Re: is 3des secure??
Petro wrote/napisa[a]/schrieb: On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote: 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between DES/3DES was designed to be implemented in hardware, doing a software-only implementation is going to be slow. Current DES implementations aren't so slow, they reach millions of encryptions per sencond on current hardware. Alex -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
On Tue, Nov 27, 2001 at 12:44:23PM +0100, Janusz A. Urbanowicz wrote: Petro wrote/napisa?[a]/schrieb: On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote: 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between DES/3DES was designed to be implemented in hardware, doing a software-only implementation is going to be slow. Current DES implementations aren't so slow, they reach millions of encryptions per sencond on current hardware. It's relative. Encrypt x amount of data with 3des, do the same with blowfish or one of the other AES canidates, using a comparable keylength. Which is faster? -- Share and Enjoy. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
Petro wrote/napisaĆ[a]/schrieb: On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote: 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between DES/3DES was designed to be implemented in hardware, doing a software-only implementation is going to be slow. Current DES implementations aren't so slow, they reach millions of encryptions per sencond on current hardware. Alex
Re: is 3des secure??
On Tue, Nov 27, 2001 at 12:44:23PM +0100, Janusz A. Urbanowicz wrote: Petro wrote/napisa?[a]/schrieb: On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote: 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between DES/3DES was designed to be implemented in hardware, doing a software-only implementation is going to be slow. Current DES implementations aren't so slow, they reach millions of encryptions per sencond on current hardware. It's relative. Encrypt x amount of data with 3des, do the same with blowfish or one of the other AES canidates, using a comparable keylength. Which is faster? -- Share and Enjoy.
Re: is 3des secure??
On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote: 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between DES/3DES was designed to be implemented in hardware, doing a software-only implementation is going to be slow. 3DES and blowfish. Personally I prefer blowfish, as it has performance, is 'secure-enough' to my (less-than-expert) eye, and frankly I doubt anybody capable of defeating it is interested in what I have to say. Yup. -- Share and Enjoy. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
On Sun, Nov 25, 2001 at 11:29:22PM -0600, Warren Turkal wrote: On Saturday 24 November 2001 03:28 am, Johannes Weiss wrote: So, because of this my question is: Is 3des secure enough?? The putty website (search for it on google) has something to say about the security of des algorithm, which AFAIK it doesn't support. It is important to distinguish between DES and 3DES. DES, which cryptographically secure (i.e. there is no known flaw in the algorithm) uses too short a key to be considered secure. 3DES is a great deal more secure. I was not able to find references to the PuTTY author's opinion on the security of DES or 3DES on his web site, but I do know that PuTTY does support 3DES, if not DES. Also, it is worth noting that if you use the standard unix crypt(3) passwords, then you are using a variant of DES which has the addition of the 16 bit salt. noah -- ___ | A subversive is anyone who can out-argue their government | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html pgpewfLeztLna.pgp Description: PGP signature
Re: is 3des secure??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Monday 26 November 2001 12:08 am, Noah L. Meyerhans wrote: I was not able to find references to the PuTTY author's opinion on the security of DES or 3DES on his web site, but I do know that PuTTY does support 3DES, if not DES. I was thinking DSA, which putty does now also support. Sorry. - -- Warren GPG Fingerprint: 30C8 BDF1 B133 14CB 832F 2C5D 99A1 A19F 559D 9E88 GPG Public Key @ http://www.cbu.edu/~wturkal/wturkal.gpg - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL+ P+ L+++ E W++ N+ o-- K- w--- O M+ V-- PS+ PE Y+ PGP++ t 5 X R tv+ b+ DI+ D+ G e h-- r y? - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8Ad+3maGhn1WdnogRAiQTAJ0fCdUtQRqUqWY+Jd+WVgA0524YEACdGJvA IJipWx26Bia/SHz2kN8Z5Jk= =jN8I -END PGP SIGNATURE-
Re: is 3des secure??
On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote: 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between DES/3DES was designed to be implemented in hardware, doing a software-only implementation is going to be slow. 3DES and blowfish. Personally I prefer blowfish, as it has performance, is 'secure-enough' to my (less-than-expert) eye, and frankly I doubt anybody capable of defeating it is interested in what I have to say. Yup. -- Share and Enjoy.
