[Cryptography] Dumb question -> 3AES?
Bill Stewart
billstewart at pobox.com
Tue Aug 12 19:04:54 EDT 2014
At 09:50 AM 8/12/2014, John Gilmore wrote:
> > Given that the leading software break is still due to buffer overflows,
> > and nobody's ever cracked a big-name crypto algorithm in living memory ...
> Are you losing your memory? Enigma? Purple? DES? MD4? MD5?
Sure, buffer overflows, subpoenas and other forms of social engineering,
and phishing to get users to run dangerous things are popular attacks,
and correlating "separately harmless" data or metadata is also a big win.
But there are lots of very widely used non-big-name crypto algorithms
that were cracked in the last 25 years:
- GSM's voice encryption (several versions)
- GSM's authentication encryption
- The early Microsoft Office encryption
- Cisco router password encryption
- Chip-and-pin systems
Then there are export-weakened things like:
- 40-bit DES variants for export
- 40-bit RC4
- Qualcomm's original cell-phone encryption (which Phil Karn said was
deliberately trivial, because otherwise they wouldn't have been
allowed to use it at all, given the crypto regs of the time and
unofficial threats by TLAs. It was XOR or equivalent.)
Getting closer to real algorithms:
- Anything allowing user-selected passwords (most of which have
<20 bits of entropy, and a high percentage <7 bits)
- Unix password encryption, and anything else with <=8-char passwords
or written when 2**32 was a big number
- RC4-128 is looking pretty weak
- PPTP's main problem was using the RC4 algorithm wrong, in ways
Rivest said never to do, rather than RC4 itself, but it had other problems
> I have been advocating that in RSA key generation, we should
> randomize not only the key, but the number of bits in the key
Is it more dangerous to have most people using 2048-bit keys,
or to leak metadata in the key length, given the small number of
conversations between users of key lengths $RANDOM1 and $RANDOM2?
> [...]
> but they'll strain their ingenuity and budgets to get to 1024 bits,
> whereupon they can crack 95% of the RSA keys in actual use.
Yup, and a big reason to push 2048-bit keys is to prevent that.
But is there a significant difference between cracking a 999-bit key
and cracking a 1024-bit key which has the top 25 bits == 0?