGE part of cryptography.

But cryptography is not a huge part of information-systems security.

> Why?

Because as you become upset over the points I make, you'll feel the need
to attack me, in the absence of more cogent and objective arguments.
It's an outlet for emotional responses.

Mxsmanic

Sep 23, 2003, 5:50:40 AM9/23/03
Mok-Kong Shen writes:

> The sad fact is however that one can never be certain
> of knowing all of today's attacks, let alone guessing
> the future. Douglas Gwyn hinted earlier in the group that
> certain analysis techniques known to some agencies several
> decades back are still not yet in the knowledge base
> of the open community. So the best one gets in security
> evaluation could be nothing but a more or less subjective
> conjecture (which may well be different from person to
> person), I suppose.

I agree. But in this case, there still isn't any reason to leap to
adopt new algorithms if the old algorithms are solid. The fact that an
attack has been found against an old algorithm does _not_ mean that it
will yield completely at some future point, and the fact that a new
algorithm _looks_ solid does not mean that it will prove to be so.

About all you can do in cryptography is avoid algorithms that are known
to yield completely (that is, in a realistically useful way) to attacks.
All else concerning other algorithms is mainly conjecture. They all
look secure, until and unless they are proven otherwise.

Mxsmanic

Sep 23, 2003, 5:52:14 AM
Francois Grieu writes:

> In summary: the attack makes social engineering more likely to
> succeed, and thus is somewhat practical IMHO.

But this also means that the weak point is the social engineering; close
that hole, and this attack becomes extraordinarily difficult and
impractical.

Tom St Denis

Sep 23, 2003, 6:15:50 AM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:pa50nvkg7dga83ad1...@4ax.com...

> Tom St Denis writes:
>
> > What is your point? Tons of TFT screens [which are not 40 years old]
> > are in use world wide. CRT is popular because it's cheap.
> CRTs are not popular simply because they are cheap. They are popular
> for high-end applications because they provide better quality displays
> than flat panels. If you are manipulating photos, for example, a CRT
> display is preferable.

What are you talking about? It wasn't until just recently that CRTs were of
high quality and decently cheap. Or are you forgetting the 320x200 CGA days
of early computing?

There are certainly other technologies that have followed this flaw. The
difference is AES was bred out of a real requirement for an improved
algorithm. People actually need AES.

> The same is true in many other domains: digital photography and TV come
> to mind, along with MP3. And of course it applies to cryptography: why
> rush to adopt a new algorithm that _looks_ like it _might_ be secure if
> an older algorithm has withstood decades of attacks and is _known_ to be
> at least adequately secure?

You're forgetting that the theory that AES is based on is nearly a decade
old already. You're also forgetting that more attacks against block ciphers
are known now than when DES was developed. I'd argue that we don't need
"another 30 years" for AES to get reasonable security. Again it isn't as if
people have not tried to break AES.

> > And your point is?
>
> That people tend to concentrate on securing what they know how to
> secure, instead of securing the things that the bad guys will actually
> attack. A cryptographic algorithm is usually the _least_ vulnerable
> part of a cryptosystem, and a cryptosystem is usually the _least_
> vulnerable part of an overall security policy. Try locking the door to
> the computer room, first.

Nobody is saying otherwise.... I think you're preaching to the choir here.
AES wasn't invented to "solve all cryptographic problems". It was invented
to have a standard block cipher that has a larger keyspace and better
performance. For example, my AES C code hits around 28 cycles per byte
[certainly not the fastest code] when optimized for speed. DES hits 66
cycles per byte [and 3DES much worse]. I may want to conserve power on an
encrypted link which means using fewer cycles == better, etc.

> > Why?
>
> Because as you become upset over the points I make, you'll feel the need
> to attack me, in the absence of more cogent and objective arguments.
> It's an outlet for emotional responses.

What are you talking about? You're the one who openly stated you don't want
to read any references out of an arrogant need to reply first, learn later.
And I'm not attacking you personally, if anything I'm attacking your
approach to this discussion. You really ought to do some research because
quite frankly you're not making convincing or relevant arguments.

Tom


Tom St Denis

Sep 23, 2003, 6:17:19 AM

"Mxsmanic" <mxsm...@hotmail.com> wrote in message
news:nn50nvo8vjjmmedei...@4ax.com...

> I agree. But in this case, there still isn't any reason to leap to
> adopt new algorithms if the old algorithms are solid. The fact that an
> attack has been found against an old algorithm does _not_ mean that it
> will yield completely at some future point, and the fact that a new
> algorithm _looks_ solid does not mean that it will prove to be so.
>
> About all you can do in cryptography is avoid algorithms that are known
> to yield completely (that is, in a realistically useful way) to attacks.
> All else concerning other algorithms is mainly conjecture. They all
> look secure, until and unless they are proven otherwise.

Wow I bet you think you're original....

You seem to be forgetting that AES is more efficient than DES. There are many
reasons to choose AES over DES.

