Modern History of Cryptography Techniques 204
Heather writes "The encryption scheme you rely on today might be full of holes just a few years down the road. Learn how far we've come in the last few decades, and why your apps need to be ready for change. This article builds on a previous article about Enigma, Germany's WWII-era encryption system."
What? (Score:5, Funny)
They always seem to be written in a way that makes them incomprehensible.
Re:What? (Score:5, Insightful)
Re:What? (Score:3, Funny)
Alice ("A") writes a story about Cryptography ("C") to the IBM Developerworks site ("D"). Bob ("B") is watching over her shoulder, essentially intercepting the photons ("-->P")
Bob, then submits the story to the Slashdot ("S")
Anonymous Coward Reader ("R") is confused because they are written in a way (encrypted "+*+") to make them incomprehensible.
So essentially, you are saying you don't understand:
R ?= A(D)--->P(B)+*+"--->S
What could be simpler than that???
Re:What? (Score:2)
Why a few years down the road? (Score:5, Insightful)
If is will be full of holes just a few years down the road, wouldn't it then be correct to say it's full of holes now?!
Re:Why a few years down the road? (Score:5, Funny)
Re:Why a few years down the road? (Score:5, Insightful)
One of the key decisions to make when choosing an encryption scheme is for how long the information is to be protected. If the answer is "until release date", then you can often get away with a very low-end encryption scheme. If the answer is "forever", then go for one time pad and it'll be secure until doomsday. Of course, one time pad is considerably more expensive in terms of administration, but as is so often the case, you get what you pay for
About OTP (Score:5, Informative)
There are two BIG problems with OTP:
1) You need a lot of random bits (the good stuff, like this [fourmilab.ch], not your cheap pseudo random numbers). You need exactly as many as your plaintext.
2) You need to securely send a copy to the intended receiver, and make sure the pads are destroyed once used.
Basically, no one does it because it's a real bitch to implement correctly (pad creation) and it's not worth the effort (unless you're using them in a hotline from Washington to Moscow or something like that).
You probably don't want a OTP. If you want something to encrypt your files and recover them with a password, you CERTAINLY don't want a OTP (in fact, you can't have one because the pad is not random, it's pseudo random, generated from the password and thus lacks the important properties of an OTP).
And very important: most companies that sell "One time pad" software usually sell snake [interhack.net] oil [wikipedia.org], so be very careful.
And if you think you can get away with a pseudo random pad, the soviets spent some big time making pads for diplomatic and espionage messages, and made the little mistake of using the pads more than once, you can see the results here [nsa.gov].
Re:Why a few years down the road? (Score:2)
I suspect all current encryption schemes have weaknesses that will be epxloitable in the future. It's just a question of when. Is the NSA still 10 years ahead of the state of the art?
Civilian crypto has come a long way and that's a good thing.
Rich...
Re:Why a few years down the road? (Score:2, Funny)
No no. Encryption is like a pair of socks. Just like socks over time encryption wears out and develops holes. The holes can be fixed by darning er patching but they aren't ever as comfy as before.
Related earlier slashdot story (Score:5, Informative)
Mod parent up (Score:5, Funny)
Now I just need the US Army Guide To Understanding The US Army Guide To Code Breaking
I just encrypt disks full of white noise nowadays (Score:2, Funny)
Re:I just encrypt disks full of white noise nowada (Score:5, Funny)
WHITE NOISE DRINKING GAME:
Ingredients:
BSD-based systems with random number generators, need to be the same or it's just unfair.
Your favorite method of compression.
Alcohol
Steps:
1) each of you dd if=/dev/urandom of=./noise.txt for however big you want the file to be. Bigger is better, imho.
2) bzip2 noise.txt or your favorite compression algorithm
3) whoever's file size is the highest has to drink.
