What Encryption Do People In The Know Use?
A reader writes "What do cypherpunks in the know recommend for the paranoid types. I'm wondering because of the rising amount of protests. I look and most of these people seem clueless when using the net. Paranoia runs rampant (try taping a protest), yet they use stuff like real, which has been known to violate privacy.
So my question is, what would slashdot readers recommend for people who have privacy they actually wish to protect? Are there any good laymen level papers on this?"
Pegwit is a program. RSA is an algorithm. There IS a difference-- PGP implements RSA (among other algorithms). Pegwit implements ECC algorithms; it is not an algorithm by itself.
As for symmetric algorithms: take your pick.
A lot of programmers and cryptographers are familiar with Blowfish, and it's very popular. It's easy to understand and implement (the F-function is dirt simple, and the key schedule is only a little more complicated), so there are a lot of products using the algorithm. So far, there haven't been any successful attacks against the full, 16-round algorithm, and lots of cryptologists have tried.
Triple-DES is, of course, based on DES. DES has been analyzed thoroughly over the years, and has held up relatively well-- none of the attacks found were within practical ranges. Triple-DES hasn't been broken-- and likely won't be.
Rijndael is, of course, the AES. It's based on some very innovative concepts, and I'm comfortable with it. It's a little unconventional (most ciphers nowadays seem to be Feistel ciphers, or variants thereof-- Rijndael is a step in a different direction), but it's been analyzed extensively. Nothing too damning has been found. It's probably good enough to use right now without worry, but the ultra-paranoid will wait a few years to watch for new analysis.
Serpent was an AES candidate algorithm. It was based on VERY conservative design principles; this has led to a rock-solid cipher. Serpent doesn't do anything truly unconventional-- everything in the cipher spec is based on sound reasoning and is backed up by YEARS of analysis. A little slower than other algorithms, Serpent still has a lot going for it, and I'd recommend it as soon as any other algorithm.
As for public-key algorithms:
RSA and ElGamal. Old, trusted, and well-understood. RSA has been analyzed since the early 1980's, and has held up VERY well. ElGamal has received a boatload of analysis, as well-- it's not likely to crack soon.
ECC is a very open field, currently, and it holds a LOT of potential. But the comfort level isn't quite there, for me. I'd give it another year or two-- there's a lot of research because of the advantages ECC can bring to public-key cryptography.
Programs:
PGP/GPG. Take your pick. I like GPG, partially for the more intensive peer review, partially for the licensing. PGP has been around longer, however, so it may be more comfortable.
Proliferate IPsec. Once every datagram is encrypted I'd say the ace is up /our/ sleeve...
Just because a few of us can read, write and do a little math doesn't mean we deserve to conquer the universe.
however he is not regarded in the field as being of the very front rank
On the contrary. I'm in the field, and I regard him as part of the very front rank. I wouldn't say he's another Coppersmith, but he is undoubtedly top-drawer. I'd rank him above Rabin, in fact--unlike Rabin, Schneier knows his limits. (See Rabin's brain-damaged "unbreakable encryption scheme" if you want to see what I mean.)
The only reason to use 3DES is if you are forced to
... Or if you absolutely must have the most well-regarded, most-trusted cipher in history. Remember that the best attack against DES has complexity 2**37, and that's with 2**47 chosen plaintexts. This is a lot... one thousand terabytes of chosen plaintext.
That's a minimum of a complexity 2**74 attack against 3DES, requiring 2**97 bytes of chosen plaintext. If you want to call that a practical attack, you can... but I'm not that bold.
But 3DES is not a good cipher
Please tell your doctor that your antipsychotic dosage needs to be upped. You're hallucinating madly again.
it is slow and is subject to a meet in the middle attack
Slow, yes. Susceptible to a meet-in-the-middle, no. Schneier, 12.3: "[If DES were a group], DES would be vulnerable to a meet-in-the-middle known-plaintext attack that runs in only 2**28 steps".
DES is, however, not a group.
One problem with PGP is that it only really works well for confidentiality. It does not handle non-repudiation too well.
Please point me in the direction of an implementable protocol which does provide perfect repudiability.
The non-technical problem with PGP is the somewhat combustible nature of Phil Zimmermann. He is somewhat high maintenance.
I know Phil. He's one of the lowest-maintenance people I've ever met. Friendly as all get out, and patient with newbies. Would you care to enlighten me as to his ``combustible'' nature?
except Phil's NIH policy
Strange. Bass-o-Matic was IH, and Phil ditched it like a hot potato for IDEA (NIH) when it turned out Bass-o-Matic was trivially weak.
If you're going to slander a man, you could at least be bothered to make sure your accusations are accurate.
In other words, you would not put Bruce on the same level as Coppersmith, Shamir, Rivest, Rogaway and so on, or, as I put it, not of the very front rank. Bruce is the Isaac Asimov of cryptography, not its Einstein or Newton.
It is somewhat rich for Bruce to imply in 'Secrets and Lies' that he has suddenly discovered that security is about risk control not risk elimination. If he has only just realised that then he should probably give me credit for putting him straight since I pointed out precisely that point to him when we talked at RSA some years back. Not that I was the first to think of it by a long way.
Slow, yes. Susceptible to a meet-in-the-middle, no. Schneier, 12.3: "[If DES were a group], DES would be vulnerable to a meet-in-the-middle known-plaintext attack that runs in only 2**28 steps".
DES is not vulnerable to a meet in the middle attack but 3DES is in such a way that the complexity of breaking 3DES is only twice that of breaking DES, despite having three times the key length. That is what makes it a bad cipher, the fastest known attack is well short of brute forcing the keyspace.
The details of the attack are discussed in AP with respect to 2DES. To break 2DES you simply construct an in-memory table by encrypting forwards from the known plaintext (cost = O(2^56)), construct another backwards from the known ciphertext (cost = O(2^56)) and look for a match (cost = O(2^56)), total cost = O(2^56). The attack can be extended to 3DES at the cost of performing two steps together, giving overall complexity O(2^112). It is a very well known result in the field and one of the reasons why those in the know are deprecating 3DES: it is not a good cipher, it is merely an extension of a previously broken cipher.
Please point me in the direction of an implementable protocol which does provide perfect repudiability.
None gives perfect non-repudiation; however, PGP is designed to give pretty good PRIVACY even when the participants are pseudo-anonymous. It does not attempt to support a legal infrastructure or allow parties to place legally enforceable constraints on the liabilities they incur in authenticating a keyholder. As a result PGP is widely used amongst geeks but has very limited enterprise use. The vast majority of RFPs issued stipulate a PKIX conformant PKI.
I know Phil. He's one of the lowest-maintenance people I've ever met. Friendly as all get out, and patient with newbies. Would you care to enlighten me as to his ``combustible'' nature?
He has mellowed considerably since the FBI got off his case. However when the PEM vs. PGP war broke out, which is the time in question Phil was definitely of combustible nature. The FBI certainly did not help, but were certainly not the original cause.
Unfortunately, rather than simply fix the parts of PEM that were monumentally broken (the hierarchical CA system), Phil introduced competing formats all the way along the line.
There are 100 million email clients that ship with high quality crypto built in. However rather than leverage that deployed base you and the rest of the OpenPGP community spend your time explaining to people why they shouldn't use it.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
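The table-matching attack described in the reply above, as an added Python illustration that is not from the thread or from AP: a constructed 8-bit toy cipher stands in for DES so that the whole key space fits in memory, and the code shows the general result the post states for 2DES, that recovering both keys of a double encryption costs about 2 times 2^k cipher calls and a table of 2^k entries rather than 2^(2k) trials. Everything here (toy_encrypt, mitm_recover, the key and block values) is constructed for the demo and says nothing about DES itself beyond the shape of the attack.

```python
# Meet-in-the-middle against double encryption with a toy cipher.
# Added illustration (not from the thread); the cipher, key size and
# sample data below are constructed for the demo.

from typing import Dict, List, Tuple

KEY_BITS = 8          # toy key space: 2**8 keys (DES would be 2**56)
BLOCK_MASK = 0xFF     # 8-bit blocks


def toy_encrypt(key: int, block: int) -> int:
    """A deliberately tiny 8-bit block cipher, used only so the attack is visible.
    XOR, rotate and add with the key; invertible for every key."""
    x = (block ^ key) & BLOCK_MASK
    for _ in range(3):
        x = ((x << 3) | (x >> 5)) & BLOCK_MASK     # rotate left by 3
        x = (x + key) & BLOCK_MASK
        x ^= (key * 0x5B) & BLOCK_MASK
    return x


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    x = block
    for _ in range(3):
        x ^= (key * 0x5B) & BLOCK_MASK
        x = (x - key) & BLOCK_MASK
        x = ((x >> 3) | (x << 5)) & BLOCK_MASK     # rotate right by 3
    return (x ^ key) & BLOCK_MASK


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """Encrypt twice with independent keys: the 2DES construction."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def brute_force_cost() -> int:
    """Naive cost of trying every (k1, k2) pair: 2**(2*KEY_BITS) trials."""
    return 2 ** (2 * KEY_BITS)


def mitm_recover(pairs: List[Tuple[int, int]]) -> Tuple[List[Tuple[int, int]], int]:
    """Meet-in-the-middle over known (plaintext, ciphertext) pairs.
    Returns (candidate (k1, k2) pairs, number of single-cipher calls used)."""
    p0, c0 = pairs[0]
    work = 0
    # Forward table: middle value -> every k1 that maps p0 to it (2**KEY_BITS calls).
    forward: Dict[int, List[int]] = {}
    for k1 in range(2 ** KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
        work += 1
    # Backward pass: decrypt c0 under every k2 and look for a meeting point.
    candidates: List[Tuple[int, int]] = []
    for k2 in range(2 ** KEY_BITS):
        mid = toy_decrypt(k2, c0)
        work += 1
        for k1 in forward.get(mid, []):
            # A match on one block is often a false positive with tiny blocks;
            # confirm against the remaining known pairs.
            ok = True
            for p, c in pairs[1:]:
                work += 2                      # double_encrypt = two cipher calls
                if double_encrypt(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                candidates.append((k1, k2))
    return candidates, work


# Constructed demo: the "unknown" keys and three known plaintext/ciphertext pairs.
TRUE_K1, TRUE_K2 = 0x3A, 0xC5
KNOWN_PAIRS = [(p, double_encrypt(TRUE_K1, TRUE_K2, p)) for p in (0x01, 0x7F, 0xA9)]

if __name__ == "__main__":
    found, work = mitm_recover(KNOWN_PAIRS)
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print(f"MITM cipher calls: {work}  vs brute force trials: {brute_force_cost()}")
```

The number to take away is the ratio: the forward table and the backward scan each cost 2^k calls, so the whole attack is linear in the key space of a single encryption while brute force is quadratic. Scaling k up to 56 gives the 2^56-plus-memory figure the post quotes for 2DES, and the same table trick is why two-key and three-key Triple DES are credited with far less than their nominal key length.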
Generate 650MB of pseudo-random bytes in some non-standard way, put them on a CD, and add each byte in order to the file. Do the reverse to decrypt. Start each file at a different point on the CD. If -insert agency you are afraid of- shows up at your door, put the CD in the microwave on high. Simple, fast, & as secure as your pseudo-random algorithm is good.
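The scheme in the post above, as an added Python illustration that is not from the thread: byte-wise addition modulo 256 against a pad file, together with the bookkeeping the post leaves out, because "start each file at a different point" only helps if the byte ranges consumed never overlap. The pad here comes from os.urandom and is 4 KB rather than a CD; PadLedger, reuse_leak and the sample files are constructed names and data for the demo.

```python
# Pad-file cipher (add mod 256) with range bookkeeping and a demonstration of
# what leaks when two files share pad bytes. Added illustration, not from the
# thread; pad, offsets and file contents are constructed for the demo.

import os
from typing import List, Tuple

PAD_SIZE = 4096   # stands in for the 650 MB CD in the post (constructed size)


def make_pad(size: int = PAD_SIZE) -> bytes:
    """Pad bytes from the OS CSPRNG. The post's home-grown generator is the
    weakest part of its scheme, so this demo does not try to reproduce one."""
    return os.urandom(size)


def _check_range(pad: bytes, offset: int, length: int) -> None:
    if offset < 0 or offset + length > len(pad):
        raise ValueError("data would run past the end of the pad")


def pad_encrypt(pad: bytes, offset: int, data: bytes) -> bytes:
    """Add each data byte to the pad byte at offset+i (mod 256), as the post says."""
    _check_range(pad, offset, len(data))
    return bytes((b + pad[offset + i]) & 0xFF for i, b in enumerate(data))


def pad_decrypt(pad: bytes, offset: int, data: bytes) -> bytes:
    """The reverse: subtract the same pad bytes."""
    _check_range(pad, offset, len(data))
    return bytes((b - pad[offset + i]) & 0xFF for i, b in enumerate(data))


class PadLedger:
    """Records which pad ranges have been consumed so no pad byte is used twice."""

    def __init__(self, pad_len: int) -> None:
        self.pad_len = pad_len
        self.used: List[Tuple[int, int]] = []   # half-open (start, end) ranges

    def overlaps(self, start: int, length: int) -> List[Tuple[int, int]]:
        end = start + length
        return [(s, e) for s, e in self.used if s < end and start < e]

    def reserve(self, start: int, length: int) -> None:
        if start < 0 or start + length > self.pad_len:
            raise ValueError("range outside the pad")
        clash = self.overlaps(start, length)
        if clash:
            raise ValueError(f"pad bytes [{start}, {start + length}) overlap {clash}")
        self.used.append((start, start + length))


def reuse_leak(c1: bytes, off1: int, c2: bytes, off2: int) -> bytes:
    """What an observer holding both ciphertexts learns over shared pad positions:
    c1 - c2 == p1 - p2 (mod 256) there, because the pad byte cancels out."""
    lo = max(off1, off2)
    hi = min(off1 + len(c1), off2 + len(c2))
    return bytes((c1[i - off1] - c2[i - off2]) & 0xFF for i in range(lo, hi))


# Constructed demo data.
PAD = make_pad()
FILE_A = b"first sample file for the demo, nothing secret"
FILE_B = b"second sample file, a little shorter"


def demo() -> Tuple[bool, bool, bytes]:
    """Returns (round trip ok, ledger caught the overlap, leaked p1-p2 bytes)."""
    ledger = PadLedger(len(PAD))
    ledger.reserve(100, len(FILE_A))
    c_a = pad_encrypt(PAD, 100, FILE_A)
    round_trip = pad_decrypt(PAD, 100, c_a) == FILE_A
    # Second file starts at a "different point" that still overlaps the first.
    try:
        ledger.reserve(120, len(FILE_B))
        caught = False
    except ValueError:
        caught = True
    c_b = pad_encrypt(PAD, 120, FILE_B)   # what happens if the ledger is ignored
    return round_trip, caught, reuse_leak(c_a, 100, c_b, 120)


if __name__ == "__main__":
    ok, caught, leak = demo()
    print(f"round trip ok: {ok}, overlap caught: {caught}, leaked bytes: {len(leak)}")
```

The ledger is the part that has to survive in practice: the pad state (which ranges are spent) must be kept reliably on every machine that shares the CD, or two files will eventually overlap and reuse_leak shows that the pad then contributes nothing over the shared bytes. The pad itself is only as good as its generator, which is the point the post ends on.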
Rabin, on the other hand, is based on two totally unproven conjectures:
... Yes, Rabin has some problems--the ciphertext tends to be much larger than with RSA--but on the whole, it's on a much stronger mathematical foundation. There have been some interesting hints, throughout the years, that the third of RSA's assumptions is not valid--nothing to make any but the most out-there mathematicians drool, but hints nonetheless.
By dodging the third issue, Rabin manages to be (theoretically) safer than RSA for a given modulus size. The word `theoretical' is extremely important, though; putting algorithms into practice is a far different thing than analyzing them in theory!
For this reason, although I prefer Rabin in theory, in practice I really don't care much which algorithm you use--RSA, El Gamal or Rabin are all just fine.
For symmetric algorithms, there is one and only one option for the hardcore and paranoid cryptogeek. That option is TripleDES--either two or three subkeys doesn't matter all that much, but three is definitely preferred. No other symmetric algorithm in history has been cryptanalyzed as heavily as DES. No other symmetric algorithm in history has established as much trust as DES. While at 56 bits of key DES is too weak for anything serious, TripleDES (at somewhere between 112 and 168 bits of key, depending on who you believe) is solid as a rock.
Of course, it's slower than hell and rekeying takes forever. But hey. If you want only the best, most secure, most-trusted, nothing else even comes close.