Re: Predicting cipher life / NSA rigged DES? / Destroying encrypted data (Tangent to Re: Burning papers)
Randall Farmer wrote:
Been thinking, most applications for ciphers assume solely based on cipher x's keysize that data will be secure for a certain length of time. ... My idea ... is averaging the remaining lifetimes in analysis-hours of broken ciphers which survived as many person-hours of attack as the one in question.
Doesn't seem terribly likely. Typically ciphers will look strong until someone discovers a chink. The chink will sometimes lead to a serious break, but not always, and not always quickly -- but at that point the cipher looks weak. Your best chance at encrypting stuff that needs a long shelf life is with a cipher that's had a lot of analysis and plenty of intrinsic key, like 3DES.
Am I just going crazy, or is it kind of obvious that NSA knew the s-boxes they provided for DES weren't secure?
The former. The S-boxes they replaced were bogus, and the ones they came up with were good against differential cryptanalysis -- better than random ones. There's no a priori reason to believe they knew about linear cryptanalysis, and in any case Matsui's l.c. attack on DES is better than brute force only in situations where you have a great deal of known or chosen plaintext. So how come you claim they aren't secure? DES isn't suitable for long-archived info, but is still OK for short-lifetime data against a not-too-motivated attacker: its only known weakness for this application is its key-length, not its S-boxes.
Anyhow, these two (or three) values are XORed together to form the key used to encrypt the volume. When your adversaries, armed with their trusty rubber hoses, come knocking at and/or down your door, you hit a hotkey to start destroying those 24 bytes on disk, which can be done faster and more effectively than a wipe of every sector in the volume. The folks with the
I like it!

Jim Gillogly
Trewesday, 8 Solmath S.R. 1998, 00:27
12.19.4.15.17, 8 Caban 15 Muan, Second Lord of Night
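The key-component scheme quoted above, as an added example in Go that is not from the original post: the 24-byte 3DES key is the XOR of components held in separate places, so wiping one component is enough to destroy the key. `deriveKey`, `zeroize` and `encryptBlock` are hypothetical names, and the fixed component strings in `main` stand in for randomly generated bytes.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// Constructed example, not from the original post: the volume key is the XOR
// of components held in separate places, so wiping any one destroys the key.
const keyLen = 24 // a 3DES key: three 8-byte DES keys
// deriveKey XORs the components into the working key; nil if a length is off.
func deriveKey(parts ...[]byte) []byte {
	key := make([]byte, keyLen)
	for _, p := range parts {
		if len(p) != keyLen {
			return nil
		}
		for i := range key {
			key[i] ^= p[i]
		}
	}
	return key
}

// zeroize overwrites a component in memory. The on-disk equivalent must really
// reach the medium: journaling and SSD wear levelling can leave old copies.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// encryptBlock encrypts one 8-byte block with 3DES under key.
func encryptBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

func main() {
	a, b := []byte("first component, on disk"), []byte("second share, smart card")
	key := deriveKey(a, b)
	ct, _ := encryptBlock(key, []byte("8 bytes!"))
	zeroize(a) // "hit the hotkey": one component is gone for good
	fmt.Printf("key %x\nnow %x\nct  %x\n", key, deriveKey(a, b), ct)
}
```

Only the key-derivation side is shown; whether an overwrite of the on-disk component actually destroys those bytes depends on the storage stack underneath it.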
At 4:26 PM -0800 1/28/98, Jim Gillogly wrote:
Doesn't seem terribly likely. Typically ciphers will look strong until someone discovers a chink. The chink will sometimes lead to a serious break, but not always, and not always quickly -- but at that point the cipher looks weak. Your best chance at encrypting stuff that needs a long shelf life is with a cipher that's had a lot of analysis and plenty of intrinsic key, like 3DES.
Carl Ellison talks about his strategy for chaining several ciphers. I'm surprised more emphasis isn't given to doing this. For example, suppose one chains 3DES, Blowfish, MISTY, IDEA, and GOST together (I haven't checked Schneier on these, but you all presumably get the idea). Then if any one of these ciphers is shown to be weak, the overall chain remains strong. The overall chain is as strong as its strongest link, not its weakest link. I don't think 3DES is weak, but chaining-in additional ciphers can't hurt. (Just a minor slowdown in encipherment speed, presumably not important for some critical uses.)

-- Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 408-728-0152   | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
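Tim's chained-cipher idea as an added example in Go, not code from Tim May or Carl Ellison: a two-layer CTR cascade with 3DES as one layer and AES standing in for Blowfish, IDEA, MISTY or GOST (none of which ship in Go's standard library). `Layer`, `newStreams` and `apply` are hypothetical names, and the fixed keys and IVs in `main` stand in for independently generated random ones.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Constructed example, not code from Tim May or Carl Ellison: a two-layer CTR
// cascade, 3DES then AES, each with its own independently generated key and IV.
type Layer struct{ Key, IV []byte } // one cipher's key and counter-mode IV

// newStreams builds the two CTR streams, checking each IV against its
// cipher's block size (8 bytes for 3DES, 16 for AES).
func newStreams(tdes, aesL Layer) (cipher.Stream, cipher.Stream, error) {
	b1, err := des.NewTripleDESCipher(tdes.Key)
	if err != nil {
		return nil, nil, err
	}
	b2, err := aes.NewCipher(aesL.Key)
	if err != nil {
		return nil, nil, err
	}
	if len(tdes.IV) != b1.BlockSize() || len(aesL.IV) != b2.BlockSize() {
		return nil, nil, fmt.Errorf("IV length must equal the cipher block size")
	}
	return cipher.NewCTR(b1, tdes.IV), cipher.NewCTR(b2, aesL.IV), nil
}

// apply runs data through both layers in turn. CTR XORs a keystream onto the
// data, so the same call decrypts; streams are rebuilt since they hold state.
func apply(tdes, aesL Layer, in []byte) ([]byte, error) {
	s1, s2, err := newStreams(tdes, aesL)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	s1.XORKeyStream(out, in)
	s2.XORKeyStream(out, out)
	return out, nil
}

func main() {
	l1 := Layer{Key: []byte("24-byte 3des key for l1!"), IV: []byte("3des-iv!")}
	l2 := Layer{Key: []byte("a 32-byte aes-256 key for layer2"), IV: []byte("aes-counter-iv16")}
	ct, _ := apply(l1, l2, []byte("chain 3DES with an independently keyed cipher"))
	back, _ := apply(l1, l2, ct)
	fmt.Printf("%x\n%s\n", ct, back)
}
```

The keys must be generated separately: if the second key were derived from the first, recovering one layer's key would expose the other, and the chain would no longer be as strong as its strongest link.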
Your best chance at encrypting stuff that needs a long shelf life is with a cipher that's had a lot of analysis and plenty of intrinsic key, like 3DES.
Yes, I think that's what my (inaccurate) model would suggest you do, if my guesses as to break probability are close; real, practical cipher breaks get rarer after more analysis-hours pass -- i.e., ciphers are more likely to be broken in the first year of analysis than the tenth -- so expected lifetimes would increase with the amount of analysis survived. Of course, like TcM said, chaining ciphers only cuts speed by a little and helps security a lot.
Am I just going crazy, or is it kind of obvious that NSA knew the s-boxes they provided for DES weren't secure?
The former.
That shouldn't surprise anyone who's seen my posts. :)
The S-boxes they replaced were bogus, and the ones they came up with were good against differential cryptanalysis -- better than random ones. There's no a priori reason to believe they knew about linear cryptanalysis, and in any case Matsui's l.c. attack on DES is better than brute force only in situations where you have a great deal of known or chosen plaintext. So how come you claim they aren't secure? DES isn't suitable for long-archived info, but is still OK for short-lifetime data against a not-too-motivated attacker: its only known weakness for this application is its key-length, not its S-boxes.
Perhaps I should say that the S-boxes weren't as secure as they could/should have been. We know how to construct better ones now (s^5 DES is just that -- DES w/better [?] S-boxes), and I'd venture to say that if NSA wasn't 21 years ahead, they either spent most of their cash on computers, not crypto whizzes, or else the cryptographers spent too much time on coffee breaks... As to their knowledge of linear attacks back then, the same thing applies; although we have no solid evidence, assuming they were up to today's level of analysis is not exactly going out on a limb. Now, this *is* going out on a limb (while contradicting my original statement :), but there's always the possibility that those S-boxes *were* as good as they could have been for 16 rounds, and there was an even more vile attack against DES with S-boxes which we think are more secure. ...
---------------------------------------------------------------------------
Randall Farmer
rfarmer@hiwaay.net
http://hiwaay.net/~rfarmer
I had tended to not take too seriously the posts of someone who signs himself as "Uhh...this is Joe," but the reasoning he displays below makes me take him more seriously: At 5:26 PM -0800 1/30/98, Uhh...this is Joe [Randall Farmer] wrote:
Yes, I think that's what my (inaccurate) model would suggest you do, if my guesses as to break probability are close; real, practical cipher breaks get rarer after more analysis-hours pass -- i.e., ciphers are more likely to be broken in the first year of analysis than the tenth -- so expected lifetimes would increase with the amount of analysis survived.
Just so. With one minor caveat: the amount of time should be replaced by "effort expended." Clearly there are a lot of flaky algorithms which have been given scant attention. It would be wrong to assume that the first year spent trying to break Blowfish is comparable to the first year spent trying to attack Virtual Matrix Superunbreakable Amazing Algorithm. But I generally like your intuition.

--Tim May
I had tended to not take too seriously the posts of someone who signs himself as "Uhh...this is Joe,"
That was probably a good idea.
but the reasoning he displays below makes me take him more seriously:
Ooh, bad move! :)
...the amount of time should be replaced by "effort expended."
That was what I meant, although my wording of it was sort of ambiguous; "years of analysis," "analysis-hours," etc. refer to the time the cryptographers actually spent on studying the cipher, not the time elapsed since the cipher's release. [...]
--Tim May