You can mix it up and write a shell script that does the following:
TIME=`date +%s`
bzip2 $1
TIME=`date +%s`-$TIME
echo $TIME sec. elapsed
Re:I just encrypt disks full of white noise nowada (Score:2, Interesting)
Re:I just encrypt disks full of white noise nowada (Score:2)
It's like the kids game "Chutes and Ladders." You have no opportunity to do anything that will affect the outcome. You might as well not be playing it.
Re:I just encrypt disks full of white noise nowada (Score:2)
This is actually a pretty good measurement of how random your input is. If it's sufficient close to random then you can't compress it at all.
Re:I just encrypt disks full of white noise nowada (Score:2)
True. In fact, in some cases, using compression on a random file will increase the size of the file rather than decrease it.
Re:I just encrypt disks full of white noise nowada (Score:2)
Drink.
TIMEFMT='%E'; time /home > /tmp/du.out
Adjust to suit if using an older shell. You're welcome.
why no encryption by default? (Score:5, Insightful)
The net is a very public network considering, and especially considering how many protocols are plaintext cheap encryption (pref in hardware) seems like it should be required. It's past the proof of concept stage, just having it work at all isn't enough anymore.
Re:why no encryption by default? (Score:2, Insightful)
Because IPsec is the One True Way of doing IP encryption, and IPsec is basically unusable for opportunistic encryption.
There are lots of encryption options out there if you look for them. Protocols like email (OpenPGP and SMTP over SSL), IM (numerous IM encryption options, ranging from crap to decent), and obviously HTTP have encryption already standard and built into common implementations.
Re:why no encryption by default? (Score:2)
Re:why no encryption by default? (Score:5, Informative)
Another reason for not having a default level of encryption at the network layer is that it takes a long time to get everyone to upgrade. Poor encryption can be worse than none in the sense that non-security-geeks don't know the difference and may assume that their connections are secure. It's better to start with the assumption that they are insecure and if that is not acceptable, mitigate against that risk with an appropriate level of encryption in the application.
Re:why no encryption by default? (Score:2)
if nobody knows how is it more secure than bad encryption?
otherwise i'd agree.
Re:why no encryption by default? (Score:3, Informative)
Because there is really no need to. I don't need to have all the public webpages I request to be sent to me over an encrypted link. Nor the publicly accessible ISO images I download. Nor the files I access over NFS. Etc. Encryption is there when I need it, but I don't need to burden myself, my computer, and the whole network infrastructure with it when I don't need it.
``the client side load is negligable''
I really don't agree with that. T
Re:why no encryption by default? (Score:2)
Re:why no encryption by default? (Score:2)
Re:why no encryption by default? (Score:2)
Re:why no encryption by default? (Score:2)
I've read "Cracking DES". DES is still useful for many applications.
Re:why no encryption by default? (Score:3, Interesting)
Premise is nonsense (Score:5, Informative)
The history of cryptography is not simply one of algorithms thought uncrackable being cracked. It is one of consistent refinement of our understanding and technique, but to imagine that the history of DES means we'll be breaking open 256-bit AES-encrypted messages in a few years is delusion.
Re:Premise is nonsense (Score:5, Informative)
IIRC, when she demonstrated it, they decrypted something like 5,000 passwords from a nearby
She made a point of telling us that the NSA has a copy of her work and her database.
Re:Premise is nonsense (Score:3, Interesting)
The email I'm referring to is down a little ways.
Re:Premise is nonsense (Score:2)
I googled a bit, and found several pages with the same short bio text about her:
Hopefully that helps you in your googling.
Re:Premise is nonsense (Score:2)
Mullin, R., Nemeth, E. and Weidenhofer, N., "Will Public Key Crypto Systems Live up to Their Expectations? HEP Implementation of the Discrete Log Codebreaker", Proc. of the 1984 Intl Conf on Parallel Processing, Aug. 21-24, 1984, pp. 193-196.
This information from Evi Nemeth's bio [caida.org] page. Evi appears to have an e-mail address (on the same page)--you could try contacting her directly.
Re:Premise is nonsense (Score:2)
I'm not taking credit for the lowercase letters however.
