On Wed, Jun 25, 2008 at 9:24 PM, Sebastian Wiesner <basti.wiesner@gmx.net> wrote:
Chris Walters <cjw2004d@comcast.net> at Wednesday 25 June 2008, 22:25:18
> Are you a cryptology expert?

Are you then?

  I doubt that either of you are cryptology experts. I've known a few, and I am a crypto-expert, who has worked for the government of the US. 

> The only thing that cryptography attempts to do is reduce the
> **probability** of cracking the key and gaining access to the data as low
> as possible.

No news.  That's, why cryptology defines "security" not as "being impossible
to crack", but as "being sufficiently improbable to crack".  The only
cipher, that can't be "brute-forced", is the OTP, which is
considered "perfectly secure".

There is no such thing as perfectly secure, but a cipher algorithm that would take all the computers on Earth a year or more to crack is pretty secure.

> As for brute forcing a passphrase:  Since most implementations of AES
> (Rijndael) use a hash of the passphrase to form the key, it amounts to
> the same thing, in practice, as cracking the key.

First of all, you can perform hard disk encryption _without_ a passphrase.
You can store keyfiles on smart cards, usb sticks, etc.  In this case, you
can generate a _truely random_ key.

Using a passphrase is the most insecure approach, but still, with a
sufficiently random passphrase, you can gain a level of security, that even
the NSA will find difficult to come around.

The randomness of a 30-char passphrase does of course by far not match the
randomness of a 256-bit key, so there is a real chance, that it can be
guessed by brute force.  Still it will take much cpu time, which is not
endless, even to the NSA.

I don't think I can really comment on this, except to say that smart cards and usb thumb drives are the way to go for security. As long as you can keep control of the device.

In such a case, the question is, if the data, you ciphered, is really worth
the effort of putting a super computer into work for a long time to try any
possible passphrase.

Mr. Walters' claim is not that they would put a single super-computer to decrypting it, but a "network of supercomputers". I truly don't think you have to worry about that occurring, unless you are deemed a danger to US National Security. Even then, AES is very hard to crack. The major weakness is the person who encrypts the data. Under questioning, most will give up their keys.

> Cryptology is, at least partly about finding the weakest link, because
> that is what is likely to be attacked in any cryptosystem.

Of course, absolutely true.  Hard disk encryption is by far not perfect,
just look at the cold boot attacks that gained public interest in the last
time.  But you didn't talk of _cryptosystems_ in your previous posts, you
did talk about _algorithms_.

By themselves algorithms are relatively useless. It is only the application of those algorithms that make them useful. In this case, Mr. Walters pointed out how NOT to apply cipher algorithms. Some of the ways, anyway.

Summarizing, the modern ciphers themselves are secure, as there is mostly no
way to crack them save a brute-force attack on the key.  On the other hand,
cryptosystems built around these algorithms can of course contain
weaknesses and holes, like weak passphrases, unsecure key storage, etc.

> The US Government only keeps classified information on non-networked
> computers in secure environments, so the cipher used does not matter as
> much as the other security measures taken to ensure that the data does
> not fall into the wrong hands.

May be.  I do not know, which restrictions apply to US classified data, I
only know about official statements, the US government made towards the
security of AES.

I can neither confirm nor deny Mr. Walters' statement. I will state that the United States Government does, in fact, use ciphers to communicate with Embassies, Military Camps and Bases abroad, and Naval vessels. That hardly fits Mr. Walters' statement.

> A final thought:  It is a fact that both the US Navy and the NSA are
> *very* interested in cryptology and data security.  The NSA also does
> have large networks of supercomputers that, using parallel, distributed
> or concurrent computing principles can crack keys more quickly than you
> may think.

You can use simple mathematics to find out, that even the largest super
computers, having one peta flop, needs millions of years to perform an
exhaustive search through AES key space.

Anyway, you may believe, what you want to believe, I'm just reflecting, what
real experts like Bruce Schneier have been telling for years:  It's wrong
to trust into simple ciphers, but it's equally wrong, to believe, that
anything can be broken.

It is equally wrong to believe that any cipher is immune to attack, but it is not nearly as easy as Mr. Walters would have you believe.


my 2 cents

My nickel... Jase