[Cryptography] Dumb question -> 3AES?

ianG iang at iang.org
Thu Aug 14 07:46:56 EDT 2014


On 12/08/2014 17:50 pm, John Gilmore wrote:
>> Given that the leading software break is still due to buffer overflows,
>> and nobody's ever cracked a big-name crypto algorithm in living memory ...
> 
> Are you losing your memory?  Enigma?  Purple?

I don't remember those at all ;)

>  DES?

Not cracked, overtaken.  Someone built a cruncher, recall ;)


> MD4?  MD5?

Same same.  I'm excluding stupidity in this.  It is engineering, after
all, choose the tool that is appropriate for the job.


> (I admit that DES was deliberately weakened by NSA to make it
> crackable -- but what other big-name crypto algorithms do we use, that
> may also have that characteristic?)


What ifs are so seductive, but they don't write a line of code for us.


>> The conventional answer to not doing anything is that you are now doing
>> cryptography.  So you have to explain to yourself why you think you can
>> do better than the people who spent their lives on this.  Are you that good?
> 
> Sometimes you have different motives than other people who spend all
> their days working on crypto.
> 
> For example, many people in cryptography don't seem to think about
> developing societal resistance to mass surveillance attacks; they
> focus their efforts on preventing targeted attacks.  I have been
> advocating that in RSA key generation, we should randomize not only
> the key, but the number of bits in the key (within safe and computable
> limits).  This is because the current over-dependence on 1024-bit keys
> is a magnet for some large corrupt overfunded agency to build a brute
> force 1024-bit factoring machine.  If instead society was actively
> using a broad range of key sizes between 1024 and 4800 bits, a
> 1024-bit RSA cracker would only get them <5% of the keys.  And
> building a much more expensive 1100-bit RSA cracker would only get
> them <6% of the keys, etc.  Today if they can build a 999-bit RSA
> cracker, they won't waste their money there, because they know the
> payoff is nil; but they'll strain their ingenuity and budgets to get
> to 1024 bits, whereupon they can crack 95% of the RSA keys in actual
> use.
> 
> So why doesn't our popular RSA-based software randomize its key
> lengths at key generation time?  It's a matter of where the designers
> and maintainers have focused.  Diversity of focus can be useful
> against wily adversaries.


Seems like we need a Goldman approach:  advocate that everyone employ
standard sizes like 1024 and 2048, but don't do that yourself.



iang
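As an added illustration of the key-length randomisation idea discussed above (this is not code from the thread or from any of the posters), the script below picks an RSA modulus length at random from the 1024 to 4800 bit range mentioned in the post and computes what fraction of a population of keys a hypothetical cracker that can factor any modulus up to N bits would recover. The 8-bit step and the sample of 20000 keys are my own assumptions; the closed form assumes lengths are drawn uniformly, which is one distribution among many a deployer might choose.

```python
import secrets

# Range taken from the message above; the 8-bit step is an assumption made
# here, since most RSA implementations expect a modulus length that is a
# multiple of 8 (some require multiples of 64 or more, so adjust STEP).
MIN_BITS = 1024
MAX_BITS = 4800
STEP = 8


def random_modulus_bits(min_bits=MIN_BITS, max_bits=MAX_BITS, step=STEP):
    """Choose an RSA modulus length uniformly at random from the range.

    secrets.randbelow draws from the OS CSPRNG, so an observer of many
    generated keys cannot predict which length the next one will have.
    """
    if min_bits > max_bits or step <= 0:
        raise ValueError("bad key-length range")
    choices = (max_bits - min_bits) // step + 1
    return min_bits + step * secrets.randbelow(choices)


def coverage(cracker_bits, key_lengths):
    """Fraction of key_lengths that a cracker able to factor any modulus of
    up to cracker_bits bits would recover."""
    if not key_lengths:
        return 0.0
    return sum(1 for b in key_lengths if b <= cracker_bits) / len(key_lengths)


def uniform_coverage(cracker_bits, min_bits=MIN_BITS, max_bits=MAX_BITS, step=STEP):
    """Closed form of coverage() when lengths are uniform over the range."""
    if cracker_bits < min_bits:
        return 0.0
    total = (max_bits - min_bits) // step + 1
    covered = (min(cracker_bits, max_bits) - min_bits) // step + 1
    return covered / total


def compare(cracker_bits=1024, n_keys=20000):
    """Monoculture (everyone at 1024 bits) versus randomised lengths, using a
    constructed sample of n_keys keys; returns the two coverage fractions."""
    monoculture = [1024] * n_keys
    diverse = [random_modulus_bits() for _ in range(n_keys)]
    return coverage(cracker_bits, monoculture), coverage(cracker_bits, diverse)


if __name__ == "__main__":
    mono, div = compare()
    print(f"1024-bit cracker: monoculture {mono:.1%}, randomised {div:.3%} "
          f"(uniform closed form {uniform_coverage(1024):.3%})")
    print(f"2048-bit cracker against randomised keys: {uniform_coverage(2048):.1%}")
```

Two practical caveats a deployer would weigh: key generation time and per-operation cost grow with modulus size, so the upper end of the range is not free, and any peer, protocol profile or hardware token that only accepts fixed sizes (commonly 2048 or 4096) will reject the odd lengths, which is where the "standard sizes" advice in the reply above comes from.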


