Slashdot Mirror
HDCP Break Proven
zavyman writes: "I just noticed at Cryptome that the flaws in HDCP posted to Slashdot earlier this year, which one person refused to disclose due to possible threats from the DMCA, have been made public by different authors. Scott Crosby of Carnegie Mellon University, Ian Goldberg of Zero Knowledge Systems, and Robert Johnson, Dawn Song, and David Wagner of UC Berkeley have published a formal cryptanalysis of the High-bandwidth Digital Content Protection System that proves its fatal flaws. Interesting reading for those with some background with cryptanalysis."
I guess this means we need to start pooling bail money then, huh?
--nbvb
Some people have refused to make security problems bublic, thus weakeneing the security of HDCP (someone could have fixed it), and this works against the *AA media bunches. Ah, the irony of it....
This is fabulous work and points out the flawed approach of expedient development of crypto based products in a corporate environment.
Good crypto can only be developed in the open where it is subject to formal peer review and detailed scrutiny.
One of these days, this problem will solve itself when shareholders regject propriatary approaches becuase they don't work, are borken and don't make any money.
Shareholders need to be educated that the only way to make money of cryptographicaly protected products or information is the open way.
RGR
Jibe!
In summary...
Conclusion
HDCP's linear key exchange is a fundamental weaknesses. We can:
Why do people continue to think they can build a secure system designed to simultaneous distribute data publicly and prevent its distribution?
It would be nice if the content cartels like the RIAA and MPAA would learn to adapt business models rather than rail against their own consumers. They would rather overturn the legal system than risk their established profit system.
Regards
I like teamwork. It's easier to assign blame that way.
There are some goals that technology can solve, without anyone doing any enforcement. If I can choose my cryptosystem and key length, I can, with very high confidence, hide the content of my private communications, no matter who is trying to break it, no matter how hard.
It's just that "content protection" is not one of those goals. If I have enough information to show a movie, I also have enough to re-show or rebroadcast it. No matter what the technology involved (assuming I have enough computing power).
Policy makers need to understand this distinction, let technology do its thing where possible, and don't expect it to do much of anything where it's not.
IMHO.
I Can't Believe It's A Law Firm, LLP does not necessarily endorse the contents of this message.
Oh, good thing it's the video encryption stuff. When I read the headline I thought it would be insecure to get an IP address with DHCP, and that had me worried.
The DMCA aims not only to protect companies who use crappy encryption from hackers, it aims to hide from the general public the potential dangers of using encryption that could have been deliberately made to be crackable. So the government could release some (easily crackable) encryption standard that gets added to a lot of hardware and software but the people won't know that their privacy could be easily violated because it would be illegal to try to crack the system. This then makes people vulnerable.
Perhaps I just thought of something that everyone knows already, but I wanted to voice it nonetheless.
Just in case the origonal authors' fears are justified, I've mirrored the page here [http://lookingglass.akardam.net/mirrored/hdcp-wea kness/hdcp111901.htm for the link wary].
Mirror early, mirror often.
The difference between this and Felten case is, that Felten "cracked" watermark system, which isn't encryption per se. Stupid, eh?
V.
From a part-time mathematician's perspective (ok, actually a physicist) this was the line that just made my jaw drop. What were they thinking?! If this text is correct, this algorithm may as well have been designed by a high-school student.
As several people have pointed out already, this is really one of the big threats of the DMCA -- that companies will go around using incredibly poor standards like this, and be immune to any pressure to improve their quality because their customers are legally forbidden to ask what they are receiving. It says a great deal about the present legal climate that anyone could get away with a mess like this cryptosystem in a commercial product.
*sigh*
Read a book, get a clue, whatever. "cryptography as we know it is obsolete" puhlease.
Nobody has touched RSA, or RSA key exchange. The problem is the crytographic protocols and implementation. The protocols often use strong (re: compute intesive) cryptography to exchange weak (re: fast) cryptographic keys. It's the weak shit that is getting cracked. Also Protocols and implementations let information to leak about the weak keys. This alows cracks to exploit the leaked info, to find the private keys faster (re: polynomial time) than the standard approaches.