She seems like a really nice and smart person. She co-wrote what I've heard is one of the Best UNIX administration books ever. So use a fo
Re:Premise is nonsense (Score:2)
Re:Premise is nonsense (Score:3, Informative)
Also, searching reveals Evi Nemeth talking about implementing a break of a DES keyexchange using Diffie-Hellmann: Date: Fri, 30 Oct 87 19:32:32 MST From: evi@bould
Parent is total bollocks (Score:3, Informative)
DES at launch (Score:2)
Re:DES at launch (Score:2)
Re:Premise is nonsense (Score:2)
Yeah, I was thinking the same thing. I remember learning in my Cryptography class back in school that DES wasn't considered very secure by many cryptographers back in the 80's and how surprising it really is that it took so long to come up with another standard. In fact, the known insecurity of DES is the reason that people started doing DES multiple times: 3DES. Here is some more information on 3DES: http://en.wikipedia.org/wiki/3DES [wikipedia.org] and http://kingkong.me.berkeley.edu/~kenneth/courses/s ims250/des.html [berkeley.edu]
Re:Premise is nonsense (Score:2, Insightful)
Re:Premise is nonsense (Score:2)
That's not quite true. In the case of a one-time pad (OTP), properly-encrypted plaintext will remain hidden forever as long as certain requirements are met (the pad is never used twice, the media containing the pad is not physically captured by the enemy, the pad was sufficiently random to begin with, etc.).
Now, I know some lamer is going to come up and say, "That's not true! Given enough time, SOMEONE will eventuall
AES Far from Secure (Score:3, Interesting)
Read more: http://cr.yp.to/antiforgery/cachetiming-20050414.
Re:AES Far from Secure (Score:2)
why your apps need to be ready for change (Score:2)
Hmmm...I didn't see that part, just another Crypto 101 thing with a pitch for some harware gizmo at the end. Is there another article that should be linked in?
Author appears ignorant about cryptography (Score:5, Insightful)
IBM has considerable cryptographic expertise; it's a shame none of it was brought to bear on this article.
Re:Author appears ignorant about cryptography (Score:2)
In addition to the errors you rightly point out, TFA repeatedly mischaracterizes the machine the EFF built to crack DES. In the sidebar, the author refers to an "accelerator card used in a standard PC." Later on in the article, he refers to the system as using FPGA's to crack DES in 3 hours. The EFF's machine, described in their very good book, was comprised of several racks of custom-built boards with ASIC's, not FPGA's, controlled by one PC. Though that PC was certainly "
Re:Author appears ignorant about cryptography (Score:5, Insightful)
It is also interesting to note the bias they give PGP here. Basically, there are two good asymmetric key distribution schemes in the world: PGP and PKI.
PGP is very useful if you have a small group or feel you can rely on out of band mechanisms for key distribution. For example, if I have been talking to you on the phone, and say I am going to email you my public key, you can be pretty sure it came from me when it arrives a little later.
In a large organization though, key distribution is more problematic, and this is where PKI excells. For example if I receive a message that purports to be from the CIO telling me to install a patch how can I be sure it is really him and not some random dude(ette)? Ah! because the certificate that contains his public key is digitally signed by an entity that I trust (because they told me that I will trust it when I took the job ). PGP is good for dealing with people you know personally or have met in some fashion. PKI is good for dealing with both people you have met personally, and people that you have not met, but need to be able to exchange secure communication with anyway.
On the other hand PGP is free.
Re:Author appears ignorant about cryptography (Score:5, Informative)
PKI just means "public key infrastructure" and can refer to any method for managing and exchanging public keys. X.509 certificates and the entire framework of trusted authorities surrounding them are just one implementation of a PKI. PGP is another, more simplistic implementation.
So you can't really compare PGP, which is a specific application, to PKI, which is just a broad term for key management infrastructures.
And what about "PKI" (in the sense you seem to mean it) isn't free? OpenSSL can do everything with certificates that you'd ever want to do.
