[Cryptography] I broke a cipher this week.

ianG iang at iang.org
Sat May 23 06:29:47 EDT 2015


On 23/05/2015 00:41 am, Ray Dillinger wrote:
>
>
> On 05/22/2015 04:27 PM, Bertrand Mollinier Toublet wrote:
>> It must be lack of imagination, but I can’t think of a single good reason why AES would not be an appropriate choice where this cipher-attempt might have been used… Why did that company entertain the idea of a non-standard cipher in the first place?!
>> -—
>> Bertrand
>>
>
>
> There is a certain degree of Hubris and a certain
> degree of "Not Invented Here" involved.  Which,
> unfortunately, is typical of certain industries.


There's obviously something wrong with the message that is out there. 
Why is it that an apparently good engineer doesn't get the message that 
it's better to work with the known good stuff?

This is a seriously interesting question, in that we keep coming back to 
it.  If we can't even convince the programming world that something like 
AES is orders of magnitude more secure than a home-built cipher, ... 
what does this say about slightly more complicated decisions?

Of which there are many.  Case in point being cipher suites, which can 
be hard to understand, and a wrong choice can leave it totally open.



I wonder if there is an experiment that could be run.  Take 100 good 
engineers, give them a box of algorithms and a cheat-sheet on how they 
work and why they are bad ... tell them to pick one.  Then see how many 
decide to start from scratch?

I just last night watched _The Imitation Game_.  Apparently WWII was won 
because one man had a girlfriend, so didn't follow orders.  Yes, 
whatever, it was fiction, but the story is indicative.

What is the chance that any decision is bungled for reasons we can't 
rationally predict?  If that chance is X what does this do to our security?

How many decisions N need we introduce into a system before it becomes 
worthless because the combined chance of a breach exceeds some threshold?


> In fact I'm surprised they allowed anyone outside
> the company to examine their cipher before
> deploying it.  But glad they did.


Yes, brave.  If the press gets hold of it, they will write the wrong story.



iang


More information about the cryptography mailing list