40-bit RC5 crack meaningless??
(A gem off sci.crypt. Schwartau's mailing list is turning into the most amazing source of misinformation or disinformation about cryptography on the Net. And he's probably got the most influential audience in Washington re crypto policy. Go figure;-)

----------------

Subject: 40-bit RC5 crack meaningless??
Date: 6 Feb 1997 11:43:58 -0500
From: nobody@REPLAY.COM (Anonymous)
Organization: Replay and Company UnLimited
Newsgroups: sci.crypt

Strassmann, the author of this denunciation of RSADS and Ian Goldberg, is the former Director of Defense Information (i.e., CIO,) of the Bush DoD and an often-insightful commentator on business culture and computing. Strange is the logic that channels the mind of the American Defense Intellectual... or, maybe he just doesn't know squat about cryptography??? (Reposted from Infowar Digest, Winn Schwartau's moderated mailing list <mail to: infowar@infowar.com> without permission.)
Date: Thu, 30 Jan 1997 20:10:36 -0500
To: "Wright Larry" <Wright_Larry@bah.com>
From: "Paul A. Strassmann" <paul@strassmann.com>
Subject: Further to Goldberg's Cracking Accomplishments

Gentlemen:
As I suspected (see earlier private comment), the highly promoted RSA cracking contest offered a number of clues that ordinarily would not be volunteered by info-terrorists or info-criminals to IW Defense teams.
These clues made the cracking significantly easier, because they made it possible to eliminate an enormous range of possible searches.
The following was extracted verbatim from the <The RSA Data Security Secret-Key Challenge> posted on <http://www.rsa.com/rsalabs/97challenge/>:
Clue #1:
" ...all the RC5 contests posted as part of the RSA Secret-Key Challenge will use 12-round RC5 with a 32-bit word size. "
Clue #2:
" ...The first RC5 contest will consist of some unknown plaintext encrypted using a 40-bit key."
Clue #3: (a giveaway!)
" ... For each contest, the unknown plaintext message is preceded by three known blocks of text that contain the 24-character phrase "The unknown message is: ....."."
In summary: The claim of exportable cryptography being totally insecure, because it can be cracked in 3.5 hours is not realistic. The three clues announced in the contest would not apply under infowar conditions.
What other clues may have been provided to Goldberg to support private agendas and gain shrill headlines is also a matter of speculation, but I rest my case.
I certainly cannot assert that a 40-bit key cannot be decyphered. However, I do not think that the RSA unqualified claims offer full and appropriate disclosure.
Paul
At 10:21 AM -0500 1/30/97, Wright Larry wrote:
Following provided for your information.
EXPORTABLE CRYPTOGRAPHY TOTALLY INSECURE: CHALLENGE CIPHER BROKEN IMMEDIATELY
January 28, 1997 - Ian Goldberg, a UC Berkeley graduate student, announced today that he had successfully cracked RSA Data Security Inc.'s 40-bit challenge cipher in just under 3.5 hours.
RSA challenged scientists to break their encryption technology, offering a $1000 award for breaking the weakest version of the code. Their offering was designed to stimulate research and practical experience with the security of today's codes.
The number of bits in a cipher is an indication of the maximum level of security the cipher can provide. Each additional bit doubles the potential security level of the cipher. A recent panel of experts recommended using 90-bit ciphers, and 128-bit ciphers are commonly used throughout the world, but US government regulations restrict exportable US products to a mere 40 bits.
Goldberg's announcement, which came just three and a half hours after RSA started their contest, provides very strong evidence that 40-bit ciphers are totally unsuitable for practical security. "This is the final proof of what we've known for years: 40-bit encryption technology is obsolete," Goldberg said.
<...Rest of the announcement from UC Berkeley snipped>
Paul A. Strassmann
55 Talmadge Hill Road, New Canaan, CT. 06840
Telephone: 203-966-5505; Fax: 203-966-5506
INTERNET: paul@strassmann.com
WorldwideWeb: http://www.strassmann.com
The always-informed Prof. Froomkin <froomkin@law.miami.edu> asked:
This would be the same Strassmann who stated in public at Harvard early in 1995 that most remailers were run by intelligence agencies such as the KGB, then denied saying it when asked for substantiation? And cut it from his paper?
Don't know that one, but it seems feasible. Strassmann had the status to speak at Harvard; probably the K school. (He's also an interesting author, really worth a read; despite this recent balderdash.) I kept a clip from an interview with him for years: after the bomb attack on the World Trade Tower he proclaimed that an "Electronic Pearl Harbor" attack on the US was inevitable. The only question, he said, was when. Not if. (It was a usefully overheated hook for some article on compsec, but I don't think I ever used it. Reminded me too much of warnings that someone was bound to someday taint the city water reservoir with LSD;-) As I recall, that piece also quoted him as saying that he knew of an incident where some group had held a major banking institution ransom with a threat to destroy their data files somehow. He refused to identify the institution or otherwise give any further details about the incident. Came to mind a few months back, when Winn Schwartau was firing off (also overheated) missives from Europe reporting, with scant detail, that several UK or European banking institutions had paid off millions when subjected to similar blackmail.
{...} there is some debate about the extent to which in *intelligence gathering* as opposed to, say, trying to crack a banking protocol, one can reasonably count on a known plaintext. And much debate about the processing costs of not having one, especially when one doesn't know what kind of document is being encrypted (e.g. is it ASCII plaintext? a spreadsheet? a jpeg? etc.). I think that's his (misdirected) point.
The latter is an interesting debate -- but, as you note, not really relevant in this case, where Strassmann proclaims:
In summary: The claim of exportable cryptography being totally insecure, because it can be cracked in 3.5 hours is not realistic. The three clues announced in the contest would not apply under infowar conditions.
Now, an international institution which buys and bets the bank upon US-exportable (40-bit) cryptography probably deserves what it has bought: espionage-enabled software designed for fast and cheap decryption by spooks and sundry college kids with access to a handful of machines. The original announcement of the RSA Secret Key Challenge declared forthrightly that even 56-bit keys -- whatever the algorithm! -- offer only "minimal" security. (What Goldberg did in hours, many could do in days or weeks with much less equipment. A 40-bit key length offers a universe of about, what? a trillion possible keys.)

