AES Announced as Federal Standard

chekhov writes: "Today NIST has finally announced AES (Advanced Encryption Standard) as a Federal Standard after 4 years of development. See the press release. AES is the replacement of DES and is expected to be used in financial systems and secure networks for up to 20 years. More information on the AES homepage."

Rijndael

[wildsurf]

In 20 years when the encryption is broken, will we then find out what "Rijndael" really means?

Re:Rijndael

Sounds like a Dutch name to me... probably the guy who came up with the algorithm?

Re:Rijndael

[selderrr]

Not dutch. Belgian. He works at the same university as I do : KULeuven. here's his homepage : http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

Re:Rijndael

[forged]

It is indeed a play on word on the authors' names: Vincent Rijmen and Joan Daemen

Re:Rijndael

[rtos]

From the Rijndael FAQ...

How is that pronounced?
If you're Dutch, Flemish, Indonesian, Surinamer or South-African, it's pronounced like you think it should be. Otherwise, you could pronounce it like "Reign Dahl", "Rain Doll", "Rhine Dahl". We're not picky. As long as you make it sound different from "Region Deal".

Why did you choose this name?
Because we were both fed up with people mutilating the pronunciation of the names "Daemen" and "Rijmen". (There are two messages in this answer.)

Can't you give it another name? (Propose it as a tweak!)
Dutch is a wonderful language. Currently we are debating about the names "Herfstvrucht", "Angstschreeuw" and "Koeieuier". Other suggestions are welcome of course. Derek Brown, Toronto, Ontario, Canada, proposes "bob".

All that and more at The Rijndael Page.

Re:Rijndael

[Anonymous+DWord]

I like the "bob" suggestion. Only they could spell it in Welsh, like "Cwghlqhgm," but pronounced "bob." Or maybe that's pronounced "rhine-doll." I don't know, my Welsh is worse than my Dutch.

Re:Rijndael

Is that an actual Welsh word, or did you just pick scrabble letters out of the bag at random?

Re:Rijndael

[Anonymous+DWord]

Scrabble letters. I threw the vowels back though.

Standard

[YearOfTheDragon]

"The specifications for the Rijndael algorithm have now been formally incorporated into Federal Information Processing Standard 197." I don't think that such an algorithm can be secure and have backdoors.
"also is completing arrangements so that vendors can have their implementations of AES validated under the Cryptographic Module Validation Program, jointly led by NIST and the Government of Canada's Communications Security Establishment" Cryptographic Module Validation Program is going to put that Backdoors?
Not if it's your implementation and your company name.(Or is going to pay a lot of money) "They have agreed that their algorithm may be used without royalty fees.
So can be done under the GNU/GPL.

Re:Standard

[lhaeh]

It won't need backdoors if the government keeps it around for 20 years, with a 256 bit key size it won't be of much use then.

Re:Standard

[tomstdenis]

You're kidding right?

Unless a shortcut attack is found a 256-bit key will ALWAYS be secure from brute force searching via a computer. There is not enough energy in the universe to make a conventional computer process that much work.

That doesn't preclude QC related attacks but keep in mind that QC is far from reality [in a usable sense] and that even then it will be along time before you're playing your QC powered Gameboy...

Currently the best ways to defeat a cipher like Rijndael [or AES if you will] is non-mathy. You install virii, trojans, backdoors, bribe people, beat it out of them, etc...

Actually breaking AES from ciphertext/plaintext pairs only is not likely for a long time to come

Re:Standard

[plcurechax]

I don't think that such an algorithm can be secure and have backdoors.

You're right, the algorithm AES (a subset of Rijndael) does not have any backdoors. Therefore it may be secure. And to the best of anyone's knowledge it is secure and free of any backdoors.

Cryptographic Module Validation Program is going to put that Backdoors?

The NIST's FIPS standards are used to tendor commercial equipment from suppliers for the US government own use, so it is in the US government's own best interest to make as certain as reasonable possible, using the Cryptographic Module Validation Program, that those products used by the government are safe and secure.