RE: is 3des secure??
While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time. However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radion emissions from accross the street. Paranoid? Yes. That's what security is all about. Curt- -Original Message- From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]] Sent: Saturday, November 24, 2001 21:43 To: Johannes Weiss Cc: [EMAIL PROTECTED] Subject: Re: is 3des secure?? On Sat, Nov 24, 2001 at 10:28:56AM +0100, Johannes Weiss wrote: -BEGIN PGP SIGNED MESSAGE- UNfortunately, WIN-SSH is very buggy, it only works if I take the 3des algorithm, if I take one of the others (blowfish,...) it crashed. What is unfortunate about that? From my experience, 3DES is used more commonly than any other crypto algorithm for things like SSH and IPSEC. I know that some people feel that Blowfish, Twofish, and friends are too new to be thoroughly tested. DES (and thus 3DES) has withstood 30 years of cryptanalysis. The only weakness found in DES, a weakness known from the very beginning, is that the short keylength makes it vulnerable to a brute force attack, which is why 3DES was creates. 3DES is basically DES cubed, and effectively uses a 168 bit key, which is quite secure by modern standards. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. No, DES (and thus 3DES) was created by IBM, with collaboration by the government. The biggest govt. influence was in the short 56 bit key length. In 3DES, this is not an issue. Personally I'd trust 3DES more than the DSA signature algorith used in GPG. DSA *was* created by the government. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html msg04374/pgp0.pgp Description: PGP signature
Re: is 3des secure??
On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. It wasn't allowed to be used, the government promulgated DES as a standard for banks and other high security industries because it was the best they could find at the time to do the job. It has withstood a great deal of cryptoanalysis over the last couple decades, and has held up fairly well. It's only real weakness has been it's key-length. While there may be some people in the government who would be happy to promulgate a broken standard to make their data-collection easier, wiser heads realize that if it's broken for our side (note quotes) it's broken for the other side as well. 3DES effectively triples the key-length for DES, and for SSH sessions, it's quite good enough. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time. 3DES is more than strong enough for *today*, it's just that in the near future it won't be. However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radion emissions from accross the street. No, they've tapped your machine, and theres a minature camera looking over your shoulder from the air-vent in the room. -- Share and Enjoy. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
Noah L Meyerhans writes: On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. No, DES (and thus 3DES) was created by IBM, with collaboration by the government. The biggest govt. influence was in the short 56 bit key length. In 3DES, this is not an issue. Actually, probably the biggest influence from the government was from the NSA. IBM handed them the algorithm to review, and the NSA handed it back to them with the S-boxes subtly altered, no explanation. IBM accepted the changes, and they became part of the standard. Years later, after differential cryptanalysis was discovered, it was found that the changes made foiled differential cryptanalysis. 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between 3DES and blowfish. Personally I prefer blowfish, as it has performance, is 'secure-enough' to my (less-than-expert) eye, and frankly I doubt anybody capable of defeating it is interested in what I have to say. Steve -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Saturday 24 November 2001 03:28 am, Johannes Weiss wrote: So, because of this my question is: Is 3des secure enough?? The putty website (search for it on google) has something to say about the security of des algorithm, which AFAIK it doesn't support. - -- Warren GPG Fingerprint: 30C8 BDF1 B133 14CB 832F 2C5D 99A1 A19F 559D 9E88 GPG Public Key @ http://www.cbu.edu/~wturkal/wturkal.gpg - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL+ P+ L+++ E W++ N+ o-- K- w--- O M+ V-- PS+ PE Y+ PGP++ t 5 X R tv+ b+ DI+ D+ G e h-- r y? - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8AdM2maGhn1WdnogRAkalAJ9sR44dLiSXzqX6VYO/TDSbTkwm1ACghPP4 tcXQxrLhfmN9s7VA2LMT6eo= =RzJt -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
