RE: Phil Zimmerman and voice encryption; a Skype problem?
Hi Paul,

You left out one option: that Tony Rutkowski was misquoted by the Times. I checked with Tony, and this is, in fact, what happened. Here is his full response:

Since the external security lists seem to be buzzing with discourse about Phil Zimmerman's VoIP encryption product as covered by John Markoff in the NY Times on Monday, and my quote about German capabilities to decrypt, let me explain the context and what was actually said.

John (who I've known for several decades) called my cellphone Sunday morning and said he was writing an article on Zimmerman's software and his making it available, and asked, from a CALEA standpoint, whether this was covered. I explained that the recent FCC CALEA orders on VoIP presently exempted P2P VoIP, so that Zimmerman's product was outside the requirements. In multiple roles, including formal filings and legal forums, I deal with this subject all the time.

I also mentioned, however, that CALEA requirements exist worldwide, and that German officials at a recent Cyprus standards conference on lawful interception had stated that they "have a Skype solution." I explained to John that most other countries have far more extensive CALEA-like requirements, and that Germany, among others, was likely to impose its "solutions."

In the article that was published, my domestic coverage explanation was attributed to someone else, and my "German solution" explanation was morphed into a statement that they can decrypt Skype content. The context of the actual discussion, however, was regulatory requirements. Whether the German government can or cannot decrypt Skype content is not known, and indeed the details of their regulatory requirements are also unknown.

--tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Hoffman
Sent: Monday, May 22, 2006 8:19 AM
To: Steven M. Bellovin; cryptography@metzdowd.com
Subject: Re: Phil Zimmerman and voice encryption; a Skype problem?
At 10:19 AM -0400 5/22/06, Steven M. Bellovin wrote:

> There's an article in today's NY Times (for subscribers, it's at
> http://www.nytimes.com/2006/05/22/technology/22privacy.html?_r=1&oref=slogin )
> on whether Phil Zimmerman's Zfone -- an encrypted VoIP package -- will invite government scrutiny. There doesn't seem to be any imminent threat in the U.S.; the one concrete example mentioned -- the British plan to give police the power to compel individuals to disclose keys -- doesn't threaten Zfone, because it uses Diffie-Hellman for (among other things) perfect forward secrecy and doesn't even have any long-term keys. (See draft-zimmermann-avt-zrtp-01.txt for protocol details.)
>
> The fascinating thing, though, was this sentence near the end of the article:
>
>     But at a conference last week in Cyprus, German officials said they had technology for intercepting and decrypting Skype phone calls, according to Anthony M. Rutkowski, vice president for regulatory affairs and standards for VeriSign, a company that offers security for Internet and phone operations.
>
> The Berson report says that Skype uses AES-256. NSA rates that as suitable for Top Secret traffic, so it's presumably not the cipher. Berson analyzed a number of other possible attack scenarios; the only one that seems to be possible is an active attack plus forged certificates. If Berson's analysis was correct -- and we all know how hard it is to verify cryptographic protocols -- that leaves open the possibility of a protocol change that implemented some sort of Clipper-like functionality.

Please don't forget that the VeriSign spokesperson may be mistaken, or purposely lying (possibly in order to drum up business for the company). Neither would be a first for VeriSign.
--Paul Hoffman, Director
--VPN Consortium

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Algebraic Attacks on Block Ciphers
This may interest some list members:

http://eprint.iacr.org/2006/168

Cryptology ePrint Archive: Report 2006/168
How Fast can be Algebraic Attacks on Block Ciphers?
Nicolas T. Courtois

Abstract. In this paper we give a specification of a new block cipher that can be called the Courtois Toy Cipher (CTC). It is quite simple, and yet very much like any other known block cipher. If the parameters are large enough, it should evidently be secure against all known attack methods. However, we are not proposing a new method for encrypting sensitive data, but rather a research tool that should allow us (and other researchers) to experiment with algebraic attacks on block ciphers and obtain interesting results using a PC with a reasonable quantity of RAM. For this reason the S-box of this cipher has only 3 bits, which is quite small. Ciphers with very small S-boxes are believed quite secure; for example, the Serpent S-box has only 4 bits, and in DES all the S-boxes have 4 output bits. The AES S-box is not quite as small but can be described (in many ways) by very small systems of equations with only a few monomials (and this fact can also be exploited in algebraic cryptanalysis). We believe that results on algebraic cryptanalysis of this cipher will have very deep implications for the security of ciphers in general.
Re: Re: Is AES better than RC4
----- Original Message -----
From: "Ed Gerck" <[EMAIL PROTECTED]>
Subject: [!! SPAM] Re: Is AES better than RC4

