[Cryptography] cryptography Digest, Vol 16, Issue 11

Ryan Carboni ryacko at gmail.com
Wed Aug 13 19:07:18 EDT 2014


>
> Given that the leading software break is still due to buffer overflows,
> and nobody's ever cracked a big-name crypto algorithm in living memory,
> you're probably better off focussing on the known roadkill not the
> zombies in hollywood movies.


As long as data isn't being manipulated, it is safe and secure. Problem is
that we aggregate files onto one drive, use a relatively low entropy
password to generate a key, and we have no idea if our hardware is secure,
or if the file encryption system is properly implemented.

Veracrypt is based on Truecrypt, but there's no backwards compatibility.
This lack of cross-compatibility forces you to trust a team of programmers,
no way to cross-check.

> Even if the numbers he cites are off by something like _ten orders of
> magnitude_, it doesn't matter. Brute force cracking of a 256-bit key
> just isn't practical, and likely never will be practical, for reasons
> of physics. The only way breaking a 256-bit key length cryptosystem
> will ever be practical is if it provides _far_ less than par security
> per bit of key material used, and the most obvious way to end up with
> that is that it's storing something that allows deducing the key, or
> the key is generated in a very un-random fashion (in which cases you'd
> very likely be just as hosed using 3AES256).
>

Novel forms of cryptography will be used to create new algorithms safe from
new methods of cryptanalysis. It's a guessing race, and partly why
Skipjack was found to be so vulnerable: a new form of cryptanalysis was
discovered. AES-2 is more likely to appear than triple AES, unless security
margins drop to 2^80 or something dangerous. Skein is a good example of the
new methods that are coming up, no S-boxes, simple implementation. To quote
Bruce Schneier: "I have never been a TEA fan, although 64 rounds can cure
a lot of sins."
<http://web.archive.org/web/20070112195402/http://www-users.cs.york.ac.uk/~matthew/TEA/>
Skein has 72 rounds, although most of them are broken.

AES has an attack against it faster than brute force. There will be
improvements, there always will.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

http://imgs.xkcd.com/comics/pgp.png

-----END PGP SIGNATURE-----



On Tue, Aug 12, 2014 at 9:00 AM, <cryptography-request at metzdowd.com> wrote:

> Send cryptography mailing list submissions to
>         cryptography at metzdowd.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://www.metzdowd.com/mailman/listinfo/cryptography
> or, via email, send a message with subject or body 'help' to
>         cryptography-request at metzdowd.com
>
> You can reach the person managing the list at
>         cryptography-owner at metzdowd.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cryptography digest..."
>
>
> Today's Topics:
>
>    1. Re: Many curves versus one curve (Jerry Leichter)
>    2. Dumb question -> 3AES? (Dan McDonald)
>    3. Re: IETF discussion on new ECC curves. (Stephen Farrell)
>    4. Re: IETF discussion on new ECC curves. (Jon Callas)
>    5. Re: All dice are loaded? (Arnold Reinhold)
>    6. Re: The role of the IETF in security of the Internet: for or
>       against the NSA? for or against the security of users of the net?
>       (Donald Eastlake)
>    7. ADMIN: (was The role of the IETF in security of the Internet)
>       (Tamzen Cannoy)
>    8. Re: The role of the IETF in security of the Internet: for or
>       against the NSA? for or against the security of users of the net?
>       (Paul Wouters)
>    9. Re: Dumb question -> 3AES? (Natanael)
>   10. A post-spy world (John Young)
>   11. Re: Dumb question -> 3AES? (Dan McDonald)
>   12. Re: Dumb question -> 3AES? (Bernie Cosell)
>   13. Re: Dumb question -> 3AES? (Tony Arcieri)
>   14. Matasano Crypto Challenges (Steve Weis)
>   15. Re: Dumb question -> 3AES? (ianG)
>   16. Re: Dumb question -> 3AES? (Michael Kjörling)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 11 Aug 2014 10:10:58 -0400
> From: Jerry Leichter <leichter at lrw.com>
> To: William Allen Simpson <william.allen.simpson at gmail.com>
> Cc: Mike Hamburg <mike at shiftleft.org>, "cryptography at metzdowd.com"
>         <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] Many curves versus one curve
> Message-ID: <2C6BF95D-D667-43D7-9181-BA1935E1950C at lrw.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Aug 10, 2014, at 3:19 PM, William Allen Simpson <
> william.allen.simpson at gmail.com> wrote:
> >> Suppose that an unknown fraction of elliptic curves has some
> undesirable property. By using a large number of curves, we decrease the
> variance of our risk in expectation. Under a minimax cost model, this is a
> big gain. (A certainty of small loss, rather
> >> than a small chance of catastrophe.)
> > That is the argument we've been making for over 20 years.
> I put this another way here not long ago:  It's basic game theory.  You
> have a bunch of alternative moves to choose from (each curve, or each
> cryptographic algorithm, is a move) and (initially) no way of knowing which
> move your opponent will make "in response" (i.e., which curve/algorithm he
> chooses to attack, or gets lucky in attacking - *how* he operates is
> irrelevant, all that matters is that he makes a move).  Assuming all moves
> by your opponent are equally likely, your best approach is a mixed
> strategy, choosing among all (a priori equivalent) moves at random.
>
> If you have some kind of probability distribution on your opponent's
> responses, you can adjust your probability distribution to maximize your
> expected results.  This way, broken systems naturally get chosen less
> frequently - and ultimately not at all if the break is bad enough.
>                                                         -- Jerry
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 4813 bytes
> Desc: not available
> URL: <
> http://www.metzdowd.com/pipermail/cryptography/attachments/20140811/2c3fd6e8/attachment-0001.bin
> >
>
> ------------------------------
>
> Message: 2
> Date: Mon, 11 Aug 2014 11:26:35 -0400
> From: Dan McDonald <danmcd at kebe.com>
> To: cryptography at metzdowd.com
> Subject: [Cryptography] Dumb question -> 3AES?
> Message-ID: <20140811152635.GA95686 at everywhere.office.omniti.com>
> Content-Type: text/plain; charset=us-ascii
>
> Diffie's EDE algorithm for a block cipher would apply to AES, correct?
>
> Apart from "further pounding the rubble", is there any reason one couldn't
> (or shouldn't) consider 3AES for, say, long-term offline storage
> encryption?
>
> Curious,
> Dan McD.
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 11 Aug 2014 10:47:40 +0100
> From: Stephen Farrell <stephen.farrell at cs.tcd.ie>
> To: Watson Ladd <watsonbladd at gmail.com>
> Cc: Cryptography <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] IETF discussion on new ECC curves.
> Message-ID: <53E8913C.20302 at cs.tcd.ie>
> Content-Type: text/plain; charset=utf-8
>
>
> Watson,
>
> On 10/08/14 18:55, Watson Ladd wrote:
> > Have you ever sat down, examined the output of WGs, and tried to go
> > back from that to the process that produced them?
>
> No. OTOH, I have been through the process a number of times.
> Coming to things fresh and having experience both have their
> pros and cons.
>
> > It's pretty clear
> > that IETF WGs lead in a lot of cases to very poor designs, for a
> > number of sociological reasons similar to those inherent in design by
> > committee.
>
> Well, feel free to propose a better way to do things at the
> scale at which the IETF works. Off this list is probably
> better for that if its IETF specific. I really would be
> interested in ways to improve things.
>
> I've seen your point about things designed by one person
> (or small teams) and it has some validity but is by no means
> a panacea.
>
> S.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 11 Aug 2014 11:03:30 -0700
> From: Jon Callas <jon at callas.org>
> To: ianG <iang at iang.org>
> Cc: John Kelsey <crypto.jmk at gmail.com>, Michael Kjörling
>         <michael at kjorling.se>, "cryptography at metzdowd.com"
>         <cryptography at metzdowd.com>, Jon Callas <jon at callas.org>
> Subject: Re: [Cryptography] IETF discussion on new ECC curves.
> Message-ID: <686096A3-4E56-439D-8A80-C2FD9424C95F at callas.org>
> Content-Type: text/plain; charset="us-ascii"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Aug 8, 2014, at 9:28 AM, ianG <iang at iang.org> wrote:
>
> > Why do we pander to these organisations?  People quote Russian and
> > Chinese ciphers, but I don't see why we should inflict the choice on the
> > rest of the net just because some organisation thinks they'd like to
> > push an agenda.
> >
> > It seems to be a logical absurdity.  NIST has a standards suite that
> > people think highly of.  So we have to accept NIST.
> >
> > So, if we accept NIST, we now must let the Russians GOSTs in.  And the
> > Chinese.  ... We're back then at the same place of vanity ciphers, 'cept
> > on a national level.  Absurd.
>
> We're already there, Ian.
>
> If you want to do serious work in Russia (banking, government) you must do
> a number of GOST things. If you want to work in Korea, you need to do SEED.
> If you want to work in Japan, you don't *have* to do Camellia etc., you can
> do AES, it's just that they'll pick a product that has those over yours.
>
>         Jon
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 3.3.0 (Build 9060)
> Charset: us-ascii
>
> wsBVAwUBU+jajOfO+cB4rhcsAQgulgf/RJVvRhw3CnZ2lJuIc8efjBK/Jf6ASEWy
> 2+v1+1TLIUpBXDc0RU7YBFoTshiTJGEBhxWBuUA8m0NODCMYM8crnKWzlvj/7Vsp
> ZxZyJKDa2r+p35PZCSSkLvvI1ASv5Nn9IVFp4t/x0dl2XJo0KiyZENngP/BbQqzu
> GNwWBzEOtLmrvDbZYk2tsZRGg78QquwaBjnpVLhOMCkOsFxovSJDkRzN/q8j6aIx
> KKGYLPzRmJr6uiP1tZj8/UMtpkLc/CWiwzOJtq7cIftQHgnW3wru9yvC0QS3gT2P
> 8US9FCwNDsTyV0UMjwu9y6IQXHXFPqMbmKG2tkf5sT3Dt1i1f+y3rw==
> =Im7Q
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 11 Aug 2014 14:10:51 -0400
> From: Arnold Reinhold <agr at me.com>
> To: Hugo Lombard <hal at elizium.za.net>
> Cc: Cryptography Mailing List <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] All dice are loaded?
> Message-ID: <829AAC59-B9AC-4648-A02A-5BB75691794C at me.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Aug 9, 2014, at 3:00 AM, Hugo Lombard <hal at elizium.za.net> wrote:
>
> > On Fri, Aug 08, 2014 at 04:55:59PM -0400, Arnold Reinhold wrote:
> >>
> >> [...]
> >>
> >> If this effect still concerns you, I list several sources of casino
> >> dice on my Diceware FAQ at
> >> http://www.diceware.com/dicewarefaq.html#casino.
> >>
> >
> > Hi
> >
> > I'll probably not be the only one to tell you this, but your redirect on
> > the URL above seems to be broken:
> ...
>
> My bad. Here is the correct link to my list of Casino Dice suppliers:
> http://world.std.com/~reinhold/dicewarefaq.html#casino
>
> Arnold Reinhold
>
> ------------------------------
>
> Message: 6
> Date: Mon, 11 Aug 2014 07:32:53 -0400
> From: Donald Eastlake <d3e3e3 at gmail.com>
> To: jamesd at echeque.com
> Cc: "cryptography at metzdowd.com" <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] The role of the IETF in security of the
>         Internet: for or against the NSA? for or against the security of
> users
>         of the net?
> Message-ID:
>         <CAF4+nEETQ4i5DLtE=
> aSSGs-4gH1fzacmObKXfGV-zpVpowGdMA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I am reminded of multiple blind men describing an elephant from
> tactilely interacting with various parts of it.
>
> "participation" .ne. "successful participation"
>
> There are usually between 100 and 150 Working Groups active in the
> IETF. And that's ignoring individual and independent submissions which
> can also progress to being an RFC. They really don't all work the same
> way in the sense that you used the word "work". My statement is based
> on my experience in chairing five different IETF WGs in three
> different areas, participating in many more, and currently being the
> sixth most prolific RFC author of all time.
>
> Thanks,
> Donald
> =============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  155 Beaver Street, Milford, MA 01757 USA
>  d3e3e3 at gmail.com
>
>
> On Mon, Aug 11, 2014 at 1:40 AM, James A. Donald <jamesd at echeque.com>
> wrote:
> > The way the IETF works is:
> >
> > A predetermined decision is announced.
> >
> > Various people on the mailing lists point out this is quite obviously a
> > bad idea.
> >
> > Various sock puppets on the mailing list repetitiously endorse the
> > predetermined position and assert that objections to the decision are
> > out of scope, as if totally deaf.
> >
> > After a while the predetermined decision is proclaimed to be the
> > consensus, even if it obviously is not.
> >
> > Joining the mailing list is revealed to be a complete waste of time.
> >
> > _______________________________________________
> > The cryptography mailing list
> > cryptography at metzdowd.com
> > http://www.metzdowd.com/mailman/listinfo/cryptography
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 11 Aug 2014 11:16:49 -0700
> From: Tamzen Cannoy <tamzen at cannoy.org>
> To: "cryptography at metzdowd.com" <cryptography at metzdowd.com>
> Subject: [Cryptography] ADMIN: (was The role of the IETF in security
>         of the  Internet)
> Message-ID: <92A33D66-386F-401C-BAEB-C14E79C1DAC5 at cannoy.org>
> Content-Type: text/plain; charset="us-ascii"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We all know we're at layer 8 in this discussion. Since this isn't the
> place to debate how to change the IETF and we seem to be dividing into
> heated camps rather than discussion, I'm putting a hold on this thread.
>
> Please remember to debate the issue, and not attack your fellow list
> members.
>
> Thanks.
>
> Tamzen
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 3.3.0 (Build 9060)
> Charset: us-ascii
>
> wj8DBQFT6N2r5/HCKu9Iqw4RAsoTAJ9oAZu5vEFfAEEcL15rQO9Yij9dGwCg1qaJ
> pTxtHxqMKrWuhP0QU6kZdnw=
> =zPjk
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 8
> Date: Mon, 11 Aug 2014 10:30:33 -0400 (EDT)
> From: Paul Wouters <paul at cypherpunks.ca>
> To: "James A. Donald" <jamesd at echeque.com>
> Cc: "cryptography at metzdowd.com" <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] The role of the IETF in security of the
>         Internet: for or against the NSA? for or against the security of
> users
>         of the net?
> Message-ID: <alpine.LFD.2.10.1408111015280.25009 at bofh.nohats.ca>
> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>
> On Mon, 11 Aug 2014, James A. Donald wrote:
>
> >> Can you give an examples of such deception?
> >
> >
> http://www.theregister.co.uk/2014/01/08/nsa_bod_crypto_standard_co_chair_controversy/
> >
> > A clear consensus was clearly ignored.
>
> If that was consensus ignored, then the cryptography lists themselves are
> one consensus posting after the other :)
>
> You are clearly confusing loud groupies with consensus.....
>
> The IETF/CFRG process caught the mistake of dragonfly. So isn't this a
> success story? The IETF/IRTF is one of the most open organisations I've ever
> worked with. It allows the enemies to join in, but collectively we have
> the best chance of defeating any cryptography attacks against our open
> proposals. Once you start filtering people based on affiliation, where
> does it end? NSA? USG? Russia? China? Israel? Cisco? Huawei? Checkpoint?
> How about former NSA people like Roger Dingledine, Dave Aitel or Snowden?
>
> I completely fail to see your "clear consensus".
>
> If you start to exclude everyone that disagrees with your opinion,
> you'll end up with an empty group to make decisions. Of course, that
> group of one will make the perfect decisions for _your_ world.
>
> I mean, the "crypto community" can't even form a consensus on a single
> mailing list to use, so I'm not very tempted to suggest IETF change
> towards this crypto-anarchist model :)
>
> Paul
>
>
> ------------------------------
>
> Message: 9
> Date: Mon, 11 Aug 2014 22:45:37 +0200
> From: Natanael <natanael.l at gmail.com>
> To: Dan McDonald <danmcd at kebe.com>
> Cc: Cryptography Mailing List <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] Dumb question -> 3AES?
> Message-ID:
>         <CAAt2M18n3Y=nh7aGTXXuRXqmQ5xxp=
> RFc1eWiTh3xARuiHhs9w at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On 11 Aug 2014 19:59, "Dan McDonald" <danmcd at kebe.com> wrote:
> >
> > Diffie's EDE algorithm for a block cipher would apply to AES, correct?
> >
> > Apart from "further pounding the rubble", is there any reason one
> > couldn't (or shouldn't) consider 3AES for, say, long-term offline storage
> > encryption?
>
> It is possible, but maybe won't have the effect you're looking for. The
> reason for going with 3DES was that DES was strong for its keylength, but
> the keylength and thus keyspace was too small = crackable with bruteforce.
> Since it wasn't considered likely to fall to cryptanalysis in a relatively
> short period of time, and people demanded something compatible with
> existing hardware implementations, 3DES was created rather than ditching
> DES for another cipher. 3DES provided acceptable strength without massive
> re-engineering.
>
> And what about AES? It has a far greater strength, even with AES128 which
> actually even has a smaller keyspace (3DES has 3*56 =168 bit keys but 112
> bit strength due to attacks like meet-in-the-middle, but AES128 has close
> to 128 bits in strength). And AES256 just isn't close to being cracked EVER
> unless there's a massive cryptographic flaw found. So what is the worry?
> Remember that it is because DES with 56 bit keys provides close to 56 bits
> of security even still today that 3DES was considered strong enough.
> However, a potential break in AES would not necessarily "just" reduce the
> effective strength to above 50 bits per layer of AES (providing a similar
> strength for 3AES which 3DES does today), it could trash it completely.
> Which means your long term encryption failed.
>
> So 3AES isn't good enough for hedging against flaws found in AES in the
> future, unless your ONLY worry is for a PARTIAL reduction in strength. If
> there's a total break, 3AES won't help you.
>
> A much better option, if your plan is to hedge against individual
> algorithms being cracked, is to use several different types of ciphers.
> AES, blowfish, some stream cipher like ChaCha, or whatever else. Even if
> you still don't get much more strength in total than the single strongest
> cipher provides, all you need is for just one of them to not get broken (or
> for the layers of encryption to make known-plaintext attacks impossible in
> the worst case scenario where they all break).
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://www.metzdowd.com/pipermail/cryptography/attachments/20140811/b92eb830/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 10
> Date: Mon, 11 Aug 2014 16:52:19 -0400
> From: John Young <jya at pipeline.com>
> To: cypherpunks at cpunks.org,cryptography at randombit.net,
>         cryptography at metzdowd.com
> Subject: [Cryptography] A post-spy world
> Message-ID: <E1XGwYA-0004Z3-DQ at elasmtp-scoter.atl.sa.earthlink.net>
> Content-Type: text/plain; charset="us-ascii"; Format="flowed"
>
> "We are moving toward a post-spy world, according to the guy that
> runs the CIA's venture capital arm."
>
> <http://t.co/5eYfbRYU8k>
> http://www.defenseone.com/technology/2014/08/10-ways-make-internet-safe-cyber-attacks/90866/?oref=d-channelriver
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://www.metzdowd.com/pipermail/cryptography/attachments/20140811/b84e1581/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 11
> Date: Mon, 11 Aug 2014 16:50:21 -0400
> From: Dan McDonald <danmcd at kebe.com>
> To: Natanael <natanael.l at gmail.com>
> Cc: Cryptography Mailing List <cryptography at metzdowd.com>, Dan
>         McDonald <danmcd at kebe.com>
> Subject: Re: [Cryptography] Dumb question -> 3AES?
> Message-ID: <20140811205021.GB95686 at everywhere.office.omniti.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Mon, Aug 11, 2014 at 10:45:37PM +0200, Natanael wrote:
> <SNIP!>
> > So 3AES isn't good enough for hedging against flaws found in AES in the
> > future, unless your ONLY worry is for a PARTIAL reduction in strength. If
> > there's a total break, 3AES won't help you.
>
> I'm less worried about the AES algorithm being broken (and yes, I
> understand about 3des's effective key strength) as I am against Moore's
> law (and yes, I also understand that the 9nm node may be the last one
> using current technologies) and long periods of time.  I may be
> (unnecessarily) worried about someone brute-forcing the data over decades.
>
> Pardon the parentheses,
> Dan
>
>
> ------------------------------
>
> Message: 12
> Date: Mon, 11 Aug 2014 19:55:14 -0400
> From: "Bernie Cosell" <bernie at fantasyfarm.com>
> To: Cryptography Mailing List <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] Dumb question -> 3AES?
> Message-ID: <53E957E2.3771.42C1E4D1 at bernie.fantasyfarm.com>
> Content-Type: text/plain; charset=US-ASCII
>
> On 11 Aug 2014 at 22:45, Natanael wrote:
>
> > It is possible, but maybe won't have the effect you're looking for. The
> > reason for going with 3DES was that DES was strong for its keylength,
> > but the keylength and thus keyspace was too small = crackable with
> > bruteforce. Since it wasn't considered likely to fall to cryptanalysis
> > in a relatively short period of time, and people demanded something
> > compatible with existing hardware implementations, 3DES was created
> > rather than ditching DES for another cipher. 3DES provided acceptable
> > strength without massive re-engineering.
>
> > And what about AES? It has a far greater strength, even with AES128
> > which actually even has a smaller keyspace (3DES has 3*56 =168 bit keys
> > but 112 bit strength due to attacks like meet-in-the-middle, but AES128
> > has close to 128 bits in strength).
>
> What about. say, 5DES?
>
>    /Bernie\
>
> --
> Bernie Cosell                     Fantasy Farm Fibers
> mailto:bernie at fantasyfarm.com     Pearisburg, VA
>     -->  Too many people, too few sheep  <--
>
>
>
>
>
> ------------------------------
>
> Message: 13
> Date: Mon, 11 Aug 2014 18:27:23 -0700
> From: Tony Arcieri <bascule at gmail.com>
> To: Dan McDonald <danmcd at kebe.com>
> Cc: Cryptography Mailing List <cryptography at metzdowd.com>, Natanael
>         <natanael.l at gmail.com>
> Subject: Re: [Cryptography] Dumb question -> 3AES?
> Message-ID:
>         <CAHOTMV+tBOEy0QE=
> b+WBDqULW9nzdGqDO4XSQxfQvy+mMzUW5g at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Mon, Aug 11, 2014 at 1:50 PM, Dan McDonald <danmcd at kebe.com> wrote:
>
> > I'm less worried about the AES algorithm being broken (and yes, I
> > understand about 3des's effective key strength) as I am against Moore's
> > law (and yes, I also understand that the 9nm node may be the last one
> > using current technologies) and long periods of time.
>
>
> If that's all you're worried about, you can relax. keylength.com estimates
> (in broad strokes) that becoming a problem for AES-256 around the year
> 2200.
>
> You should be much more worried about a cryptanalysis of AES. AES is not
> proven secure, but rather relies on the fact that nobody presently knows
> how to break AES for security.
>
> As Natanael said, you could combine AES and some other cipher for added
> security. Two stream ciphers can be combined into a product cipher which is
> provably at least as strong as the strongest of the two.
>
> --
> Tony Arcieri
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://www.metzdowd.com/pipermail/cryptography/attachments/20140811/70c87d59/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 14
> Date: Mon, 11 Aug 2014 17:46:20 -0700
> From: Steve Weis <steveweis at gmail.com>
> To: cryptography <cryptography at metzdowd.com>
> Subject: [Cryptography] Matasano Crypto Challenges
> Message-ID:
>         <
> CACJAJ58khF4JDfeOV77r69qRFrrV3gGYjqq2MB4b03j4LVHorA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Matasano Security posted 6 sets of their crypto challenges online:
> http://cryptopals.com/
>
> The challenges start with basics and move through a variety of attacks.
> It's a great learning tool as they've provided solutions implemented in 10
> different programming languages.
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://www.metzdowd.com/pipermail/cryptography/attachments/20140811/7d723535/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 15
> Date: Tue, 12 Aug 2014 10:43:22 +0100
> From: ianG <iang at iang.org>
> To: cryptography at metzdowd.com
> Subject: Re: [Cryptography] Dumb question -> 3AES?
> Message-ID: <53E9E1BA.70600 at iang.org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 11/08/2014 16:26 pm, Dan McDonald wrote:
> > Diffie's EDE algorithm for a block cipher would apply to AES, correct?
> >
> > Apart from "further pounding the rubble", is there any reason one
> > couldn't (or shouldn't) consider 3AES for, say, long-term offline storage
> > encryption?
>
>
> The conventional answer to not doing anything is that you are now doing
> cryptography.  So you have to explain to yourself why you think you can
> do better than the people who spent their lives on this.  Are you that
> good?
>
> In practice, you are far better off using their work as described in the
> manual.  And spending the spare time on writing better software.
>
> Given that the leading software break is still due to buffer overflows,
> and nobody's ever cracked a big-name crypto algorithm in living memory,
> you're probably better off focussing on the known roadkill not the
> zombies in hollywood movies.
>
>
>
> iang
>
>
>
> ------------------------------
>
> Message: 16
> Date: Tue, 12 Aug 2014 08:50:48 +0000
> From: Michael Kjörling <michael at kjorling.se>
> To: cryptography at metzdowd.com
> Cc: Dan McDonald <danmcd at kebe.com>
> Subject: Re: [Cryptography] Dumb question -> 3AES?
> Message-ID: <20140812085048.GC30789 at yeono.kjorling.se>
> Content-Type: text/plain; charset=utf-8
>
> On 11 Aug 2014 16:50 -0400, from danmcd at kebe.com (Dan McDonald):
> > I'm less worried about the AES algorithm being broken (and yes, I
> > understand about 3des's effective key strength) as I am against Moore's law
>
> If that's your worry, then I'd say don't worry.
>
> Copying Bruce Schneier [1]:
>
> > Now, the annual energy output of our sun is about 1.21×10^41 ergs.
> > This is enough to power about 2.7×10^56 single bit changes on our
> > ideal computer; enough state changes to put a 187-bit counter
> > through all its values. **If we built a Dyson sphere around the sun
> > and captured all its energy for 32 years, without any loss, we could
> > power a computer to count up to 2^192. Of course, it wouldn't have
> > the energy left over to perform any useful calculations with this
> > counter.**
> >
> > But that's just one star, and a measly one at that. A typical
> > supernova releases something like 10^51 ergs. (About a hundred times
> > as much energy would be released in the form of neutrinos, but let
> > them go for now.) If all of this energy could be channeled into a
> > single orgy of computation, **a 219-bit counter could be cycled
> > through all of its states.**
> >
> > These numbers have nothing to do with the technology of the devices;
> > they are the maximums that thermodynamics will allow. And they
> > strongly imply that brute-force attacks against 256-bit keys will be
> > infeasible until computers are built from something other than
> > matter and occupy something other than space.
>
> Even if the numbers he cites are off by something like _ten orders of
> magnitude_, it doesn't matter. Brute force cracking of a 256-bit key
> just isn't practical, and likely never will be practical, for reasons
> of physics. The only way breaking a 256-bit key length cryptosystem
> will ever be practical is if it provides _far_ less than par security
> per bit of key material used, and the most obvious way to end up with
> that is that it's storing something that allows deducing the key, or
> the key is generated in a very un-random fashion (in which cases you'd
> very likely be just as hosed using 3AES256).
>
> Anyone targeting a cryptosystem that uses 256-bit keys will
> _certainly_ choose some attack vector other than trying a brute force
> search for the key. Hiring a few dozen thugs would be almost
> infinitely cheaper, and vastly more likely to yield the desired
> results (gaining access to the plaintext within a reasonable timeframe).
>
> [1] https://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html
>
> --
> Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
> OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
>                  “People who think they know everything really annoy
>                  those of us who know we don’t.” (Bjarne Stroustrup)
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>
> ------------------------------
>
> End of cryptography Digest, Vol 16, Issue 11
> ********************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140813/3de577ae/attachment.html>
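Two of the quoted messages turn on the same point: Natanael's remark that 3DES has 168 bits of key but only 112 bits of strength "due to attacks like meet-in-the-middle", and Bernie Cosell's follow-up asking about 5DES. The example below is an added illustration written for this archive page, not code from any of the list members, and it uses a constructed 32-bit toy Feistel cipher with 16-bit keys (the cipher, its key schedule, the key values and the plaintexts are all made up here) so that the whole key space fits in a dictionary. Double encryption with two independent 16-bit keys nominally has a 32-bit key, but the meet-in-the-middle recovers both keys with about 2^17 cipher calls and a 2^16-entry table instead of 2^32 trials. The helper `mitm_cost_bits` is the general form of the same bookkeeping: the basic attack on an n-fold cascade of independently keyed b-bit ciphers costs about 2^(ceil(n/2)·b) time, which is where 112 bits for 3DES and 168 bits for 5DES come from (memory and the many known refinements are ignored).

```python
import math

MASK16 = 0xFFFF
ROUNDS = 4


def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16


def _round_keys(key):
    # Constructed toy key schedule: four 16-bit round keys from one 16-bit key.
    rks = []
    for i in range(ROUNDS):
        key = _rotl16(key, 5) ^ ((0x9E37 * (i + 1)) & MASK16)
        rks.append(key)
    return rks


def _f(r, rk):
    # Constructed toy round function: add the round key, then rotate/shift/mix.
    x = (r + rk) & MASK16
    return (_rotl16(x, 3) ^ (x >> 2) ^ rk) & MASK16


def toy_encrypt(block, key):
    """Encrypt one 32-bit block under a 16-bit key (Feistel, so always invertible)."""
    l, r = block >> 16, block & MASK16
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (l << 16) | r


def toy_decrypt(block, key):
    """Inverse of toy_encrypt: apply the rounds in reverse order."""
    l, r = block >> 16, block & MASK16
    for rk in reversed(_round_keys(key)):
        l, r = r ^ _f(l, rk), l
    return (l << 16) | r


def double_encrypt(block, k1, k2):
    """Two-layer cascade with independent keys: nominally a 32-bit key."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with known (plaintext, ciphertext) pairs.

    Cost: 2^16 encryptions of the first plaintext plus 2^16 decryptions of
    its ciphertext, joined through a table on the middle value; the remaining
    pairs only filter the handful of candidates that survive the join.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                       # middle value -> list of k1 producing it
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << 16):
        mid = toy_decrypt(c0, k2)    # peel the outer layer with a guessed k2
        for k1 in table.get(mid, ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found


def mitm_cost_bits(layers, key_bits):
    """log2 of the time cost of the basic meet-in-the-middle against a
    `layers`-fold cascade of independently keyed `key_bits`-bit ciphers:
    ceil(layers / 2) * key_bits. Nominal key size would be layers * key_bits."""
    return math.ceil(layers / 2) * key_bits


if __name__ == "__main__":
    # Constructed demo keys and plaintexts; two pairs suffice to filter the
    # ~1 false candidate expected from joining 2^32 key pairs on a 32-bit block.
    K1, K2 = 0x1234, 0xBEEF
    pairs = [(p, double_encrypt(p, K1, K2)) for p in (0xDEADBEEF, 0x01234567)]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
    for layers in (2, 3, 5):
        print(f"{layers}x56-bit cascade: nominal {layers * 56} bits, "
              f"meet-in-the-middle time ~2^{mitm_cost_bits(layers, 56)}")
```

The point for the 3AES discussion is the arithmetic in `mitm_cost_bits`, not the toy cipher: stacking layers buys roughly half the added key bits against this generic attack, and, as Natanael says, none at all against a structural break of the underlying cipher.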
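Michael Kjörling's reply quotes Schneier's thermodynamic bound on counting through a key space (1.21×10^41 ergs per year from the sun, 10^51 ergs from a supernova). The script below is an added worked calculation for this page, not code from the list or from Schneier; it restates the one constant the quote leaves implicit, which is an assumption taken from Schneier's argument in Applied Cryptography: the minimum energy for one bit change is kT at 3.2 K, about 4.4×10^-16 erg. With that constant the sun figures reproduce exactly (187 bits per year, 192 bits for 32 years) while the supernova comes out as 220 bits rather than the quoted 219, a one-bit rounding difference in the constants. The inverse function answers Dan McDonald's actual worry: how many years of the sun's whole output an exhaustive search would need at each key size, assuming each key trial costs at least one irreversible bit change.

```python
import math

# Assumption carried over from Schneier's argument: one bit change costs at
# least kT, with Boltzmann's constant in erg/K and a 3.2 K ambient temperature.
BOLTZMANN_ERG_PER_K = 1.38e-16
TEMPERATURE_K = 3.2
ERGS_PER_BIT_CHANGE = BOLTZMANN_ERG_PER_K * TEMPERATURE_K   # ~4.4e-16 erg

# Energy figures quoted in the digest.
SUN_ERGS_PER_YEAR = 1.21e41
SUPERNOVA_ERGS = 1e51


def bit_changes(ergs):
    """Upper bound on the number of bit changes that `ergs` of energy can drive."""
    return ergs / ERGS_PER_BIT_CHANGE


def counter_bits(ergs):
    """Width of the largest counter that `ergs` can cycle through all of its
    states, i.e. floor(log2) of the bit-change budget. One bit change per
    counter state is the (optimistic) assumption of the bound."""
    return math.floor(math.log2(bit_changes(ergs)))


def sun_years_to_exhaust(key_bits):
    """Years of the sun's entire output needed to step through 2**key_bits
    states; a lower bound on the energy cost of an exhaustive key search."""
    return 2.0 ** key_bits / bit_changes(SUN_ERGS_PER_YEAR)


if __name__ == "__main__":
    print(f"one year of the sun:   {counter_bits(SUN_ERGS_PER_YEAR)}-bit counter")
    print(f"32 years of the sun:   {counter_bits(32 * SUN_ERGS_PER_YEAR)}-bit counter")
    print(f"one supernova:         {counter_bits(SUPERNOVA_ERGS)}-bit counter")
    # 56 = DES, 112 = 3DES effective, 128/256 = AES, 768 = nominal 3AES-256
    for bits in (56, 112, 128, 256, 768):
        print(f"{bits:4d}-bit key space: {sun_years_to_exhaust(bits):.3g} sun-years")
```

Reading the table is the useful part: the sun's output exhausts a 128-bit key space in a tiny fraction of a year of energy, so AES-128's margin against brute force is an engineering statement (nobody can harvest and direct that energy), whereas 2^256 needs on the order of 10^20 years of the whole sun, which is the "reasons of physics" in Kjörling's reply. A 768-bit nominal key for 3AES-256 therefore adds nothing against brute force that 256 bits did not already provide, which is the thread's conclusion.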