Re:Author appears ignorant about cryptography (Score:2)
Compare this with the trust architecture built with assistance from a VeriSign or an Entrust. They have a known trust level based on established practices which filter down through t
Re:Author appears ignorant about cryptography (Score:2)
That wasn't at all the sort of model I was suggesting. Imagine a group of family and friends who want to securely email each other. They select one individual, probably the most resp
It is also worth noting... (Score:2)
(At least, they were in the middle of doing studies on modes the last time I looked, and I've not heard anything on new mode standards since.)
Or how about this quote? (Score:2)
The linked article is of negative value and you're better off skipping it.
Re:Author appears ignorant about cryptography (Score:2, Interesting)
Exactly, and this because the asymmetric part (RSA) is very slow compared to a symmetric algorithm. So we use the asymmetric part only to perform a key agreement protocol, in other words to agree on a new key to be used in the followi
I'm fond of Rabin (Score:2)
Re:I'm fond of Rabin (Score:2)
ECC is probably appropriate in a lot more circumstances than it is used, but I can see reasons why one might choose to use Rabin instead - if one needs the PK operation to be very fast (eg signature verification, see Bernstein's trick for insanely fast Rabin signature verification) or if you are more conf
It is an advert for their co-processors (Score:2)
If one were interested in the history of cryptography, one would read The Code Breakers [amazon.com], by David Kahn (very thick book, yet very interesting). Or, if one were interested in how to utilize cryptography into business processes, one would probably have read Secrets and Lies [schneier.com], by Bruce Schneier.
One does that only because public-key algo
What happened to IDEA encryption method? (Score:3, Interesting)
from my research so far it hasn't been cracked. it was a european standard, so I guess it's not favorable in the US or north america.
it's still my favorite. and maybe it enjoys a bit of "security through obscurity" these days. But I'd really like to know.
and oh, if you're going to say it was cracked, please provide reliable references with links.
Seriously, I'd really like to know.
IDEA is patented (Score:5, Informative)
-paul
unbroken != unbreakable (Score:2)
Careful with that logic. While it's true that no-one has published a "break" for IDEA, that doesn't prove that such a break doesn't exist, waiting to be discovered. It's quite possible that, with other ciphers being much more popular, cryptanalysis is being focused on the "bigger targets," by both black and white hats.
My copy of Applied Cryptography is in storage right now, so I can't look up the details of IDEA (is it a Feistel network? what size are the S-box
Re:unbroken != unbreakable (Score:2)
No SBoxen or anything 'magic' like that.
Re:What happened to IDEA encryption method? (Score:2)
Is /. getting astroturfed again? (Score:5, Insightful)
On the other hand, it does go into cheerful detail on why IBM's Exciting New Coprocessor (r) is the right solution for your enterprise encryption needs!
I know IBM are the 'Good Guys' and all, but that doesn't make advertising for them (especially in the form of a front-page slashdot article) any more palatable than advertising for anyone else...
HA! (Score:5, Funny)
I just used MD5 as my encryption mechanism and the files will NEVER be recovered.
This "joke" such as it is was based on a real world experience where the "smart" IT chap at a company I helped had in his words...
"Tried a number of different compression and encryption approaches and MD5 consistently gave the smallest files"
I asked if they had ever done a recovery, and strangely they had not... it was fun watching them try.
Re:HA! (Score:5, Funny)
"WHAT?"
"It just finished digesting!"
Thank you, I'll be here all week.
Re:HA! (Score:2)
And even better: If you replace -f by -rf, you even can compress whole directories in one go!
Lal!! (Score:2, Funny)
Re:Lal!! (Score:2)
Recommended reading for those with an interest... (Score:5, Interesting)
Neal Stephenson - Cryptonomicon [amazon.com]
Then to explain how Enoch Root lives so long, you'll need to read
Neal Stephenson - The Baroque Cycle Trilogy [wikipedia.org]
Re:Recommended reading for those with an interest. (Score:2)
Anything other than OTP is weak encryption (Score:3, Interesting)
The rest are algorithmic, and therefore susceptible to decryption by algorithmic attacks. Decryption of them is a matter of being clued to the nature of the algorithm, and perhaps in possession of the knowledge of a secret constant with which the decryption algorithm can be generated. And once the constant is guessed, all messages based on it are decrypted.