Someday these corporate dumbasses, who want to limit fundementally unlimited resources, will get a clue and start creating secure implementations. That is when you should be afraid.
Maybe they'll start developing their protocols and implementations in an open process. This would have a much better chance of flushing out the bugs . The only thing they need to really control is the master keys. A smart plan would be to develope the code in a open manner, then and only then start encrypting all their music, video, articles, with the super-secret "Master" keys.
We are lucky that they are following the security thru obscurity developement process. How many times will they fail before they start to wake up?
Sony is working on encryption to the monitor. Others are working on encryption to the speakers (usb speakers with DSPs in them). Combine that with a cluefull open developement process, and we are SCREWED in a squeal-for-me-boy kinda way.
Then we start hoping someone with the real keys reveal them (the whistle blower way). Or the big corperate dumbasses leave the keys on a not-quite-so-secure system and hackers release them.
The cryptographic algorithms aren't being attack it is all the dressing PROTOCOLS, IMPLEMENTATIONS, and PEOPLE.
-- I am not a fanatic, I am a true believer.
Do you have anything to support this assertion, or only anecdotal evidence of specific crypto systems being cracked? If the latter, do you know for sure whether they were cracked because of (a) inherent weakness in assumptions upon which all cryptography is based, (b) weaknesses in the specific algorithms used, (c) weaknesses in the software architecture surrounding the encryption, or (d) bugs in the implementation? I think you'll find that most "cracks" are either (c) or (d).
So what about my 1024-bit RSA private key?
BTW, "even 128 bit keys" is an empty statement. Number of bits is to key strength as megahertz is to computer speed. You can't compare different crypto algorithms, or different models of CPU, with such numbers alone.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
Your post is slightly off topic, but what the hell. Here we go.
Sorry to say it, but you'd have to have an awful lot of resources to break even a 128-bit encrypted message. As in, more resources than most corporations are prepared to devote to such a task, and more resources than the gov would dedicate without a fairly damned good reason (well, at least a "good reason" in *their* view).
Second, you'd have to have INSANE computing resources to break a 1024-bit or 4096-bit PKI encrypted message. As in, more resources than are practical to assemble in reality these days. Your argument just doesn't hold water. Yes, people who *claim* to use cryptography (when in fact their systems are fundamentally broken/flawed) are setting themselves up for a nasty fall, but folks who use encryption properly are far more immune.
Until, of course, the government decides to arrest folks for using crypto to begin with
Web hosting by geeks, for geeks. Now starting at $4/month (USD)!
Yes, this is my protest to the sig char limit
If the goverment released the system then the spec would be available for study. Remember, the goverment can't hold copyright to anything, but some times the contractors can...
I think you may have hit upon a key step in fighting the DMCA: we need to point out that, stripped of all the falderal it is intended to let manufacturers pass shoddy goods off on us poor consumers.
If only some brave defender of the consumer/voter/masses would come forward to defend us from these cads (say, leading up to an election)...I'll bet the press would love it.
Remember, lobyists may give money, but they can be sold down the river in a heart beat if someone comes along offering votes.
-- MarkusQ
Perhaps they didn't realize it was a linear system. Many cryptosystems are broken when someone figures out "but your incredibly complex system is really mostly just doing X", for some well-known mathematical construct "X". Real cryptographers have made similar mistakes in the dim past, although in 2001, it is perhaps a little late for repeating this particular one.
They separated key into public and private parts. But I guess they haven't got to the chapter on RSA in Applied Cryptography Handbook, when the design was due. Too bad.
3.243F6A8885A308D313
Having a bit of formal training in Math, I'm just speechless. This is not crypto analisys, this is second semester of Algebra, Quiz question #2.
.. blech .. I do not know who designed this, neither I'm not sure if they even cared to independently evaluate it, but this is incredibly and incomprehensibly lame. It's like using XOR encryption or computing hash bytes multiplication.
Public/Private keys
3.243F6A8885A308D313
Hmpf, big talk from such an anonymous coward
(This is the author of the slides, BTW)
Intel wanted a scheme that could be implemented in under 10,000 gates. IMHO, the designers were aware of the flaw, though not necessarily of the full impact of the flaw. Some of the attacks are subtle.
