Domain: counterpane.com
Stories and comments across the archive that link to counterpane.com.
Comments · 629
-
Re:Asymmetric vs. Symmetric & I'm not worried...
Preface: If I err in any way, someone please step forward and correct where I'm wrong.
---------------
The key lengths of symmetric and asymmetric encryption are not directly comparable.
RSA public keys are extremely long, because of two things. Number one, they only make use of the prime numbers available within the limits of the key. They also need to be longer and use more complex math functions because they are available for anyone to see. The basis of the idea of the public key is that someone can use that key only to encrypt data for the intended recipient. You cannot, in theory, take a public key and use that to determine the corresponding private key. What Shamir has shown is that it is feasible to do this, with a 512 bit key.
Symmetric keys are shorter and much faster, because they are kept secret and they make use of the entire spectrum of numbers available, rather than just the primes. However, by gaining access to a symmetric key, not only can you encrypt data, but also decrypt it.
In order to initiate a secure session with a web server, I believe the sequence goes: the server generates an RSA public key and passes that to the browser. The browser then generates a 40 (for exportable browsers) or 128 bit symmetric session key, encrypts that with the public key, and sends that back to the webserver. The webserver and webbrowser from that point forward use the smaller and faster symmetric key. So long as the symmetric session key is passed using an RSA key larger than 512 bits (supposing for this instance that 512 bits is crackable but 513 and more bits is not),
In trying to keep this on the shorter side, I'll point you towards Bruce Schneier's Counterpane website, which provides a huge amount of resources and links to other sites.
Basically, among other things, I believe you'll find information that says 128-bit crypto:
1. Has more keys than atoms in the universe.
2. Would take longer than the universe has been in existence to brute force a 128 bit key using all available computers. -
Re:To be fair to Microsoft
I think what you meant to say was "Microsoft themselves put W2K server out there for public display, knowing crackers wouldn't expose any new flaws." This way, they get to say W2K is secure because, gosh darn, it survived an onslaught from the worst of the worst of the baddies from the internet. However, nothing could be farther from the truth. These types of contests don't mean a damn thing. For a good exposé on why, read The Fallacy of Cracking Contests.
-
info: security distributions & resources
See the Linux Weekly News' Security page for information on Linux security projects which are already under way:
Secure Linux Projects
- Bastille Linux
- Khaos Linux
- Secure Linux
Security List Archives
- Bugtraq Archive
- Firewall Wizards Archive
- ISN Archive
Distribution-specific links
- Caldera Advisories
- Debian Alerts
- Red Hat Errata
- SuSE Announcements
Miscellaneous Resources
- CERT
- CIAC
- Comp Sec News Daily
- Crypto-GRAM
- Linux Security Audit Project
- OpenSEC
- Security Focus
- SecurityPortal -
Nonsense.
Exactly how is this "challenge" intriguing? Cracking contests are a dime-a-dozen these days, which is interesting because they demonstrate almost nothing about security. (See this essay to understand why.) If you believe that the nature of the open-source community is to fall for tricks like that then you have drastically underestimated this community. Most of the audience here doesn't get paid to find and report security holes in Linux or NT. However, if you find a security hole in Linux the result of your work will be made available to you and everyone in the Linux community at no charge through the efforts of volunteers like Torvalds and Cox. If you make the same effort for NT on the other hand, Gates is sure to offer you the opportunity to pay for the improvement whenever Win2K manages to surface without seeing its own shadow.
I'm not sure what you mean when you say, "The open-source community has been calling for Microsoft to do something like this for a long time now." As far as I can tell, no one has asked for Microsoft to offer us an opportunity to allow us to support their development and marketing efforts without compensation. Sorry, but now that the opportunity is here, I'm still not impressed. It probably would be easy to knock down the Win2K test server (I can't seem to get through to it so perhaps someone already did), and yours as well -- but I don't much care. I use Linux because it is the most stable and effective operating system that meets my computing needs, not as a protest against some other system. I choose to direct my attention to constructive activities -- attacking a system that isn't even in production without source code or specifications doesn't qualify.
-
The Fallacy of Cracking Contests
An article in Bruce Schneier's excellent "Crypto-Gram" monthly newsletter. Now this will probably make next month's newsletter too.
:-) -
Re:The danger is that something like this succeeds
According to the Wired article on Confinity, the money involved in the transfers will pass through an escrow account managed by Merrill Lynch. So I have to trust that Confinity and Merrill Lynch will not use their position to invade my privacy or cheat me.
If you offered me software that implemented true crypto-cash, I wouldn't have to trust an intermediary bank -- but I would have to trust that the software implemented a secure crypto-cash protocol in a correct way. Even if I had the source code in front of me, I couldn't verify that myself, so I'd have to trust some experts in the field to verify the program's reliability for me.
Furthermore, the average palmtop owners don't have a clue about who to trust on crypto issues, but they do trust the name "Merrill Lynch". So a pseudo-ecash system backed by Merrill Lynch is likely to go farther in the marketplace than a true ecash system backed by, say, Bruce Schneier.
Remember, worse is better.
-
OpenBSD
OpenBSD rules, mainly because it's the first UNIX flavor to detach itself from DES, which is a sucky cipher system.
Blowfish all the way, baby!!! -
Biometrics are not secrets.
Bruce Schneier, author of Applied Cryptography, had some interesting things to say about biometrics.
http://www.counterpane.com/crypto-gram-9808.html#biometrics -
Re:cDc justified
Groups like cDc are doing us a valuable service, for the following reasons:
- For many computer-related commercial products (e.g., operating systems, cellular phones, Web server programs), if you can give the impression that your product is more secure than your competitor's product, then (all other factors being equal) you will sell more.
- The people who buy these products, and the people who review them for industry magazines, can't distinguish a product with bad security from a product with good security. Even a computer-security professional may not be able to find security weaknesses right away; there may be one subtle bug that can leave your system wide open to an intruder, but finding the bug might take weeks or months of full-time work, especially if the people evaluating the product don't have access to the source code.
- It's a lot easier to boast about your product's security than it is to actually implement a secure product. This is especially true when your product has selling points other than security: a hundred programmer-hours spent improving the user interface will probably do more for your sales than a hundred programmer-hours spent looking for security holes.
Public revelations of security flaws are the best way to push these companies into action, since it takes away their incentive to procrastinate.
Recommended reading: "Why Cryptography Is Harder Than It Looks", by Bruce Schneier, and "Trends in 'Press Release' Security Advisories", by someone at l0pht.
-
Re:Yeah, but it's DES..
Actually, Blowfish is not the best cipher for a small, embedded system. The main disadvantage to Blowfish is its 4k RAM requirement.
If you want a small-memory cipher that uses a Feistel network, Twofish is an excellent choice. If you want something even thinner than Twofish, and do not need to use a Feistel network, Rijndael (pronounce it "Rain Doll") or Crypton are excellent choices.
- Sam
-
Bruce Schneier at the Minneapolis signing
I don't know if he made it to any of the other sites, but when Stephenson did a signing last month in Minneapolis (the one at Barnes & Noble, not the one at Uncle Hugo's), Bruce Schneier was there as well. He didn't end up getting to do much during the presentation (he said he was mainly there to answer any highly technical questions), but I got to chat with him a bit afterwards and he was pretty cool. He was signing his appendix to Cryptonomicon if people wanted; he also indulged my nerdy request to sign my notebook, as there was much more important stuff in there (namely the blowfish algorithm in BestCrypt, the finest completely transparent, container-based encryption (for Windoze, sorry) I've been able to find.) I was wondering if Schneier made it to any of the other signings or if those of us in the Twin Cities were just lucky since this was his home turf.
-
Ultimate nerd book!
That's what Cryptonomicon is: the ultimate nerd book. As you can guess from my choice of username, I am quite fond of this thing. :)
What worked for me was not just the techno-nerdism like the whole Van Eck phreaking episode, but also the math-nerdism. I'm surprised no one mentioned the mathematical model of Lawrence Waterhouse's libido. I've never laughed so hard over mathematical equations before.
Does this book mean Stephenson has stepped away from sci-fi? I doubt it. He said the sequels to Cryptonomicon would take place in multiple timelines. I'm already guessing we'll see a medieval thriller at some point (and see how the Cryptonomicon was written.) I'm also suspecting we'll see just where the events in Cryptonomicon will take humanity next.
Side-note: anyone read An Instance of the Fingerpost? In one of Life's weird sequiturs, I read Cryptonomicon immediately following An Instance.... One character is a cryptographer under Cromwell, in 1660. I could almost picture him as the author of the Cryptonomicon...
Also: I'm grateful this review was filed under "Cryptography" here on Slashdot. I hope Cryptonomicon gets many techno enthusiasts to pick up Schneier's Applied Cryptography.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
-
Microsoft has a BAD rep on crypto
The PPTP implementation is vulnerable to several well known cryptographic attacks. MS's record on good crypto is as good as their record on fixing security exploits.
Check out Counterpane's report here. Counterpane is the company owned by the same guy who wrote Applied Cryptography and the Solitaire system used in Cryptonomicon.
If you need a VPN, use FreeS/WAN. -
Crypto references & bibliography
In response to various musings on this page about key lengths, etc., a good reference is the paper "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" by M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Wiener. Note that the claim "Moore's Law will catch up with encryption" is decidedly false: Both Moore's Law and decryption effort are exponential growth problems (Moore having a smaller growth factor), while encryption effort is polynomial or less (N log N, generally). So encryption can get 'way ahead of even decryption aided by Moore's Law.
Another interesting paper is "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption," by H. Abelson, R. Anderson, S. Bellovin, J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, P. Neumann, R. Rivest, J. Schiller, and B. Schneier.
An interesting bibliography is on Bruce Schneier's Counterpane site.
-
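Working the key-length argument above through in numbers, as an added example that is not from the thread or from the Blaze et al. paper: the cost of a brute-force key search at a fixed key-testing rate, the same cost against an attacker whose rate doubles every 18 months, and the inverse question of how many key bits hold such an attacker off for a given number of years. The search rates, the 18-month doubling period and the age-of-universe figure are assumed round numbers.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400
AGE_OF_UNIVERSE_YEARS = 1.38e10      # widely quoted estimate; an assumption here


def expected_trials(bits):
    # A brute-force search tests half the keyspace on average.
    return 2 ** (bits - 1)


def brute_force_years(bits, keys_per_second):
    # Attacker with a fixed search rate: time doubles with every key bit.
    return expected_trials(bits) / keys_per_second / SECONDS_PER_YEAR


def brute_force_years_moore(bits, keys_per_second, doubling_years=1.5):
    # Attacker whose rate doubles every `doubling_years` (assumed 18 months):
    # r(t) = r0 * 2^(t/T), so the work done by time t is
    # W(t) = r0 * T / ln2 * (2^(t/T) - 1). Solving W(t) = 2^(bits-1) gives
    # t = T * log2(1 + W * ln2 / (r0 * T)). Once W dominates the 1, each
    # extra key bit costs the attacker one more doubling period, so the
    # attacker's time grows linearly in bits while the defender's per-bit
    # cost is negligible: exactly why encryption stays ahead of Moore's Law.
    r0 = keys_per_second * SECONDS_PER_YEAR
    w = expected_trials(bits)
    return doubling_years * math.log2(1 + w * math.log(2) / (r0 * doubling_years))


def bits_for_years(years, keys_per_second, doubling_years=1.5):
    # Inverse of the above: the key length that holds a Moore's-Law attacker
    # off for `years`, the question the Blaze et al. paper asks.
    r0 = keys_per_second * SECONDS_PER_YEAR
    w = (2 ** (years / doubling_years) - 1) * r0 * doubling_years / math.log(2)
    return 1 + math.log2(w)


if __name__ == "__main__":
    rate = 1e9   # assumed: one billion keys per second for the attacker today
    for bits in (40, 56, 64, 128):
        print(f"{bits} bits: {brute_force_years(bits, rate):.3g} years at a fixed rate, "
              f"{brute_force_years_moore(bits, rate):.3g} years if the rate keeps doubling")
    print("bits needed for a 20-year margin:", round(bits_for_years(20, rate)))
```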
Why cracking contests prove little
Cracking contests prove little. For a start they are usually rigged heavily in favour of the vendor, probably use closed systems and they generally target the wrong threat group.
The last point bears expanding: When you offer $10k to "crack a webserver" you are attracting amateurs. The people who you should be really worried about have a vested interest in your continuing belief that a system is secure; this belief can be worth far more than a one-off payment of $10k.
An excellent treatment of this topic can be found in Uber-cryptographer Bruce Schneier's excellent Cryptogram newsletter. -
Re:The Crypto in Cryptonomicon
Further, if you snarf Sol.pl, adding the following line enables decryption.
...source snippet...
## of doing addition for encryption, and subtraction for decryption).
add-->> $d = shift if $ARGV[0] =~ /\-d/; ## end add
$f = $d ? -1 : 1;
-
The Crypto in Cryptonomicon
Quite by accident, I happened across this link to a site from Bruce Schneier, the cryptographer who dreamed up the crypto system used in the book. It is a fairly detailed description of how to implement the Solitaire system. It is detailed, but it is a rather simple and elegant system, and the details are relatively few. I would like to know just how tongue-in-cheek (or not) the multiple references to the 'secret police' are.
-
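The Solitaire system the two posts above refer to, as an added example that is not the Sol.pl script from the thread: the keystream generator (joker moves, triple cut, count cut, output card), deck keying from a passphrase, and encryption/decryption with the same +1/-1 sign factor the Sol.pl change adds. It assumes Schneier's published conventions: cards 1 to 52, 53 = joker A, 54 = joker B, both jokers valued 53.

```python
# Solitaire, the deck-of-cards cipher from Cryptonomicon as published by
# Bruce Schneier. Deck: list of ints 1-52, with 53 = joker A, 54 = joker B.
JOKER_A, JOKER_B = 53, 54

def card_value(card):
    # Both jokers count as 53 for the count cut and the output step.
    return 53 if card in (JOKER_A, JOKER_B) else card

def move_joker(deck, joker, steps):
    # Move a joker `steps` places down; the deck is treated as circular, so
    # a joker pushed past the bottom re-enters just below the top card.
    deck = list(deck)
    i = deck.index(joker)
    del deck[i]
    j = i + steps
    if j > len(deck):
        j -= len(deck)
    deck.insert(j, joker)
    return deck

def triple_cut(deck):
    # Swap the cards above the first joker with the cards below the second.
    a, b = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    return deck[b + 1:] + deck[a:b + 1] + deck[:a]

def count_cut(deck, n):
    # Move the top n cards to just above the bottom card, which stays put.
    return deck[n:-1] + deck[:n] + deck[-1:]

def shuffle_step(deck):
    deck = move_joker(deck, JOKER_A, 1)
    deck = move_joker(deck, JOKER_B, 2)
    deck = triple_cut(deck)
    return count_cut(deck, card_value(deck[-1]))

def key_deck(passphrase):
    # Start from the ordered deck and, per key letter, run a shuffle step
    # followed by an extra count cut by that letter's number (A=1 .. Z=26).
    deck = list(range(1, 55))
    for ch in passphrase.upper():
        if ch.isalpha():
            deck = count_cut(shuffle_step(deck), ord(ch) - 64)
    return deck

def keystream(deck, n):
    out = []
    while len(out) < n:
        deck = shuffle_step(deck)
        card = deck[card_value(deck[0])]
        if card not in (JOKER_A, JOKER_B):   # a joker produces no output
            out.append(card)
    return out

def solitaire(text, passphrase, direction=1):
    # direction=+1 adds the keystream (encrypt), -1 subtracts it (decrypt).
    letters = [c for c in text.upper() if c.isalpha()]
    while len(letters) % 5:               # pad to groups of five with X
        letters.append("X")
    ks = keystream(key_deck(passphrase), len(letters))
    return "".join(chr((ord(c) - 65 + direction * k) % 26 + 65)
                   for c, k in zip(letters, ks))
```

With the unkeyed deck the first ten keystream cards are 4 49 10 24 8 51 44 6 4 33, the test vector Schneier publishes, so ten A's encrypt to EXKYIZSGEH.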
Re:The name is awfully similar
Take a look at the Cryptonomicon FAQ - he mentions that it's essentially just a case of parallel thinking. There's also an interesting link to a page describing Solitaire on the Counterpane Systems site. -Samrobb
-
Distributed.net's day is passing...
The whole point of the 64 bit encryption is that 64 bit is used for all the military and government encryption,
I don't think you can support this statement. Skipjack is 128 bits. Triple-DES is 112, and easier to implement. I seriously doubt that you have access to classified information to show otherwise.
when we crack the 64 bit encryption
In 5 years? wooo.
it is going to get all the governments and companies in the world extremely worried.
Not likely. As I said, I don't think you'll find many governments using 64 bit encryption. The governments would do better to be worried about the NSA inserting backdoors in the encryption they do have (take a look here).
Like I said, any political statement distributed.net could make has been made. Time to move on.
...phil -
Crypto links
Just thought I'd mention these:
- www.counterpane.com , Bruce Schneier's company, which hosts a lot of info on e.g. blowfish and the newer twofish cipher. (Twofish is an AES candidate)
- NIST is working towards the Advanced Encryption Standard (AES), which is to take over DES' role as the US-government recommended shared key block cipher.
- www.gnupg.org , the GNU Privacy Guard, a free alternative to PGP. (Currently rapidly approaching version 1.0)
- Lsh (http://www.lysator.liu.se/~nisse/lsh/) is a GPL-ed implementation of the SSH2 protocols.
-
a similar system has been proposed...
Kelsey and Schneier proposed an escrow system for electronic cash in "The Street Performer Protocol." As the title implies, this was written to deal with artistic works, but it wouldn't be hard to adapt it for open-source financing.
-
Asymmetric NOT symmetric
This is not twofish or loki or any of the other AES candidates because it isn't a symmetric block cipher. It's asymmetric. Incidentally, Sarah is well aware of the issues in the general area. Everyone knows that an algorithm needs peer review etc, even if it doesn't have any other disadvantages etc.
I refer everyone (as usual) to Bruce Schneier's excellent Crypto-gram, in the October edition/episode of which he talks about the number of new algorithms proposed each day (this generation's Fermat's Last Theorem?)
Enjoy,
Keith
--
Keith Brady,
Baltimore Technologies,
IFSC House, Custom House Quay,
Dublin 1, Ireland -
What about Twofish?
Ok, what am I missing? This new encryption/decryption system devised by this 16 year old is unique how? That it uses matrices to encrypt and decrypt? Twofish, Shark, Square, and Manta are encryption/decryption algorithms that use matrices. Twofish was first brought to my attention through slashdot, Dec 22, 1998; to recap that article, the "TwoFish encryption algorithm, a possible DES-replacement." The algorithm is already being subjected to hacker assaults, and is holding up very well. And the algorithm is fast. I was impressed with what I read about Twofish, and I'm not holding my breath about what this 16 year old has created. Not being able to examine her source, it is difficult to see how her algorithm would be any better.
Time flies like an arrow; -
Reporters are Idiots!
This is another example of reporters being in completely over their heads when discussing anything more complicated than the drivel written on their Tele-Prompter.
It looks like this girl has come up with a potential new encryption method. This happens all the time, although usually by people a lot older than her. The next step in the process is peer review. She needs to write it up and submit it for examination by people like those at Counterpane who know how to tear apart a new algorithm.
Brian
nexus@tatoosh.com -
Darn!
I would like to congratulate Eric Young and Tim Hudson, they have done a great job with maintaining SSLeay. If they accepted a job with RSA then I have to believe that RSA's offer was the best opportunity for them. I would also like to congratulate RSA, while having funded "research" in the form of challenges to prove politically what the crypto community already knows (the ITAR rules SUCK and kill opportunities for US business), they still haven't been able to play the political game well enough to get the export restriction removed. I believe that RSA now has the international skills needed to produce an international version of BSAFE and bypass ITAR completely.
Now that the congratulations are over, I would like to say "DARN!" RSA has not exactly been overly kind to the OpenSource community inside the US. C2Net Software has been extremely kind to ensure funding of the SSLeay development. Even in the face of SSLeay based Apache mod_SSL and in the face of mod_SSL based RedHat Secure Web Server (which was clearly directly competing with C2Net's Stronghold), C2Net has continued to push SSLeay forward. Counterpane Systems has pretty much donated Twofish encryption to the world, thus putting crypto experts in a better position to attack companies that have promoted their XOR "encryption" enabled product as being secure. Since Twofish is free, fast and implements well in software and hardware there is no excuse for continuing to push XOR as "encryption." Certicom Corp. has been extremely friendly regarding third-party non-commercial implementations of Elliptic Curve Crypto (which has shown itself to be a possible alternative to RSA). How does RSA measure up to all these other companies? Well, RSA puts more restrictions on RSA than ITAR ever has or will! While ITAR makes it *difficult* to make cryptography available on the internet for peer-review, RSA makes alternate implementations of RSA *impossible* to legally make available for peer-review. The only RSA "educational" use there can be is on their own RSAlib. While exploring alternative methods (languages, done via hardware, etc) of existing crypto algorithms can help keep cryptographers' minds sharp, RSA attacks any peer review of other methods. To take things a step further, RSA goes all out in enforcing its patent on both encryption and *DEcryption*. This is despite that finding a solution to a formula (2+x=4 hence x=2) is not patentable. While using prime numbers for encryption may be a unique patentable concept, the formula for decryption has pretty much been dictated by the formula used for encryption.
Hence, the decryption of RSA is pretty much the solution of a formula and should not be patentable. RSA knows this but continues to ride on the stupidity of the US patent office and the non-crypto savvy court system. Hence, I definitely think there are preferable companies in the crypto game other than RSA.
Btw, to see creative use of applied cryptography, look into Zeroknowledge. They are presently looking for beta testers for their linux (the first platform type they have software available for!) privacy software. This is one product you have to check out!