Tom


Simon Johnson

Sep 23, 2003, 6:49:07 AM
> Personally, I hope that there _isn't_ a way to do these things, which
> would ensure that public-key systems as they now exist will remain
> secure and useful indefinitely. Perhaps spooks feel the same way,
> although that won't stop them from trying to come up with new factoring
> algorithms and such, unless someone _proves_ that the problem is
> intractable.

I'd be willing to bet my house that factoring, on average, can't be
solved in polynomial time. I'd also say that the number of bit
operations required to factor an n-bit (where n>500) number will only
drop by around 5% in the next 15 years.

> As long as the hard problems stay hard, yes.

Factoring is an NP problem. If P!=NP, which most people suspect is the
case, then factoring looks reasonably safe. Even if P=NP, it may not
write off systems based upon factoring. The number of bit operations
required to factor a number may still be prohibitively large. O(n^130)
is still a polynomial time complexity but it's clear that an algorithm
with this complexity would get bogged down quickly as n gets large.
Factoring may be similar.

Simon.

Lassi Hippeläinen

Sep 23, 2003, 7:18:25 AM
Tom St Denis wrote:

> What are you talking about? It wasn't until just recently that CRTs were of
> high quality and decently cheap. Or are you forgetting the 320x200 CGA days
> of early computing?

Hey kid... the 'early' days of computing are a bit older than your
childhood. Computer monitors were better than TV already in the sixties.
The CGA was limited by processing power and memory, not CRT.

-- Lassi

Douglas A. Gwyn

Sep 23, 2003, 7:50:32 AM
Mxsmanic wrote:
> Flat-panel screens have been around at least since the early Sixties,
> and since the early Sixties people have been predicting that they'd
> replace CRTs Real Soon Now--but they haven't.

Actually they are now well on their way to displacing CRTs.

> CRTs are not popular simply because they are cheap. They are popular
> for high-end applications because they provide better quality displays
> than flat panels. If you are manipulating photos, for example, a CRT
> display is preferable.

Wrong. The best and most controllable image quality comes
from flat panel displays, at least using certain technologies.
Few people will pay much extra for image quality, however, and
the price difference has certainly delayed the widespread use
of flat-panel displays.

The market for HDTV is expected to bring the price down,
just as the NTSC market drove development of affordable
high-quality color CRTs.

> The same is true in many other domains: digital photography and TV come
> to mind, along with MP3. And of course it applies to cryptography: why
> rush to adopt a new algorithm that _looks_ like it _might_ be secure if
> an older algorithm has withstood decades of attacks and is _known_ to be
> at least adequately secure?

HDTV is so obviously superior to NTSC that one wonders
about your eyesight.

I don't know what cryptographic technology you refer to;
presumably you mean DES, which is not very secure against
modern capabilities. It is *certain* that the *kind* of
attack against DES that is generally known is not feasible
against AES.

Of course the $64,000 question is what their relative
resistance is to the *best* cryptanalytical attacks,
which (probably) do not use methods that have been
generally published. Lacking sufficient information,
one cannot reasonably apply that criterion.

> But cryptography is not a huge part of information-systems security.

It needs to be.

Mxsmanic

Sep 23, 2003, 8:03:19 AM
Tom St Denis writes:

> It wasn't until just recently that CRTs were of
> high quality and decently cheap.

Top-quality CRTs have been available for _decades_, and have been the
acme of display technology for as long a time. If you have critical
display work to do, you use a high-end CRT.

> Or are you forgetting the 320x200 CGA days
> of early computing?

CRTs are used in many applications besides cheap home PCs.

> The difference is AES was bred out of a real requirement
> for an improved algorithm. People actually need AES.

What improvements did AES bring that, say, 3DES did not?

> You're forgetting that the theory that AES is based
> on is nearly a decade old already.

It's not the old part that creates the risk, it's the changes that make
the algorithm new. I can cook up a new algorithm based on the proven
sturdiness of DES and yet still make a minor change that breaks the
whole thing. The fact that it might be 98% DES won't help.

Mxsmanic

Sep 23, 2003, 8:05:43 AM
Lassi Hippeläinen writes:

> Hey kid... the 'early' days of computing are a bit older than your
> childhood. Computer monitors were better than TV already in the sixties.
> The CGA was limited by processing power and memory, not CRT.

Exactly. CRTs were brought to a high state of art long, long ago.
Indeed, even excellent flat panel displays existed four decades ago.
There isn't that much new under the sun. For those whose first
encounter with CRTs was a CGA display, it might seem that CRTs of that
era were primitive, but they were not. Only the CGA displays were
primitive, just as the cheapest TV sets remain today.

Mxsmanic

Sep 23, 2003, 8:07:25 AM
Tom St Denis writes:

> Wow I bet you think you're original....

On the contrary, I know that I'm not. That's important in security,
too.

> You seem to be forgetting that AES is more efficient
> than DES.

So is XOR. But I also remember that the computer sitting on my desk is
ten times faster than its predecessor.

> There are many reasons to choose AES over DES.

Maybe. I'll stick with 3DES for a while yet.