On Sun, Nov 25, 2001 at 11:29:22PM -0600, Warren Turkal wrote: On Saturday 24 November 2001 03:28 am, Johannes Weiss wrote: So, because of this my question is: Is 3des secure enough?? The putty website (search for it on google) has something to say about the security of des algorithm, which AFAIK it doesn't support. It is important to distinguish between DES and 3DES. DES, which cryptographically secure (i.e. there is no known flaw in the algorithm) uses too short a key to be considered secure. 3DES is a great deal more secure. I was not able to find references to the PuTTY author's opinion on the security of DES or 3DES on his web site, but I do know that PuTTY does support 3DES, if not DES. Also, it is worth noting that if you use the standard unix crypt(3) passwords, then you are using a variant of DES which has the addition of the 16 bit salt. noah -- ___ | A subversive is anyone who can out-argue their government | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html msg04379/pgp0.pgp Description: PGP signature
Re: is 3des secure??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Monday 26 November 2001 12:08 am, Noah L. Meyerhans wrote: I was not able to find references to the PuTTY author's opinion on the security of DES or 3DES on his web site, but I do know that PuTTY does support 3DES, if not DES. I was thinking DSA, which putty does now also support. Sorry. - -- Warren GPG Fingerprint: 30C8 BDF1 B133 14CB 832F 2C5D 99A1 A19F 559D 9E88 GPG Public Key @ http://www.cbu.edu/~wturkal/wturkal.gpg - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL+ P+ L+++ E W++ N+ o-- K- w--- O M+ V-- PS+ PE Y+ PGP++ t 5 X R tv+ b+ DI+ D+ G e h-- r y? - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8Ad+3maGhn1WdnogRAiQTAJ0fCdUtQRqUqWY+Jd+WVgA0524YEACdGJvA IJipWx26Bia/SHz2kN8Z5Jk= =jN8I -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: is 3des secure??
While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time. However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radion emissions from accross the street. Paranoid? Yes. That's what security is all about. Curt- -Original Message- From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED] Sent: Saturday, November 24, 2001 21:43 To: Johannes Weiss Cc: debian-security@lists.debian.org Subject: Re: is 3des secure?? On Sat, Nov 24, 2001 at 10:28:56AM +0100, Johannes Weiss wrote: -BEGIN PGP SIGNED MESSAGE- UNfortunately, WIN-SSH is very buggy, it only works if I take the 3des algorithm, if I take one of the others (blowfish,...) it crashed. What is unfortunate about that? From my experience, 3DES is used more commonly than any other crypto algorithm for things like SSH and IPSEC. I know that some people feel that Blowfish, Twofish, and friends are too new to be thoroughly tested. DES (and thus 3DES) has withstood 30 years of cryptanalysis. The only weakness found in DES, a weakness known from the very beginning, is that the short keylength makes it vulnerable to a brute force attack, which is why 3DES was creates. 3DES is basically DES cubed, and effectively uses a 168 bit key, which is quite secure by modern standards. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: is 3des secure??
On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. No, DES (and thus 3DES) was created by IBM, with collaboration by the government. The biggest govt. influence was in the short 56 bit key length. In 3DES, this is not an issue. Personally I'd trust 3DES more than the DSA signature algorith used in GPG. DSA *was* created by the government. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html pgpWDbL6RoqHU.pgp Description: PGP signature
Re: is 3des secure??
On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. It wasn't allowed to be used, the government promulgated DES as a standard for banks and other high security industries because it was the best they could find at the time to do the job. It has withstood a great deal of cryptoanalysis over the last couple decades, and has held up fairly well. It's only real weakness has been it's key-length. While there may be some people in the government who would be happy to promulgate a broken standard to make their data-collection easier, wiser heads realize that if it's broken for our side (note quotes) it's broken for the other side as well. 3DES effectively triples the key-length for DES, and for SSH sessions, it's quite good enough. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time. 3DES is more than strong enough for *today*, it's just that in the near future it won't be. However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radion emissions from accross the street. No, they've tapped your machine, and theres a minature camera looking over your shoulder from the air-vent in the room. -- Share and Enjoy.
Re: is 3des secure??