That's like microsoft with their stupid XP authentification...3months before it was in stores everyone had cracked versions of it
You are missing the point of XPs copy protection. Its NOT so much meant to stop 3l33t pir8 groups from cracking/distributing it as it is to stop casual piracy. IE, Jim buys a copy for $x then gives his copy of Bob & Jane.
This is the area that Microsoft is loosing real revenue. MS dosn't really care if mr 3l33t hacker dude downloads a copy from the net and installs it on his other machine because mr 3l33t hacker dude would never have bought a copy anyway, but Bob & Jane might have.
There were two versions posted on cryptome, the second (latex2html, much easier to read) omitted this statement the first version had:
h acks.html), and myself (www.cryptome.org/hdcp-weakness.htm). The last two have been available publically for 3 months and 3 weeks prior to Neils Ferguson's declaration. Neils declaration and the skylarov case were an eye-openeer for me and made fully realize what I had done, and what negative consequences I was in danger of experiencing.
`` The attacks on HDCP are neither complicated nor difficult. They are basic linear algebra. Thus, there have been at least 4 independent discoveries of these flaws. The four I know of are my co-authors, Neils Ferguson, Keith Irwin (http://www.angelfire.com/realm/keithirwin/HDCPAt
What wrathful gods one risks angering by a 20 minute straightforward application of 40 year old math. This was an accident, not a habit. Like other researchers, I do not want to be smited and thus do not expect to analyze any more such schemes as long as the DMCA exists in its current form.
(This statement is my own and does not represent the opinions of my co-authors.)''
So, for those of you who watch cryptome, I broke it there about 3 days after it was leaked, 6 months ago. Keith Irwin also put his observations up 3 months ago. All of this predates skylarov and ferguson.
So, this is only the official version of the break, the slides I presented 2 weeks ago.
http://censored.firehead.org:1984/hdcp/crack2/
I broke it over 6 months ago, go look at the cryptome archives, where its been sitting since May 9th.
:)
I know of at least 4 researchers who have independently discovered the flaws. (See my other slashdot post).
After Skylarov and Ferguson, I was reluctant to point out that my work had been sitting around on cryptome since May. I suspect Keith Irwin felt similarily.
Neils wasn't the first to go public or even second, though he did raise a wonderful stink.
to make a practically unhackable system.
I've thought over possible designs very carefully, but, given the DMCA, and my lack of a desire to aid, abet, or otherwise supply any support to any of these digital control technology schemes in any way.. But, with high confidence, I'd say that you could make something essentially hackproof.
I'll be mum, at least, but I can at least reference two proposed standards for you to read. See www.trustedpc.org (with CPRM hard drives, signed drivers, signed bioses, 'trusted windows'), or microsofts slides on the topic. Also, see DTCP, there they *did* use real public key crypto.
Read them, but don't try to break them; I don't want you to aid abet, or otherwise support the digital control freaks any way.
Scott
This is pretty basic, but for those who don't know, HDCP is the encryption scheme of choice for HDTV video signals. This is fairly huge news that it has been broken since all TV's and broadcasts in the US will supposedly eventually switch to the HDTV standard. Unless they pull a fast one and switch the standard (which would alienate everyone who has already bought expensive HDTV equipment), this means that DMCA or not, people are going to have guaranteed access to plaintext HDTV signals for as long as the standard is in use. Of course, I'm personally hoping that the DMCA is at least re-written, preferrably scuttled altogether.
OK, scenario for ya: I work in a small office (25 people) and one of them is a subject of an investigation. When you pick up the phone anywhere in our office, the phone system grabs the next free line. That means that the FBI will be listening to ALL CALLS into and out of our office because this person may be using that phone. The legislation does not limit this! There was a Senator (can't remember the name, can't find it on Google) who had wanted to add that the tap was not allowed to be monitored if the suspect was not on the phone at the time, but this got shot down.
Another question is how often does a suspect use a phone before it's wire-tapped? Should we expect all public to be tapped? If I throw a party and a friend-of-a-friend makes a call or two to order a pizza, should I wonder if my phone is now tapped?