The only ways to decipher OTP-encrypted messages are to physically access the encryption or decryption pads, or steal the cleartext before it's encrypted or after it's decrypted.
(Note: since VENONA [google.com] was not used only once, it's not actually OTP.)
Re:Anything other than OTP is weak encryption (Score:2)
It might be that that could change for algorithmic though.
But on the other hand, OTP is typically so much more vulnerable to key stealing that you might really be better off using algorithmic.
There's also quantum encryption for unbreakable secure transfer of
Re:Anything other than OTP is weak encryption (Score:2)
Properly used that is true. The Russians used this system during the cold war. Unfortunately, every now and then, a cryptographer would re-use a pad even though procedures dictated never to do so. It wasn't until after Russian spies in the US government reported this to the KGB did they enforce the procedures. It goes to show that sometimes the weakest link involves the humans.
Re:Anything other than OTP is weak encryption (Score:2)
The problem with OTP, is that if you need to encrypt a gig of data, you need a gig of key bytes. A human cannot remember a gig of key bytes, so it mus
Re:Anything other than OTP is weak encryption (Score:2, Interesting)
True, but incomplete -- under the right circumstances, even an OTP can be broken.
To ensure that an OTP is unbreakable, you not only have to ensure that the key is used only once, but you also have to ensure that the key is completely unpredictable. This means starting with a truly random source, and ensuring against introducing bias in sampling that random source.
The problem with this is that most random sources have relatively low bandwidth.
World War II encryption tech (Score:4, Insightful)
Re:World War II encryption tech (Score:4, Insightful)
There's some interesting parallel here. Pre-WWII Polish cryptography (its less known success was breaking the Soviet codes during the war of 1920 [wikipedia.org] - Polish victory helped to save the entire Western world from communism) was so strong thanks to polyethnic character of Polish culture. It was not really difficult to find bilingual Polish mathematicians - fluently speaking the language of the enemy, be it Russia or Germany. Pre-WWII Japan was - and to some extent, still is - a very closed society, with little interest in the world outside. It was difficult to find anyone with any interest in other cultures or languages - not even truly bilingual, among the Japanese mathematicians. In code breaking, victory belongs to the open - not just open algorithms, but also open minded, open societies. This is also why I think that right now, the Western world needs MORE interest in islamic cultures and MORE attempts to understand them - if not for any better reason, just for better decryption of intercepted messages.
Re:World War II encryption tech (Score:2, Informative)
I can guarantee you that the Polish would have been just as stymied by the Navajo "Code-talkers" as the Japanese were.
Re:World War II encryption tech (Score:4, Interesting)
But there were anthropologists, researchers, people who studied Navajo language etc. Japan "closedness" resulted in comparatively low interest in anthropology in general - while in pre-WWII European countries, including Poland, there were people studying alien cultures just for sake of interest in otherness as such. There are no native Nambikwara speakers outside Brasil but in case of war between Brasil and France, French code breakers could break the "Nambikwara code" thanks to works done on Nambikwara by Claude Levi-Strauss. The point is that there were no Levi-Strausses in Japan.
Re:World War II encryption tech (Score:3, Funny)
Re:World War II encryption tech (Score:2)
Its called security by obscurity and is generally considered not cool.
Consider though; there's nothing obscure about a guard with a gun standing by a door, and most people would agree that that door is pretty secure. Imagine if behind that door was a key to unlock a vault someplace that contained a whole lot of money - the fact that the key shape is 'obscure' is secondary to the fact that to discover the key shape you're likely to risk being shot at.
