[Cryptography] Dumb question -> 3AES?

John Gilmore gnu at toad.com
Tue Aug 12 12:50:47 EDT 2014


> Given that the leading software break is still due to buffer overflows,
> and nobody's ever cracked a big-name crypto algorithm in living memory ...

Are you losing your memory?  Enigma?  Purple?  DES?  MD4?  MD5?

(I admit that DES was deliberately weakened by NSA to make it
crackable -- but what other big-name crypto algorithms do we use, that
may also have that characteristic?)

> The conventional answer to not doing anything is that you are now doing
> cryptography.  So you have to explain to yourself why you think you can
> do better than the people who spent their lives on this.  Are you that good?

Sometimes you have different motives than other people who spend all
their days working on crypto.

For example, many people in cryptography don't seem to think about
developing societal resistance to mass surveillance attacks; they
focus their efforts on preventing targeted attacks.  I have been
advocating that in RSA key generation, we should randomize not only
the key, but the number of bits in the key (within safe and computable
limits).  This is because the current over-dependence on 1024-bit keys
is a magnet for some large corrupt overfunded agency to build a brute
force 1024-bit factoring machine.  If instead society was actively
using a broad range of key sizes between 1024 and 4800 bits, a
1024-bit RSA cracker would only get them <5% of the keys.  And
building a much more expensive 1100-bit RSA cracker would only get
them <6% of the keys, etc.  Today if they can build a 999-bit RSA
cracker, they won't waste their money there, because they know the
payoff is nil; but they'll strain their ingenuity and budgets to get
to 1024 bits, whereupon they can crack 95% of the RSA keys in actual
use.

So why doesn't our popular RSA-based software randomize its key
lengths at key generation time?  It's a matter of where the designers
and maintainers have focused.  Diversity of focus can be useful
against wily adversaries.

	John


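The key-size policy argued for above, as an added worked example (this is not code from the post or from any RSA implementation; the range 1024..4800 is the post's, and the byte-aligned STEP, the function names and the sample sizes are assumptions made here). It picks a modulus size uniformly at random from the range with a CSPRNG, and computes, in closed form and by sampling, what share of a population of keys a factoring machine rated for a given bit length would compromise under a fixed-1024 policy versus the randomized one. Note that the lower end of the post's range is far below what current guidance permits for new RSA keys; the example keeps the post's numbers to illustrate its argument, not as a recommendation.

```python
import secrets

# Policy parameters taken from the post's proposal (assumptions for this example).
MIN_BITS = 1024
MAX_BITS = 4800
STEP = 8  # keep modulus sizes byte-aligned; many RSA implementations require this


def random_key_bits(lo=MIN_BITS, hi=MAX_BITS, step=STEP):
    """Choose an RSA modulus size uniformly at random from lo..hi (inclusive),
    restricted to multiples of step, using the OS CSPRNG rather than random()."""
    if step <= 0 or lo > hi or lo % step or hi % step:
        raise ValueError("key-size range must be non-empty and aligned to step")
    n_choices = (hi - lo) // step + 1
    return lo + step * secrets.randbelow(n_choices)


def crackable_fraction(sizes, cracker_bits):
    """Share of the given key sizes that a factoring machine rated for
    cracker_bits could break (assumed: it breaks every modulus of at most that size)."""
    if not sizes:
        raise ValueError("no key sizes given")
    return sum(1 for b in sizes if b <= cracker_bits) / len(sizes)


def expected_crackable_fraction(lo, hi, step, cracker_bits):
    """Closed form for the uniform policy: fraction of the admissible sizes
    in lo..hi that are <= cracker_bits. This is what a cracker of a given
    capacity buys an adversary once everyone samples sizes this way."""
    n_choices = (hi - lo) // step + 1
    if cracker_bits < lo:
        return 0.0
    covered = min(cracker_bits, hi) - lo
    return (covered // step + 1) / n_choices


def compare_policies(n_keys=10000, cracker_bits=1024):
    """Return (fraction broken under a fixed 1024-bit policy,
    fraction broken under the randomized policy) for a constructed
    population of n_keys keys."""
    fixed_policy = [1024] * n_keys
    randomized_policy = [random_key_bits() for _ in range(n_keys)]
    return (crackable_fraction(fixed_policy, cracker_bits),
            crackable_fraction(randomized_policy, cracker_bits))


if __name__ == "__main__":
    for machine in (999, 1024, 1100, 2048, 4800):
        print(f"{machine}-bit cracker vs uniform 1024..4800 policy: "
              f"{expected_crackable_fraction(MIN_BITS, MAX_BITS, STEP, machine):.4%} of keys")
    print("fixed vs randomized, 1024-bit cracker, 10000 keys:", compare_policies())
```

The chosen size is what you would hand to the key generator, for example as `rsa_keygen_bits:<n>` to `openssl genpkey -algorithm RSA`. The closed form makes the post's point concrete: a cracker that reaches exactly the minimum size gets only one of the 473 admissible sizes, and each additional 8 bits of cracking capacity buys the adversary just one more slice of the key population.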