New vs Old (was Snake Oil)

bear bear at sonic.net
Tue Jun 3 11:53:17 EDT 2003 


On Tue, 3 Jun 2003 Jill.Ramonsky at Aculab.com wrote:

>
>I confess to being confused - though admittedly part of the blame for this
>is my own ignorance.
>
>I remember a time when PGP was a command line application. The only
>algorithms it used were IDEA (symmetric), RSA (assymetric) and MD5 (hash). I
>came to trust these algorithms.
>
>Now these once-'standard' algorithms are no longer encouraged. The new
>versions of PGP seem to prefer CAST instead of IDEA, DH/DSS instead of RSA,
>and SHA-1 instead of MD5.
>
>So, could someone please tell me:
>
>(1) What is the justification for using these "new" algorithms instead of
>the old ones? (A cynic might suggest that, since the "powers that be"
>couldn't break the old algorithms, they encouraged the use of new ones that
>they could. This probably isn't true, but I'm sure you can understand why
>someone might think that).

Well - Hans Dobbertin found hash collisions in MD5 and while I haven't
heard much more, that's a toehold that somebody might be able to use
to break it, and makes it vulnerable in some applications.  SHA-1 is
now considered better.

IDEA is still a good cipher as far as I know, but PGP has been driven
away from it in the US due to intellectual-property issues.  Rather than
continue with incompatible versions for use inside/outside the USA, they're
switching to CAST (although this is causing more, rather than less, version
incompatibilities).

RSA is still good, as far as I know, and has been in the public domain
worldwide since September 2001.  But it had the same kind of IP issues
as IDEA until that point, and several versions of PGP had to be
produced that used a different asymmetric cipher for that reason.  I
don't know enough about DH/DSS specifically to comment further on its
relative security, but RSA has had several scares and people are
concerned that custom hardware (such as a million-qubit quantum
computing device or Bernstein's matrix hardware factoring device)
might cause insecurity in RSA _and_ be possible for someone to keep
secret.  And lots of people quit using RSA because they don't like
the "big block of key" that it requires.

>(2) What actually _IS_ DH/DSS? (I don't mean what do the initials it stand
>for, I mean what actually is the algorithm?). I ask because I can understand
>RSA, and implement it myself relatively straightforwardly, but I have not
>been able to find an explanation, simple or otherwise, of what the DH/DSS
>algorithm actually is, or of why it's hard to break.
>
>(3) Ditto CAST and SHA-1.

for a good complete description of SHA-1 and a few others, try

http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

(warning: link may be outdated).

I don't have pointers to the other two offhand.

				Bear


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list