And while there might be debate as to how hard it is to attack cyphertext when the attacker doesn't know _anything_ about the message (not its data format; not the language being used; nothing!) there is really none about the fact that -- with virtually any piece of that puzzle -- the attack becomes relatively straightforward. A big job for a little machine, but conceivable: grab a key, decrypt, and then match for the right stats. Rare indeed is the commercial message, or even the typical government transmission, where its original digital format is not easily guessed -- if not known for certain. That is the contemporary, real-world, infowar/infocrime environment.

To a machine -- which is, after all, looking for a statistical pattern in the results, not "meaning" -- knowing that the message is in English (and/or coded in ASCII) is functionally equivalent to an old-fashioned human codebreaker being given a matched plaintext/cyphertext sample. Given that much, the computer doesn't need the plaintext! It's counterintuitive to the layman, but one would expect a savvy systems guy like Strassmann to know this cold. Even my son, at 4, understands that a computer manipulates the fodder fed it only in terms of ones and zeros. Statistics, not the "plaintext" clue, reveal who dun it... to the machine. Clue #3 -- "the giveaway." Lord help us!
Paul Strassmann has probably taught a generation of the DC InfoWar acolytes how to think about this stuff!!! Hopefully their kids can re-educate them.

Suerte,
_Vin

Vin McLellan + The Privacy Guild + <vin@shore.net>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
This would be the same Strassmann who stated in public at Harvard early in 1995 that most remailers were run by intelligence agencies such as the KGB, then denied saying it when asked for substantiation? And cut it from his paper? On Thu, 6 Feb 1997, Vin McLellan wrote:
Strassmann, the author of this denunciation of RSADS and Ian Goldberg, is the former Director of Defense Information (i.e., CIO,) of the Bush DoD and an often-insightful commentator
Having said that, there is some debate about the extent to which in *intelligence gathering* as opposed to, say, trying to crack a banking protocol, one can reasonably count on a known plaintext. And much debate about the processing costs of not having one, especially when one doesn't know what kind of document is being encrypted (e.g. is it ASCII plaintext? a spreadsheet? a jpeg? etc.). I think that's his (misdirected) point.

A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | froomkin@law.miami.edu
U. Miami School of Law | http://www.law.miami.edu/~froomkin
P.O. Box 248087
Coral Gables, FL 33124 USA | It's warm here.