Re:Standard

[GTRacer]

OK, I'm a total retard when it comes to crypto. So bear with:

How does Rijndael's 256-bit key compare to PGP's 4,096-bit key (assuming a well-chosen passphrase)? Can I assume that my PGP key is safer than Rijndael from brute-forcing? Or is there something about PGP's crypto that reduces the key/search space?

IOW, just how does PGP compare? Thanks!

GTRacer
- I'll stick with Enigma, thanks.

Re:Standard

[tomstdenis]

Well you are talking apples and Oranges. Rijndael is a symmetric block cipher where the encrypt and decrypt key are private [and typically the same, or a derivative of the other]. You can typically attack a block cipher through itterative statistical attacks [differential, linear, truncated differentials, boomerangs, square, etc...] or through a brute force of the key space.

Typically for symmetric ciphers those itterative attacks fail [require too many ciphertext/plaintext pairs to work] so brute force is the only remaining known attack.

In the case of DH/ElGamal/RSA over the field of integers [i.e what PGP basically uses for its private/public key stuff] there are ways to attack those systems faster than randomly guessing the secret information. For example, in RSA you can factor the public modulus [typically the 'n' part of your key] to find the private decrypt exponent. Factoring a N-bit number is typically faster than guessing the N/2-bit factors. [Similar idea holds for DH/DSA and ElGamal]. So factoring a 1024-bit RSA key modulus may take the same amount of time as brute forcing a 80-bit symmetric block cipher's key.

That's why in symmetric block ciphers you can get away with smaller keys than in public key ciphers.

Hope that helps!

Tom

Re:Standard

[tomstdenis]

A bit more info. PGP is not a cipher either. Its a cryptosystem. It uses a collection of Public Key Ciphers and symmetric key ciphers todo its work.

A public key cipher is a cipher where you make up a key where you can give out a public copy and keep a private copy. People can send you messages using your public key and only your private key can decrypt them. For example, In RSA you make up two primes p and q, and get N=pq, you make up an encryption exponent typically e=65537 [fixed] and find your own decryption exponent de = 1 mod (p-1)(q-1). Since only you know the factors only you know 'd' [your private key].

Think of it this way.

Let e=5 and then d=1/5.... If you are going to encrypt a message M=4 you do

C = M^e = 4^5 = 1024

Then to decrypt

M = 1024^d = 5^e^d = 5^(ed) = 5^(5/5) = 5

etc...

What PGP really does is uses the PK cipher to encode a random key used in the symmetric cipher. The symmetric ciphers actually encrypt your message, and the PK cipher encrypts the key used. When you go to decrypt a message you use your PK private key to decrypt the symmetric key and then you decrypt the message.

Arrg...

Buy Schneiers "Applied Cryptography" if you want to learn this.

Tom

Completely unbreakable...?

[iworm]

The article assures us that even though DES can now be (relatively easily) broken, AES would take umpteen quadrillion years to break (plus or minus).

I can't help thinking that back when DES was new, they probably told us the same thing.

Moore's law and all that stuff, but betcha in a decade or so AES is suddenly breakable...!!!!

Re:Completely unbreakable...?

I don't think Moore's law will have any effect
on cracking AES. Conventional computers will run out of steam long before they get fast enough to crack AES. Quantum computers on the other hand might be a different story.

However hopefully NIST will simplely issue a new standard if the AES becomes breakable. Like it did for DES.

Re:Completely unbreakable...?

[nyjx]

Er, The solve time is expondential in the length of the key so moores law won't help you very much. You can happily double your computational power every 18 months but still run out of time before the end of the universe.

Your better bet is to work out how to solve NP hard problems (or any one) and map it back to the crypto algorithm. But of course you'll be able to do that easily once IBM releases it's first quantum computer....

Re:Completely unbreakable...?

[Diomedes01]

Actually, when DES was first released, there was quite a bit of scepticism about its integrity. The S-tables were thought to have been chosen to make the algorithm easy to break for someone who knew the secret. Furthermore, the NSA completely gimped DES by forcing IBM to use 8 bits of the key for parity checking, which was completely unnecessary. The only thing it did was shorten the key.