My understanding was that the Navajo code talkers were al
All this shows is (Score:4, Interesting)
Why isn't this standard? A better question is, why can I send a MIME encoded attachement anywhere, but not a PGP encoded plain text email? Imagine the spam you could filter if you had a list of the PGP keys of all your friends and family. Imgaine if they moved email address, but there PGP key stayed the same.
If this is because Zimmerman want his 2 cents (which I can't blame him for) can't it be included in the cost of Windows and Macs, and let the rest of us download it for free? We need authenticatable (if there is such a word) emails, IMs etc yesterday. We have the technology!
Re:All this shows is (Score:2)
What, pray tell, is wrong with the S/MIME standard? Nobody says your certificate has to be signed by Verisign. Jeez, set up your own Trusted Authority for you own group of friends and contacts, and self-sign your certificates.
Who the hell would use PGP...
Re:All this shows is (Score:2)
Verisign deals in x.509 certs, not PGP keys. You can generate your own if you like, but it's much more awkward. Personally, I dislike x.509 certs, not so much because of the technology (it's fundamentally not much different from PGP) but because every implementation I've seen is a pain to work with (e.g. doesn't let you change email address
Re:All this shows is (Score:2)
Anyway, you had one good point:
``how useless popular comms software is.''
I fully agree with you there. PGP has existed for a loooong time. Spam filters have existed for a long time, too. Both can easily be used with mutt. I also believe the Mozilla mail client does a good job here. How long
Re:All this shows is (Score:2)
I understand the point of a trusted third party. What I also understand is that, as you proved to yourself, you just don't need one. As long as you generated the keys yourself, for a large enough key space, the chances of anyone having, or calculating your key pair approaches 0. This is about the same as someone intercepting the transmission of my private key to a trusted third party, but much, much lower than the chance
Re:All this shows is (Score:2)
``I understand the point of a trusted third party. What I also understand is that, as you proved to yourself, you just don't need one. As long as you generated the keys yourself, for a large enough key space, the chances of anyone having, or calculating your key pair approaches 0.''
The issue is not whether someone can or can't generate a key pair identical to yours. The issue is that when you receive a message
Re:All this shows is (Score:3)
Sure, fine, we all know that. But the practical question is how do you start up such a communication in the first place? In other words, how do two parties share a secret without communicating it, and thereby risking its exposure?
The answer is not to share a secret, but instead to use an asymmetric key pair and only communicate the public key. But this only solves part of the problem. Now you can communicate in secret, but y
Re:All this shows is (Score:2)
Except if you don't have a common CA, you can't verify that the message you received is actually the one that was sent.. it's trivial to fake a key without verification.
Even PGP has a CA of sorts (the public key repositories).
Re:All this shows is (Score:2)
Re:All this shows is (Score:2)
I tried out one of the free certificates from one of the trusted companies. What it proved is that even the paid for sol
humans are better (Score:2, Interesting)
Simon Singh's Codebook (Score:2, Informative)
The encryption methods are covered in layman's terms(I think!).
Re:Simon Singh's Codebook (Score:2)
Very interesting, even to this layman.
Time to increase GPG default keysize? (Score:2, Interesting)
Is it time to increase the default keysize in GPG?
Currently, the default key generation method in GPG is to create a 1024 bit DSA master key and Elgamal subkeys. The GNU Privacy Handbook admits [gnupg.org] that a key size of 1024 bits is "not especially good given today's factoring technology."
If the authors of GPG know that 1024 bits is not a good key length for an asymmetric cipher, why not set the default length for the master key at 2048 bits? If that would require switching to RSA as the default signing al
And if it gets cracked... (Score:4, Funny)
Re:OpenSSH has problems right now (Score:2)
You still use passwords? Any publicly accessible server that I use ssh on doesn't allow password authentication anymore. Kinda hard to brute force a password that way. All of us just use our keys for authentication. Then again I don't have to support tons of users doing this as we don't provide shell accounts any more. I only have to support myself and a set of friends who have accounts.
Re:Pet Peeve (Score:3, Funny)