> Please note that my email was way different in scope. My opening sentence, where I basically said that it does not make much sense to compare RC4 with AES, was cut in your quote -- but here it is: "AES has more uses and use modes than RC4, in addition to the fact that it encrypts more than one byte at once. Having said that, it is curious to note the following misconceptions:"

Yes, I did snip that out. I figured everything we agreed on could be left out easily enough. I apologize for removing something you considered core to your view.

> BTW, discarding the first 100's of bytes in RC4 is easy, fast, and has nothing to do with lack of "key agility". And, if you do it, you don't even have to hash the key (ie, you must EITHER hash the key OR discard the first bytes).

From my view it does. Every extra clock cycle has an impact on key agility; even 1 byte of RC4 discard slows the rekeying process, and as a result it does affect the effective key agility. That only 256 discards are necessary does not mean that those extra 256*(clock cycles per pull) clock cycles don't affect key agility. At what point do we say "This affects key agility"? When it increases the time by 1%? 10%? 100%? If we don't consider every cycle to reduce key agility, it's all just a matter of scale. This does mean that different implementations will have different key agilities, but if you look historically, RC2 makes a great example of where the attacker has substantially more key agility than the legitimate user, so it is not without precedent.

Joe
Re: Is AES better than RC4
JA,

Please note that my email was way different in scope. My opening sentence, where I basically said that it does not make much sense to compare RC4 with AES, was cut in your quote -- but here it is:

"AES has more uses and use modes than RC4, in addition to the fact that it encrypts more than one byte at once. Having said that, it is curious to note the following misconceptions:"

BTW, discarding the first 100's of bytes in RC4 is easy, fast, and has nothing to do with lack of "key agility". And, if you do it, you don't even have to hash the key (ie, you must EITHER hash the key OR discard the first bytes).

Cheers,
Ed Gerck

Joseph Ashwood wrote:
> ----- Original Message -----
> From: "Ed Gerck" <[EMAIL PROTECTED]>
> Subject: [!! SPAM] Re: Is AES better than RC4
> ...
Re: Re: Is AES better than RC4
----- Original Message -----
From: "Ed Gerck" <[EMAIL PROTECTED]>
Subject: [!! SPAM] Re: Is AES better than RC4

> Joseph Ashwood wrote:
> SOP: discard first 100's of bytes

This is part of the lack of key agility. Using it securely requires so much in the way of heroic efforts.

> SOP: hash the key

There is far more to using RC4 securely than simply hashing the key. Hashing the key only prevents recovering the original key (to the limits of the hash used); it does not provide for anything close to all the heroic efforts. If you look at the design of SSL/TLS, a very significant portion of the effort that has gone into the design of the frame/cell/whatever they call them is specifically to address issues like those seen in RC4.

>> [Slow rekeying speed makes RC4] unusable for any system that requires rekeying.
> Code RC4 in a way that makes it easy.

You simply cannot code around the fact that the RC4 key processing is dog slow, and that even after the original keying design there is the necessity to discard the first several bytes of data. So just in the keying you have to deviate substantially from the original design.

>> Its only redeeming factors are that the cipher itself is simple to write, and once keyed it is fast.
> simple to code/verify is good for security too.

This is a major point. A Vigenère cipher is easier to code; we don't recommend it. Just as with a Vigenère cipher, building a secure protocol (even for storage) with RC4 quickly becomes an arms race requiring heroic efforts on the design side along with huge amounts of compute cycles on the execution side to avoid a PFY with a laptop. The same amount of effort in design with AES leads to a simpler, more compact design of approximately the same speed. And exactly as Ed noted: "simple to ... verify is good for security too." The truth is that because AES is so much simpler to build a secure protocol around, the end result is actually easier to analyse.
Joe