What Encryption Do People In The Know Use?
A reader writes "What do cypherpunks in the know recommend for the paranoid types. I'm wondering because of the rising amount of protests. I look and most of these people seem clueless when using the net. Paranoia runs rampant (try taping a protest), yet they use stuff like real, which has been known to violate privacy.
So my question is, what would slashdot readers recommend for people who have privacy they actually wish to protect? Are there any good laymen level papers on this?"
why is this modded down - this is actually probably the only 100% unbreakable encryption (i.e. the key length is the same as the data length, all about entropy and stuff, way over my head).
Of course you don't really want to use the same bit of CD twice, and you really want to XOR the data with the key rather than add. And again, you need to give a copy of the CD to the recipient if you're transmitting the data.
On a practical note, why not do this? Two CDs, ZIP the data first, prepend an offset into the CD at the beginning of each message.
100% uncrackable encryption (albeit a pain in the ass)
Too Many Secrets...
After all, you have to assume that with the equipment/manpower/intelligence the government has, it is capable of breaking most popular encryption methods. So obscurity would be a benefit when researching a method to encrypt. But obscurity doesn't always mean security, as unless you have in-depth knowledge of the encryption method you can't be sure it's safe.
But it would certainly be cool to have that box from Sneakers....
Pegwit is a program. RSA is an algorithm. There IS a difference-- PGP implements RSA (among other algorithms). Pegwit implements ECC algorithms; it is not an algorithm by itself.
As for symmetric algorithms: take your pick.
A lot of programmers and cryptographers are familiar with Blowfish, and it's very popular. It's easy to understand and implement (the F-function is dirt simple, and the key schedule is only a little more complicated), so there are a lot of products using the algorithm. So far, there haven't been any successful attacks against the full, 16-round algorithm, and lots of cryptologists have tried.
Triple-DES is, of course, based on DES. DES has been analyzed thoroughly over the years, and has held up relatively well-- none of the attacks found were within practical ranges. Triple-DES hasn't been broken-- and likely won't be.
Rijndael is, of course, the AES. It's based on some very innovative concepts, and I'm comfortable with it. It's a little unconventional (most ciphers nowadays seem to be Feistel ciphers, or variants thereof-- Rijndael is a step in a different direction), but it's been analyzed extensively. Nothing too damning has been found. It's probably good enough to use right now without worry, but the ultra-paranoid will wait a few years to watch for new analysis.
Serpent was an AES candidate algorithm. It was based on VERY conservative design principles; this has led to a rock-solid cipher. Serpent doesn't do anything truly unconventional-- everything in the cipher spec is based on sound reasoning and is backed up by YEARS of analysis. A little slower than other algorithms, Serpent still has a lot going for it, and I'd recommend it as soon as any other algorithm.
As for public-key algorithms:
RSA and ElGamal. Old, trusted, and well-understood. RSA has been analyzed since the early 1980s, and has held up VERY well. ElGamal has received a boatload of analysis, as well-- it's not likely to crack soon.
ECC is a very open field, currently, and it holds a LOT of potential. But the comfort level isn't quite there, for me. I'd give it another year or two-- there's a lot of research because of the advantages ECC can bring to public-key cryptography.
Programs:
PGP/GPG. Take your pick. I like GPG, partially for the more intensive peer review, partially for the licensing. PGP has been around longer, however, so it may be more comfortable.
Mathematically, that is not terribly secure; do I have to explain why? Maybe a bit more secure if you sing into it for 74 minutes. Ask any cryptanalyst.
Proliferate IPsec. Once every datagram is encrypted I'd say the ace is up /our/ sleeve...
Just because a few of us can read, write and do a little math doesn't mean we deserve to conquer the universe.
however he is not regarded in the field as being of the very front rank
On the contrary. I'm in the field, and I regard him as part of the very front rank. I wouldn't say he's another Coppersmith, but he is undoubtedly top-drawer. I'd rank him above Rabin, in fact--unlike Rabin, Schneier knows his limits. (See Rabin's brain-damaged "unbreakable encryption scheme" if you want to see what I mean.)
The only reason to use 3DES is if you are forced to
... Or if you absolutely must have the most well-regarded, most-trusted cipher in history. Remember that the best attack against DES has complexity 2**37, and that's with 2**47 chosen plaintexts. This is a lot... one thousand terabytes of chosen plaintext.
That's a minimum of a complexity 2**74 attack against 3DES, requiring 2**97 bytes of chosen plaintext. If you want to call that a practical attack, you can... but I'm not that bold.
But 3DES is not a good cipher
Please tell your doctor that your antipsychotic dosage needs to be upped. You're hallucinating madly again.
it is slow and is subject to a meet in the middle attack
Slow, yes. Susceptible to a meet-in-the-middle, no. Schneier, 12.3: "[If DES were a group], DES would be vulnerable to a meet-in-the-middle known-plaintext attack that runs in only 2**28 steps".
DES is, however, not a group.
One problem with PGP is that it only really works well for confidentiality. It does not handle non-repudiation too well.
Please point me in the direction of an implementable protocol which does provide perfect repudiability.
The non-technical problem with PGP is the somewhat combustible nature of Phil Zimmermann. He is somewhat high maintenance.
I know Phil. He's one of the lowest-maintenance people I've ever met. Friendly as all get out, and patient with newbies. Would you care to enlighten me as to his ``combustible'' nature?
except Phil's NIH policy
Strange. Bass-o-Matic was IH, and Phil ditched it like a hot potato for IDEA (NIH) when it turned out Bass-o-Matic was trivially weak.
If you're going to slander a man, you could at least be bothered to make sure your accusations are accurate.
"What do cypherpunks in the know recommend for the paranoid types. I'm wondering because of the rising amount of protests. I look and most of these people seem clueless when using the net. Paranoia runs rampant (try taping a protest), yet they use stuff like real, which has been known to violate privacy. So my question is, what would slashdot readers recommend for people who have privacy they actually wish to protect? Are there any good laymen level papers on this?"
What in God's green earth does this drivel mean??
Two suggestions for you:
1. Turn your computer off
2. Learn to read and write. Pay particular attention to things like complete sentences and paragraphs.
Conformity is the jailer of freedom and enemy of growth. -JFK
BTW, what you guys are talking about is called a Vernam cipher, and was demonstrated unbreakable by Shannon in the '40s IIRC.
Make It Secret. Free JavaScript implementation of AES for your browser.
Your assumption is correct only if the plain text is greater in length than the repetition frequency of the "pseudo" random sequence.
You're wrong, too. Let's say that the last 140Mb of the PRNG output is the same as the first 140Mb, since after 512Mb it went periodic. Now let's say you've got the Gettysburg Address stored at location 0 on the CD-ROM.
Well, gee, great. You can't read what's at position 0, because you don't have the corresponding part of the pseudo-OTP... wait, yes you do, because 513Mb-rest-of-disk is exactly the same as the pseudorandom output used to encrypt the plaintext in the first place.
XOR it with itself and you recover the Gettysburg Address.
Thus, even if the plaintext is vastly smaller than the repetition rate, you're still in jeopardy.
Moral of the story: don't use a scheme this naive.
The trick is conveying this sequence to the intended receiver in a secure fashion.
The trick is creating the random numbers in the first place. There are some PRNGs which have outputs suitable for Monte Carlo simulations; others which are suitable for quick randomish values; others which are good for this, that and the other. Cryptographically secure PRNGs are extremely difficult to come by, and unless someone has done formal cryptanalysis on a PRNG, I won't use that PRNG.
The premise of a one-time pad (OTP) being unbreakable is sound provided the key is used once and only once and then positively destroyed.
The pads don't have to be destroyed; they just have to never, ever fall into the hands of the enemy. Destruction is not a necessary condition. A necessary condition that you did not mention is that the key material must be absolutely, totally entropic. Not pseudorandom, not random-seeming... absolutely, totally entropic.
For those who like to look at the source, there is GPG.
This sig intentionally left blank.
Why?
Why Serpent? Because it stands up nicer to hardware implementation (-;
Hardware implementations of RSA are common, but remember that you are safe only until someone finds a crack.
Nothing is given, so using an obscure one that seems to be secure is often better than one that, say, the NSA have had a long hard look at (millions of man hours rather than thousands).
What they do not publish is whether they have found ways to attack it; after all, this is between them and their US lawyers. Not even the Senate has access to this (-;
Remember, security is an illusion.
Regards, John Jones
It is always easier to state algorithms to steer clear of than ones to rely on. At this point IDEA is somewhat suspect, but when Applied Crypto 1 came out it was actually the best 128 bit cipher then available.
At this point most people are recommending AES (née Rijndael). The only reason to use 3DES is if you are forced to; there are still many banking applications that mandate DES. But 3DES is not a good cipher: it is slow and is subject to a meet in the middle attack, which means that you do 3 times 56 bits of work to get 112 bits of security.
As far as software goes, practically all mail agents have S/MIME support built in. As far as security goes there are no serious attacks known against either S/MIME or PGP, beyond the fact that the chuckleheads in both IETF working groups flubbed the encryption of the subject line in both cases.
One problem with PGP is that it only really works well for confidentiality. It does not handle non-repudiation too well. Alice may know the message comes from Bob but proving it in court would be rather hard. Trusted Third Parties do have their uses.
The other technical problem with PGP is that it depends on the users being technically competent which most people are not.
The non-technical problem with PGP is the somewhat combustible nature of Phil Zimmermann. He is somewhat high maintenance. There is no reason why S/MIME and PGP use entirely different packaging formats except Phil's NIH policy, somewhat sad. The result being that Microsoft, Netscape, Lotus etc. implemented S/MIME and not PGP.
More recently the stale PKI/PGP debate has been rendered obsolete by technology such as XKMS which allows a client to use any PKI back end at all and not have to worry about how it works or how to configure it.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Oh wait, DC filed for bankrupcy, my bad.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
I suggest that you take your own advice and pay attention to detail yourself. I said that 3DES is simply an extension of a broken cipher. Brute force is a perfectly respectable attack.
Or was your attempt to frame the argument that way simple dishonesty?
There have in fact been several attacks against DES that have lower complexity than brute force, however in practice the trivial parallelism and lower complexity of brute force tends to win. The fact that nobody has built a machine to implement Adi's attacks is irrelevant. The fact that the AES contenders were designed with the knowledge of Adi's recent techniques and DES was not is significant.
The key size of DES was reduced to 56 bits for a good reason: to ensure that the apparent strength of the cipher matched the actual strength. That may not be a big thing to you; in the cryptography community it is.
It is pretty easy to 'win' an argument like this on Slashdot, where most of the posters are, like yourself, journeymen at best and do not have the internal knowledge of the field. However you are going to find it much harder in the group you aspire to call your peers.
Oh, and if you think this is flaming, I suggest you get on the wrong end of an argument with Phil Z. or Bruce S.
In other words you would not put Bruce on the same level as Coppersmith, Shamir, Rivest, Rogaway and so on, or as I put it, not of the very front rank. Bruce is the Issac Azimov of cryptography, not its Einstein or Newton.
It is somewhat rich for Bruce to imply in 'Secrets and Lies' that he has suddenly discovered that security is about risk control not risk elimination. If he has only just realised that then he should probably give me credit for putting him straight since I pointed out precisely that point to him when we talked at RSA some years back. Not that I was the first to think of it by a long way.
Slow, yes. Susceptible to a meet-in-the-middle, no. Schneier, 12.3: "[If DES were a group], DES would be vulnerable to a meet-in-the-middle known-plaintext attack that runs in only 2**28 steps".
DES is not vulnerable to a meet in the middle attack but 3DES is in such a way that the complexity of breaking 3DES is only twice that of breaking DES, despite having three times the key length. That is what makes it a bad cipher, the fastest known attack is well short of brute forcing the keyspace.
The details of the attack are discussed in AC with respect to 2DES. To break 2DES you simply construct an in-memory table encrypting forwards from the known plaintext (cost = O(2^56)), construct another backward from the known ciphertext (cost = O(2^56)) and look for a match (cost = O(2^56)), total cost = O(2^56). The attack can be extended to 3DES at the cost of performing two steps together, giving overall complexity O(2^112). It is a very well known result in the field and one of the reasons why those in the know are deprecating 3DES: it is not a good cipher, it is merely an extension of a previously broken cipher.
Please point me in the direction of an implementable protocol which does provide perfect repudiability.
None gives perfect non-repudiation; however PGP is designed to give pretty good PRIVACY even when the participants are pseudo-anonymous. It does not attempt to support a legal infrastructure, or allow parties to place legally enforceable constraints on the liabilities they incur in authenticating a keyholder. As a result PGP is widely used amongst geeks but has a very limited enterprise use. The vast majority of RFPs issued stipulate a PKIX conformant PKI.
I know Phil. He's one of the lowest-maintenance people I've ever met. Friendly as all get out, and patient with newbies. Would you care to enlighten me as to his ``combustible'' nature?
He has mellowed considerably since the FBI got off his case. However when the PEM vs. PGP war broke out, which is the time in question, Phil was definitely of a combustible nature. The FBI certainly did not help, but were certainly not the original cause.
Unfortunately, rather than simply fix the parts of PEM that were monumentally broken (the hierarchical CA system), Phil introduced competing formats all the way along the line.
There are 100 million email clients that ship with high quality crypto built in. However rather than leverage that deployed base you and the rest of the OpenPGP community spend your time explaining to people why they shouldn't use it.
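The meet-in-the-middle attack on double encryption described above, as an added worked example that is not part of the thread. The cipher here is a toy 32-bit Feistel with a 16-bit key (my own construction, chosen so the whole attack runs in seconds; it is not DES, and names such as toy_encrypt and meet_in_the_middle are mine), but the attack structure is exactly the one described: tabulate E(k1, P) for every k1, then walk D(k2, C) for every k2 and look for a collision, so two sweeps of the key space replace a search of the product of the key spaces. Because a 32-bit block against 32 bits of key leaves roughly one false match, the code confirms candidates against extra known-plaintext pairs, which is the practical detail the one-pair description leaves out.

```python
"""Added example (not from the thread): meet-in-the-middle against double
encryption, on a toy 32-bit Feistel cipher with a 16-bit key. The toy cipher
is an assumption for the demonstration, not DES."""

KEY_BITS = 16
ROUNDS = 4
MASK16 = 0xFFFF


def _round_keys(key):
    # Toy key schedule: each round key is the 16-bit key XORed with a constant.
    return [(key ^ ((0x9E37 * (i + 1)) & MASK16)) & MASK16 for i in range(ROUNDS)]


def _f(half, rk):
    # Toy round function: add, rotate, mix. A Feistel F need not be invertible.
    t = (half + rk) & MASK16
    t = ((t << 5) | (t >> 11)) & MASK16
    return t ^ ((t * 0x2B5D) & MASK16)


def toy_encrypt(key, block):
    left, right = (block >> 16) & MASK16, block & MASK16
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 16) | right


def toy_decrypt(key, block):
    # Same rounds in reverse order; each step undoes one Feistel swap.
    left, right = (block >> 16) & MASK16, block & MASK16
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 16) | right


def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under one unknown (k1, k2).
    Tabulate E(k1, P0) for every k1, then walk D(k2, C0) for every k2 and look
    for a match: about 2 * 2^KEY_BITS cipher calls instead of 2^(2*KEY_BITS).
    Returns (candidate key pairs, number of cipher calls in the two sweeps)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    calls = 0
    middle = {}                      # E(k1, p0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
        calls += 1
    candidates = []
    for k2 in range(1 << KEY_BITS):
        m = toy_decrypt(k2, c0)
        calls += 1
        for k1 in middle.get(m, ()):
            # 32 bits of block against 32 bits of key leaves ~1 false match;
            # the remaining known pairs weed it out.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, calls


if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF
    pairs = [(p, double_encrypt(k1, k2, p))
             for p in (0x00000001, 0x12345678, 0xCAFEBABE)]
    found, calls = meet_in_the_middle(pairs)
    print(found, calls)              # expect [(4660, 48879)] 131072
```

The memory cost is the real price of the attack: the table holds one entry per k1, which is why the textbook figure for 2DES is 2^56 time and 2^56 space rather than 2^112 time.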
ROT-13. As seen on Slashdot!
For high privacy, national security, etc, use ROT-14...that ought to confuse the (few) experts that are able to crack ROT-13.
Pig Latin may also work for text-only data.
Oh? What? The people who want to crack it are not under the age of 5? My bad.
Following this thread, it is quite evident that rjh knows what he is talking about, and that you are just trolling.
"It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
Bruce is the Issac Azimov [sic] of cryptography, not its Einstein or Newton.
Asimov had a PhD in biochemistry and taught at Harvard. In addition, he's one of a (very) few authors who ever published in every single categorization of the Dewey Decimal System. Asimov was one of the world's true Renaissance men, the last of a dying breed.
I would suggest you examine Asimov's curriculum vitae if you really wish to claim that Asimov was not among the top rank of scientists.
3DES is in such a way that the complexity of breaking 3DES is only twice that of breaking DES, despite having three times the key length. That is what makes it a bad cipher, the fastest known attack is well short of brute forcing the keyspace.
As I said, have your doctor up your antipsychotic medication. 3DES is not a bad cipher. It has its share of warts and foibles, but those warts and foibles are extremely well-known and no-one, absolutely no-one in the published world of cryptanalysis has ever come up with even a marginally feasible attack against it.
Regarding it needing 196 bits of key (3 64-bit keys) to get 112 bits of entropy, who cares? Really? Use a cryptographically secure PRNG and you can generate 196 bits trivially. If you've got a really sensitive secret, then invest in a true RNG and generate 196 bits that way. It's not a limitation in any sense of the word.
Regarding it being slow, fine, I'll grant you that. It's slow. That means it's unsuitable for certain applications which operate in extremely narrow time constraints. But for the rest of them, 3DES is a champ.
it is merely an extension of a previously broken cipher
DES has never been broken.
Its keyspace has been exhausted by brute force. That doesn't mean DES has weaknesses which have been exploited via cryptanalysis. That's what the word ``break'' means in the cryptanalytic field.
None gives perfect non-repudiation
Thank you for conceding the point.
He has mellowed considerably since the FBI got off his case
Well, gee. If I was facing a Federal investigation and multiple felony counts, I'd be prickly, too. But, as you say, he has ``mellowed considerably''. Which means he is no longer ``combustible''. Thank you for conceding this point.
However rather than leverage that deployed base you and the rest of the OpenPGP community spend your time explaining to people why they shouldn't use it.
Please find me a single post I've made, either on USENET or on Slashdot, where I've come down opposed to any reasonable email encryption standard.
As I said before, if you're going to slander a man, you should at least check the facts first.
~~~
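Generating the three DES subkeys from a CSPRNG, as suggested above, as an added example that is not part of the thread. It draws 8 bytes per subkey from os.urandom, sets the DES parity bit in each byte (so 3 x 64 = 192 bits are stored, of which 168 are key), and rejects the four DES weak keys and any repeated subkey; the semi-weak keys are left out here. The rand parameter and the function names are my own choices, added so the rejection path can be exercised.

```python
"""Added example (not from the thread): a three-key Triple-DES key from the
operating system's CSPRNG, with DES parity bits fixed and weak keys rejected."""
import os

# The four DES weak keys, written with correct odd parity.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e")}


def set_odd_parity(key8: bytes) -> bytes:
    """DES keys are 8 bytes; the low bit of each byte is a parity bit, set so
    that the byte has an odd number of 1 bits."""
    out = bytearray()
    for b in key8:
        top = b & 0xFE                          # the 7 key bits
        ones = bin(top).count("1")
        out.append(top | (1 if ones % 2 == 0 else 0))
    return bytes(out)


def has_odd_parity(key8: bytes) -> bool:
    return len(key8) == 8 and all(bin(b).count("1") % 2 == 1 for b in key8)


def generate_3des_key(rand=os.urandom) -> bytes:
    """Three independent 8-byte DES keys, K1 || K2 || K3. `rand` is injectable
    only so the rejection path can be tested; in real use keep os.urandom."""
    keys = []
    while len(keys) < 3:
        k = set_odd_parity(rand(8))
        # a weak key makes DES self-inverse; K1 == K2 collapses EDE to single DES
        if k in DES_WEAK_KEYS or k in keys:
            continue
        keys.append(k)
    return b"".join(keys)


if __name__ == "__main__":
    print(generate_3des_key().hex())
```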
...but then we'd have to kill you.
sorry,
davidu
# Hack the planet, it's important.
And yes, one-time keys are absolutely unbreakable when used correctly. That means never using the same bits more than once, and ensuring that no one else can access the keys.
However, as Neal Stephenson pointed out at the CFP 2000 conference, encryption is like a fence that's a mile high and a foot wide--it's powerful, sure, but it's still pretty easy to just sneak a key logger onto most computers.
~=Keelor
Last I checked, Bruce Schneier (in his book Applied Cryptography) recommended PGP.
Well I have been reading a few webpages and I follow BUGTRAQ and a pgp newsgroup, so I feel I qualify as a Slashdot Expert(tm).
I'm going to go out on a limb here and assume that you are talking about email security. If you use Windows, you want to use one of the PGPckt builds found at http://www.ipgpp.com These are pretty much the standard in the Windows PGP world, as commercial PGP has gone closed-source and GPG isn't perfect on Windows. *nix/*BSD users should use GPG.
What you want to avoid with the recent PGPs and GPG is an interoperability problem. GPG doesn't ship with IDEA encryption, and that was the standard in PGP for years. It can be added easily, and I suggest you do that. If you do use GPG, please enable all of the PGP compatibility options, or it will come back to bite you later. As for choice of algorithm, there is no reason not to use the RSA/IDEA combo that has been used with PGP for years; just boost up the length of your public key to 2048 or so. Oh, and don't bother going past 3000 or so, as that key would be harder to break than the 100(?) byte IDEA key that is actually used to encrypt the message.
As for computer security, there isn't much you can do aside from patching regularly, reading BUGTRAQ, choosing secure passwords, and never allowing unsecured logins. It also helps if you get to know your system and check up on anything that starts acting different than what you are used to.
Disk encryption under Windows is best done by ScramDisk (found at http://www.scramdisk.clara.net), which is a disk encrypter whose source code is available online. OpenBSD people should enable encrypted swap partitions, though that may be done by default, I don't know. Linux has several encrypted filesystems. Use one.
Yes, but a key logger for a one-time key would double the disk usage of every file... That is fairly noticeable. The biggest problem with this is reliably generating 650MB of random data. If you just used a known 32-bit algorithm, it would be pointless. You would have to use a pretty beefy algorithm to generate this key data, and re-seed it several times on the CD.
DES is by far the most analysed algorithm around and it has withstood everything that has been thrown at it. The key size is much too small, but there is no known method of attack that is faster than key exhaustion. When it is extended to 3DES we have an equivalent key length of 112 bits (minimum; some research says 128+). It is not feasible to brute force 112+ bits of key.
In time the other algorithms may be analysed enough to match the trust that 3DES has, but until then I will stick with tried and true.
Generate 650MB of pseudo-random bytes in some non-standard way, put them on a CD, and add each byte in order to the file. Do the reverse to decrypt. Start each file at a different point on the CD. If -insert agency you are afraid of- shows up at your door, put the CD in the microwave on high. Simple, fast, & as secure as your pseudo-random algorithm is good.
The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
you won't take the algorithms specified in other posts and toss them into a program, because it would almost certainly be insecure. Algorithms are fine, but strong block ciphers, public key encryption algorithms, and hash functions have been around for 10 years or more. OTOH, getting the key management, random number generation, etc. right is hard and takes a lot of experience and knowledge.
My call would be to use GnuPG. It uses strong algorithms, uses a well-known and fairly intensively studied format, is open source, and the people who did it seem to know what they're doing pretty well. If you're feeling paranoid, use the TripleDES or Rijndael-256 options to encrypt, though personally I feel perfectly safe encrypting even very personal things with CAST5.
If you're actually interested in papers, etc., I would start out with more practical-oriented things (for example, the specifications of Blowfish, MD5, SHA-1, and RSA - not what you find in Applied Cryptography or whatever, but the original academic papers - with fairly minimal experience in programming you should be able to understand things like this fairly easily). From there, you can start to read the more involved papers, with complex algorithms and protocols, weird mathematical systems, etc.
Basically, "in the know" people know that it's not encryption that breaks a secure system. It's the fact that your OS has a remote root hole (or equivalent), or the FBI put a keylogger in your keyboard, or there is a microphone planted in your room. It's much, much simpler to do any of those things than actually break modern encryption algorithms (consider that the FBI actually carried out my keylogging point in order to grab a PGP passphrase that some mob guy was using to encrypt his books). So unless you're sure that the FBI (or anyone else) can't do something like that, there is no point in using anything that might theoretically be more secure, cryptographically speaking.
Speaking of Rijndael, where can you download a good implementation that is free and licensed for commercial use? I recently had to choose an encryption package for a program my group was writing and our client (government affiliated) wanted to go with Rijndael since it was the new AES standard. The NIST implementation is not licensed for commercial use and other implementations don't seem to come from trustworthy enough sources. I couldn't find anything that I felt comfortable recommending so we ended up going with Blowfish.
When violence rules the world outside / And the headlines make me want to cry / It's not the time to just keep quiet
RSA and Pegwit are excellent public key systems, where it is impossible to safely convey a secret key from one machine to another, or where a secret key could be stolen from a machine.
For ultra-solid security for archive material, 3DES and Serpent are probably the best. They're slow, but they're very very solid. Nobody is going to be breaking them in a hurry.
If you're ultra-paranoid, though, you can always take the Square algorithm out of Pegwit and replace it with Serpent, making other changes as needed. Elliptic Curve encryption is faster than classic Public Key encryption, but (so far) it's about as secure.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Your assumption is correct only if the plain text is greater in length than the repetition frequency of the "pseudo" random sequence. There are plenty of ways to generate truly random numbers..the lava lamp method being one of my personal favorites. The trick is conveying this sequence to the intended receiver in a secure fashion.
The premise of a one-time pad (OTP) being unbreakable is sound provided the key is used once and only once and then positively destroyed.
With the OTP, as in any encryption scheme, there are at least two points of failure when exchanging messages....the sender and the intended receiver. Failure to complete the key destruction process at either end or key compromise (intercept) will render even the most powerful encryption scheme moot.
Is anyone familiar with BestCrypt? It's an open source, non-free encrypted loopback filesystem program that works under both Windows and Linux. One problem that prevents me from using it, though, is that it collects no entropy whatsoever when you create a container. I don't know if it's just reading from /dev/random, but I think this is a potential weakness of the program. (Besides it being non-free.)
A site that used HTTPS urls for every page, every graphic, every click, would 'feel' slower to the end user, and the server would not be able to handle as many concurrent users as a site which makes
I do not deploy Linux. Ever.
Nah, rjh is just a crypto-groupie who read Applied Cryptography and thinks he knows it all.
If you talk to cryptographers you will find that Shamir, Rivest and Diffie are considered the Newtons and Einsteins of the field. Bruce has not yet made it into that rank, nor for that matter has 'Zeinfeld'.
Bet you wish you thought of this nym first
Rabin, on the other hand, is based on two totally unproven conjectures:
... Yes, Rabin has some problems--the ciphertext tends to be much larger than with RSA--but on the whole, it's on a much stronger mathematical foundation. There have been some interesting hints, throughout the years, that the third of RSA's assumptions is not valid--nothing to make any but the most out-there mathematicians drool, but hints nonetheless.
By dodging the third issue, Rabin manages to be (theoretically) safer than RSA for a given modulus size. The word `theoretical' is extremely important, though; putting algorithms into practice is a far different thing than analyzing them in theory!
For this reason, although I prefer Rabin in theory, in practice I really don't care much which algorithm you use--RSA, El Gamal or Rabin are all just fine.
For symmetric algorithms, there is one and only one option for the hardcore and paranoid cryptogeek. That option is TripleDES--either two or three subkeys doesn't matter all that much, but three is definitely preferred. No other symmetric algorithm in history has been cryptanalyzed as heavily as DES. No other symmetric algorithm in history has established as much trust as DES. While at 56 bits of key DES is too weak for anything serious, TripleDES (at somewhere between 112 and 168 bits of key, depending on who you believe) is solid as a rock.
Of course, it's slower than hell and rekeying takes forever. But hey. If you want only the best, most secure, most-trusted, nothing else even comes close.
While 95% of Applied Cryptography is still dead on the money--it's still the first book I recommend to people who want to make a serious study--some of its recommendations now look painfully naive. For instance, Schneier recommends IDEA almost without reservation in Applied Cryptography; but today we know that better-than-brute-force attacks exist for 4.5 round IDEA (a miss-in-the-middle attack, if I recall correctly).
While these attacks don't extend to the full IDEA algorithm, cryptanalytic attacks only get better with time--never worse.
Short version: Schneier recommends against IDEA today. Last I heard, he was wholeheartedly endorsing RIJNDAEL, Twofish and TripleDES.
... except for Blowfish libraries written by half-assed, lazy programmers who can't be bothered to run their code past the Blowfish test vectors. Which are, for the record, conveniently available off Counterpane Labs' homepage.
This is no different from running a cipher in OFB8 mode. Which also happens to generate a long stream of pseudorandom values. Which also happens to be susceptible to cryptanalysis.
The reason why? Collisions. If the numbers were totally random, you'd expect any given group to repeat itself after a random interval. You don't see that with the output of pseudorandom number generators, or ciphers running in OFB8.
That tells a cryptanalyst that you're not using random numbers, which means the data wasn't encrypted with a one-time pad.
And that, my friend, means it's 100% breakable encryption.
Using a good pseudorandom number generator like YARROW-160 will provide you with 160 bits of entropy. Using a bad pseudorandom number generator, like, say, a cipher in OFB8 mode, is tempting but wrong.
The reason why is that people naively believe that "well, if I seed my Blowfish key with 448 bits of entropy--its maximum--then my output will have 448 bits of entropy." Which is true, as far as it goes... but it goes periodic after only 2^32 bits. Or about 512 Mb.
That means if you fill a CD-ROM with the random-seeming output of Blowfish in OFB8 mode, you'll wind up repeating your output for the last 140Mb or so. And at that point, it's trivial cryptanalysis to recover the original plaintext.
Short version: if you want to use a one-time pad, you ABSOLUTELY MUST USE REAL RANDOM VALUES, NOT GENERATED PSEUDORANDOM VALUES. If you don't do this, then it's not a one-time pad and it doesn't enjoy the unbreakable nature of a one-time pad.
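An added worked example, not from any poster in the thread, covering both the CD-pad scheme proposed earlier (XOR rather than add, an offset prepended to each message, never the same pad bytes twice) and the point made just above about a keystream that goes periodic. The Pad class, the function names and the sample messages are mine; the pad material is drawn from os.urandom only so the code runs offline and is a constructed stand-in for real pad material. The second half shows why the reuse rule matters: two ciphertexts made with the same pad bytes XOR to the XOR of the plaintexts, and a keystream with period N gives the same leak between positions i and i+N, so a known crib at one position reads the plaintext one period later without touching the generator at all.

```python
"""Added example (not from the thread): a byte-XOR one-time pad with a
per-message offset, and two ways it fails when pad bytes are reused."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor_bytes: length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class Pad:
    """Pad material (the 'CD' in the thread) plus a record of consumed ranges,
    so a second use of any byte is refused instead of silently allowed."""

    def __init__(self, material: bytes):
        self.material = material
        self.used = []                       # half-open (start, end) ranges

    def take(self, offset: int, length: int) -> bytes:
        end = offset + length
        if offset < 0 or end > len(self.material):
            raise ValueError("pad exhausted")
        if any(s < end and offset < e for s, e in self.used):
            raise ValueError("pad bytes already used")
        self.used.append((offset, end))
        return self.material[offset:end]


def otp_encrypt(pad: Pad, offset: int, plaintext: bytes) -> bytes:
    """XOR (not add) with pad bytes; a 4-byte big-endian offset is prepended so
    the receiver knows where on the pad this message starts."""
    key = pad.take(offset, len(plaintext))
    return offset.to_bytes(4, "big") + xor_bytes(plaintext, key)


def otp_decrypt(pad: Pad, message: bytes) -> bytes:
    offset = int.from_bytes(message[:4], "big")
    body = message[4:]
    return xor_bytes(body, pad.take(offset, len(body)))


def two_time_pad_leak(ct_a: bytes, ct_b: bytes, known_a: bytes) -> bytes:
    """Two messages XORed with the same pad bytes satisfy ct_a ^ ct_b == p_a ^ p_b,
    so a known p_a recovers p_b without any pad material."""
    n = min(len(ct_a), len(ct_b), len(known_a))
    return xor_bytes(xor_bytes(ct_a[:n], ct_b[:n]), known_a[:n])


def periodic_keystream(period: int, length: int) -> bytes:
    """Constructed stand-in for a generator that has gone periodic: `period`
    random bytes repeated end to end."""
    block = os.urandom(period)
    return (block * (length // period + 1))[:length]


def recover_from_period(ciphertext: bytes, period: int, crib: bytes, crib_pos: int) -> bytes:
    """With keystream period N, C[i] ^ C[i+N] == P[i] ^ P[i+N]; a crib known at
    crib_pos yields the plaintext one period later."""
    n = len(crib)
    a = ciphertext[crib_pos:crib_pos + n]
    b = ciphertext[crib_pos + period:crib_pos + period + n]
    return xor_bytes(xor_bytes(a, b), crib)


def demo() -> dict:
    material = os.urandom(1024)              # sender and receiver hold identical copies
    sender, receiver = Pad(material), Pad(material)
    m1 = b"meet at the fountain at noon"
    m2 = b"bring the second camera as well"
    c1 = otp_encrypt(sender, 0, m1)
    c2 = otp_encrypt(sender, 100, m2)
    out = {"roundtrip": otp_decrypt(receiver, c1) == m1 and otp_decrypt(receiver, c2) == m2}
    try:                                     # bytes 100..130 are already spent
        otp_encrypt(sender, 110, b"again")
        out["reuse_refused"] = False
    except ValueError:
        out["reuse_refused"] = True
    # what happens when the check is skipped: same pad bytes under two messages
    same_key = material[500:500 + len(m1)]
    c_a, c_b = xor_bytes(m1, same_key), xor_bytes(m2[:len(m1)], same_key)
    out["two_time_pad"] = two_time_pad_leak(c_a, c_b, m1)
    # periodic "pad": plaintext leaks one period after a known crib
    plain = b"Four score and seven years ago our fathers brought forth" * 4
    ks = periodic_keystream(64, len(plain))
    out["periodic"] = recover_from_period(xor_bytes(plain, ks), 64, plain[:16], 0)
    out["periodic_expected"] = plain[64:80]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The receiver keeps its own Pad with the same consumed-range bookkeeping, so a replayed or doubly sent message is refused there too; the 4-byte offset header is plaintext by design, since it carries no information an attacker can use without the pad.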
is its limited use. Most every web page I've run across uses encryption for only sensitive things, which is like a red flag saying "here is the good stuff worth the effort".
I'd like to setup my own web server, and encrypt everything, making it that much harder on any potential adversary.
It would be nice to make the feds decrypt a weeks worth of spam, before getting to the juicy emails.