[Cryptography] ratcheting DH strengths over time

Perry E. Metzger perry at piermont.com
Mon Nov 16 15:51:42 EST 2015


On Mon, 16 Nov 2015 15:34:58 -0500 Jerry Leichter <leichter at lrw.com>
wrote:
> 
> >> Our symmetric cryptography, on the other hand, is based on
> >> algorithms that we believe cannot be attacked using anything
> >> significantly better than a brute-force attack.
> > 
> > However, it is frequently the case that this proves false. See
> > again RC4,
> [Funny, I've often argued the opposite side on this question.]
> 
> I don't believe anyone ever saw RC4 as in a class with modern block
> encryption algorithms.

Whether they saw it that way or not, a lot of RC4 is still out there
being used to protect traffic right now.

> DES has been subject to public attacks for forty years now.  (It
> was subject to more attacks internally at IBM, and by NSA (take
> that for what you will) for several years before that.)  To this
> day, there are no attacks significantly better than brute force.

But brute force is quite doable for 1DES and there's a surprising
(and sad) amount of it in the field.

> > various hash functions, etc., and even various cryptographic
> > modes (like various block cipher modes) that prove less secure
> > than was previously believed.
>
> Hash functions have indeed been problematic.  Note, however, where
> attacks on them are the most hazardous:  When they are used as part
> of signature algorithms.

Regardless, the overall point stands. We are well aware that crypto
appears to be something that needs to be field replaceable, and yet
we more or less have no clue how to do that in deployed embedded
hardware. Indeed, we seem to have a very poor idea in general on how
to maintain the software on field deployed embedded hardware. (To
give another common example, the world's home "routers" are an
astonishingly large pool of highly insecure systems.)

> The fancier cryptographic modes that try to provide too much have
> gotten hit.  The basic modes - CBC, CTR - continue to provide the
> guarantees they always did.  You do have to be careful about
> understanding *exactly what* they guarantee.

We didn't understand what they guaranteed. CBC in particular has
proven much more problematic than was assumed 25 years ago.

Perry
-- 
Perry E. Metzger		perry at piermont.com
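[Editorial addition, not part of Perry's or Jerry's message.] The exchange above turns on what CBC does and does not guarantee. One thing it never guaranteed is integrity: in CBC, P[i] = D_K(C[i]) XOR C[i-1], so anyone who can edit the ciphertext can flip chosen bits in P[i] by flipping the same bits in C[i-1] (or in the IV, for block 0), at the cost of scrambling P[i-1]. The script below demonstrates that. The block cipher is a stand-in, a 4-round Feistel network with an HMAC-SHA256 round function, chosen so the script runs on the standard library alone; the key, IV handling and the "transfer" message are constructed for the example, and the malleability shown does not depend on which block cipher sits underneath.

```python
"""CBC malleability demo (added example; the block cipher is a stand-in).

P[i] = D_K(C[i]) XOR C[i-1], so a bit flipped in C[i-1] (or in the IV for
block 0) reappears as the same flipped bit in P[i], while P[i-1] turns into
unpredictable garbage. Nothing here depends on the block cipher, which is
a 4-round Feistel network over HMAC-SHA256 (Luby-Rackoff: 4 rounds of a
PRF give a strong PRP) used only so the demo needs no third-party library.
"""
import hashlib
import hmac
import os

BLOCK = 16            # 128-bit block, like AES
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function: keyed PRF of (round number, right half), truncated.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def tamper(iv: bytes, ct: bytes, target_block: int, offset: int, delta: int):
    """Flip the bits of `delta` into byte `offset` of plaintext block
    `target_block` by editing the preceding ciphertext block (the IV when
    target_block == 0). Needs no key. Returns the modified (iv, ct)."""
    if target_block == 0:
        buf = bytearray(iv)
        buf[offset] ^= delta
        return bytes(buf), ct
    buf = bytearray(ct)
    buf[(target_block - 1) * BLOCK + offset] ^= delta
    return iv, bytes(buf)


def demo():
    key = b"k" * 32                 # constructed demo key
    iv = os.urandom(BLOCK)          # fresh IV, as a sender should use
    msg = b"transfer=0000100;to=alice-account"   # constructed sample, 3 blocks
    ct = cbc_encrypt(key, iv, pkcs7_pad(msg))
    # 1. Rewrite block 0 through the IV: '0' -> '9' at byte 9, no collateral damage.
    iv2, ct2 = tamper(iv, ct, 0, 9, ord("0") ^ ord("9"))
    forged = pkcs7_unpad(cbc_decrypt(key, iv2, ct2))
    # 2. Rewrite block 1 through C[0]: ';' -> '&'; block 0 becomes garbage,
    #    the padding in the last block is untouched and still verifies.
    iv3, ct3 = tamper(iv, ct, 1, 0, ord(";") ^ ord("&"))
    forged2 = cbc_decrypt(key, iv3, ct3)
    return msg, forged, forged2


if __name__ == "__main__":
    original, forged, forged2 = demo()
    print(original)
    print(forged)
    print(forged2)
```

Run it and the first forgery decrypts cleanly to an amount ten times larger with valid padding, which is exactly why a MAC (or an AEAD mode) must sit over CBC or CTR ciphertext before anything acts on it: the mode's guarantee is confidentiality against a passive eavesdropper, not detection of modification.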