Never never never smoke crack before geometry class!
What if we had a group of say... 10K people "release" a paper like this.
:)
I'd love to see them start going down the list
So what about my 1024-bit RSA private key?
I've always thought that popular ecncryption schemes were sort of a boon to the people who need to decrypt them - instead of a million differing schemes, there is just a few with just a few differing amounts of 'bitness.' It makes their job so much easier to know that 80% of the people out there are using the same algorithm.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
If you do the math you'll see that searching entire 128bit keyspace in a decades time would require the capability to test almost 22^100 keys per second, or roughly 10 million tillion times the computing power of the EFF's DES Cracker
that should read "2^100" and "10 million trillion", in any case, much more processing power than is concievable in the near future
Reading the proof of this was really cool. I knew exactly what it was proving, how it got there, but damn. I feel like a dumb-ass (with a math minor) that I took that long to remember simple proofing techniques. Good work guys!!
I'm sure everyone in NSA shares your educated opinion.
Most likely, NSA fully subscribes to this idea and promotes peer review of top-secret work. They have plenty of scientists with security clearances for that. If NSA doesn't send a paper for review to me or to you it doesn't mean that someone else, better qualified, doesn't look at it.
"Days" is a better estimate, with hardware designed for the task. This was demonstrated in the second DES contest. The EFF's custom built machine found the key in 56 hours, after searching 25% of the keyspace.
Read here for details.
I think that you are buying the same story that the execs of large companies are buying.
Salesman "If you apply our whizzy crypto, then 95% of people won't be able to crack this"
Marketing "95% reduction in piracy? Cool, how much?"
Big mistake. Take my own example. I am not a 1337 haXor d00d. In fact I am closer to a PHB than a geek. However, I can rip CDs, de-crypt DVDs, circumvent region codes, and now de-crypt HDTV - because some clever people have put the tools in my hands.
So how many of the 95% can do this? All of them. How many will? I don't know - but when my friends see me watching a Region 1 DVD on my Region 2 laptop, I just grin and give them the tools...and suddenly the DMCA has a new enemy....
mirror here: http://www.universet.no/hdcp/
Yep. So much easier. Instead of first using seven days to figure out the algorithm used, and then just a few thousand years for decryption, you can get away with ONLY using those thousands of years on the decryption process...
In reality, that 80% of people uses the same algorithm, and have no problem telling others that they do is a testament of the security of RSA.
I'd worry more about certain people trying to outlaw encryption completely..
Yeah, but thats exactly the attitude Microsoft has, and look how secure their products are :)
I gots ta ding a ding dang my dang a long ling long
Or rather, what 10 undereducated volunteers could never put together in 10 years, a professional mathematician will do over the course of many months, and then have reviewed by several more mathematicians review over a period of years :)
Sorry for the flamebait, but amateur coders simply cannot reproduce the kind of work that professional cryptography requires.
That's not to say that they cannot go ahead and implement any developed algorithm out there... likely better than most cryptographers could do it... but that's not the same as coming up with the system in the first place.
Living better through chemicals
For this purpose, it doesn't need to be mathematically valid, any more than a cash register needs to be fireproof and have a 28-digit combination lock. All that a cash register needs is to have a door that closes and stays closed. This means that you can't have things move from the cash register into your pocket by accident.
If there was a vulnerability in the standard which meant that you could access the signals without trying to, that would be bad news. As it is, the signals are only accessible by those who want to consciously make equipment designed for the purpose of veiwing them, which has no legitimate alternative use. In other words, the "crack" of this standard only refers to an attack which is against the laws relating to theft (in this case the DMCA).
This is not a "bad" or "stupid" encryption system; it's just an example of a company using the laws which protect them to cut a cost corner. After all, if one could trust people to pay for what they watched, they wouldn't need to encrypt the signal at all.
For a bunch of self-styled "engineers", slashdot has a really hard time understanding the basic concept of "fit for purpose".
-- the most controversial site on the Web
This is for the most part true. However, by the same token, the sun is insecure. If I could pool together enough resources, I could blow it up. Clearly innovations need to be made to prevent people from blowing up the sun.
