[Cryptography] Which big-name ciphers have been broken in living memory?

Jerry Leichter leichter at lrw.com
Tue Aug 19 23:09:02 EDT 2014


On Aug 17, 2014, at 3:49 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> Just for the record: CAST5 is only used by default for symmetric only
>> encryption.  This is hopefully only rarely used 
> 
> There's a lot of people using GPG for file encryption, which means CAST5.  I
> found this out the hard way a few years ago when I removed CAST5 support (I
> was unable to identify anything other than GPG that still used it), and then
> had to quickly back out the change when people complained that they couldn't
> decrypt GPG-encrypted files any more.
*File* encryption is the easy case, since one can move the code into a "legacy support" state in which it will *decrypt* files created with any cipher at all, but will only *encrypt* with new, safe ciphers.

Unfortunately that doesn't work for communications - although it does suggest an interesting approach.  Suppose you allowed each side to pick its own cipher.  You connect to me and say "Hey, I still like CAST5".  I turn around and say, "Fine, I guess you're willing to leak what you send - which you can do in a million ways, certainly with my own data, and even with data you send me.  But even so, I choose to use AES."  Certainly nowhere near ideal, but at least half the communications channel is protected - and I can use my safe connection back to you to send a message saying "Hey, idiot - how about upgrading that antique piece of leaky software?"
                                                        -- Jerry
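The two mechanisms Jerry describes (a decrypt-only "legacy support" state for stored files, and letting each direction of a connection pick its own cipher) as a worked policy model. This is an added example, not code from this thread, from GPG or from any of its authors; the cipher names are labels, nothing is actually encrypted, and `Endpoint`, `negotiate`, `file_operation_allowed` and the sample endpoints are assumptions made for the illustration.

```python
"""Cipher-policy model for the two mechanisms above: a decrypt-only legacy
tier for stored files, and per-direction cipher choice on a connection.
Constructed illustration: cipher names are labels and nothing is actually
encrypted; Endpoint, negotiate and the sample endpoints are assumptions."""
from dataclasses import dataclass


# Ranking used when several ciphers are acceptable, strongest first.
PREFERENCE = ["AES-256", "AES-128", "CAST5"]
# Ciphers we will still read but no longer want to write (assumed here).
LEGACY = {"CAST5"}


@dataclass
class Endpoint:
    name: str
    can_decrypt: set   # everything this implementation still understands
    can_encrypt: set   # strictly what it is willing to produce

    def legacy_mode(self):
        """The 'legacy support' state: keep decrypting every cipher,
        stop producing new ciphertext under legacy ones."""
        return Endpoint(self.name, set(self.can_decrypt),
                        self.can_encrypt - LEGACY)


class NoCommonCipher(Exception):
    """Raised when one direction cannot be protected at all: fail closed."""


def file_operation_allowed(ep, cipher, mode):
    """File case: decrypt accepts any known cipher, encrypt only safe ones."""
    if mode == "decrypt":
        return cipher in ep.can_decrypt
    if mode == "encrypt":
        return cipher in ep.can_encrypt
    raise ValueError(f"unknown mode {mode!r}")


def choose_send_cipher(sender, receiver_decrypts):
    """Strongest cipher the sender will write and the receiver can read."""
    for cipher in PREFERENCE:
        if cipher in sender.can_encrypt and cipher in receiver_decrypts:
            return cipher
    raise NoCommonCipher(
        f"{sender.name} has no acceptable cipher towards this peer")


def negotiate(a, b):
    """Each side announces what it can decrypt (the 'hello'), then each side
    chooses, on its own, the cipher for the direction it sends on."""
    hello_a = {"from": a.name, "decrypts": sorted(a.can_decrypt)}
    hello_b = {"from": b.name, "decrypts": sorted(b.can_decrypt)}
    return {
        "a_to_b": choose_send_cipher(a, set(hello_b["decrypts"])),
        "b_to_a": choose_send_cipher(b, set(hello_a["decrypts"])),
        "transcript": [hello_a, hello_b],
    }


def weak_directions(result):
    """Directions still running a legacy cipher: the half of the channel the
    other side should be told to upgrade."""
    return [d for d in ("a_to_b", "b_to_a") if result[d] in LEGACY]


if __name__ == "__main__":
    # Constructed endpoints. 'modern' still reads CAST5 but has moved to the
    # legacy state; 'antique' insists on sending CAST5 but can read AES-128.
    modern = Endpoint("modern", {"AES-256", "AES-128", "CAST5"},
                      {"AES-256", "AES-128", "CAST5"}).legacy_mode()
    antique = Endpoint("antique", {"CAST5", "AES-128"}, {"CAST5"})
    outcome = negotiate(modern, antique)
    print(outcome["a_to_b"], outcome["b_to_a"], weak_directions(outcome))
    # A peer that reads nothing but CAST5 leaves no safe direction at all:
    try:
        negotiate(modern, Endpoint("fossil", {"CAST5"}, {"CAST5"}))
    except NoCommonCipher as exc:
        print("refused:", exc)
```

The check a practitioner wants is in the last few lines: the "half the channel is protected" outcome only exists if the legacy peer can still *decrypt* a modern cipher. A peer that reads nothing but CAST5 leaves the modern side no acceptable send cipher, and the right answer there is to refuse the connection rather than fall back.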


