RE: [303] If you're sick of crypto talk don't read this (fwd)
At 10:01 AM 4/17/02 -0400, Trei, Peter wrote:
>I'd argue that a nightmare scenario for the statists and snoops would be
>for commonly used applications to use crypto by default, ... This would
>make distinguishing interesting from uninteresting traffic much more
>difficult.

If that app is a cell-phone, the S&S will need new underwear.
Re: [303] If you're sick of crypto talk don't read this (fwd)
> at the time but perhaps others. One might imagine, in the
> paranoid spirit of good cryptologists, that the release was
> intended to divert attention away from X, for example, to
> encourage public trust in PK as with the Germans and
> Enigma.

This is probably the sanest method of estimating capabilities - by observing the behaviour. For example, look at the apparent collapse of crypto export controls; there were never any real working ones in the first place, yet resources were spent to maintain the illusion. Why?

> What though might be the Achilles heel of PK that is not
> protected by any key strength? That increase of key strength
> is meant to enhance false confidence about? And what if

There could be transforms which make key extraction trivial; I certainly don't know of any. For any cypher, there could be a specific (per cipher) plaintext that leaks the key in some convoluted way when enciphered.

The majority of Rijndael implementations run in 128-bit key mode with 128-bit block size ... is this really an advance over non-AES 128-bit ciphers with 64-bit block size?

Of course, this does not prove anything, but still, if there were reliable 20-year escrows, I'd bet some money on the transparency of modern ciphers.

= end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows:
Yahoo! Tax Center - online filing with TurboTax
http://taxes.yahoo.com/
Re: [303] If you're sick of crypto talk don't read this (fwd)
> What is peculiar about the rejoinders to Lucky's sensible proposal
> is the dismissal of it with elaborate affirmations of mathematical
> surety, as if there has not been voluminous warnings to never
> rely on mathematical surety when weaknesses are far more
> likely to be found in the faulty implementation of cryptosystems.

Still, insistence on the *current public knowledge* about algo security as a proof for anything is silly. I do not have a rational explanation for this. Crypto history demonstrates consistent short-sightedness of public and not so public experts. Granted, within the contemporary knowledge realm they were right. But when unpredictable advances predictably continue to happen, even the more dim ones should realise that the current knowledge is not a good metric; it's like trying to predict a book from an unborn writer.

It took the Germans 20 years to find out that the allies were decrypting Enigma traffic. Why anyone would think that the gap between public and private crypto expertise is anything less today is beyond me.

So do not easily dismiss the possibility that someone may not care about implementation vulnerabilities at all, as long as cyphertext is available.

= end (of original message)
Re: [303] If you're sick of crypto talk don't read this (fwd)
Morlock wrote:
>So do not easily dismiss possibility that someone may not care about
>implementation vulnerabilities at all, as long as cyphertext is available.

Agreed that there may well be ways to access cyphertext that do not attack its crypto-mathematical shield, which could indeed be practically invulnerable.

What gets pondered, surely, in the same way Ellis, Cocks, Diffie, Hellman and Name noodled the PK challenge, is what such an access would be through or around practically invulnerable algorithms. Not the electronic, DFA, and other now known attacks, but a mathematical breakthrough, say, following the unprecedented model of PK.

The release of the Ellis/Cocks paper on Non-Secret Encryption is intriguing. Why was it released, not for the reasons given at the time but perhaps others? One might imagine, in the paranoid spirit of good cryptologists, that the release was intended to divert attention away from X, for example, to encourage public trust in PK as with the Germans and Enigma.

What though might be the Achilles heel of PK that is not protected by any key strength? That increase of key strength is meant to enhance false confidence about? And what if the promotion of implementation vulnerabilities is part of the diversion? That the weakness is neither known mathematical nor implementation nor the other well-publicized attacks.

A mathematician given this problem would surely not accept failure as the outcome: mathematicians are nuts for the impossible, the unsolvable. Wondrous would be that PK is weak precisely where it is believed to be strongest but not in a way readily grasped by those who have faith in the strength, that ever Enigmatic vainglory sustained by the refusal to give up legacy assurance when challenged by novelty, or worse, seduced by A Beautiful Mind.
[303] If you're sick of crypto talk don't read this (fwd)
Just to add to the saga...

--
Yours,
J.A. Terranson
[EMAIL PROTECTED]

-- Forwarded message --
Date: Tue, 16 Apr 2002 09:47:02 -0700 (PDT)
From: Person <[EMAIL PROTECTED]>
Subject: [303] If you're sick of crypto talk don't read this

Quote from http://www.rsasecurity.com/rsalabs/technotes/bernstein.html:

'Finally, the recent concern [2] [3] [9] about the security of 1024-bit RSA keys is based in part on a misreading of Bernstein's paper. These references quote an estimate that for about $1 billion, a national agency could build a factoring machine based on Bernstein's design that could break a 1024-bit RSA key in a matter of "seconds to minutes". However, a factor of 10 billion or more was inadvertently left out of the running time in the preliminary analysis --- which means that the actual running time, assuming the machine could be built, would be measured in decades (see Note 1). Moreover, Bernstein himself is quoted [5] as saying "This is a theoretical advance. I have no idea and nobody else has any idea how practical it might be."'

Now granted, RSA has a vested interest in calming down the FUD on the perceived weakening of cryptosystems based on IFP (of which they are the most popular), but they raise a valid point.

The preliminary analysis that Bernstein described was hardware-implemented circuits to do odd/even transposition sorting and then to find smooth numbers (an integer with no prime factors). This would be done (in theory) via RAM sieving, parallel trial division, or parallel elliptic curve methods. It's unclear as to which method would be the most efficient in hardware. In fact, the methodology outlined in page eight of Bernstein's paper (http://cr.yp.to/papers/nfscircuit.ps) is extremely theoretical, to the point of casting doubt on whether it's even worth discussing the NFS itself without another five or six years of research on these preliminary operations.
Something I've said time and again, that RSA won't say, is this: if you are worried about the security of your RSA public key based on its seemingly obsolete size but you don't want to deal with the processor overhead of doubling your RSA keysize, just switch to an equivalent size Diffie-Hellman key. Easy as that.

[t]
Re: [303] If you're sick of crypto talk don't read this (fwd)
What is peculiar about the rejoinders to Lucky's sensible proposal is the dismissal of it with elaborate affirmations of mathematical surety, as if there have not been voluminous warnings to never rely on mathematical surety when weaknesses are far more likely to be found in the faulty implementation of cryptosystems.

It's as if comfort is to be found in a return to early faith in chanting unbreakable crypto mathematics to avoid the truth that math at any strength is not the solution to comsec; rather it is what you promote (and blow sunshine) when you don't have a solution to implementation weaknesses except to advance the virtues of sophisticated security monitoring systems.

This waving the flag of mathematical security, coupled with the need for long-term security monitoring, sure smells like national security religion, and lucrative it is so long as nobody can prove its shinola. Strong crypto systems of super-duper key length are likely crumbling regularly behind this scrim of mathematical pin-headedness.
Re: [303] If you're sick of crypto talk don't read this (fwd)
On Tue, 16 Apr 2002 [EMAIL PROTECTED] wrote:

>
> -- Forwarded message --
> Date: Tue, 16 Apr 2002 09:47:02 -0700 (PDT)
> From: Person <[EMAIL PROTECTED]>
> Subject: [303] If you're sick of crypto talk don't read this
>
>
> Quote from
> http://www.rsasecurity.com/rsalabs/technotes/bernstein.html:
> [...]
> The preliminary analysis that Bernstein described was hardware-implemented
> circuits to do odd/even transposition sorting and then to find smooth
> numbers (an integer with no prime factors). This would be done (in

I hope he meant no _large_ prime factors, 'cause otherwise it makes no sense at all!

Patience, persistence, truth,
Dr. mike
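The forwarded message describes Bernstein's preliminary operations as finding smooth numbers by RAM sieving or parallel trial division, and Dr. Mike's reply pins down what "smooth" has to mean: no *large* prime factors, i.e. every prime factor at or below some bound B. The following is an added Python illustration of both operations on a toy scale; it is not code from the thread, from RSA Labs or from Bernstein's paper, and the bound, the interval and the function names are my own choices.

```python
# Added example: B-smooth detection by trial division and by a simple RAM sieve.
# Not from the thread or from Bernstein's paper; bound, interval and names are
# assumptions chosen for illustration. "B-smooth" means every prime factor is
# <= B (an integer with NO prime factors at all would only describe 1).
from typing import Dict, List, Tuple


def primes_up_to(bound: int) -> List[int]:
    """Sieve of Eratosthenes: the factor base, every prime p <= bound."""
    if bound < 2:
        return []
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for p in range(2, int(bound ** 0.5) + 1):
        if flags[p]:
            # cross off p*p, p*p+p, ... (smaller multiples are already crossed off)
            flags[p * p::p] = b"\x00" * len(range(p * p, bound + 1, p))
    return [i for i, f in enumerate(flags) if f]


def trial_divide(n: int, factor_base: List[int]) -> Tuple[Dict[int, int], int]:
    """Sequential stand-in for parallel trial division.

    Divides every prime of the factor base out of n and returns the exponent
    map together with the undivided cofactor; n is smooth over the base iff
    the cofactor is 1.
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    exponents: Dict[int, int] = {}
    m = n
    for p in factor_base:
        while m % p == 0:
            exponents[p] = exponents.get(p, 0) + 1
            m //= p
        if m == 1:
            break  # fully factored over the base
    return exponents, m


def is_smooth(n: int, bound: int) -> bool:
    """True iff n is bound-smooth (all prime factors <= bound)."""
    _, cofactor = trial_divide(n, primes_up_to(bound))
    return cofactor == 1


def sieve_smooth(start: int, count: int, bound: int) -> List[int]:
    """RAM sieve over the interval [start, start + count).

    Instead of testing each candidate on its own, walk the multiples of each
    factor-base prime through the interval (as a sieve does) and divide that
    prime out of a residue array; candidates whose residue reaches 1 are
    bound-smooth. Production sieves accumulate log p instead of dividing, but
    the set of smooth positions they report is the same.
    """
    if start < 1 or count < 0:
        raise ValueError("interval must lie in the positive integers")
    residue = list(range(start, start + count))
    for p in primes_up_to(bound):
        first = (-start) % p  # offset of the first multiple of p in the interval
        for i in range(first, count, p):
            while residue[i] % p == 0:
                residue[i] //= p
    return [start + i for i, r in enumerate(residue) if r == 1]


if __name__ == "__main__":
    print("7-smooth numbers in [1, 50]:", sieve_smooth(1, 50, 7))
    print("2^10 * 11 is 7-smooth?", is_smooth(2 ** 10 * 11, 7))
```

The sieve only ever touches positions that are multiples of a factor-base prime, which is why it beats per-candidate trial division once the interval is large; the two functions agree on every interval, so `sieve_smooth(1, 50, 7)` returns exactly the integers for which `is_smooth(n, 7)` holds.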