Security Encryption

New Attack Against Multiple Encryption Functions

An anonymous reader sends word of a paper presented a few days back by Adi Shamir, the S in RSA, that promises a new form of mathematical attack against a broad range of cryptographic ciphers. The computerworld.com.au report leans heavily on Schneier's blog entry from the Crypto 2008 conference and the attached comments. Shamir's paper has not been published yet. "[The new attack could affect] hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES) at the Crypto 2008 conference. The new method of cryptanalysis has been called a 'cube attack' and formed part of Shamir's invited presentation at Crypto 2008 — 'How to solve it: New Techniques in Algebraic Cryptanalysis.' The new attack method isn't necessarily going to work against the exact ciphers listed above, but it offers a new generic attack method that can target basically formed ciphers irrespective of the basic cipher method in use, provided that it can be described in a 'low-degree polynomial equation'... What may be the biggest outcome from this research is the range of devices in widespread use that use weaker cryptographic protection, due to power or size limitations, that are now vulnerable to a straightforward mathematical attack."
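The "low-degree polynomial" condition in the quoted report is the hinge of a cube attack, so here is a toy version worked through as an added example; it is not code from Shamir's paper (unpublished at the time of the story) or from any report linked above, and it assumes the publicly described shape of the technique: sum a black-box polynomial over a chosen "cube" of public bits so that only a linear function of the secret bits survives, then solve the resulting linear system. The polynomial, bit counts and secret values below are constructed for illustration and stand in for no real cipher.

```python
import itertools, random
N_PUB, N_SEC = 3, 3     # public (attacker-chosen) bits v0..v2, secret bits x0..x2
RNG = random.Random(1)  # fixed seed so the linearity test is reproducible

def toy_poly(v, x):
    """Constructed degree-3 polynomial over GF(2) standing in for a cipher."""
    return ((v[0] & v[1] & x[0]) ^ (v[0] & v[1]) ^ (v[0] & v[2] & x[1])
            ^ (v[1] & v[2] & x[2]) ^ (v[1] & v[2] & x[0]) ^ (v[0] & x[0] & x[1])
            ^ (v[2] & x[1] & x[2]) ^ x[0] ^ x[2] ^ v[1])

def cube_sum(g, cube):
    """XOR g(v) over all settings of the cube bits (other public bits 0); monomials
    not divisible by the cube product cancel in pairs, leaving the 'superpoly'."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        acc ^= g([bits[cube.index(i)] if i in cube else 0 for i in range(N_PUB)])
    return acc

def linear_superpoly(f, cube, trials=20):
    """Preprocessing on an instance whose secret the attacker can set: read off
    c + sum(a_i x_i) from x=0 and unit vectors, reject the cube if a random pair
    violates the GF(2) linearity check s(a^b) == s(a)^s(b)^s(0)."""
    s = lambda x: cube_sum(lambda v: f(v, x), cube)
    const = s([0] * N_SEC)
    coeffs = [s([int(i == j) for j in range(N_SEC)]) ^ const for i in range(N_SEC)]
    for _ in range(trials):
        a, b = ([RNG.randint(0, 1) for _ in range(N_SEC)] for _ in "ab")
        if s([p ^ q for p, q in zip(a, b)]) != s(a) ^ s(b) ^ const:
            return None
    return const, coeffs

def solve_gf2(rows):
    """Gauss-Jordan elimination over GF(2) on (coeffs, rhs) rows; None if singular."""
    for col in range(N_SEC):
        piv = next((i for i in range(col, len(rows)) if rows[i][0][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for i, (c, r) in enumerate(rows):
            if i != col and c[col]:
                rows[i] = ([p ^ q for p, q in zip(c, rows[col][0])], r ^ rows[col][1])
    return [rows[i][1] for i in range(N_SEC)]

def recover_secret(f, secret):
    """Online phase: the attacker sees only f(v, secret) for v of their choosing."""
    system = []
    for k in (1, 2):
        for cube in itertools.combinations(range(N_PUB), k):
            lin = linear_superpoly(f, cube)
            if lin and any(lin[1]):  # usable: linear and involves a secret bit
                system.append((lin[1], cube_sum(lambda v: f(v, secret), cube) ^ lin[0]))
    return solve_gf2(system)
```

Raising the degree (for instance adding a `v[0] & v[1] & x[0] & x[1]` term to `toy_poly`) makes the (0, 1) cube's superpoly nonlinear and `linear_superpoly` rejects it, which is the intuition behind the objection that modern ciphers' algebraic degree puts them out of reach.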
  • by billsf ( 34378 ) <billsfNO@SPAMcuba.calyx.nl> on Friday August 22, 2008 @11:21AM (#24706229) Homepage Journal

    An order of magnitude improvement in cracking a 56-bit key would be significant. However, most of us use far greater key spaces, and only flaws in the crypto itself or the container are the real threat. It is however interesting when anybody can make a massive improvement in cryptanalysis. A 10x improvement would make cracking 40-bit 'consumer-grade' (such as GSM and DECT) crypto trivial on the latest processors. The most likely application is to give governments easy access to snoop 'private' phone and data conversations.

    This is not threatening to me at all. I don't really see the need to encrypt phone calls in the first place. It is absolutely essential to encrypt other data. This seems to be because there is a social taboo about tapping phones, but not so much so with data. Therefore all system admins must use SSH and others should consider it too.

    The real threat is the quantum computer, if it exists in a practical form. If that is the case, there is one complete solution -- The awkward 'one-time pad'.

  • by Kjella ( 173770 ) on Friday August 22, 2008 @11:42AM (#24706577) Homepage

    Here's the bane of reliable internet news. I now predict we'll have a kazillion stories like "OMG the sky is falling" on the news sites I visit, because they produce way more hits than "completely irrelevant theoretical crypto-attack found". It's really that simple; I think even if they KNOW the story is bogus it's better to get the headliner and then make a "correction" later.

  • by CodeBuster ( 516420 ) on Friday August 22, 2008 @12:23PM (#24707259)

    That said, the algebraic degree associated with modern block codes is far beyond this.

    Would not a modern block cipher, AES for example, be of at least order 128 or possibly higher with at least as many variables? It was also mentioned in the summary of TFA that older or lower-power devices might be vulnerable, but really, where are these devices being used right now? It has been my experience that if something is encrypted at all (i.e. someone actually bothered to think about security) then a stronger algorithm is generally selected (AES, 3-DES, Twofish, etc.); otherwise, and this happens all too often, encryption is simply not employed even though it easily could have been and probably should have been.

  • Re:ehm (Score:3, Interesting)

    by wirelessbuzzers ( 552513 ) on Friday August 22, 2008 @12:34PM (#24707419)

    There was a rump session talk on Gpcode, actually. It was suggested that if you had enough porn and/or music on your computer (tens of thousands of files with known headers, I believe), an attack on RC4 would recover your disk. It's related to the attack that breaks WEP. I don't know if it's been implemented.
