On Mon, 9 Nov 2009, Morlock Elloi wrote:
> The cost of breaking even bad crypto can be quite high.
> If you just take, for example, DES, and change all S boxes to different random values, then provide these values as a pre-arranged secret key to the other party, and use them only with this single correspondent, and keep your algorithm secret, while using a single 1-character key "a" through "5" depending on the day of month, how long do you think it will take someone to break the cipher and how much would it cost?
> First they have to get enough text for correlation and differential attacks. Then they are starting with quite long 2K-bit S boxes that need to be inferred. It would take a brilliant analyst more than a few days to break this. A few days of a brilliant analyst at Ft. Meade are very expensive, when you include all the overhead. Say $0.1-0.5M.
> Compare this cost to the cost of breaking a massively used crypto algorithm with a backdoor.
All well and good, but who among us is running a straight "a.out" compilation of _only_ DES (or AES or whatever) such that our threat model is simply the validity of the pure algorithm? I sure am not. Whether it be SSH or SSL or duplicity or Tor, we're all using cryptosystems that most certainly receive far too much credit simply by virtue of being "open source". Open source is only useful if _you_ open it - and maybe not even then. Young's point is, what do you know about who is writing or reading or proofing it? Open source should indeed be a requirement - nobody here would argue against it. But it's never an assurance - especially not with a big project like OpenSSH and so on ...
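An added example for the DES-with-random-S-boxes scenario quoted above (this is editor-supplied code, not from either poster). It measures a single 6-to-4-bit S-box against the two attack families Morlock names, differential and correlation (linear) cryptanalysis, and puts a standard DES box (S1) next to boxes filled with random values, so the reader can see what "2K bits of secret S-box" actually buys against those attacks. The choice of S1 as the reference, the random seed and the trial count are assumptions.

```python
"""Added example for the quoted DES-with-random-S-boxes scenario; not code
from the thread.  Profiles one 6-to-4-bit S-box under differential (DDT)
and linear/correlation (LAT) analysis and compares DES S1 with boxes
filled with random values.  Seed and reference box are assumptions."""
import random

# Standard DES S1: 4 rows x 16 columns of 4-bit outputs.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# Secret material in the scenario: 8 boxes x 64 entries x 4 bits each.
SBOX_SECRET_BITS = 8 * 64 * 4  # 2048, the "2K-bit S boxes"


def sbox_lookup(table, x):
    """DES addressing of a 6-bit input: the outer two bits select the row,
    the inner four bits select the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def random_sbox(rng):
    """'Change all S boxes to random values': 64 independent random 4-bit
    entries, with none of the DES design criteria applied."""
    return [[rng.randrange(16) for _ in range(16)] for _ in range(4)]


def parity(v):
    return bin(v).count("1") & 1


def ddt_max(table):
    """Largest difference-distribution-table entry over nonzero input
    differences dx: how many of the 64 inputs x give the most common value
    of S(x) ^ S(x ^ dx).  Differential cryptanalysis needs high entries;
    the DES boxes were chosen so that no entry exceeds 16."""
    best = 0
    for dx in range(1, 64):
        counts = [0] * 16
        for x in range(64):
            counts[sbox_lookup(table, x) ^ sbox_lookup(table, x ^ dx)] += 1
        best = max(best, max(counts))
    return best


def lat_max_bias(table):
    """Largest absolute linear bias |#{x : a.x = b.S(x)} - 32| over all
    input masks a and nonzero output masks b.  This input/output parity
    correlation is the lever of linear cryptanalysis: 32 means an affine
    box, and Parseval's relation keeps every 6-bit box at 4 or above."""
    best = 0
    for a in range(64):
        for b in range(1, 16):
            agree = sum(
                parity(a & x) == parity(b & sbox_lookup(table, x))
                for x in range(64)
            )
            best = max(best, abs(agree - 32))
    return best


def profile(table):
    return {"ddt_max": ddt_max(table), "lat_bias": lat_max_bias(table)}


def compare(seed=2009, trials=5):
    """Profile DES S1 next to `trials` random boxes built from `seed`
    (both values are assumptions).  Returns (des_profile, random_profiles)."""
    rng = random.Random(seed)
    return profile(DES_S1), [profile(random_sbox(rng)) for _ in range(trials)]


if __name__ == "__main__":
    des, rnd = compare()
    print("secret S-box material:", SBOX_SECRET_BITS, "bits")
    print("DES S1    :", des)
    for i, p in enumerate(rnd):
        print(f"random #{i}:", p)
```

The two numbers are per-box, single-round measures, not a break of the cipher; they only show that secrecy of the tables and quality of the tables are separate questions, and that the attacker Morlock describes would begin by estimating exactly these statistics from the ciphertext he collects.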