The point is that nobody has "enough" resources, nor can be expected to have them for quite a long time in the future. In this context, gathering "enough" resources is made difficult by such things as the number of particles in the universe and the speed of light.
The existence of a few failed cryptographic systems does not invalidate cryptography.
Re: 128bit keys: Do the maths. If attacking the keyspace is your only option, that's 340,282,366,920,938,463,463,374,607,431,768,211,46 keys my friend. That is a Large Number. Let's assume DNET come out with a client that checks 100 thousand keys per second per client, and there are 100 million clients. That's about 38 million times the age of the Universe (~14B) to search half the key space. I repeat, do the maths.
Re: 1024-bit keys: [sigh] That's the size of the prime modulus. When your counting bits, it is not the same measure of strength as symetric (eg. RC4, IDEA, Rijndael).
Just because its an algorithm that could be built by a blind monkey given a typewriter doesn't mean that the crack isn't an analysis.
:)
:)
I'm not disagreeing about its lameness, just claiming that I didn't do a cryptoanalysis.
Also, the slides do elide out a few things, the operations occur in the ring of the integers modulo 2^56, This is a ring, not a field because even numbers to not have multiplicative inverses. You also have to worry about mistakenly assuming that you can construct stronger attacks than are actually provable based on the specification.
Second semester algebra might be pushing it, but I'd agree that just about any junior in math could crack it in about 10 minutes after pointing out the relevant section of the specification.
BTW, the designer is Intel.
Want to read the DMCA again please?
You are allowed to hack the system and proove that it is broken (by showing exactly where is the flaw etc..) - but you cannot use the resulted crack for profit...
Enter ElcomSoft - they found a flaw in Adobe's eBook and made money from this hack by using it to make a "backup" program so you can "backup" your eBooks and in this case - the DMCA is right...
Lets be honest here - DMCA is a draconian law, but lets also be real here - Go read Adobe's statements, DMCA statements and other statements - if you're hacking in order to proof the world there is something wrong with the protection - then no one will sue you (did u see MS suing the guy who showed the flaw in their password? I didn't, what about the numereous flaws in HotMail? I didn't see them chasing those guys either)...
Hetz (Heunique)
Security by obscurity may or may not be effective - depends on who is trying to read your mail and how much time/money/effort they want to spend. In general I'm glad not to have to rely on it. Picking a weak but obscure crypto algorithm is a bad idea. (No pun intended, IDEA is neither weak nor obscure.)
RSA has stood the test of time - it has probably been through more hours of cryptanalysis by qualified professionals than almost any other algorithm, and nobody has found a serious flaw in it yet. Could it be cracked tomorrow? ("Cracked" in the practical rather than the academic sense.) Yes, but I'd bet serious money against it.
Now ... if 80% of the world used the same program to produce their RSA-encrypted e-mail, that's when it's time to worry. Because I have a lot less confidence in an individual program being bug-free than I do in RSA itself being secure. That's where the famous software monoculture (i.e. "everyone runs Microsoft Outlook in 1999, ergo Melissa", or "everyone runs Sendmail in 1988, ergo Morris worm") problem lies.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
I have only one consolation... web searches for "Scott Crosby" reveal pictures of a strange man in drag. My embarassment will be your own!
-- Minds are like parachutes... they work best when open.
Microsoft shares their software with their business experts to find flaws in their business model.
NSA shares their software with their security experts to find flaws in their security model.
You don't think this makes a big difference in the final product?
Um. HDCP is actually a standard being pushed by Intel, among others. It's the standard protection for DVI, which is used for digital cameras, etc. IIRC, they're also pushing it to be the standard video IO for PCs and as well as set-top boxes, there was a big thing on /. (here) about it when the HDCP details were first leaked. So it's about more than digiTV.
This is not quite what it's about.
The purpose is to prevent the consumer from intercepting the signal between the "set-top-box" and the TV, and doing something useful with it like making a digitally perfect copy of the material.
Ensuring payment by the consumer is a mechanism already in place - i mean, you've got the set-top-box, haven't you?
This sig left unintentionally blank.
