-----BEGIN PGP SIGNED MESSAGE----- [ To: cypherpunks ## Date: 03/04/96 07:59 pm ## Subject: Re: Numbers don't lie... ]

Date: Sun, 18 Feb 1996 11:18:57 -0500 (EST) From: "A. Padgett Peterson P.E. Information Security" Subject: Numbers don't lie...

In their figures, they do seem to gloss over a couple of minor points:

The most compelling to me is "how do you know when you broke it ?". Bruce has always used the "known plaintext" approach, however using modern techniques for messaging, *every* message has a different session key, negotiated using assymetric keying so the only message that will be broken is one that you already have - not terribly helpful.

Coming up with a short length of known plaintext isn't usually a big problem. For example, attacking DES, you need to know one 64-bit block. In many cases, this is easy to do. While it is possible (and a good idea) to build communications software so that it's relatively hard to get known plaintext, this shouldn't be necessary to use a cipher securely. And in any case, if you're encrypting ASCII text, the bit distributions give you a big clue about whether this is a reasonable key guess or not, after just a few decrypted plaintexts. This increases the cost of the search machines, but I'm not convinced that this will be an enormous increase in all cases.

This means that the strength of cryptography should be appropriate to the value of the information protected. If less than U$10,000, the message is individually encrypted, and has value only today, then DES is probably "good enough".

True, DES is probably good enough for the very lowest-value messages. But why use something that's barely acceptable, when it costs you almost nothing at all to make it really secure against keysearch attacks. Blowfish, SAFER-SK128, GOST, and 3DES are all apparently quite hard to break, and they are all far more resistant to keysearch attacks than DES.

Strategic information of higher value arguably needs "more" but how much ? 64 bits is 256 times stronger than DES. This would indicate effective security up to say U$2.5 million. More is better but I would not be quite so alarmist nor would I dismiss the cost of engineering. Non-trivial.

The problem here is that it's not really reasonable to expect the users of a secure e-mail package to know what the state of the art is in terms of keysearch machines, and it's not always reasonable to expect the person that's sending some piece of information to know whether this is "you-bet-your-company" material. There's no excuse for leaving yourself vulnerable to keysearch attacks, when there are so many good, unpatented ciphers with key lengths of more than 100 bits. It's like building a car with an engine that you know will catch fire if it's ever run at more than 80 MPH, but justifying it by saying "well, most trips don't require more than 80 MPH to get where they're going anyway. In those special cases where greater speed is necessary, they'll just have to take a bullet train."

Still, at what point is it simply easier/cheaper to buy someone who knows the secret ?

Limiting your key to 56 bits means that an attacker has more options--if he can't bribe, blackmail, or threaten his way into your private communications, he can spend some money, and still get in. (Escrowing your key adds to the list, because he now has more people to bribe/threaten/blackmail, and he may also be able to carry out protocol attacks against the key escrow mechanism.)

Warmly, Padgett

--John Kelsey, jmkelsey@delphi.com / kelsey@counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTujGkHx57Ag8goBAQElEwP/ZpzwCpwGUhbHJvEl+EiuseNEgy9To5yl RyX3VkdX+Xx6jksZeuLlSuRoMlahxyMHdH7uDY/8GFW2uxh8dFAJfwNdBCf3k0W8 aYml2Z/CCVadeuiSrKgZEMvE3F/LlDSCXQwuIde1Su7ICxQz9pd8ZbAqvOdQQWyZ ZQPr9TPCo/s= =zM5N -----END PGP SIGNATURE-----