[Cryptography] Dumb question -> 3AES?
ianG
iang at iang.org
Thu Aug 14 07:46:56 EDT 2014
On 12/08/2014 17:50 pm, John Gilmore wrote:
>> Given that the leading software break is still due to buffer overflows,
>> and nobody's ever cracked a big-name crypto algorithm in living memory ...
>
> Are you losing your memory? Enigma? Purple?
I don't remember those at all ;)
> DES?
Not cracked, overtaken. Someone built a cruncher, recall ;)
> MD4? MD5?
Same same. I'm excluding stupidity in this. It is engineering, after
all, choose the tool that is appropriate for the job.
> (I admit that DES was deliberately weakened by NSA to make it
> crackable -- but what other big-name crypto algorithms do we use, that
> may also have that characteristic?)
What ifs are so seductive, but they don't write a line of code for us.
>> The conventional answer to not doing anything is that you are now doing
>> cryptography. So you have to explain to yourself why you think you can
>> do better than the people who spent their lives on this. Are you that good?
>
> Sometimes you have different motives than other people who spend all
> their days working on crypto.
>
> For example, many people in cryptography don't seem to think about
> developing societal resistance to mass surveillance attacks; they
> focus their efforts on preventing targeted attacks. I have been
> advocating that in RSA key generation, we should randomize not only
> the key, but the number of bits in the key (within safe and computable
> limits). This is because the current over-dependence on 1024-bit keys
> is a magnet for some large corrupt overfunded agency to build a brute
> force 1024-bit factoring machine. If instead society was actively
> using a broad range of key sizes between 1024 and 4800 bits, a
> 1024-bit RSA cracker would only get them <5% of the keys. And
> building a much more expensive 1100-bit RSA cracker would only get
> them <6% of the keys, etc. Today if they can build a 999-bit RSA
> cracker, they won't waste their money there, because they know the
> payoff is nil; but they'll strain their ingenuity and budgets to get
> to 1024 bits, whereupon they can crack 95% of the RSA keys in actual
> use.
>
> So why doesn't our popular RSA-based software randomize its key
> lengths at key generation time? It's a matter of where the designers
> and maintainers have focused. Diversity of focus can be useful
> against wily adversaries.
Seems like we need a Goldman approach: advocate that everyone employ
standard sizes like 1024 and 2048, but don't do that yourself.
iang
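Gilmore's argument above rests on a simple model: a factoring machine is paid for once and then reaches every deployed key whose modulus is at or below its capacity, so what matters is how the population of key lengths is distributed. The following is an added example, not code from this thread or from any of the participants, that makes the model concrete: it compares a constructed "today" distribution (a stand-in for the "95% at 1024 bits" figure in the message, not a measurement) against a uniform spread over 1024 to 4800 bits, and shows how a key generator would draw a length from that range with the OS CSPRNG. The step of 8 bits in `choose_key_bits` and the 1024-bit floor are assumptions of the example, not something the message specifies.

```python
"""Model the key-size argument from the quoted message: how much of the
deployed RSA population a factoring machine of a given capacity would
reach under today's practice versus randomised key lengths.
Added example; the TODAY distribution is constructed, not measured."""
import secrets
from typing import Dict

KeyDist = Dict[int, float]  # modulus bits -> fraction of deployed keys at that size

# Constructed stand-in for the concentration the message describes
# (95% of keys at 1024 bits), with the remainder placed at 2048.
TODAY: KeyDist = {1024: 0.95, 2048: 0.05}


def uniform_distribution(lo: int, hi: int, step: int = 1) -> KeyDist:
    """Every length from lo to hi (inclusive, in multiples of step) is equally likely."""
    sizes = list(range(lo, hi + 1, step))
    return {bits: 1.0 / len(sizes) for bits in sizes}


def coverage(dist: KeyDist, cracker_bits: int) -> float:
    """Fraction of keys a machine that factors moduli of up to cracker_bits reaches.
    Assumes, as the message does, that cost is governed by modulus length alone."""
    return sum(p for bits, p in dist.items() if bits <= cracker_bits)


def choose_key_bits(lo: int = 1024, hi: int = 4800, step: int = 8) -> int:
    """Pick a key length uniformly at random from [lo, hi] in multiples of step.

    Uses secrets (OS CSPRNG) rather than random.random(), since the length is
    part of what the adversary must not be able to predict. step=8 is an
    assumption made for tools that expect byte-aligned moduli; the 1024-bit
    floor is the lower bound the message itself uses."""
    if lo < 1024 or hi < lo:
        raise ValueError("key length range must stay at or above 1024 bits")
    return secrets.choice(range(lo, hi + 1, step))


if __name__ == "__main__":
    spread = uniform_distribution(1024, 4800)
    for cap in (999, 1024, 1100):
        print(f"cracker up to {cap} bits: today {coverage(TODAY, cap):.1%}, "
              f"randomised {coverage(spread, cap):.3%}")
    print("next key would be generated with", choose_key_bits(), "bits")
```

Under a uniform spread the numbers come out far below the "<5%" and "<6%" bounds in the message (a 1024-bit machine reaches one length in 3777, an 1100-bit machine 77 of them), so the bounds are loose upper estimates; the shape of the conclusion is unchanged. The drawn length would be passed to whatever RSA generator is in use in place of the fixed 1024 or 2048.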