* [gentoo-user] loop-aes + extra-ciphers...

From: Chris Walters @ 2008-06-25 2:20 UTC
To: gentoo-user

Thanks to all who replied to my previous question. This question is related.

Has anyone gotten the 'extra-ciphers' (you can get them from the loop-aes site) to compile with the loop-aes kernel patch in place? If so, could you give me a hint on how to do this?

Also, someone said that it was possible to encrypt using multiple passphrases using dm-crypt. To be clear, are we talking about the same type of multiple passphrases that can be used with AES and Serpent with loop-aes? In other words, you set up a number of passphrases (64 or 65), and the first block uses the first passphrase, the second block uses the second one, etc. The 65th passphrase is added to the hash of the encryption passphrase.

Also (as if that weren't enough), is it possible to encrypt the passphrases or keys in dm-crypt with gnupg, like it is with loop-aes? If so, please give examples.

Regards,
Chris

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] loop-aes + extra-ciphers...

From: Dirk Heinrichs @ 2008-06-25 5:43 UTC
To: gentoo-user

On Wednesday, 25 June 2008, ext Chris Walters wrote:

> Also, someone said that it was possible to encrypt using multiple
> passphrases using dm-crypt.

That was me. To be correct: I wrote that with LUKS (which is based on dm-crypt) it is possible to use multiple keys (a key may be a passphrase or a keyfile on disk). LUKS does this by reserving the first block of an encrypted volume for meta data. Again: see http://luks.endorphin.org for the details.

Bye...

	Dirk
--
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@capgemini.com
Wanheimerstraße 68      | Web:  http://www.capgemini.com
D-40468 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: wwwkeys.pgp.net
* Re: [gentoo-user] loop-aes + extra-ciphers...

From: Daniel Iliev @ 2008-06-25 13:20 UTC
To: gentoo-user

On Tue, 24 Jun 2008 22:20:20 -0400
Chris Walters <cjw2004d@comcast.net> wrote:

> Thanks to all who replied to my previous question. This question is
> related. Has anyone gotten the 'extra-ciphers' (you can get them from
> the loop-aes site) to compile with the loop-aes kernel patch in
> place? If so, could you give me a hint on how to do this?

Perhaps they appear as kernel modules? I'm just guessing.

> Also, someone said that it was possible to encrypt using multiple
> passphrases using dm-crypt. To be clear are we talking about the
> same type of multiple passphrases that can be used with AES and
> Serpent with loop-aes?

Yes, you can have multiple passwords with dm-crypt-luks.

> In other words, you set up a number of
> passphrases (64 or 65), and the first block uses the first
> passphrase, the second block uses the second one, etc. The 65th
> passphrase is added to the hash of the encryption passphrase.

Never bothered to go so deep in the internals, but...

I had a business laptop with non-sensitive (in my opinion) data, but the managers were quite paranoid about that, so I had to encrypt the drives to save myself the administrative trouble in case it was stolen. I followed the gentoo-wiki how-to [1] and found out that encrypting the hdd visibly slowed down the system.

Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2], etc) can break those algorithms relatively easily. On the other hand even weaker algorithms can protect your data against laptop thieves.

What I'm saying is that it is pointless to get very crazy about strong and heavy algorithms. After all, if your enemies are not after your hardware, but after your data, they could always physically force you to reveal the password.

> Also (as if that weren't enough), is it possible to encrypt the
> passphrases or keys in dm-crypt with gnupg, like it is with
> loop-aes? If so, please give examples.

Yes, you could do something like:

  head /dev/urandom | gpg --symmetric -a > key.gpg
  gpg --decrypt key.gpg | cryptsetup luksFormat /dev/some-block-device
  gpg --decrypt key.gpg | cryptsetup luksOpen /dev/some-block-device

(The above commands are not correct, their sole purpose is to show the idea)

[1] System Encryption DM-Crypt with LUKS: http://tinyurl.com/clrk6

[2] M.A.V.O.: http://tinyurl.com/4badqs ; http://tinyurl.com/4chhph :D

--
Best regards,
Daniel
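The two replies above describe the LUKS mechanism in words: Dirk's point that the first block of the volume is reserved for metadata holding several user keys, and Daniel's point that any one of those keys can be a passphrase or arbitrary bytes (for example the output of `gpg --decrypt`). The following toy model is an added example written for this page; it is not code from the thread, not cryptsetup's code, and not the real LUKS on-disk format. It keeps the structure that matters: one random master key per volume, and one header slot per user key that stores the master key wrapped under a key derived from that passphrase or keyfile, so any one user key unlocks the same data and any slot can be removed without re-encrypting. Assumptions are labelled in the comments: 8 slots (the LUKS1 count), PBKDF2-HMAC-SHA256 with a low constructed iteration count, and a single-use XOR mask for wrapping where cryptsetup uses the volume cipher plus anti-forensic splitting.

```python
# Added example: a toy model of LUKS key slots (not the LUKS header format,
# not cryptsetup code).  Assumptions: 8 slots, PBKDF2-HMAC-SHA256 with a
# constructed iteration count, and a single-use XOR mask as the wrap.
import hashlib
import hmac
import os

KEY_LEN = 32          # 256-bit master key
SLOT_COUNT = 8        # LUKS1 has eight key slots
ITERATIONS = 20_000   # constructed; cryptsetup benchmarks this per machine


def derive(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase or keyfile (or the master key, for the digest)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyLuksHeader:
    """The metadata block: a master-key digest plus up to SLOT_COUNT slots."""

    def __init__(self, first_key: bytes):
        master_key = os.urandom(KEY_LEN)        # lives only in RAM while open
        self.mk_digest_salt = os.urandom(16)
        # The digest lets unlock() recognise the right master key without
        # touching the encrypted data; LUKS1 stores the same kind of check.
        self.mk_digest = derive(master_key, self.mk_digest_salt, ITERATIONS)
        self.slots = [None] * SLOT_COUNT
        self._wrap(master_key, first_key)

    def _wrap(self, master_key: bytes, user_key: bytes) -> int:
        """Put master_key, masked by a key derived from user_key, in a free slot."""
        for i, slot in enumerate(self.slots):
            if slot is None:
                salt = os.urandom(32)           # fresh per-slot salt
                mask = derive(user_key, salt, ITERATIONS)
                self.slots[i] = {"salt": salt, "iterations": ITERATIONS,
                                 "wrapped": xor(master_key, mask)}
                return i
        raise RuntimeError("all key slots are in use")

    def unlock(self, user_key: bytes):
        """Try every active slot; return (slot index, master key) or None."""
        for i, slot in enumerate(self.slots):
            if slot is None:
                continue
            candidate = xor(slot["wrapped"],
                            derive(user_key, slot["salt"], slot["iterations"]))
            digest = derive(candidate, self.mk_digest_salt, ITERATIONS)
            if hmac.compare_digest(digest, self.mk_digest):
                return i, candidate
        return None

    def add_key(self, existing_key: bytes, new_key: bytes) -> int:
        """Like luksAddKey: an existing key must unlock the volume first."""
        found = self.unlock(existing_key)
        if found is None:
            raise PermissionError("existing key does not unlock any slot")
        return self._wrap(found[1], new_key)

    def kill_slot(self, index: int) -> None:
        """Like luksKillSlot: the master key stays reachable via other slots."""
        self.slots[index] = None


if __name__ == "__main__":
    passphrase = b"correct horse battery staple"   # constructed passphrase
    keyfile = os.urandom(64)                       # stands in for gpg --decrypt output
    hdr = ToyLuksHeader(passphrase)
    hdr.add_key(passphrase, keyfile)
    print("passphrase opens slot", hdr.unlock(passphrase)[0])
    print("keyfile opens slot", hdr.unlock(keyfile)[0])
    hdr.kill_slot(0)
    print("after killing slot 0, passphrase ->", hdr.unlock(passphrase))
```

Two design points carry over to the real thing: the salt and iteration count are per slot, so a weak passphrase in one slot does not weaken the others beyond the fact that it unlocks the same master key; and adding a key requires an existing key, because the header never stores the master key in the clear.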
* Re: [gentoo-user] loop-aes + extra-ciphers...

From: Chris Walters @ 2008-06-25 15:14 UTC
To: gentoo-user

Daniel Iliev wrote:
| On Tue, 24 Jun 2008 22:20:20 -0400
| Chris Walters <cjw2004d@comcast.net> wrote:

[snip]

| Perhaps they appear as kernel modules? I'm just guessing.

I think that is how they are supposed to appear, but I can't seem to get them to compile, and the instructions are not too helpful.

[snip]

| Yes, you can have multiple passwords with dm-crypt-luks.

That is good.

[snip]

| Never bothered to go so deep in the internals, but...
|
| I had a business laptop with non-sensitive (in my opinion) data, but
| the managers were quite paranoid about that, so I had to encrypt the
| drives to save myself the administrative trouble in case it was stolen.
| I followed the gentoo-wiki how-to [1] and found out that encrypting the
| hdd visibly slowed down the system.
|
| Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2],
| etc) can break those algorithms relatively easily. On the other hand even
| weaker algorithms can protect your data against laptop thieves.

That's more than a rumor. Another three letter agency (NSA) has networks of supercomputers that can brute force a passphrase in little time. I am majoring in mathematics, and plan to specialize in cryptology. I doubt they'd let me publish an algorithm that is very hard to break...

It is not that I'm terribly paranoid about people getting my data, I just want to make it a little harder. Of course, it is always possible to insert code that will send the unencrypted data, once you've logged on - not easy for the casual user, but for the guru, an easy thing.

| What I'm saying is that it is pointless to get very crazy about strong
| and heavy algorithms. After all if your enemies are not after your
| hardware, but after your data, they could always physically force you
| to reveal the password.

Yes, I suppose that they could do that, using torture or something like that.

[snip]

| Yes, you could do something like:
|
| head /dev/urandom | gpg --symmetric -a > key.gpg
| gpg --decrypt key.gpg | cryptsetup luksFormat /dev/some-block-device
| gpg --decrypt key.gpg | cryptsetup luksOpen /dev/some-block-device
|
| (The above commands are not correct, their sole purpose is to show the
| idea)

Thanks for the ideas, and for the links. I will be checking them out.

| [1] System Encryption DM-Crypt with LUKS: http://tinyurl.com/clrk6
|
| [2] M.A.V.O.: http://tinyurl.com/4badqs ; http://tinyurl.com/4chhph :D

Regards,
Chris
* Re: [gentoo-user] loop-aes + extra-ciphers...

From: Sebastian Wiesner @ 2008-06-25 18:51 UTC
To: gentoo-user

Chris Walters <cjw2004d@comcast.net> at Wednesday 25 June 2008, 17:14:20

> | Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2],
> | etc) can break those algorithms relatively easily. On the other hand even
> | weaker algorithms can protect your data against laptop thieves.

You had better use the acronym FUD instead of the word "rumor". US government itself has declared Rijndael 256 sufficient for classified information up to top secret. This level of security is shared among all AES finalists like RC6 or Serpent.

> That's more than a rumor. Another three letter agency (NSA) has networks
> of supercomputers that can brute force a passphrase in little time.

Bruteforcing a _passphrase_ is not the same as bruteforcing a key. And both of these have nothing to do with the algorithm itself. They are side-attacks ... a weak passphrase is user idiocy, not a cipher weakness.

> It is not that I'm terribly paranoid about people getting my data, I just
> want to make it a little harder.

What's the point in making the impossible even harder?

> Of course, it is always possible to insert code that will send the
> unencrypted data, once you've logged on - not easy for the casual user,
> but for the guru, an easy thing.

That's operating system security and has nothing to do with cryptology. Someone having only your hard disk can't inject a rootkit into the system.

--
Freedom is always the freedom of dissenters.
                                      (Rosa Luxemburg)
* Re: [gentoo-user] loop-aes + extra-ciphers...

From: Chris Walters @ 2008-06-25 20:25 UTC
To: gentoo-user

Sebastian Wiesner wrote:
| Chris Walters <cjw2004d@comcast.net> at Wednesday 25 June 2008, 17:14:20
|
|> | Rumor has it that the three-letter agencies (CIA, KGB, M.A.V.O. [2],
|> | etc) can break those algorithms relatively easily. On the other hand even
|> | weaker algorithms can protect your data against laptop thieves.
|
| You had better use the acronym FUD instead of the word "rumor". US
| government itself has declared Rijndael 256 sufficient for classified
| information up to top secret. This level of security is shared among all
| AES finalists like RC6 or Serpent.
|
|> That's more than a rumor. Another three letter agency (NSA) has networks
|> of supercomputers that can brute force a passphrase in little time.
|
| Bruteforcing a _passphrase_ is not the same as bruteforcing a key. And both
| of these have nothing to do with the algorithm itself. They are
| side-attacks ... a weak passphrase is user idiocy, not a cipher
| weakness.
|
|> It is not that I'm terribly paranoid about people getting my data, I just
|> want to make it a little harder.
|
| What's the point in making the impossible even harder?
|
|> Of course, it is always possible to insert code that will send the
|> unencrypted data, once you've logged on - not easy for the casual user,
|> but for the guru, an easy thing.
|
| That's operating system security and has nothing to do with cryptology.
| Someone having only your hard disk can't inject a rootkit into the system.

Are you a cryptology expert? By the way, nothing is impossible. The only thing that cryptography attempts to do is reduce the **probability** of cracking the key and gaining access to the data as low as possible.

As for brute forcing a passphrase: Since most implementations of AES (Rijndael) use a hash of the passphrase to form the key, it amounts to the same thing, in practice, as cracking the key.

Cryptology is, at least partly, about finding the weakest link, because that is what is likely to be attacked in any cryptosystem. If the weakest link is system security or a weak passphrase, then that weakness translates to a weakness in anything encrypted in such an environment.

The US Government only keeps classified information on non-networked computers in secure environments, so the cipher used does not matter as much as the other security measures taken to ensure that the data does not fall into the wrong hands.

A final thought: It is a fact that both the US Navy and the NSA are *very* interested in cryptology and data security. The NSA also does have large networks of supercomputers that, using parallel, distributed or concurrent computing principles, can crack keys more quickly than you may think.

Regards,
Chris
* Re: [gentoo-user] loop-aes + extra-ciphers...

From: Sebastian Wiesner @ 2008-06-25 21:24 UTC
To: gentoo-user

Chris Walters <cjw2004d@comcast.net> at Wednesday 25 June 2008, 22:25:18

> Are you a cryptology expert?

Are you then?

> The only thing that cryptography attempts to do is reduce the
> **probability** of cracking the key and gaining access to the data as low
> as possible.

No news. That's why cryptology defines "security" not as "being impossible to crack", but as "being sufficiently improbable to crack". The only cipher that can't be "brute-forced" is the OTP, which is considered "perfectly secure".

> As for brute forcing a passphrase: Since most implementations of AES
> (Rijndael) use a hash of the passphrase to form the key, it amounts to
> the same thing, in practice, as cracking the key.

First of all, you can perform hard disk encryption _without_ a passphrase. You can store keyfiles on smart cards, usb sticks, etc. In this case, you can generate a _truly random_ key.

Using a passphrase is the most insecure approach, but still, with a sufficiently random passphrase, you can gain a level of security that even the NSA will find difficult to come around.

The randomness of a 30-char passphrase does of course by far not match the randomness of a 256-bit key, so there is a real chance that it can be guessed by brute force. Still it will take much cpu time, which is not endless, even to the NSA.

In such a case, the question is if the data you ciphered is really worth the effort of putting a super computer into work for a long time to try any possible passphrase.

> Cryptology is, at least partly, about finding the weakest link, because
> that is what is likely to be attacked in any cryptosystem.

Of course, absolutely true. Hard disk encryption is by far not perfect, just look at the cold boot attacks that gained public interest in the last time. But you didn't talk of _cryptosystems_ in your previous posts, you did talk about _algorithms_.

Summarizing, the modern ciphers themselves are secure, as there is mostly no way to crack them save a brute-force attack on the key. On the other hand, cryptosystems built around these algorithms can of course contain weaknesses and holes, like weak passphrases, insecure key storage, etc.

> The US Government only keeps classified information on non-networked
> computers in secure environments, so the cipher used does not matter as
> much as the other security measures taken to ensure that the data does
> not fall into the wrong hands.

Maybe. I do not know which restrictions apply to US classified data, I only know about official statements the US government made towards the security of AES.

> A final thought: It is a fact that both the US Navy and the NSA are
> *very* interested in cryptology and data security. The NSA also does
> have large networks of supercomputers that, using parallel, distributed
> or concurrent computing principles, can crack keys more quickly than you
> may think.

You can use simple mathematics to find out that even the largest super computers, having one petaflop, need millions of years to perform an exhaustive search through AES key space.

Anyway, you may believe what you want to believe, I'm just reflecting what real experts like Bruce Schneier have been telling for years: It's wrong to trust in simple ciphers, but it's equally wrong to believe that anything can be broken.

my 2 cents

--
Freedom is always the freedom of dissenters.
                                      (Rosa Luxemburg)
* Re: [gentoo-user] loop-aes + extra-ciphers...

From: Jason Rivard @ 2008-06-25 21:53 UTC
To: gentoo-user

On Wed, Jun 25, 2008 at 9:24 PM, Sebastian Wiesner <basti.wiesner@gmx.net> wrote:

> Chris Walters <cjw2004d@comcast.net> at Wednesday 25 June 2008, 22:25:18
> > Are you a cryptology expert?
>
> Are you then?

I doubt that either of you are cryptology experts. I've known a few, and I am a crypto-expert, who has worked for the government of the US.

> > The only thing that cryptography attempts to do is reduce the
> > **probability** of cracking the key and gaining access to the data as low
> > as possible.
>
> No news. That's why cryptology defines "security" not as "being impossible
> to crack", but as "being sufficiently improbable to crack". The only
> cipher that can't be "brute-forced" is the OTP, which is
> considered "perfectly secure".

There is no such thing as perfectly secure, but a cipher algorithm that would take *all* the computers on Earth a year or more to crack is pretty secure.

> > As for brute forcing a passphrase: Since most implementations of AES
> > (Rijndael) use a hash of the passphrase to form the key, it amounts to
> > the same thing, in practice, as cracking the key.
>
> First of all, you can perform hard disk encryption _without_ a passphrase.
> You can store keyfiles on smart cards, usb sticks, etc. In this case, you
> can generate a _truly random_ key.
>
> Using a passphrase is the most insecure approach, but still, with a
> sufficiently random passphrase, you can gain a level of security that even
> the NSA will find difficult to come around.
>
> The randomness of a 30-char passphrase does of course by far not match the
> randomness of a 256-bit key, so there is a real chance that it can be
> guessed by brute force. Still it will take much cpu time, which is not
> endless, even to the NSA.

I don't think I can really comment on this, except to say that smart cards and usb thumb drives are the way to go for security. As long as you can keep control of the device.

> In such a case, the question is if the data you ciphered is really worth
> the effort of putting a super computer into work for a long time to try any
> possible passphrase.

Mr. Walters' claim is not that they would put a single super-computer to decrypting it, but a "network of supercomputers". I truly don't think you have to worry about that occurring, unless you are deemed a danger to US National Security. Even then, AES is very hard to crack. The major weakness is the person who encrypts the data. Under questioning, most will give up their keys.

> > Cryptology is, at least partly, about finding the weakest link, because
> > that is what is likely to be attacked in any cryptosystem.
>
> Of course, absolutely true. Hard disk encryption is by far not perfect,
> just look at the cold boot attacks that gained public interest in the last
> time. But you didn't talk of _cryptosystems_ in your previous posts, you
> did talk about _algorithms_.

By themselves algorithms are relatively useless. It is only the application of those algorithms that makes them useful. In this case, Mr. Walters pointed out how *NOT* to apply cipher algorithms. Some of the ways, anyway.

> Summarizing, the modern ciphers themselves are secure, as there is mostly no
> way to crack them save a brute-force attack on the key. On the other hand,
> cryptosystems built around these algorithms can of course contain
> weaknesses and holes, like weak passphrases, insecure key storage, etc.
>
> > The US Government only keeps classified information on non-networked
> > computers in secure environments, so the cipher used does not matter as
> > much as the other security measures taken to ensure that the data does
> > not fall into the wrong hands.
>
> Maybe. I do not know which restrictions apply to US classified data, I
> only know about official statements the US government made towards the
> security of AES.

I can neither confirm nor deny Mr. Walters' statement. I will state that the United States Government does, in fact, use ciphers to communicate with Embassies, Military Camps and Bases abroad, and Naval vessels. That hardly fits Mr. Walters' statement.

> > A final thought: It is a fact that both the US Navy and the NSA are
> > *very* interested in cryptology and data security. The NSA also does
> > have large networks of supercomputers that, using parallel, distributed
> > or concurrent computing principles, can crack keys more quickly than you
> > may think.
>
> You can use simple mathematics to find out that even the largest super
> computers, having one petaflop, need millions of years to perform an
> exhaustive search through AES key space.
>
> Anyway, you may believe what you want to believe, I'm just reflecting what
> real experts like Bruce Schneier have been telling for years: It's wrong
> to trust in simple ciphers, but it's equally wrong to believe that
> anything can be broken.

It is equally wrong to believe that any cipher is immune to attack, but it is not nearly as easy as Mr. Walters would have you believe.

> my 2 cents

My nickel...

Jase
* Re: [gentoo-user] loop-aes + extra-ciphers...

From: Sebastian Wiesner @ 2008-06-25 22:10 UTC
To: gentoo-user

"Jason Rivard" <jase.rivard@gmail.com> at Wednesday 25 June 2008, 23:53:23

> > > The only thing that cryptography attempts to do is reduce the
> > > **probability** of cracking the key and gaining access to the data as
> > > low as possible.
> >
> > No news. That's why cryptology defines "security" not as "being impossible
> > to crack", but as "being sufficiently improbable to crack". The only
> > cipher that can't be "brute-forced" is the OTP, which is
> > considered "perfectly secure".
>
> There is no such thing as perfectly secure,

An OTP cannot be broken using brute force, so the term "perfectly secure" fits here, imho, at least a bit ;)

> > In such a case, the question is if the data you ciphered is really
> > worth the effort of putting a super computer into work for a long time
> > to try any possible passphrase.
>
> Mr. Walters' claim is not that they would put a single super-computer to
> decrypting it, but a "network of supercomputers".

Does that difference really matter for ciphers like AES or at least for brute-force attacks on random 256-bit keys?

> I truly don't think you
> have to worry about that occurring, unless you are deemed a danger to US
> National Security. Even then, AES is very hard to crack. The major
> weakness is the person who encrypts the data. Under questioning, most
> will give up their keys.
>
> > > Cryptology is, at least partly, about finding the weakest link,
> > > because that is what is likely to be attacked in any cryptosystem.
> >
> > Of course, absolutely true. Hard disk encryption is by far not
> > perfect, just look at the cold boot attacks that gained public interest
> > in the last time. But you didn't talk of _cryptosystems_ in your
> > previous posts, you did talk about _algorithms_.
>
> By themselves algorithms are relatively useless. It is only the
> application of those algorithms that makes them useful.

Still, there is a difference between the algorithm as such and a cryptosystem applying this algorithm.

Btw, apart from general stuff like weak passphrases, that apply to most cryptosystems, really bad leaks often came from weak algorithms. Consider WEP.

> > > A final thought: It is a fact that both the US Navy and the NSA are
> > > *very* interested in cryptology and data security. The NSA also does
> > > have large networks of supercomputers that, using parallel,
> > > distributed or concurrent computing principles, can crack keys more
> > > quickly than you may think.
> >
> > You can use simple mathematics to find out that even the largest super
> > computers, having one petaflop, need millions of years to perform an
> > exhaustive search through AES key space.
> >
> > Anyway, you may believe what you want to believe, I'm just reflecting
> > what real experts like Bruce Schneier have been telling for years: It's
> > wrong to trust in simple ciphers, but it's equally wrong to believe
> > that anything can be broken.
>
> It is equally wrong to believe that any cipher is immune to attack

I don't, and I did not say so; things like the Debian disaster bring you back to reality from dreams ...

--
Freedom is always the freedom of dissenters.
                                      (Rosa Luxemburg)
* Re: [gentoo-user] My last words on cryptology and cryptography.

From: Chris Walters @ 2008-06-26 2:22 UTC
To: gentoo-user

Sebastian Wiesner wrote:
| "Jason Rivard" <jase.rivard@gmail.com> at Wednesday 25 June 2008, 23:53:23

[snip]

| An OTP cannot be broken using brute force, so the term "perfectly secure"
| fits here, imho, at least a bit ;)

An OTP cipher would be *theoretically* impossible to crack, even given infinite computing power. I use the word "theoretically" here because this "perfect security" of OTP depends on a purely theoretical perfect setting.

http://en.wikipedia.org/wiki/One-time_pad

| Does that difference really matter for ciphers like AES or at least for
| brute-force attacks on random 256-bit keys?

The key word here is "random". Nothing generated by your computer can generate pure entropy, only a good representation of it.

Now if you have a computer network at your disposal, and can get the computers working in parallel or in a distributed manner, you will notice that tasks are completed much faster than with one computer working on that task. A network of supercomputers would be able to, in a sense, either work on breaking a single key at a time (assuming CBC with keys >= blocks), then you could decrypt the message one block at a time. I did not say it would be very fast, just faster than many people would like to assume.

[snip]

| Still, there is a difference between the algorithm as such and a
| cryptosystem applying this algorithm.
|
| Btw, apart from general stuff like weak passphrases, that apply to most
| cryptosystems, really bad leaks often came from weak algorithms. Consider
| WEP.

An algorithm is just a "recipe" - a set of steps to achieve a task. The implementation is the *only* thing that counts. A weak implementation of AES256 would lead to a weak cryptosystem, while a strong implementation would, theoretically, lead to a strong cryptosystem.

I will state my view as a programmer. An algorithm is next to useless without a working application that uses it.

As an aside, let us say you use a USB thumb drive or the like to store a master key, from which cryptographically random quality keys are derived. There would be two weak points in that system. You, and the thumb drive. If any entity can get you, your computer and your thumb drive, your data could be decrypted without the need for a supercomputer.

[snip]

|>> Anyway, you may believe what you want to believe, I'm just reflecting
|>> what real experts like Bruce Schneier have been telling for years: It's
|>> wrong to trust in simple ciphers, but it's equally wrong to believe
|>> that anything can be broken.
|> It is equally wrong to believe that any cipher is immune to attack
|
| I don't, and I did not say so; things like the Debian disaster bring you back
| to reality from dreams ...

With desktop computing power and speed growing at the rate that it currently is, does it stretch the imagination so much that supercomputer power and speed is also growing at a similar rate? Even if an AES256 key cannot be broken "in a million years" by one supercomputer (*I* would like to see a citation for that), there will soon be a time when it will be able to be cracked in a much shorter time - with one supercomputer.

Regards,
Chris
* Re: [gentoo-user] My last words on cryptology and cryptography.
From: Alan McKinnon @ 2008-06-26 8:54 UTC
To: gentoo-user

On Thursday 26 June 2008, Chris Walters wrote:
> Sebastian Wiesner wrote:
> | I don't and I did not say so, things like the Debian disaster bring
> | you back to reality from dreams ...

This is the favoured method of cracking encryption - misuse by the user. The canonical example is of course Enigma and the stupid mistake that let the Allies crack it. This is entirely analogous to the Debian fiasco.

> With desktop computing power and speed growing at the rate that it
> currently is, does it stretch the imagination so much that
> supercomputer power and speed is also growing at a similar rate.
> Even if an AES256 key cannot be broken "in a million years" by one
> supercomputer (*I* would like to see a citation for that), there will
> soon be a time when it will be able to be cracked in a much shorter
> time - with one supercomputer.

No-one has ever seriously said that it will take X time to crack a key. The possibility exists that the first key randomly selected in a brute force attack will match, which gives you a time to crack in the millisecond range.

The calculation is quite simple - measure how quickly a specific computer can match keys. Divide this into the size of the keyspace. The average time to brute force a key is half that value. AFAIK this still averages out at enormous numbers of years, even at insane calculation rates like what RoadRunner can achieve.

All this presupposes that the algorithm in question has no known cryptographic weaknesses, so brute force is the only feasible method of attack currently.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] My last words on cryptology and cryptography.
From: kashani @ 2008-06-26 18:35 UTC
To: gentoo-user

Alan McKinnon wrote:
> The calculation is quite simple - measure how quickly a specific
> computer can match keys. Divide this into the size of the keyspace. The
> average time to brute force a key is half that value. AFAIK this still
> averages out at enormous numbers of years, even at insane calculation
> rates like what RoadRunner can achieve.

256 bit keys. The 115792089237316195423570985008687907853269984665640564039457584007913129639936 keys are quite a lot to check (although, if all the atoms in the universe [estimated 10^78] were to test 1 key/sec, it'd only take about 0.1157920892 seconds).

However.. 512 bit keys with all the atoms testing a trillion keys/second would take about (2^512)/(10^78)/60/60/24/(36525/100)/(10^12) or 4.2486779507765473608e56 years..

I submit that brute forcing an AES key of reasonable length is currently impossible in an amount of time that would matter to the human race.

kashani

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] My last words on cryptology and cryptography.
From: Steven Lembark @ 2008-06-26 21:52 UTC
To: gentoo-user

> I submit that brute forcing an AES key of reasonable length is
> currently impossible in an amount of time that would matter to the human
> race.

On average yes.

As already pointed out, however, there is nothing to prevent the first guess from matching a key and cracking one particular example of the cipher in 0.0001 seconds.

Therefore, brute forcing an AES key of any length is quite possible, even if it is unlikely. q.e.d.

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] My last words on cryptology and cryptography.
From: kashani @ 2008-06-27 0:06 UTC
To: gentoo-user

Steven Lembark wrote:
>
>> I submit that brute forcing an AES key of reasonable length is
>> currently impossible in an amount of time that would matter to the
>> human race.
>
> On average yes.
>
> As already pointed out, however, there is nothing
> to prevent the first guess from matching a key and
> cracking one particular example of the cipher in
> 0.0001 seconds.
>
> Therefore, brute forcing an AES key of any length
> is quite possible, even if it is unlikely. q.e.d.
>

This is not interesting data nor particularly relevant. That said, the chances that your key is not randomly guessed are far, far better than average. Getting lucky is not the same as being able to evaluate a significant portion of the key space in a short period of time.

kashani

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] My last words on cryptology and cryptography.
From: Sebastian Wiesner @ 2008-06-27 13:04 UTC
To: gentoo-user

Steven Lembark <lembark@wrkhors.com> at Thursday 26 June 2008, 23:52:17
> > I submit that brute forcing an AES key of reasonable length is
> > currently impossible in an amount of time that would matter to the
> > human race.
>
> On average yes.
>
> As already pointed out, however, there is nothing
> to prevent the first guess from matching a key and
> cracking one particular example of the cipher in
> 0.0001 seconds.

A probability of something like 1 / 50000 to die in a car accident does not prevent one from driving a car. But a probability of 1 / (2^256) of finding the first key right away at the first guess is easily held up against key security of AES ... now that's a very strange mismatch. Apparently you consider the security of your life much, much less worth than security of your encrypted hard disk ...

--
Freedom is always the freedom of dissenters. (Rosa Luxemburg)

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] My last words on cryptology and cryptography.
From: Sebastian Wiesner @ 2008-06-26 20:14 UTC
To: gentoo-user

Alan McKinnon <alan.mckinnon@gmail.com> at Thursday 26 June 2008, 10:54:43
> The calculation is quite simple - measure how quickly a specific
> computer can match keys. Divide this into the size of the keyspace. The
> average time to brute force a key is half that value. AFAIK this still
> averages out at enormous numbers of years, even at insane calculation
> rates like what RoadRunner can achieve.

According to Wikipedia RoadRunner is designed for 1.7 petaflops in peak. Assuming for the sake of simplicity, that decryption can be performed within a single flop:

(2^256) / (1.7 * 10^15) / 2 ~= 3.5 * 10^61

In years:

3.5 * 10^61 / 3600 / 24 / 356 ~= 10^54

Correct me if I'm wrong, but it seems impossible to me to reduce this to get the required amount somewhere near to the life time of a human being ;)

--
Freedom is always the freedom of dissenters. (Rosa Luxemburg)

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] My last words on cryptology and cryptography.
From: Alan McKinnon @ 2008-06-26 20:39 UTC
To: gentoo-user

On Thursday 26 June 2008, Sebastian Wiesner wrote:
> Alan McKinnon <alan.mckinnon@gmail.com> at Thursday 26 June 2008,
> 10:54:43
>
> > The calculation is quite simple - measure how quickly a specific
> > computer can match keys. Divide this into the size of the keyspace.
> > The average time to brute force a key is half that value. AFAIK
> > this still averages out at enormous numbers of years, even at
> > insane calculation rates like what RoadRunner can achieve.
>
> According to Wikipedia RoadRunner is designed for 1.7 petaflops in
> peak. Assuming for the sake of simplicity, that decryption can be
> performed within a single flop:
>
> (2^256) / (1.7 * 10^15) / 2 ~= 3.5 * 10^61
>
> In years:
>
> 3.5 * 10^61 / 3600 / 24 / 356 ~= 10^54
>
> Correct me if I'm wrong, but it seems impossible to me, to reduce
> this get the required amount somewhere near to the life time of a
> human being ;)

Even with your ultra-liberal assumptions, it still comes out to:

1000000000000000000000000000000000000

times longer than the entire universe is believed to have existed thus far (14 billion years). That is an unbelievably stupendously long period of time. Yeah, I'd agree that brute force is utterly unfeasible as a vector of attack. Not even the almighty NSA could ever pull that one off as there simply aren't enough atoms in the universe to make a supercomputer big enough.

Numbers don't lie.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
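The keyspace arithmetic that kashani, Sebastian and Alan work through above (keyspace divided by trial rate, halved for the average case, converted to years and to multiples of the age of the universe) as an added calculator. This is example code, not from any of the posters. The constants are assumptions taken from the thread for illustration: 1.7e15 trials per second for RoadRunner (accepting the one-flop-per-trial simplification), 1e78 atoms in the observable universe, 1.4e10 years for the age of the universe, and, for Chris's argument about growing compute, an assumed doubling of trial throughput every 18 months.

```python
"""Brute-force cost calculator for the keyspace arithmetic in the thread.

Added example, not code from any of the posters. All rate and age constants
are assumptions for illustration; the arithmetic is exact Python integers
until the final conversion to float years.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 1.4e10            # assumption used in the thread
ROADRUNNER_TRIALS_PER_SECOND = 1.7e15  # assumption: one key trial per flop
ATOMS_IN_UNIVERSE = 10 ** 78           # assumption used by kashani


def keyspace(key_bits):
    """Number of distinct keys for a key_bits-bit key."""
    return 2 ** key_bits


def worst_case_seconds(key_bits, keys_per_second):
    """Time to exhaust the entire keyspace at the given trial rate."""
    return keyspace(key_bits) / keys_per_second


def expected_seconds(key_bits, keys_per_second):
    """Average time to hit the key: half the keyspace, as Alan describes."""
    return worst_case_seconds(key_bits, keys_per_second) / 2


def to_years(seconds):
    return seconds / SECONDS_PER_YEAR


def universe_lifetimes(seconds):
    """How many ages of the universe the given duration spans."""
    return to_years(seconds) / UNIVERSE_AGE_YEARS


def doublings_needed(key_bits, keys_per_second, target_seconds):
    """Number of times the trial rate must double before the expected
    brute-force time falls to target_seconds (Chris's growth argument).
    A slower-than-exponential cipher speed-up only makes this larger."""
    ratio = expected_seconds(key_bits, keys_per_second) / target_seconds
    return 0 if ratio <= 1 else math.ceil(math.log2(ratio))


def years_until_feasible(key_bits, keys_per_second, target_seconds,
                         doubling_months=18):
    """Calendar years until the doublings above have happened, assuming
    throughput doubles every doubling_months (an assumption, not a law)."""
    return doublings_needed(key_bits, keys_per_second,
                            target_seconds) * doubling_months / 12


if __name__ == "__main__":
    for bits in (128, 256, 512):
        secs = expected_seconds(bits, ROADRUNNER_TRIALS_PER_SECOND)
        print(f"AES-{bits} on RoadRunner: {to_years(secs):.2e} years on average, "
              f"{universe_lifetimes(secs):.2e} universe lifetimes; "
              f"{doublings_needed(bits, ROADRUNNER_TRIALS_PER_SECOND, SECONDS_PER_YEAR)} "
              f"doublings of throughput before it fits in a year")
    print(f"all atoms at 1 key/s, full 2^256: "
          f"{worst_case_seconds(256, ATOMS_IN_UNIVERSE):.4f} s")
```

The last function is the quantitative form of the growth argument: for a 256-bit key at the RoadRunner rate it reports 180 doublings before the average search fits in a year, which at one doubling per 18 months is 270 years, and every extra key bit adds one more doubling. The same calculator reproduces kashani's 0.1158 s and 4.25e56 year figures, since those are the full-keyspace (worst case) numbers rather than the halved average.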
* [gentoo-user] h
From: Volker Armin Hemmann @ 2008-06-26 22:10 UTC
To: gentoo-user

On Donnerstag, 26. Juni 2008, Alan McKinnon wrote:
> On Thursday 26 June 2008, Sebastian Wiesner wrote:
> > Alan McKinnon <alan.mckinnon@gmail.com> at Thursday 26 June 2008,
> > 10:54:43
> >
> > > The calculation is quite simple - measure how quickly a specific
> > > computer can match keys. Divide this into the size of the keyspace.
> > > The average time to brute force a key is half that value. AFAIK
> > > this still averages out at enormous numbers of years, even at
> > > insane calculation rates like what RoadRunner can achieve.
> >
> > According to Wikipedia RoadRunner is designed for 1.7 petaflops in
> > peak. Assuming for the sake of simplicity, that decryption can be
> > performed within a single flop:
> >
> > (2^256) / (1.7 * 10^15) / 2 ~= 3.5 * 10^61
> >
> > In years:
> >
> > 3.5 * 10^61 / 3600 / 24 / 356 ~= 10^54
> >
> > Correct me if I'm wrong, but it seems impossible to me, to reduce
> > this get the required amount somewhere near to the life time of a
> > human being ;)
>
> Even with your ultra-liberal assumptions, it still comes out to:
>
> 1000000000000000000000000000000000000
>
> times longer than the entire universe is believed to have existed thus
> far (14 billion years). That is an unbelievable stupendously long
> period of time. Yeah, I'd agree that brute force is utterly unfeasible
> as a vector of attack. Not even the almighty NSA could ever pull that
> one off as there simply aren't enough atoms in the universe to make a
> supercomputer big enough.
>
> Numbers don't lie.

and this is why nobody uses brute force.

There are better ways to crack keys. NSA has tons of experts in mathematics and cryptanalysis. Plus very sophisticated hardware. I am sure for most ciphers they use something much more efficient than stupid brute force.

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Sebastian Günther @ 2008-06-26 22:47 UTC
To: gentoo-user

* Volker Armin Hemmann (volker.armin.hemmann@tu-clausthal.de) [27.06.08 00:12]:
> and this is why nobody uses brute force.
>
> There are better ways to crack keys. NSA has tons of experts in mathematics and
> cryptanalysis. Plus very sophisticated hardware. I am sure for most ciphers
> they use something much more efficient than stupid brute force.
>

The thing about these keys is, that there is no better way than to brute force such keys. The algorithm uses a function whose inverse is a known hard problem which resides in NP, which is a class of functions equal to just guessing. If the NSA had a sufficient algorithm, that is capable of reducing the time that much, they should also be able to prove P=NP. This is worth 1.000.000$ iirc and somehow you should get a Nobel Prize for it.

For deeper and better insight, take some courses in cryptography and theoretical computer science, they are quite good at Clausthal.

Sebastian

--
" Religion ist das Opium des Volkes. " Karl Marx
SEB@STI@N GÜNTHER mailto:samson@guenther-roetgen.de

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Neil Bothwick @ 2008-06-26 23:37 UTC
To: gentoo-user

On Fri, 27 Jun 2008 00:47:34 +0200, Sebastian Günther wrote:

> If the NSA had a sufficient algorithm, that is capable of
> reducing the time that much, they should also be able to prove P=NP.
> This is worth 1.000.000$ iirc and somehow you should get a Nobel Prize
> for it.

I'm sure the NSA would be happy to forego the prize and keep quiet about being able to break a secure cipher. Just like our GCHQ came up with public key cryptography several years before Rivest, Shamir and Adleman published RSA but kept it secret for over 30 years.

--
Neil Bothwick

If I save time, when do I get it back?

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Stroller @ 2008-06-27 9:44 UTC
To: gentoo-user

On 27 Jun 2008, at 00:37, Neil Bothwick wrote:
> On Fri, 27 Jun 2008 00:47:34 +0200, Sebastian Günther wrote:
>
>> If the NSA had a sufficient algorithm, that is capable of
>> reducing the time that much, they should also be able to prove P=NP.
>> This is worth 1.000.000$ iirc and somehow you should get a Nobel
>> Prize for it.
>
> I'm sure the NSA would be happy to forego the prize and keep quiet
> about being able to break a secure cipher.

I can't help wondering if - since P=NP is such a big problem - the advantages of having this knowledge in the public domain might override the advantages of mere spying.

Stroller.

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Neil Bothwick @ 2008-06-27 10:08 UTC
To: gentoo-user

On Fri, 27 Jun 2008 10:44:00 +0100, Stroller wrote:

> > I'm sure the NSA would be happy to forego the prize and keep quiet
> > about being able to break a secure cipher.
>
> I can't help wondering if - since P=NP is such a big problem - the
> advantages of having this knowledge in the public domain might
> override the advantages of mere spying.

I'm sure the holy grail for the NSA is a cipher that everyone thinks is totally secure but they can break. These agencies aren't interested in the greater good, only furthering their own goals.

--
Neil Bothwick

Tagline file empty. Please refill the bit bucket.

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Alan McKinnon @ 2008-06-27 13:48 UTC
To: gentoo-user

On Friday 27 June 2008, Neil Bothwick wrote:
> On Fri, 27 Jun 2008 10:44:00 +0100, Stroller wrote:
> > > I'm sure the NSA would be happy to forego the prize and keep
> > > quiet about being able to break a secure cipher.
> >
> > I can't help wondering if - since P=NP is such a big problem - the
> > advantages of having this knowledge in the public domain might
> > override the advantages of mere spying.
>
> I'm sure the holy grail for the NSA is a cipher that everyone thinks
> is totally secure but they can break. These agencies aren't
> interested in the greater good, only furthering their own goals.

This is the spooks we are talking about so I'm sure Neil is right and they are having wet dreams about this very thing.

All I can say is, thank $DEITY for open/free software and open algorithms.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Chris Walters @ 2008-06-27 22:00 UTC
To: gentoo-user

Alan McKinnon wrote:
| On Friday 27 June 2008, Neil Bothwick wrote:
|> On Fri, 27 Jun 2008 10:44:00 +0100, Stroller wrote:
|>>> I'm sure the NSA would be happy to forego the prize and keep
|>>> quiet about being able to break a secure cipher.
|>> I can't help wondering if - since P=NP is such a big problem - the
|>> advantages of having this knowledge in the public domain might
|>> override the advantages of mere spying.
|> I'm sure the holy grail for the NSA is a cipher that everyone thinks
|> is totally secure but they can break. These agencies aren't
|> interested in the greater good, only furthering their own goals.
|
| This is the spooks we are talking about so I'm sure Neil is right and
| they are having wet dreams about this very thing.
|
| All I can say is, thank $DEITY for open/free software and open
| algorithms.

Somehow I doubt that the NSA has a magic bullet to crack AES encryption. If they did, it wouldn't be a part of the FIPS. I'd bet dollars to doughnuts that the US Navy has more cryptologists, etc. than the NSA - just a guess here. It would make perfect sense, though - since they have to use radios and satellites to communicate with their ships at sea, they would be most interested in data security - we wouldn't want our enemies ordering our ships or nuclear missile subs to make attacks that weren't ordered by the President...

Chris

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Daniel Iliev @ 2008-06-27 20:26 UTC
To: gentoo-user

On Fri, 27 Jun 2008 11:08:04 +0100 Neil Bothwick <neil@digimed.co.uk> wrote:

> On Fri, 27 Jun 2008 10:44:00 +0100, Stroller wrote:
>
> > > I'm sure the NSA would be happy to forego the prize and keep
> > > quiet about being able to break a secure cipher.
> >
> > I can't help wondering if - since P=NP is such a big problem - the
> > advantages of having this knowledge in the public domain might
> > override the advantages of mere spying.
>
> I'm sure the holy grail for the NSA is a cipher that everyone thinks
> is totally secure but they can break. These agencies aren't
> interested in the greater good, only furthering their own goals.
>

Sounds like AES fits the description :D

--
Best regards,
Daniel

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Volker Armin Hemmann @ 2008-06-27 0:16 UTC
To: gentoo-user

On Freitag, 27. Juni 2008, Sebastian Günther wrote:
> * Volker Armin Hemmann (volker.armin.hemmann@tu-clausthal.de) [27.06.08 00:12]:
> > and this is why nobody uses brute force.
> >
> > There are better ways to crack keys. NSA has tons of experts in mathematics
> > and cryptanalysis. Plus very sophisticated hardware. I am sure for most
> > ciphers they use something much more efficient than stupid brute force.
>
> The thing about these keys is, that there is no better way than to brute
> force such keys. The algorithm uses a function whose inverse is a known
> hard problem which resides in NP, which is a class of functions equal to
> just guessing. If the NSA had a sufficient algorithm, that is capable of
> reducing the time that much, they should also be able to prove P=NP.
> This is worth 1.000.000$ iirc and somehow you should get a Nobel Prize
> for it.

I know that AES is pretty good - but there are more ciphers out there - and a lot of them are fishy at best. Some of them nobody really knows, because they are closed and some are known weak. There are good ones and there are bad ones - and I don't doubt that the NSA is pretty good at analyzing the not-so-good ones.

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: kashani @ 2008-06-27 0:28 UTC
To: gentoo-user

Sebastian Günther wrote:
> * Volker Armin Hemmann (volker.armin.hemmann@tu-clausthal.de) [27.06.08 00:12]:
>> and this is why nobody uses brute force.
>>
>> There are better ways to crack keys. NSA has tons of experts in mathematics and
>> cryptanalysis. Plus very sophisticated hardware. I am sure for most ciphers
>> they use something much more efficient than stupid brute force.
>>
>
> The thing about these keys is, that there is no better way than to brute
> force such keys. The algorithm uses a function whose inverse is a known
> hard problem which resides in NP, which is a class of functions equal to
> just guessing.

I don't believe this is true. The algorithm uses a function which is *assumed* to be a hard problem. You assume the problem is hard because you and anyone you know have not been able to make it easy. That does not mean that someone has not discovered some math that does make it easy.

Here's a reference to the interesting meet-in-the-middle attack which reduced 3DES key space down to 112 bits from 192. Obviously that was unknown when 3DES was built.

http://en.wikipedia.org/wiki/Triple_DES#Security

kashani

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Alan McKinnon @ 2008-06-27 8:51 UTC
To: gentoo-user

On Friday 27 June 2008, kashani wrote:
> > The thing about these keys is, that there is no better way than to
> > brute force such keys. The algorithm uses a function whose inverse
> > is a known hard problem which resides in NP, which is a class of
> > functions equal to just guessing.
>
> I don't believe this is true. The algorithm uses a function which is
> *assumed* to be a hard problem. You assume the problem is hard
> because you and anyone you know have not been able to make it easy.
> That does not mean that someone has not discovered some math that
> does make it easy.

It's more than a thumb-suck assumption. In maths, "assume" is overloaded to have an entirely different meaning to what it has in everyday life, much like "theory" in science. The assumption comes from all the solid maths surrounding the NP problem. As any decent mathematician/cryptologist will tell you, cracking this one is the current holy grail in their field and the amount of man-power being applied to solving it is staggering.

Neil mentioned GCHQ developing public key several years before RSA, but do note that RSA still had the same bright idea that GCHQ had, only a few short years later. There are thousands of examples in math and science of the same huge advances being made by two parties independently - because they are working from the same known base. I feel quite confident that the NP problem will be no different.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Neil Bothwick @ 2008-06-27 8:59 UTC
To: gentoo-user

On Fri, 27 Jun 2008 10:51:57 +0200, Alan McKinnon wrote:

> Neil mentioned GCHQ developing public key several years before RSA, but do
> note that RSA still had the same bright idea that GCHQ had, only a few
> short years later.

The important point was that they kept quiet about it. Even after RSA entered the public domain, they let everyone think it was news to them.

Mind you, the UK government kept quiet about breaking Enigma after WWII was over, so they could sell these "secure" systems to their Commonwealth "friends".

--
Neil Bothwick

Top Oxymorons Number 2: Exact estimate

--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] h
From: Sebastian Wiesner @ 2008-06-27 13:21 UTC
To: gentoo-user

kashani <kashani-list@badapple.net> at Friday 27 June 2008, 02:28:21
> Here's a reference to the interesting meet-in-the-middle attack which
> reduced 3DES key space down to 112 bits from 192.

3DES always had an effective key size of 112 bits, because it uses the original DES algorithm applied in the following scheme

E1(D2(E1(M)))

with two different 56-bit DES keys. 3DES never had 192 bit keys.

The meet-in-the-middle attack has nothing to do with 3DES. In fact, 3DES was designed the way it works now to _prevent_ meet-in-the-middle attacks. Such attacks can be applied to ciphers, that apply a single algorithm with two different keys:

E1(E2(M))

Mathematically, the key size of the latter cipher is equal to 3DES: 56+56 = 112. But the latter cipher is vulnerable to meet-in-the-middle attacks, which is why 3DES uses the second key to apply the DES decryption function with a different key right between the consecutive DES encryptions.

> Obviously that was unknown when 3DES was built.

I doubt. If meet in the middle was unknown at the time of 3DES development, we wouldn't have 3DES today, but 2DES, being as simple as E1(E2(M)).

--
Freedom is always the freedom of dissenters. (Rosa Luxemburg)

--
gentoo-user@lists.gentoo.org mailing list
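The attack kashani and Sebastian are arguing about, run end to end as an added example (this is not code from either poster and it is not DES). Against a plain cascade E2(E1(m)) of two independent k-bit keys, a known-plaintext meet-in-the-middle costs about 2 * 2^k cipher operations plus a 2^k-entry table instead of the 2^(2k) a naive search needs, which is why stacking two keys that way buys almost nothing. To keep the whole search sub-second the block cipher below is a constructed toy (16-bit block, 8-bit key, four rounds of key XOR, byte S-box and rotate) with a seeded random S-box; the keys 0x3C/0xA7 and the three known plaintexts are likewise constructed. Because the block is only 16 bits, a single known pair leaves about one false candidate on average, so the attack filters survivors against the remaining pairs.

```python
"""Meet-in-the-middle against double encryption, on a constructed toy cipher.

Added example, not code from any of the posters and not DES. The cipher,
keys and plaintexts are stand-ins chosen so the full attack runs quickly.
"""
import random

KEY_BITS = 8
ROUNDS = 4
MASK16 = 0xFFFF
CIPHER_CALLS = [0]   # counts single-cipher invocations, for the cost comparison

# Constructed S-box: a fixed random byte permutation (seeded for reproducibility).
_rng = random.Random(2008)
SBOX = list(range(256))
_rng.shuffle(SBOX)
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def _round_keys(k):
    # Minimal key schedule: two key-derived bytes per round so rounds differ.
    return [(((k + 0x3B * r) & 0xFF) << 8) | ((k ^ (0x5C * r)) & 0xFF)
            for r in range(ROUNDS)]


def toy_encrypt(k, x):
    """Encrypt one 16-bit block x under the 8-bit key k."""
    CIPHER_CALLS[0] += 1
    for rk in _round_keys(k):
        x ^= rk
        x = (SBOX[x >> 8] << 8) | SBOX[x & 0xFF]
        x = ((x << 5) | (x >> 11)) & MASK16          # rotate left by 5
    return x


def toy_decrypt(k, x):
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    CIPHER_CALLS[0] += 1
    for rk in reversed(_round_keys(k)):
        x = ((x >> 5) | (x << 11)) & MASK16          # rotate right by 5
        x = (INV_SBOX[x >> 8] << 8) | INV_SBOX[x & 0xFF]
        x ^= rk
    return x


def double_encrypt(k1, k2, m):
    """E2(E1(m)): a nominally 16-bit key built from two 8-bit keys."""
    return toy_encrypt(k2, toy_encrypt(k1, m))


def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with the known (plaintext, ciphertext)
    pairs, using 2 * 2^KEY_BITS cipher calls and a 2^KEY_BITS-entry table."""
    m0, c0 = pairs[0]
    forward = {}                                     # E1(m0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, m0), []).append(k1)
    # Decrypt c0 under every k2 and look for a collision in the middle.
    candidates = [(k1, k2)
                  for k2 in range(1 << KEY_BITS)
                  for k1 in forward.get(toy_decrypt(k2, c0), [])]
    # Each extra pair rejects a false candidate with probability ~1 - 2^-16.
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:])]


def brute_force(pairs):
    """Naive search over all 2^(2*KEY_BITS) key pairs, for comparison only."""
    return [(k1, k2)
            for k1 in range(1 << KEY_BITS)
            for k2 in range(1 << KEY_BITS)
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs)]


def demo():
    """Run both attacks on constructed data; returns results and call counts."""
    k1, k2 = 0x3C, 0xA7                          # secret keys (constructed)
    plaintexts = [0x1234, 0xBEEF, 0x0042]        # known plaintexts (constructed)
    pairs = [(m, double_encrypt(k1, k2, m)) for m in plaintexts]
    CIPHER_CALLS[0] = 0
    mitm = meet_in_the_middle(pairs)
    mitm_calls = CIPHER_CALLS[0]
    CIPHER_CALLS[0] = 0
    naive = brute_force(pairs)
    naive_calls = CIPHER_CALLS[0]
    return {"mitm": mitm, "mitm_calls": mitm_calls,
            "naive": naive, "naive_calls": naive_calls}


if __name__ == "__main__":
    r = demo()
    print(f"meet-in-the-middle: keys {r['mitm']} after {r['mitm_calls']} cipher calls")
    print(f"brute force:        keys {r['naive']} after {r['naive_calls']} cipher calls")
```

Both searches return the same key pair; the meet-in-the-middle does it in a few hundred cipher calls where the naive search needs over 131,000, and the gap grows as 2^k for real key sizes. The table is the price: 2^k stored middle values, which for 56-bit DES keys is what pushed designers toward the encrypt-decrypt-encrypt layout Sebastian describes rather than a plain two-key cascade.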
* Re: [gentoo-user] h
From: Alan McKinnon @ 2008-06-27 8:42 UTC
To: gentoo-user

On Friday 27 June 2008, Volker Armin Hemmann wrote:
> > Numbers don't lie.
>
> and this is why nobody uses brute force.
>
> There are better ways to crack keys. NSA has tons of experts in
> mathematics and cryptanalysis. Plus very sophisticated hardware. I
> am sure for most ciphers they use something much more efficient than
> stupid brute force.

Like what for example?

Decent algorithms tend to have no known published weaknesses and their output is randomly distributed. Which brings us back to relying on stupid user input errors (Debian, anyone?)

If anyone does know of weaknesses in the good algorithms, they are certainly not telling. I doubt anyone could ever keep that genie in a bottle for very long as it would be the mathematical coup of the millennium. So the reasonable real-world view of this to me is that not even the almighty NSA can crack it yet. I'm betting they still use good old-fashioned tried-and-proven social engineering and hosepipe techniques for their successes.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
Thread overview: 31+ messages

2008-06-25 2:20 [gentoo-user] loop-aes + extra-ciphers... Chris Walters
2008-06-25 5:43 ` Dirk Heinrichs
2008-06-25 13:20 ` Daniel Iliev
2008-06-25 15:14 ` Chris Walters
2008-06-25 18:51 ` Sebastian Wiesner
2008-06-25 20:25 ` Chris Walters
2008-06-25 21:24 ` Sebastian Wiesner
2008-06-25 21:53 ` Jason Rivard
2008-06-25 22:10 ` Sebastian Wiesner
2008-06-26 2:22 ` [gentoo-user] My last words on cryptology and cryptography Chris Walters
2008-06-26 8:54 ` Alan McKinnon
2008-06-26 18:35 ` kashani
2008-06-26 21:52 ` Steven Lembark
2008-06-27 0:06 ` kashani
2008-06-27 13:04 ` Sebastian Wiesner
2008-06-26 20:14 ` Sebastian Wiesner
2008-06-26 20:39 ` Alan McKinnon
2008-06-26 22:10 ` [gentoo-user] h Volker Armin Hemmann
2008-06-26 22:47 ` Sebastian Günther
2008-06-26 23:37 ` Neil Bothwick
2008-06-27 9:44 ` Stroller
2008-06-27 10:08 ` Neil Bothwick
2008-06-27 13:48 ` Alan McKinnon
2008-06-27 22:00 ` Chris Walters
2008-06-27 20:26 ` Daniel Iliev
2008-06-27 0:16 ` Volker Armin Hemmann
2008-06-27 0:28 ` kashani
2008-06-27 8:51 ` Alan McKinnon
2008-06-27 8:59 ` Neil Bothwick
2008-06-27 13:21 ` Sebastian Wiesner
2008-06-27 8:42 ` Alan McKinnon