

AES Announced as Federal Standard 267
chekhov writes: "Today NIST has finally announced AES (Advanced Encryption Standard) as a Federal Standard after 4 years of development. See the press release. AES is the replacement of DES and is expected to be used in financial systems and secure networks for up to 20 years. More information on the AES homepage."
Rijndael (Score:3, Funny)
Re:Rijndael (Score:2, Informative)
Re:Rijndael -- for linux only ! (Score:1)
Re:Rijndael (Score:2)
Completely unbreakable...? (Score:2, Redundant)
I can't help thinking that back when DES was new, they probably told us the same thing.
Moore's law and all that stuff, but betcha in a decade or so AES is suddenly breakable...!!!!
Re:Completely unbreakable...? (Score:1, Informative)
on cracking AES. Conventional computers will run out of steam long before they get fast enough to crack AES. Quantum computers on the other hand might be a different story.
However, hopefully NIST will simply issue a new standard if AES becomes breakable, like it did for DES.
Re:Completely unbreakable...? (Score:4, Interesting)
Your better bet is to work out how to solve NP hard problems (or any one) and map it back to the crypto algorithm. But of course you'll be able to do that easily once IBM releases its first quantum computer....
Re:Completely unbreakable...? (Score:5, Insightful)
In addition, AES may have problems we don't even know yet. DES turned out not to require brute forcing.
Re:Completely unbreakable...? (Score:2, Insightful)
Re:Completely unbreakable...? (Score:2, Interesting)
But that is a huge "if".
I recently did a study of future trends with regard to processors. Let me sum up ....
Processing speeds are currently limited by charge dissipation (no pun intended). Charge dissipation is related to feature (transistor) size. It is a hard fact that feature size can only shrink at the Moore's Law rate for about another 12 years before we get transistors that are only a few molecules thick.
I'm not saying that it will be impossible to continue with efficiency gains beyond that point. But who's going to pay for the research to continue at such a break-neck pace?
Perhaps, I am being short-sighted, but I think we are starting to see a slowing of the demand for ever-faster technology.
Graphics-intensive games are staying on store shelves for years, instead of months. Even Microsoft is having a hard time making software that is bloated enough to demand the latest hardware.
Developing new processor technologies is horrendously expensive. Unless there is sufficient demand for faster processing speed, it will simply not be viable for companies to research the technology.
Okay, I spoke my mind. Flame on!
And your point is? (Score:2)
As for whether Moore's law will actually fail in 12 years or not, that remains to be seen. Looking at current processor designs tells you nothing about that: current processor and systems designs should have been abandoned decades ago. The only reason we still stick with them is because it has been easier to push processes than design. I very much hope we'll hit the limit on processes soon so that we can then focus on getting better performance through better overall systems design.
For crypto, transistor density == speed (Score:2)
Moore's law says nothing about computer speed doubling. It refers to the transistor count doubling.
Distributed.net [distributed.net] relies on the fact that all other factors being equal, brute-forcing a key (decrypting a message with all possible keys) scales linearly with the number of processors involved because of the inherent parallelism. If transistor density doubles, the number of crypto datapaths you can put on a given-sized die doubles. Therefore, Moore's law of gate density translates directly into speed increases.
Re:Completely unbreakable...? (Score:2)
True, although those were effectively solved with 3DES; hopefully a 3AES won't be needed for a long while.
Then it's O(n*2^n); PGP practical problems (Score:2)
Also, the processor time and memory is roughly proportional to key length
In other words, the time to decrypt a message with an n-bit key is O(n). The time to bruteforce a message (decrypt a message with all n-bit keys) is thus O(n*2^n) which is still O(2^n) at high values of n. So you still lose a bit of key length to Moore's law of transistor density every 18 months.
So if you double the capabilities of your computer then you can double the key length without taking a performance hit.
But then you and everybody you communicate with would have to make new keys. And even then, you often can't use more than 128-bit keys across national borders.
Well, computers probably got fast enough in the late 80s, but encryption-for-everybody still hasn't really taken off. I guess social factors are harder to model than CPU speeds!
Another problem is that PGP/GnuPG "web of trust" model requires you to know somebody face-to-face who is already part of the web of trust so that you can validate her key [gnupg.org] and gain access to the rest of the keys. In fact, there must be a path in the graph of PGP users that leads to Phil Zimmermann or to Richard M. Stallman (see also Oracle of Bacon [virginia.edu]).
Re:Completely unbreakable...? (Score:2)
Re:Completely unbreakable...? (Score:2)
Not with present theoretical work on quantum computing, as it's been reported. Yes, they can find factors very quickly, but factorisation is not NP-hard, and nor are any of the other (very few) problems that quantum computers have been demonstrated to be useful for.
If I recall correctly from my computer security subject at uni, one of the other things that quantum computers can do is help brute-forcing cyphers, but not by nearly as much as you think. I was told it makes the problem equivalent to brute-forcing a key half the length, so brute-forcing a 256-bit key with a quantum computer would take round about the same amount of work as cracking a 128-bit key with a conventional computer. Brute-forcing 128-bit keys is computationally infeasible and will remain so for decades, at least.
Quantum Computing (Score:2)
Does the computing power not increase in a similar way?
If it does, then to brute force a bigger key one just has to use more qbits!!!
Can anyone who really knows about this confirm or deny it????
Qbits and power (Score:2)
The basic idea with quantum computing is that you can do computations on all of the possible inputs simultaneously. It appears that some of the problems we'd like to solve with quantum computers may not be able to be expressed efficiently with the quantum operations at our disposal. Someone mentioned in another post that quantum computers don't seem to be able to break block ciphers as efficiently as they can factor large numbers.
If everything is working properly, the Qbits probably aren't exactly ones or zeroes until you look at them. (In the world of quantum mechanics, particles act differently when you look at them. Look up Schrodinger's Cat on Google if you're not familiar with the basic idea of quantum.) The state of each qbit is a pair of complex numbers, called amplitudes. The square of a magnitude (vector length squared for the spatial thinkers among you. The dot product of a vector and its complex conjugate for those of you that prefer linear algebra.) is a probability.
The qbit is most likely not totally a 1 or a zero. The qbit is partially a one and partially a zero and these parts are represented as amplitudes. This indeterminate state is called a quantum superposition. In Ket notation we say a qbit is alpha |0> + beta |1> where alpha and beta are those complex amplitudes I mentioned earlier.
Stay with me. I'm almost done with the stuff that makes your head swell.
When you observe the qbit, it magically becomes exactly a one or exactly a zero, with probability determined by the amplitudes. Therefore, the sum of the squares of the magnitudes of alpha and beta always add up to one, since the probabilities of the qbit being observed as a zero or one must sum to 100%.
So, what does this all mean? It means that all of your computations are done with the qbits being BOTH zero and one at the same time. (Okay, so you set some of the qbits to specific values in order to control the quantum gates.) This means that with n qbits, it's like doing computation on 2^n data points simultaneously. You set up your computations so that in the end when you look at your qbits, you have a high probability of seeing the correct answer.
There's a big problem keeping very many qbits in quantum superposition for very long. A random neutrino or other minor disturbance has the same effect as looking at the qbits in mid computation.
Re:Completely unbreakable...? (Score:2)
Untrue.
Each bit of key size doubles the computational cost of brute force attack. So AES is 2^(128-56) = 2^72 times harder to break than DES.
If Moore's law continues and computing power doubles every 18 months AES will be broken in precisely 105 years (it being 2 years since the DES cracks).
I don't know about you, but I have no plans to use AES personally after 2075.
In practice the quantum limits of silicon computing will be reached earlier, although it may prove possible to move from 2D slices to 3D systems...
Re:Completely untrue...! (Score:4, Informative)
DES was never expected to have a lifetime longer than 25 years or so. The cryptanalysts who designed DES never heard of Moore's law, and wouldn't have cared about it if they had. They knew that the most important factor was algorithm efficiency, not the raw computing power.
In fact, a study in Programming Pearls a while back compared the effects of improved algorithms vs. improved hardware speed for several historically hard problems. The results were clear - hardware is getting faster, but you could still run circles around the latest supercomputer running 1960s era algorithms with your PDA running current algorithms. (Okay, the original article compared Crays to TRS-80s, but kids today may not know what a trash-80 is.)
The only reason computers seem slower is that they're used to solve far bigger problems. People tend to be willing to spend the same amount of time solving problems, and for a given time O(nlg(n)) has a far larger value of 'n' than O(n^3).
Re:Completely unbreakable...? (Score:5, Informative)
>make the algorithm easy to break for someone who
>knew the secret.
Yes, this is what was _thought_.
When differential cryptanalysis was discovered in 1991, many DES 'replacements' were completely broken, but DES itself was only weakened, not broken.
It turned out to be those NSA-picked S-boxes that made it much more secure than the alternatives. So, they actually made the algorithm stronger, not weaker.
(and they had apparently known about differential cryptanalysis some 20 years before the academic world did. Scary, isn't it?)
--
GCP
Re:Completely unbreakable...? (Score:2)
The original paper by Biham and Shamir is available at CiteSeer:
[nec.com]
Differential Cryptanalysis of DES-like Cryptosystems. It's a classic paper that everyone interested in the field should read. There are some wonderful analyses of systems which people had suggested as alternatives to DES. For example (from page 72):
Re:Completely unbreakable...? (Score:2, Interesting)
Very true; it's commonly believed that the way that DES withstood differential encryption shows that the NSA knew about that technique in the '70s.
Also interesting, though, is the evidence that the NSA didn't know about linear cryptanalysis; DES was weakened quite a bit more under that method of attack.
That's not to insult IBM or the NSA; you can't predict what sort of an attack people are going to throw at you two decades in the future. That it stood up as well as it did is a monstrously huge accomplishment.
I'm just fascinated how we can deduce what the NSA knew and didn't know so many years ago, by judging how well things withstand attacks today.
Terrorists? (Score:2, Funny)
The AES is now an approved encryption algorithm that can be used by U.S. government organizations to protect sensitive, unclassified information.
...
Commercial and other non-federal organizations are invited-but not required-to adopt and implement the AES and NIST's other cryptographic standards.
If I read this correctly, terrorist cells qualify as "other organizations". I couldn't find any mention of export limitations, civilian key strength limitations, or bans on use by criminal organizations.
What have we done?
Re:Terrorists? (Score:1)
Re:Terrorists? (Score:3, Insightful)
This really is no big deal. There are many high-quality hard crypto techniques around. If al-Qaeda really want strong crypto they can just FTP it from ssh.com like anyone else. Or PGP. Or OpenBSD.
But historically, they have relied on codes (as opposed to cyphers), trusted intermediaries and one time pads.
Here's a free clue for you: terrorists and other criminals, by definition, don't obey laws. So what if there's a "civilian key strength limitation" when you can download the source, change a #define and type make. So what if there's a ban, that's trivial to people who destroy skyscrapers just to make a point. So what if the algorithm is a secret, the US govt. doesn't have a monopoly on talented mathematicians.
This genie is already out of the bottle. Trying to put it back will only help the terrorists by disrupting and harming the commercial interests of the West further.
<rant>
The Feds never really had a chance of keeping crypto out of the hands of anyone, but they were too stupid to realize it, too busy banning metal cutlery in airports and nonsense like that. I am English, have you ever tried to eat a proper English breakfast with plastic cutlery?!
</rant>
Re:Terrorists? (Score:2)
The Feds never really had a chance of keeping crypto out of the hands of anyone, but they were too stupid to realize it, too busy banning metal cutlery in airports and nonsense like that. I am English, have you ever tried to eat a proper English breakfast with plastic cutlery?!
Nonsense. The Federal government accomplished as much as they could, within the constitutional limits by which they were constrained. They have successfully delayed mass-marked crypto to this day.
Sure, a bad guy can download a crypto package. A bad-guy organization can download a dozen different cryptosystems in less time than it'll take me to write this.
But my brother-in-law with Windows ME still doesn't use it. And neither does your mom, or your car salesman, or the guy who drives the gas tanker truck for BP.
As long as 99+% of the worlds e-mail travels unencrypted, Echelon can watch it. Carnivore can watch it. And encrypted e-mail is still easily recognizable for what it is, so it stands out, making traffic analysis easier (which is also legal without a warrant under the PATRIOT act.)
The DOJ and FBI have so far succeeded masterfully at accomplishing their common goal of preventing a global encryption infrastructure. IPSec, SSL, https:, PGP, etc. are all fine and secure products and protocols, but nothing today is all-pervasive. Encryption only happens on an ad-hoc basis, which has been their goal ever since the genie got let out of the bottle. They have very successfully kept encryption from protecting us to its fullest potential.
John
Re:Terrorists? (Score:2)
Or code it themselves. Rijndael/AES is a fairly simple algorithm, and only relies on a few "magic numbers" (the 256-byte S-box is generated mathematically). It would be easy for someone with a math or electrical engineering background to memorize the algorithm, then implement it from scratch at a later date without any source code or reference material. It took me an evening to write an AES implementation based on the PDF specification on the NIST website, and it would be faster to re-do it now that I understand how the algorithm works. Does that now make me a "controlled munition"?
There is no good way to control or restrict the *distribution* of strong crypto. All that can be done is to restrict the *use* of strong crypto, by widespread wiretapping combined with severe penalties for anyone sending messages that can't be cracked or don't correspond to the copy of your private key that you "voluntarily" registered with the government. The government doesn't have to be able to break a terrorist's message, if that encrypted message itself is sufficient cause to throw the "terrorist" in jail with no further communication to the outside world.
Not that I approve of this, mind you, but it could be done. It might even work, in a theoretical world where law-enforcement officials were all 100% free from corruption or the possibility of bribery/blackmail.
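The post above says Rijndael is simple enough to write from the specification in an evening, with the 256-byte S-box derived arithmetically rather than copied. The following is an added example of exactly that, written for this page rather than taken from the poster or from NIST: a straight-from-FIPS-197 AES-128 block encryption in Python, with the S-box generated from the GF(2^8) inverse plus the affine map, checked against the FIPS-197 Appendix C.1 test vector. It is table-driven and not constant-time, so it serves to study the algorithm, not to protect data.

```python
"""AES-128 block encryption built directly from the FIPS-197 description.

Added educational example (not the poster's or NIST's code). The S-box is
generated arithmetically instead of hard-coded, and the result is checked
against the FIPS-197 Appendix C.1 test vector. Table lookups make this
implementation timing-dependent, so it is for study, not production use.
"""


def xtime(a):
    """Multiply a GF(2^8) element by x (0x02) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF


def gmul(a, b):
    """General GF(2^8) multiplication by shift-and-add."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = xtime(a)
        b >>= 1
    return p


def gen_sbox():
    """Build the S-box: multiplicative inverse (0 maps to 0) then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gmul(x, y) == 1)
        s = inv
        for _ in range(4):  # s ^= rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox


SBOX = gen_sbox()


def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]            # RotWord
            t = [SBOX[b] for b in t]     # SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)           # next round constant
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def shift_rows(s):
    """State is column-major: byte (row r, column c) is at index r + 4*c.
    Row r is rotated left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Multiply each column by the fixed polynomial {03}x^3 + {01}x^2 + {01}x + {02}."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [
            gmul(a[0], 2) ^ gmul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ gmul(a[1], 2) ^ gmul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ gmul(a[2], 2) ^ gmul(a[3], 3),
            gmul(a[0], 3) ^ a[1] ^ a[2] ^ gmul(a[3], 2),
        ]
    return out


def encrypt_block(key, block):
    """Encrypt one 16-byte block with a 16-byte key (10 rounds, last without MixColumns)."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        s = shift_rows(s)
        if rnd != 10:
            s = mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_block(key, pt).hex())  # FIPS-197 C.1: 69c4e0d86a7b0430d8cdb78070b4c55a
```

Two things worth noticing when reading it against the spec: the round keys come out of the key schedule already in column order, so they line up with the column-major state without any transposition, and the whole S-box really is reproducible from a single constant (0x63) and the field polynomial, which is the "few magic numbers" point the post makes.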
European Technology (Score:2)
Heads up for choosing the best solution from a cryptography viewpoint!
Re:European Technology (Score:2)
Re:European Technology (Score:3, Insightful)
Re:European Technology (Score:1)
Re:European Technology (Score:2)
I don't know about Poland, but I think it's safe to assume they don't have anything bigger than the NSA either!
Re:European Technology (Score:2)
Of course they are smaller, but the important thing is to be able to mount the effort when it's needed. NSA on the other hand is just "Yet another US government office out of control" or in self-control - but out of reach from gov.hill. Nobody in the US government dares to touch NSA. Both the NSA and the CIA failed completely on 11 Sep.
So what do they need NSA for when cryptography is retrieved in Europe, creating secure Linux distributions?
Re:European Technology (Score:2)
Basically - yes - that is with "all other things being equal". Even if the NSA is "Yet another US government office out of control", I don't see (for example) that GCHQ would be any different - except for being smaller
Both the NSA and the CIA failed completely on 11 Sep.
That's true. However, it's not like GCHQ knew exactly what was going on but didn't bother telling the Americans is it?! Everybody failed.
Re:European Technology (Score:2)
But what are we discussing? My primary point was that it's nice that the algorithm was chosen for its design/features rather than what country it was from. One of the analysts (can't remember who) said that no matter which got chosen (from round 2) they would all be an excellent AES, but Rijndael would be the bold choice based on its pure/simple mathematical base.
Re:European Technology (Score:2)
I think both agencies have successfully delayed or prevented similar activities more times than we can count. Because one set of fucking psychos slipped through shouldn't lessen our appreciation for the other schemes they've stopped so far.
Not that I'm going to let them take PGP away from me, mind you... :-)
John
Re:European Technology (Score:5, Informative)
However, when it came to the German naval Enigma, the 4 wheel version, we ground to a halt. We didn't have the resources to build enough hardware to break the crypts within any time that the info would have helped. So we called in the US to help build more gear. It was a big team effort.
Note however, that the 3rd Reich trusted Enigma utterly. They fell into the trap of thinking they were completely secure, and that was the downfall of Enigma, as it would be of any trusted encryption. Encryption by definition is breakable in a certain length of time. The problem with Enigma was that there were backdoors, such as the fact it never encrypted any letter as itself. The security of AES is currently being hailed as the fact it has a key field 10 to the 21 times larger than 56bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.
Re:European Technology (Score:5, Interesting)
The security of AES is currently being hailed as the fact it has a key field 10 to the 21 times larger than 56bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.
Key length is, of course, vitally important. Understand the Rijndael spec. [nist.gov] before you continue your speculation. Also, many "idiots" try to brute force it [distributed.net]. Effort required to force a key is proportional to the cipher's weakness.
Less generally, by employing lack of symmetry and a non-linear layer in the cipher, AES pretty much guarantees that you'll simply be searching the key-space at random. If you can come up with a way to do better than a brute force, you should quit your current job.
The 2^255 Rijndael iterations required to force a 32 byte key is certainly sufficiently secure by today's standards, but historically consistent increases in computing power coupled with increased distributed processing ability due to networked computer proliferation means that keys will have to keep growing to stay reasonably secure.
Re:European Technology (Score:2, Interesting)
The German Navy, on the other hand, was notably more disciplined in the use of Enigma. That, more than any other single factor, made it harder to read naval intercepts.
Useful lesson, in my humble opinion; the encryption method (DES, AES, PGP, Enigma, whatever) is less of a vulnerability than the habits of the person using the method. If my messages always begin with "Dear Mom," and always end with my name, I've introduced an exploitable flaw.
Re:European Technology (Score:2, Interesting)
The German naval Enigma machines were the most secure, yes, but they had eight scramblers, not four. Also, the navy machines' reflectors could change position, unlike other Enigma boxen. The German navy basically had their shit together where the Enigma machine was concerned. They probably took it more seriously than the other branches, since it was their one and only secure link to the Reich while they were out to sea.
However, when it came to the German naval Enigma, the 4 wheel version, we ground to a halt. We didn't have the resources to build enough hardware to break the crypts within any time that the info would have helped. So we called in the US to help build more gear. It was a big team effort.
This is plain not true. The German naval ciphers were cracked by continually stealing the code books. Right up to the end of the war, the cryptanalysts at Bletchley Park were completely dependent on codebooks to make sense of the Kriegsmarine messages. That was the only Enigma implementation that wasn't "cracked."
Yes, Enigma had backdoors. But it was only after Enigma had already been cracked due to poor message construction and not enough scrambler wheels that this was discovered. So that wasn't why Enigma was initially cracked. It was initially cracked thanks to the cryptanalytic genius of Marian Rejewski, a name that is unknown even in many crypto circles.
Only an idiot would try to brute force it though,
It WAS Martin Hellman who said "God rewards fools."
Re:yeah (Score:3, Interesting)
The Germans changed the wheel order, start positions, and reflector positions on the Enigma machines nightly, but that wasn't enough. The operators often used the same start codes over and over again, they sent predictable messages, and, like I said, there were issues with the Enigma itself. The UK RAF set up 'traps' by mining specific locations of the English Channel, and then Bletchley Park knew that the messages from specific lookout posts would contain the coordinates of the mines, a very useful crib.
Try books such as Station X, Enigma, Seizing The Enigma, and The Code Book for a readable history.
(The Code Book even has a nice challenge at the end (although the prize has been claimed))
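Several posts above make the same point from different angles: Enigma never encrypted a letter as itself, operators sent stereotyped text, and a message that always opens "Dear Mom," hands the analyst a crib. The snippet below is an added illustration written for this page (not from any poster) of how those two facts combine. Given a ciphertext and a guessed plaintext fragment, it lists the offsets where the crib could sit, discarding every offset at which any letter would have encrypted to itself. The ciphertext and crib are constructed sample strings, not real intercepts.

```python
"""Crib placement against a cipher that never maps a letter to itself.

Added example (not from the original thread). The only property used is
the one the posts describe: under Enigma no letter encrypts to itself, so
a crib cannot sit at an offset where it would coincide with the ciphertext.
Sample inputs below are constructed.
"""


def crib_positions(ciphertext, crib):
    """Return the offsets at which `crib` could align under `ciphertext`.

    An offset survives only if no crib letter lines up with the same letter
    in the ciphertext; a single coincidence rules the offset out.
    """
    ciphertext = ciphertext.upper().replace(" ", "")
    crib = crib.upper().replace(" ", "")
    return [
        off
        for off in range(len(ciphertext) - len(crib) + 1)
        if all(c != p for c, p in zip(ciphertext[off:], crib))
    ]


def surviving_fraction(ciphertext, crib):
    """Share of candidate offsets left after applying the self-encryption rule."""
    total = len(ciphertext) - len(crib) + 1
    return len(crib_positions(ciphertext, crib)) / total


if __name__ == "__main__":
    sample_ct = "TWZTNEBXQJRR"   # constructed, not a real intercept
    sample_crib = "WETTER"       # the classic weather-report crib
    print(crib_positions(sample_ct, sample_crib))       # [2, 3]
    print(surviving_fraction(sample_ct, sample_crib))   # 2/7
```

The defensive reading is the one the thread gives: a cipher flaw that leaks nothing about the key on its own becomes decisive once operators supply predictable plaintext, which is why message formats, fixed headers and repeated boilerplate matter as much as the algorithm.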
The other pages... (Score:3, Informative)
Find out all about it (including how to say it
Rijndael popular acceptance (Score:2)
It seems to be open, and acceptable to a lot of people. More information on the cipher is to be found here [kuleuven.ac.be].
Standard ? (Score:3, Interesting)
Will I have to pay royalties if I intend to write AES-compliant programs then sell related services?
I actually read in the facts page that the "public" helped building the algorithm and specs but in which way is that AES thing public?
Re:Standard ? (Score:5, Informative)
It's a US government standard, meaning that all government-related (whatever that means) should use it (or something like that). It's just another algorithm instead of DES/3DES to be used as The Official US Government Encryption Standard.
Some pieces-o'-software, both free and commercial, use Rijndael, but it's not a standard (ISO or ANSI or whatever).
> Will I have to pay royalties if I intend to write AES-compliant programs then sell related services ?
Probably not. There are plenty of free implementations of the Rijndael algorithm, and from what I can figure out, there doesn't seem to be any restrictions to it. From the author's page [kuleuven.ac.be]:
Rijndael is available for free. You can use it for whatever purposes you want, irrespective of whether it is accepted as AES or not.
Even if the US government puts some kind of export restriction on software using it, it's still very available (in several free (of some kind) implementations) outside US.
NIST too [nist.gov], provide their own reference implementation [nist.gov].
> I actually read in the facts page that the "public" helped building the algorithm and specs but in which way is that AES thing public ?
The algorithm was invented by "the public" (two guys in Belgium), not by NIST or the US government. NIST just selected the one algorithm they considered the most appropriate from the whole lot of available encryption algorithms out there.
Re:Standard ? (Score:2, Informative)
Definitely not. This was an important consideration for defining the standard. NIST only accepted unencumbered submissions - meaning:
So - not only can you use the algorithm, you can even use their implementation, no questions asked. They actually released two implementations, a "basic" and an "optimised" one. I don't remember whether having two versions was a NIST requirement.
Re:Insightful/Informative/Interesting MOD THIS UP (Score:4, Interesting)
Now, if I happen to successfully develop an AES "decryptor", may I publish its source code without infringing the DMCA [tompox.com] ?
The inventors of Rijndael, who seem to be exceptionally intelligent and sane people, would probably be more than happy to be challenged with a real attack on the algorithm. Unless you have a PhD in Mathematics specializing in cryptanalysis you probably needn't waste your breath though.
Of course, if the media industry has had time to implement AES in one of their ridiculous UHT (User Hostile Tech) schemes, you may well end up under legal attack, as could, very possibly, the authors of the algorithm themselves should they find a flaw. It has been noted that the media industries will probably not go after "academics" in the short term considering how the Felten affair blew up on them (Russians apparently don't count).
Just because the enemy has usurped the term "secure" for their UHT does not mean that you should confuse all encryption with DMCA etc. These algorithms really are secure, based on real math that most people agree not even the NSA can break, and do not rely on stupid "gun in mouth" schemes to keep people from breaking them as UHT invariably does.
Re:It is also very interesting, please, MOD UP TOO (Score:2, Interesting)
Yes, pretty much.
So this once again makes me wonder whether there is or not a bug in the DMCA :
If some technologies are based upon some free algorithm which get broken, (*breathe here*) why should the happy-genius-hacker be sued as he just pointed out some flaw in a "public" technology?
Don't try to apply logic to law, it will lead you nowhere. The reason the happy-genius-hacker gets sued is because he is a convenient target, who can easily be painted as a villain in the eyes of courts, politicians, and the public.
Actually, as he'll make the technology improve and thus get rid of the given flaw, it'd rather be the fault of the suing organization as they accepted to use a flawed1 algorithm...
You are missing a vital point that a lot of technologists seem to miss, but that has not been lost on the international media cartels. It is this: there is no non-flawed implementation of UHT.
Because UHT relies on your computer controlling you (what "user hostile" means) and in at least some sense your computer is always actually under your control, regardless of implementation it will always be possible to crack it. Hackers like Sklyarov and Beale Screamer are not helping improve the UHT technology because whatever is done it will always stay vulnerable, and the vulnerabilities they exposed were undoubtedly known by the implementors. If you support the existence of UHT (or copyright law, which doubtlessly requires UHT to be enforced) then the DMCA is not only a justified, but a necessary law. In fact, the DMCA does not go nearly far enough, which is why laws like the 'SS'SCA are very necessary as well.
I guess the DMCA seriously sucks because of its lack of consistency :
They should rather not use any protection at all than inventing some stupid placebo and whining it's been broken into by some clever hacker.
The DMCA provides the international media cartels with a weapon to harass technologists who want to use computers freely as they see fit rather than under the control of the cartels' authority. It may not be too helpful against software hackers, though it has certainly slowed down many projects, but it certainly works for other purposes (consider why you will never see a CD-ROM drive that by default ignores the broken error-correction codes on those new "copy-proof" CDs).
1 : though this argumentation is purely 100% hypothetical, I assume there are flaws until one mathematically demonstrates there aren't...
Unfortunately that puts you in quite a bad place, as to my knowledge there are no(*) current ciphers that are mathematically proven to be uncrackable. There are a couple of, at least hypothetical, asymmetric ciphers that have been shown to be "NP-complete" meaning, roughly, that if they can be cracked then a whole class of problems nobody has found any answers to yet can be solved as well (you may have heard of the N != NP conjecture), but the common ones (RSA, DSA, ElGamal) are not even that. Newly designed ciphers like Rijndael/AES (which is a symmetric cipher, so should not be confused with those mentioned before) are not proved to be mathematically secure, but simply engineered to be secure against all currently known attack vectors.
(*) In order to avoid the obligatory lamer responding with ("There is a provably secure cipher, it's called One Time Tap"), I digress that there is a provably secure cipher called a one time pad, which uses keys as large as the messages that can only be used once. OTP can only be used as a type of secrecy delay - if you have a secure channel between two parties at one point in time, they can exchange random key data that will allow them to securely communicate the exact same amount of data securely over an insecure channel later. There is also the algorithm that I believe came from a student of Adi Shamir last year which hid the data in a stream of random data so large there would be no way to cache it long enough to crack the crypto (in theory anyways).
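The footnote above states the three conditions that make the one-time pad provably secure: a random key, at least as long as the message, used exactly once. The following added example (written for this page, not part of the original post) shows the pad itself and, more usefully for anyone deploying one, what the "exactly once" condition buys: if the same pad covers two messages, XORing the two ciphertexts cancels the key and leaves the XOR of the plaintexts, so knowing one message (or just guessing part of it) reveals the other. The messages are constructed samples.

```python
"""One-time pad and the two-time-pad failure.

Added example (not from the original thread). The pad is XORed with the
data, which is its own inverse; security holds only while each pad is
random, at least message-length, and never reused. Sample plaintexts are
constructed.
"""
import os


def otp_xor(key, data):
    """Encrypt or decrypt `data` with `key`; refuses a pad shorter than the data."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


def new_pad(length):
    """Fresh pad from the OS CSPRNG. Each pad must cover exactly one message."""
    return os.urandom(length)


def two_time_pad_leak(c1, c2):
    """What an eavesdropper computes when one pad encrypts two messages:
    c1 XOR c2 == p1 XOR p2, with the key cancelled out entirely."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def reuse_demo():
    """Reuse the pad once, then recover the second message from the first.

    Returns True when the leak lets an attacker who knows p1 read p2.
    """
    p1 = b"attack at dawn"   # constructed sample
    p2 = b"retreat by sea"   # constructed sample, same length
    pad = new_pad(len(p1))
    c1 = otp_xor(pad, p1)
    c2 = otp_xor(pad, p2)    # misuse: same pad, second message
    leak = two_time_pad_leak(c1, c2)
    recovered = bytes(a ^ b for a, b in zip(leak, p1))  # p1 known -> p2 falls out
    return recovered == p2


if __name__ == "__main__":
    pad = new_pad(16)
    ct = otp_xor(pad, b"single use only")
    print(otp_xor(pad, ct))      # b'single use only'
    print(reuse_demo())          # True: key reuse exposes the second message
```

The practical consequence is the one the footnote draws: the pad is a way to spend a secure channel now on secrecy later, and any system that stretches or reuses pad material is no longer a one-time pad, whatever it is called.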
Re:As usual : MOD PARENT UP ;-) (Score:2)
And that's why satellite TV hackers have gone to the lengths of ion-beam analysis of the smart card chips to decode what's stored in them.
And as many people have pointed out before, information can be spread much easier than most other commodities. (Which is why they're trying to protect this stuff in the first place!) So once hacker A has disassembled the chip, and hacker B has written a chip emulator for the PC, all non-hackers C-Z have to do is download the emulator and they're ( watching free porn && stealing TV service ).
IBM has proposed addressing this with "secure" hard drives and "digital monitors". Sony and others have pushed for SDMI music players. Retailers have used this for more than 10 years with the ubiquitous Verifone PIN pads you see at retailers and gas stations everywhere.
John
Government Sponsored Attacks (Score:5, Interesting)
Interesting that the US government was busy asking people to try to crack an encryption standard, while at the same time upholding a law [slashdot.org] to make breaking encryption illegal.
So, now that this encryption method is officially accepted, will it be illegal to try to crack it?
340 undecillion (Score:3, Interesting)
One of the perks of cryptography seems to be the chance to make up words for big numbers! 1 undecillion = 10^36
10^3 = Thousand
10^6 = Million
10^9 = Billion
10^12 = Trillion
10^15 = Zillion(?)
...
I seem to remember Douglas Adams invented a 'grillion' but don't know how big that was supposed to be
Re:340 undecillion (Score:2, Interesting)
10^6 million
10^9 billion (bi=2)
10^12 trillion (tri=3)
10^15 quadrillion (quad=4)
10^18 quintillion (5)
10^21 hex/sextillion (6)
10^24 hept/septillion (7)
10^27 octillion (8)
10^30 nonillion (nona = 9)
10^33 decillion (deca = latin for 10)
10^36 undecillion
(undec=latin for one and ten = 11)
10^39 dodecillion (12, do and deca = 2+10 = 12)
see? it works. centillion is biiig. by simple math 3 * 100 + 3 (thousand = "0") = 10^303
sextillion is my favourite (though I'm sure it's really hextillion)
mod up the AC!
my math may be wrong. ditto with the latin. but the naming convention is right.
Re:340 undecillion (Score:2)
10^6 million
10^9 milliard
10^12 billion
10^15 billiard
10^18 trillion
10^21 trilliard
French and British number systems (Score:2)
wow, for once the US has a consistent, well thought out naming scheme, and the rest of the world uses something equally bizarre as the imperial system of measures...
They're both pretty well defined. Given n as the prefix-number (mi=1, bi=2, tri=3, quadri=4, quinti=5...):
The U.S. system: n-llion == 10^(3n+3).
The continental system: n-llion == 10^(6n); n-lliard == 10^(6n+3).
Re:340 undecillion (Score:2)
four millinillitrillion and 14 is 4*10^{3000012} + 14 (American) and 4*10^{6000018} + 15 (British).
It's Greek to me! (Score:2)
If we use our familiar SI prefixes:
deca: decillion: 1e30
hecto: hectillion: 1e300
kilo: kilillion: 1e3000
mega: megillion: 1e3000000
giga: gigillion: 1e3000000000
tera: terillion: 1e3000000000000
exa: exillion: 1e3000000000000000
and so forth. (In other words, what comes after exa-?)
And never forget
triskadillion: 1e39
Oops! (Score:2)
So a gigillion is 1e3000000003, etc.
Re:340 undecillion (Score:2)
--- Reference 1, located 45% into the book ---
"And how many guys zilched out?"
"Two grillion, m'lud." The Clerk sat down. A hydrospectic photo of him at this point would have revealed that he was steaming slightly.
---
--- Reference 2, located 84% into the book ---
"Which means, I suppose," said Marvin, requiring only one ten thousand million billion trillion grillionth part of his mental powers to make this particular logical leap, "that you're not going to release me or anything like that."
---
Re:340 undecillion (Score:2, Funny)
The most famous j-iga quote of all time (Score:2)
Re:/. poll comments (Score:2)
Super K (Score:4, Interesting)
I couldn't find the paper (damnit) but Knuth says in Things a Computer Scientist Rarely Talks About
"If you don't agree that Super K is so large as to be beyond human comprehension, I can at least prove conclusively that if you consider all the numbers less than or equal to Super K, almost all of them are impossible to describe in any way in the universe"
I dunno, is that bigger than a googolplex? I wouldn't be surprised if the Guinness people spent less than 30 seconds researching this - in fact I suspect this was just some piece of useless trivia someone who happened to be in the office that day happened to know
Re:Super K (Score:2)
IIRC, the Ackermann function (and relatives) do a relatively good job of describing very large numbers.
Serpent is more secure IMHO (Score:3, Interesting)
the sooner AES is used widely the better though
regards
john 'keys ? no sir I forget things' jones
Re:Serpent is more secure IMHO (Score:2)
Security not the only consideration (Score:2, Informative)
I'd guess that Rijndael was more efficient on more types of devices than serpent and that led to its being accepted as the standard.
IMO, that doesn't take anything away from the other top five candidates in terms of their usefulness at hiding information.
used in PGP? (Score:1)
Re:used in PGP? (Score:5, Informative)
RFC2440 [gnupg.org], which defines the OpenPGP standard, already reserves three AES key sizes (128, 192, 256-bit).
Gnupg [gnupg.org] already supports AES in all 3 block sizes and so does 'official' PGP v7.0x [pgp.com].
PGP since v7.x hasn't been open source, so you won't find any details at www.pgpi.org. The best way to add AES support to previous 'open source' versions is to use the CKT builds [ipgpp.com] by Imad. These are still based upon the v6.58 code base but contain dozens of fixes and improvements.
I mad? No. You mad. (Score:2)
Oh great. Here's a site that calls itself "I mad".
Poll: Would you use software from a site called "I mad"?
Radical opinion, on Slashdot (Score:2)
Please don't sound superior about this.
If I lived in Iran, I would change my name to Moshen. Why? Because I don't want to sound Christian in a country where that is not favored. (Because Christians killed Muslims during the Crusades.)
I suggested to a friend of mine whose name is Mohammad that he pick another name for use in the U.S., since someone named Mohammad had bombed a TWA flight, and Mohammad Salameh bombed the World Trade Center the first time it was bombed. He strongly agreed, and now calls himself Mike when communicating with people who don't understand his culture.
I had a Japanese-Brazilian acquaintance whose last name is Asso, which is pronounced to rhyme with asshole. When he says his last name, it sounds like he is saying asshole. If he came here, I would recommend he adopt a different name.
I heard about a German man, now living in the U.S., who changed his last name. Before the change, it was Raper, a perfectly good name in German.
Un-intentional communication has killed many Open Source Software projects, and commercial companies, too. I have found that this is a very radical opinion on Slashdot, but it is the standard opinion of professional communicators and marketing people. My opinion is that OSS must adopt good communication methods to avoid silly problems like this.
I'm not saying that someone who is named Imad should change his name. He should arrange his communication, however, so people who are new to knowing him don't read it as "I mad", which is what a native English speaker is likely to do.
--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence? [hevanet.com]
A 19-year-old Korean woman understands this issue. (Score:2)
It's amazing how difficult this concept is on Slashdot.
I'm not "judging people by their name". I'm NOT judging a person at all. I'm saying don't call your web site or open source software product by a name that has any possible unfortunate meanings or connotations.
I did not invent this idea. It is universally used by people who design professional communication.
Why avoid side communication? Because long experience has shown that products with such communication don't do well in the marketplace.
I repeat. This has NOTHING to do with "judging people by their name".
I have a Korean woman friend whose name is "Go-oon". I suggested that, if she stayed in the U.S., she call herself "Susan". "Go-oon" sounds like "Goon" and is difficult to pronounce correctly for English speakers.
She didn't accept my suggestion; she didn't stay in the U.S. long. But she certainly did not take my suggestion as anything negative. She was 19. Why is it that a 19-year-old Korean woman understands this issue, but not many Slashdot readers? (Incidentally, she ran Linux. So, she is an above-average 19-year-old Korean woman. But still.)
Re:used in PGP? (Score:3, Interesting)
You still use crypto software you have to pay for? [Yes, this was a joke, maybe you only use crypto "for personal use".]
GnuPG [gnupg.org], on the other hand, developed AES capability less than 2 days after NIST originally approved Rijndael last year. The next public release wasn't for a week or two, but still.... (Well, NIST officially "approved" it just now, but they "recommended it for approval" just over a year ago.) I remember seeing a message from the GnuPG development list about an hour after the NIST announcement saying "I'm working on it."
GnuPG is similar to the command-line version of PGP and supports the same file formats / protocols, but is free for all uses and isn't affiliated with Phil Zimmermann or Computer Associates. I don't know if it has the same depth of plugin support for third-party apps, but hey, it's supported by all the Linux apps I need it for.
Coming in OpenSSL soon... (Score:4, Informative)
Re:Coming in OpenSSL soon... (sig) (Score:2)
Of course. It depends on how selective one is about which truths are allowed.
[Nitpick] AES isn't 100% of Rijndael (Score:3, Informative)
The AES has selected the variable key lengths of 128, 192, 256 to be used with a 128-bit block
BouncyCastle [bouncycastle.org] has had a full implementation of Rijndael since 1.0 beta 4 (now at 1.10)
Disclaimer: I'm a BouncyCastle author.
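The nitpick above (AES is Rijndael pinned to a 128-bit block) and the earlier note that OpenPGP reserves the 128-, 192- and 256-bit key sizes, made concrete: a from-scratch AES block encryption following FIPS-197, added here as an example and not taken from the page, from BouncyCastle, or from NIST. It derives the S-box from its definition instead of pasting a table, accepts all three key sizes, and rejects any block that is not 16 bytes, which is exactly where the AES subset parts company with full Rijndael. The plaintext and keys in the usage section are the FIPS-197 Appendix C vectors.

```python
"""AES block encryption as standardised in FIPS-197: the Rijndael cipher
restricted to a 128-bit block, with 128-, 192- or 256-bit keys.
Added example for this thread, not code from the page or from NIST."""


def _xtime(a):
    """Multiply by x in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def _gmul(a, b):
    """Multiply two GF(2^8) elements bit by bit (no lookup tables needed)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """Derive the S-box from its definition: multiplicative inverse, then the
    affine map b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    inv = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if _gmul(a, b) == 1:
                inv[a] = b
                break
    sbox = []
    for a in range(256):
        b = inv[a]
        s = b
        for k in range(1, 5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """FIPS-197 key schedule; returns Nr+1 round keys of 16 bytes each."""
    nk = len(key) // 4          # key words: 4, 6 or 8
    nr = nk + 6                 # rounds: 10, 12 or 14
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[x] for x in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:               # extra SubWord for 256-bit keys
            t = [SBOX[x] for x in t]
        w.append([x ^ y for x, y in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def _shift_rows(s):
    """State is column-major (byte index = 4*column + row); row r rotates left by r."""
    return [s[4 * ((i // 4 + i % 4) % 4) + i % 4] for i in range(16)]


def _mix_columns(s):
    """Multiply each column by the fixed circulant matrix [2 3 1 1; 1 2 3 1; ...]."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out


def aes_encrypt_block(key, block):
    """Encrypt one 16-byte block. Rijndael also allowed 192- and 256-bit
    blocks; AES does not, so anything but 16 bytes is rejected here."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 128, 192 or 256 bits")
    if len(block) != 16:
        raise ValueError("AES block is fixed at 128 bits")
    round_keys = _expand_key(key)
    last = len(round_keys) - 1
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, last + 1):
        s = [SBOX[b] for b in s]
        s = _shift_rows(s)
        if rnd != last:                     # final round has no MixColumns
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]
    return bytes(s)


if __name__ == "__main__":
    # FIPS-197 Appendix C: plaintext 00112233...ff with keys 00 01 02 ... (16/24/32 bytes)
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for klen in (16, 24, 32):
        print(klen * 8, aes_encrypt_block(bytes(range(klen)), pt).hex())
```

This is a single-block primitive with no mode of operation, so it is the thing a validated module wraps, not something to encrypt files with directly; it exists here to show what the "AES subset" actually pins down.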
OSS authors: Don't pick self-destructive names. (Score:4, Insightful)
BouncyCastle.
It amazes me how often open source authors pick self-destructive names. A serious effort should not be limited by a humorous or trick name.
A name like BouncyCastle will limit the number of people who adopt the software. People are afraid there is a hidden joke they don't understand.
There are times when it is appropriate to be 100 percent serious.
I am NOT saying anything negative about the software. The ONLY negative thing I am saying about the authors is that they are obviously not professional communicators.
Open Source Software needs marketing communication like any product that wants to reach a large number of people.
Re:OSS authors: Don't pick self-destructive names. (Score:2)
Says you, but why the hell should I believe a bloke called FuturePower?
At least it is not a joke. (Score:2)
Power for the Future
At least it is not a joke. Back before IBM sold PCs, I was selling Morrow Microdecision PCs, that ran the CP/M operating system. Back then it was unusual that someone would own a computer. 4.77 Megahertz for $2,300. No hard drive, 13 inch monochrome monitor.
I chose that trademark to signify exactly what it says.
Windows was a carefully selected name. (Score:2)
Windows was a carefully selected name. At the time Microsoft picked it, windowing was an advanced ability for a PC.
These ideas about avoiding the chance of miscommunication are completely accepted by the people who sell all the consumer products you use. I'm surprised these ideas are so difficult for Slashdot readers to accept. My posts about this have consistently been modded down.
Re:Windows was a carefully selected name. (Score:2)
As you point out, it is a geeky name. At the time Microsoft picked it, no consumer would know about "windowing" (an advanced ability for a PC). They'd hear the name Windows and draw their own conclusion. Now, it's a catchy name, but consumers would have connotations of "fragile", "breakable", "something I look through", "something transparent", "something I open and close", "something that keeps things out", etc. It's a catchy name. With lots of bad connotations, admit it. Thank goodness not everyone follows the rules.
I argue that few are hackers. (Score:2)
Re:OSS authors: Don't pick self-destructive names. (Score:2)
"Linux" is a great name that follows all the rules. It communicates what it was intended to communicate, and nothing more. It's a Unix work-alike that is still guided by a man named Linus. The name couldn't be better.
I'm not saying that companies with humorous names don't ever have customers. I'm saying that, in my experience, these companies don't last. They either go out of business or they change their name.
I can give only one counter-example: The Beatles. Sounds like an insect. This shows that, if you have an absolutely revolutionary product, and George Martin as a producer, you can overcome unfortunate connotations. But it doesn't happen often. If you disagree with this, can you give me counter-examples?
My quick impression when I visited your web site was that it was a good product. My comments have NOTHING to do with you or your product. My comments are only about unfortunate connotations.
Quoting your post:
"We (authors of BouncyCastle) have already gone through this with somebody who mailed us directly, who's boss didn't want to use it because the name was funny."
How many people had this reaction, but didn't communicate with you?
P.S.: Here is another example. Don't call yourself a geek. It carries the connotation that you have difficulty communicating with others, and avoid communicating by immersing yourself in technical things. After seeing your website, I very much doubt that is true.
--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence? [hevanet.com]
Re:OSS authors: Don't pick self-destructive names. (Score:2)
Well, if designing a name that results in several common (incorrect) pronunciations is one of the rules, then yes. There are 2 common variations on the "i" and 3 on the "u" that I hear in this part of the world. Sure, many constructed names suffer from this problem, but it can be minimized in the name design process. For a little five-letter name, it's pronounced incorrectly an impressive amount, even by the old Unix crowd where you'd think it would be closest to its roots. Nice name, but room for improvement.
Something related about the name "Linux" that I notice... I commonly need to repeat and spell the name for people the first time they hear it. Now, this isn't critical in business and it probably won't break any deals. But having it written down incorrectly by receptionists, bankers, etc. is an annoyance. Again, nice name once you get to know it, but the first introduction is difficult.
My point here is simply to show that something doesn't have to follow any rules to be a great name. Linux is great. But not because it "follows all the rules" or "couldn't be better".
Give me examples of truly bad names... (Score:2)
I see your point. Part of the problem was that Linus did not care how it was pronounced until people began asking him.
Please, however, give me examples of truly bad names of commercial products.
Re:Give me examples of truly bad names... (Score:2)
Okay, thoroughly offtopic here now, but it's time to burn off some karma. And product naming is something I've been involved with...
That's a nicely constructed challenge you issue, since any name I give you can be retorted with "it's unique/politically incorrect/irreverent/offensive/bizarre/funny/horr
I won't cite this as a "bad" example, because it actually works, but something that still amuses me is the way Ikea names its products. There are thousands of nearly interchangeable names for their stuff. Now, functionally they might as well just use model numbers, but the crazy Swedish names apparently sound sexy or exotic to non-Swedish buyers, so they work. They communicate nearly nothing and are frequently impossible to pronounce, spell, or remember to non-Swedes. But they do the job in the store and catalog and are quickly forgotten since the product itself is good enough. I don't know the name of any of my Ikea products, and I've got a bunch. And I couldn't use those names to give to a friend for a referral. There's simply nothing "good" about any of those names, but as a naming scheme it's good. So I suppose you'll say that's a "meta-rule" in action.
The best thing about rules is that there are so many to choose from and we can always make more!
Enough Rounds? (Score:2, Interesting)
Points for whoever can produce the explanation why the apparent weakness doesn't matter, and why we shouldn't be jimmying our Rijndaels to do a few more rounds, and calling the variant "RWS" (for Rijndael With Suspenders) or something.
Remember that it was the suspenders added to MD4 to make MD5 that made the cracking of MD4 something other than a disaster.
Why bother.. (Score:3, Funny)
I prefer (Score:2)
In other news, AG Ashcroft jailed all 857 employees (Score:5, Funny)
sPh
Chaining (Score:2)
What is almost never mentioned in discussions of cryptography is that brute force or most mathematical attacks require that the method of encryption be known.
If the method of encryption is not known, then it can be impossible to decrypt a message. For example, if several kinds of strong encryption are used, and the kinds and order are not known, then brute force or mathematical attacks don't work. (Using several methods of encryption together is called "chaining".)
This is of limited use since, in many cases, it is impossible or impractical or difficult to keep the methods of encryption secret.
Nevertheless, software that used several encryption methods and varied the methods depending on the passphrase would have value in some cases where there is plenty of computing power.
--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence? [hevanet.com]
If the software chose the methods of encryption... (Score:2)
If the software chose the methods of encryption, and the sequence in which the methods were used, based on the password, then chaining would be secure.
The problem with this is that it does not allow public key encryption. So, some independent way must be found to distribute the password. In many cases, however, there is no difficulty with distributing passwords. For example, if employees of a company often visit the home office, they can receive new passwords.
How To Write A Press Release (Score:4, Funny)
149 trillion years? and it's not good enough for.. (Score:3, Interesting)
Q: What is the chance that someone could use the "DES Cracker"-like hardware to crack an AES key?
In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.
A: Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.
snip...
The Advanced Encryption Standard (AES) will be a new Federal Information Processing Standard (FIPS) Publication that will specify a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information.
averages and exceptions (Score:2)
It doesn't take into account advances in algorithms and hardware.
it should have read 2^55 keys per second... (Score:2)
;-)
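The arithmetic behind the quoted NIST answer and the two replies to it (a 2^55 keys/second machine, and the objection that constant-rate figures ignore hardware progress), as an added example that is not from the page or from NIST. The first function reproduces the 149-trillion-year figure; it only comes out that way with the average case of half the keyspace, so the fraction is made explicit. The second function is an assumption introduced here: it models the search rate doubling every 18 months indefinitely and solves for the year the search completes, which is the simplest way to put a number on the "advances in hardware" objection.

```python
"""Exhaustive-search cost behind the NIST "149 trillion years" figure.
Added example for this thread; the rate-doubling model is an assumption
introduced here, not a claim made by NIST or by any poster."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
DES_CRACKER_RATE = 2 ** 55   # "recovers a DES key in a second": half of 2^56 keys per second


def expected_years(key_bits, keys_per_second, fraction=0.5):
    """Years to find a key at a constant rate. fraction=0.5 is the average
    case (half the keyspace searched), fraction=1.0 the worst case."""
    keys_to_try = fraction * 2 ** key_bits
    return keys_to_try / keys_per_second / SECONDS_PER_YEAR


def years_with_doubling(key_bits, keys_per_second, doubling_years=1.5, fraction=0.5):
    """Same search, but the rate doubles every doubling_years forever (the
    assumed Moore's-law curve). Keys tried by year t is the integral of
    r0 * 2^(t/d), i.e. r0 * d/ln2 * (2^(t/d) - 1); solve that for t."""
    keys_to_try = fraction * 2 ** key_bits
    keys_per_year_now = keys_per_second * SECONDS_PER_YEAR
    ratio = keys_to_try * math.log(2) / (keys_per_year_now * doubling_years)
    return doubling_years * math.log2(1 + ratio)


def summary(keys_per_second=DES_CRACKER_RATE):
    """Constant-rate years and rate-doubling years for the sizes in the thread."""
    return {bits: (expected_years(bits, keys_per_second),
                   years_with_doubling(bits, keys_per_second))
            for bits in (56, 128, 192, 256)}


if __name__ == "__main__":
    for bits, (flat, doubling) in summary().items():
        print(f"{bits:3d}-bit key: {flat:12.3e} years at a constant rate, "
              f"{doubling:7.1f} years if the rate doubles every 18 months")
```

The constant-rate number for 128 bits is the one NIST quotes; the doubling model gives a few decades instead, which is why key-size margins are chosen against projected hardware and not against today's machines. Whether the doubling can continue that long is a separate question the thread already argues about.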
Standard (Score:1)
"also is completing arrangements so that vendors can have their implementations of AES validated under the Cryptographic Module Validation Program, jointly led by NIST and the Government of Canada's Communications Security Establishment" Is the Cryptographic Module Validation Program going to put backdoors in?
Not if it's your implementation and your company name. (Or if you're going to pay a lot of money.) "They have agreed that their algorithm may be used without royalty fees."
So it can be done under the GNU GPL.
Re:Standard (Score:2)
You're right, the algorithm AES (a subset of Rijndael [rijndael.com]) does not have any backdoors. Therefore it may be secure. And to the best of anyone's knowledge it is secure and free of any backdoors.
The NIST [nist.gov]'s FIPS [nist.gov] standards are used to tender commercial equipment from suppliers for the US government's own use, so it is in the US government's own best interest to make as certain as reasonably possible, using the Cryptographic Module Validation Program, that those products used by the government are safe and secure.
Re:Standard (Score:2)
How does Rijndael's 256-bit key compare to PGP's 4,096-bit key (assuming a well-chosen passphrase)? Can I assume that my PGP key is safer than Rijndael from brute-forcing? Or is there something about PGP's crypto that reduces the key/search space?
IOW, just how does PGP compare? Thanks!
GTRacer
- I'll stick with Enigma, thanks.
Re:One Word... (Score:1, Offtopic)