Stalin and Hitler screwed their accademic communities for politics and it nearly ruined them. It can be argued that both geared their artists to propaganda and their science to warfare but failed. Hitler made good weapons for a while, but was unable to develop high altitude long range bombers and nuclear weapons. Stalin had tanks and planes designed from prison. As good as those designs were, they were not as good as US. While some of the failure of Soviet agriculture was intentional, who can say what effect Stalin's wierd insistence on evolution of individuals had?
Will the US be next? The DMCA is only part of the picture. When you can't say what you think, you can't trust anyone and therfore don't know what to believe ever. If you can't trust your teachers because they are afraid of being fired, what do you really know? Such distrust of your neighbor is central to autocatic control. Beware of people who scoff at things "un-official" and recomend central control.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
This is quite likely, but even the NSA isn't invulnerable. In the past decade, most of their products they have released for public consumption have been found to be flawed. Consider:
The original SHA hash algorithm had only 2^61 bits of complexity rather than the 2^80 it was originally claimed to have.
Skipjack has only one more round than is necessary to break it with impossible differential cryptanalysis.
The "Dual Counter Mode" they proposed for AES was independently broken by multiple reviewers within weeks of publication.
The NSA is quite good, but even they are human. And sadly, to err is human.
Indeed, that's how it's supposed to work, but that doesn't stop the "offended" party from filing a lawsuit they never intend to bring to court. Let's face it, most people don't have the resources to wait out a legal siege, regardless of whether or not the law is on their side.
The problem with American civil law as it stands is the more powerful party can do irreparable harm to the weaker party without having a valid claim. They only need a claim plausible enough to enter discovery.
True to a degree I'm sure, but remember that public crypto in this country came about due entirely to amateurs - and they created some of the strongest crypto around, such as RSA. I reccommend the book "Crypto" by Stephen Levy as an excellent overview of the history of public crypto. As anyone who has worked with an MCSE knows, being a "proffesional" does not neccesarily mean you are more skilled.
Don't you think that it might just be possible that the NSA was fully aware of the flaws in thier products, and was hoping that their standards would be widely adopted before anyone found out that they were peddling snake oil?
All cryptosystems boil down to trust. NSA can never be blindly trusted to give the general public a cryptosystem that they cannot themselves defeat. History bears this pattern out -- for example, NSA (and/or it's predecessor) flogged off Enigma machines to foreign governments and big businesses after WWII, touting them as "secure". Of course we now know that Enigma had been completely defeated by that time -- NSA and their British counterparts could break it, but (presumably) no one else could. NSA has no incentive whatsoever to promote or endorse a cryptosystem that they cannot defeat; any cryptosystem that the DO endorse must automatically be held suspect.
Also we must remember that just because there is no KNOWN (unclassified) attack on a particular cypher, that does not mean that NSA doesn't have an attack that hasn't been publicly re-discovered yet: there's substantial evidence that suggests NSA had developed differential cryptanalyis at least a decade before the technique was published openly.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
> ..at least, I *think* that's how you spell it...
Yes.
http://www.m-w.com/cgi-bin/dictionary?demagogue
rant
Security by obscurity may or may not be effective - depends on who is trying to read your mail and how much time/money/effort they want to spend.
Agreed.
The point I was trying to make, was because people use the same algotithm, it's easy to just throw computing resources at a decryption problem. If everybody used ad-hoc encryption, a little rot13 here, a mix of RSA on top of that, followed by some bothched LZW compression - then you would have to throw human resources on the problem, and that gets expensive.
Beacuse RSA is perceived to be almost perfect, nobodty uses one time pads - and that would really piss off the powers that be. RSA.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Considering Ian Goldberg is probably still a Canadian citizen living in the U.S., he also has to worry about the new anti-terrorism laws.
-no broken link
So what you are saying is that Microsoft (and all other software companies) should just Bend Over and take software piracy up the ass because 20% of the community can obtain a cracked copy? What about the other 80%, this still represents millions of dollars in revenue saved.
I don't remember offhand whether Rivest, Shamir or Adleman had their PhDs in 1977, but I don't think that the RSA algorithm was "amateur" cryptography. It was certainly professional-level research work, done at MIT under government grants. Pioneering work is not necessarily amateur.
