[Cryptography] new wiretap resistance in iOS 8?

ianG iang at iang.org
Tue Sep 23 12:50:50 EDT 2014


On 22/09/2014 06:48 am, Jerry Leichter wrote:
> ...  What made the EFF DES cracker valuable was that it was a real, working machine - there was no longer any place of argument about what was *possible*.


Big concur.

> ... (BTW, the EFF reports that they *budgeted* $210,000, which proved too low by $40,000 - about 20%.  It's not easy getting accurate cost estimates even fairly close in to actual design/build time.)


Nothing to be ashamed of there!

> There's also the question of *what algorithm to use*.  People keep repeating the story that the NSA "weakened" DES by reducing the key to 56 bits; but in fact we now know, and have known for years, that given the basic DES algorithm (a) the S-boxes NSA specified are the strongest possible against differential cryptography; (b) the inherent strength of the DES algorithm against DC is only about 56 bits.


We also know that NSA argued for a 40 bit key, and the compromise was 56
bits.

> If the NSA, at that moment in time, had wanted to reserve the ability to break DES to itself, it could have simply left the 64-bit keys in place.  Everyone else would be looking at strength against brute force attack, and would conclude that with a 64 bit key (well, 63 because of the complement property) things were safe for a while; but NSA could use DC and get a roughly 55-bit attack.  (A few years later, when NSA had begun to see the degree of penetration public use of encryption was starting to have, I have no doubt they would have done just that - at least in a hypothetical world where DC was not yet publicly known.  But I think they just missed what was coming down the road - they thought that crypto would move from the realm of spies to big banks and some of the largest corporations, which they could penetrate easily enough in other ways.  So at that moment in time, my guess is they really wanted to get a strong system fielded for those giants.)


Which suggests that they didn't actually have the confidence that they
could crack 64 bits even with DC.  Maybe DC didn't scale?



(I think it is important to keep mining this 'event' because how the
threat actor acted with DES gives us a window on how they will act in
the future.  Given the spook tendency to slap a secrecy order over
everything up to and including trips to the bathroom, we can only
reasonably construct plausible threat models by reconstructing events
that have entered the public domain with sufficient facts.  Same for
DUAL_EC.)



iang