Noah L Meyerhans writes: On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. No, DES (and thus 3DES) was created by IBM, with collaboration by the government. The biggest govt. influence was in the short 56 bit key length. In 3DES, this is not an issue. Actually, probably the biggest influence from the government was from the NSA. IBM handed them the algorithm to review, and the NSA handed it back to them with the S-boxes subtly altered, no explanation. IBM accepted the changes, and they became part of the standard. Years later, after differential cryptanalysis was discovered, it was found that the changes made foiled differential cryptanalysis. 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between 3DES and blowfish. Personally I prefer blowfish, as it has performance, is 'secure-enough' to my (less-than-expert) eye, and frankly I doubt anybody capable of defeating it is interested in what I have to say. Steve
Re: is 3des secure??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Saturday 24 November 2001 03:28 am, Johannes Weiss wrote: So, because of this my question is: Is 3des secure enough?? The putty website (search for it on google) has something to say about the security of des algorithm, which AFAIK it doesn't support. - -- Warren GPG Fingerprint: 30C8 BDF1 B133 14CB 832F 2C5D 99A1 A19F 559D 9E88 GPG Public Key @ http://www.cbu.edu/~wturkal/wturkal.gpg - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL+ P+ L+++ E W++ N+ o-- K- w--- O M+ V-- PS+ PE Y+ PGP++ t 5 X R tv+ b+ DI+ D+ G e h-- r y? - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8AdM2maGhn1WdnogRAkalAJ9sR44dLiSXzqX6VYO/TDSbTkwm1ACghPP4 tcXQxrLhfmN9s7VA2LMT6eo= =RzJt -END PGP SIGNATURE-
Re: is 3des secure??
Johannes Weiss wrote on Nov 24, 2001 at 10:28:56 AM: Hi, I MUST :(( tunnel an HTTP stream from a winshit-my linux server and on win I must use SSH-WIN that it works. UNfortunately, WIN-SSH is very buggy, it only works if I take the 3des algorithm, if I take one of the others (blowfish,...) it crashed. So, because of this my question is: Is 3des secure enough?? It's not an answer to your 3DES question, but I would suggest you check out: Putty - http://www.chiark.greenend.org.uk/~sgtatham/putty/ Full-featured Win32 SSH suite, the development version supports tunneling and all common ciphers Stunnel - http://www.stunnel.org Universal SSL Wrapper, windows binaries are availible for download -- .- David Hardne [EMAIL PROTECTED] `-- pgp key D5268D91 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
Johannes Weiss wrote on Nov 24, 2001 at 10:28:56 AM: Hi, I MUST :(( tunnel an HTTP stream from a winshit-my linux server and on win I must use SSH-WIN that it works. UNfortunately, WIN-SSH is very buggy, it only works if I take the 3des algorithm, if I take one of the others (blowfish,...) it crashed. So, because of this my question is: Is 3des secure enough?? It's not an answer to your 3DES question, but I would suggest you check out: Putty - http://www.chiark.greenend.org.uk/~sgtatham/putty/ Full-featured Win32 SSH suite, the development version supports tunneling and all common ciphers Stunnel - http://www.stunnel.org Universal SSL Wrapper, windows binaries are availible for download -- .- David Hardne [EMAIL PROTECTED] `-- pgp key D5268D91
Re: is 3des secure??
On Sat, Nov 24, 2001 at 10:28:56AM +0100, Johannes Weiss wrote: -BEGIN PGP SIGNED MESSAGE- UNfortunately, WIN-SSH is very buggy, it only works if I take the 3des algorithm, if I take one of the others (blowfish,...) it crashed. What is unfortunate about that? From my experience, 3DES is used more commonly than any other crypto algorithm for things like SSH and IPSEC. I know that some people feel that Blowfish, Twofish, and friends are too new to be thoroughly tested. DES (and thus 3DES) has withstood 30 years of cryptanalysis. The only weakness found in DES, a weakness known from the very beginning, is that the short keylength makes it vulnerable to a brute force attack, which is why 3DES was creates. 3DES is basically DES cubed, and effectively uses a 168 bit key, which is quite secure by modern standards. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html pgpMqTIfd4aD1.pgp Description: PGP signature