The only real example I've seen of good amateur cryptography was from the Irish student a few years back. I think the jury's still out on that one though, and she was still a student of mathematics.
The point I was trying to make was that amateur coders simply cannot come up with good crypto, no matter how good their hacking skills. Amateur mathematicians, on the other hand, might get lucky.
And no, being a "professional" doesn't mean anything, but having your work survive the sort of peer review that cryptographic algorithms are subjected to usually does.
Living better through chemicals
Lets, get together, and, all 10,000 of us start to sell crack cocain in our local neighborhoods. They can't arrest us all, right?
*STUPID*
Hey, I remember you.. You have my email address from the past, or its easy to find out.
And finding me online is trivial:
http://www.google.com/search?q=Scott+Crosby
Note the first two links.
Reading the document, the crack hinges on collecting a sufficient number of public keys. The solution is obvious:
Ban the sharing of public keys!
Oh, wait...
What in the hell are you talking about!?? you somehow made the leap from talking about Fascists and Dictators to business and capitalists, which i think could not be more wrong.
Capitalists believe in free market society!
They are not the propenents of the recent bills sweeping through congress! The true fascists are the anti-corporate people. Take for example the microsoft case, in a truly free society, they would be allowed to thrive or wither in the open market, however the DoJ, anti-corporate whiners, and companies unable to succeed on their own, are demanding Microsoft suffer for being better than everyone else!
Your arguement that the capitalists are the dictators makes no rational sense to me!
Don't worry, numerous universities offer courses in "Law & Economics" which can cure you of this deficiency.
-- the most controversial site on the Web
What you're saying is that someone without signifigant mathematical skill can't create very complex high level math algorithms? I don't think anyone is disputing that. An amateur mathematician isn't going to be able to create, say, a cross-platform 3d first-person shooter, either. I'm not sure how your point is relevant.
While this is possible, and it's always good to be more paranoid than necessary when dealing with security, it does not behoove the NSA to distribute products with known flaws as suggested standards.
The NSA is charged with protecting national security. If they promote a product with a known flaw as a standard for U.S. government agencies and businesses to use, of course it lets them snoop on anyone who uses the product. But it also gives that ability to anyone else that knows the flaw. This potentially includes foreign intelligence agencies, and if the flaw is publically discovered, everyone.
It would be the height of arrogance on the NSA's part to assume that they are so far ahead of other cryptanalytic researchers that the flawed standard they promote will not be broken by anyone else until all data protected by the standard is no longer sensitive. Remember, even if the standard is "secure" at the time of transmission, an evesdropper can catalogue it in the hopes of a future break.
While it was once true that the NSA was about two decades ahead of public academic cryptanalysts (judging by the fact that DES is resistant to differential cryptanalysis), what scanty evidence there is suggests the gap was about 3-5 years during the 1990's. This is hardly time enough for sensitive data to become irrelevant.
For the NSA to promote a flawed standard would be an enormous risk to national security, because the odds are high that the standard will be publically broken eventually.
I think the evidence supports this. In the case of SHA-0, the NSA retracted the standard citing an unrevealed flaw, and about three years later the flaw was publically figured out. Even if the NSA is inhumanly good, possibly omniscient, I have seen no evidence that they are prescient enough to figure out that academic researchers would break their standard three years in the future and so withdrew a flawed standard that they always knew was flawed. It seems far more plausible that they released the standard, discovered the flaw, and retracted it (in that order).
And the Dual Counter Mode was nothing more than completely shoddy work. Any professional cryptanalyst could break it using publically known techniques (and several did). If the NSA released it knowing it was flawed but thinking no one else would figure it out, they were not only arrogant, but downright foolish. It is far more likely that they didn't subject it to much internal review.
As for Skipjack, who knows? It's possible the NSA didn't discover impossible differentials first, although it being exactly one round above the breakpoint seems a little bit suspicious. It's equally likely they knew about impossible differentials and published an algorithm on the very edge of security.
I don't trust the NSA, but I think their mission of protecting national security precludes them from releasing products with known flaws. It's nice to be able to snoop on your own citizens, but not at the cost of letting everyone else do so, too.