Re:Completely unbreakable...?

[vscjoe]

Um. If you double compute speed every 18 months, compute power is growing exponentially as well, and you lose one bit of key security every 18 months. It takes years, not eons, to catch up.

In addition, AES may have problems we don't even know yet. DES turned out not to require brute forcing.

Re:Completely unbreakable...?

[tomstdenis]

Yeah well all of the attacks that apply to DES do not apply to AES [read the paper dude]. You have to realize that AES is based on the research gained in the decades after DES.

That doesn't mean that AES is invulnerable, just less likely to fall to an attack faster than brute force than DES is.

Re:Completely unbreakable...?

[dimitri_k]

Er, The solve time is expondential in the length of the key so moores law won't help you very much. You can happily double your computational power every 18 months but still run out of time before the end of the universe.

Doubling every so often is also an exponential gain. You must always increase the key size as the faster processors approach feasability of forcing the key.

Your better bet is to work out how to solve NP hard problems ...

I have some time later today.

Re:Completely unbreakable...?

[JohnPM]

This is very true, but as someone else pointed out - you will gradually increase the key length as well. Also, the processor time and memory is roughly proportional to key length. They're all connected in an interesting way. So if you double the capabilities of your computer then you can double the key length without taking a performance hit. In doing so you square the time needed to brute-force crack the key.

For example, when public key cryptography was first invented (there's enough contentious history there to make the founding of Cisco look like a tea party) the cost of actually using "safe" length keys was pretty prohibitive. The founding fathers of PGP were just waiting for computers to get fast enough that this situation would be reversed and encryption would become as common as digital information. Well computers probably got fast enough in the last 80s, but encryption-for-everybody still hasn't really taken off. I guess social factors are harder to model than CPU speeds!

Re:Completely unbreakable...?

[Goonie]

Your better bet is to work out how to solve NP hard problems (or any one) and map it back to the crypto algorithm. But of course you'll be able to do that easily once IBM releases it's first quantum computer....

Not with present theoretical work on quantum computing, as it's been reported. Yes, they can find factors very quickly, but factorisation is not NP-hard, and nor are any of the other (very few) problems that quantum computers have been demonstrated to be useful for.

If I recall correctly from my computer security subject at uni, one of the other things that quantum computers can do is help brute-forcing cyphers, but not by nearly as much as you think. I was told it makes the problem equivalent to brute-forcing a key half the length , so brute-forcing a 256-bit key with a quantum computer would take round about the same amount of work as cracking a 128-bit key with a conventional computer. Brute-forcing 128-bit keys is computationally infeasible and will remain so for decades, at least.

Re:Completely unbreakable...?

[jeremyp]

I remember when I was a child back in the late '70s / early '80s seeing a report on television which alleged even then that the NSA had deliberately crippled DES by restricting the key length. So even then, people did not consider DES to be as secure as it could or should be.

Re:Completely unbreakable...?

[Skuto]

>The S-tables were thought to have been chosen to
>make the algorithm easy to break for someone who
>knew the secret.

Yes, this is what was _thought_.

When differential cryptanalysis was discovered in 1991, many DES 'replacements' were completely broken, but DES itself was only weakened, not broken.

It turned out to be those NSA-picked S-boxes that made it much more secure than the alternatives. So, they actualy made the algorithm stronger, not weaker.

(and they had appearently knew about differential cryptanalysis some 20 years before the academic world did. scary, isn't it?)

--
GCP

Re:Completely unbreakable...?

[mors]

DES did not turn out not to require brute forcing. DES turned out to require a search of slightly less than the whole keyspace, but thats still brute force by any reasonalb definition of the word.

Re:Completely unbreakable...?

[jonathan_ingram]

Yes - it's amazing that people are still using the NSA altering the S-boxes as an example of them trying to *weaken* crypto.

The original paper by Biham and Shamir is available at CiteSeer:

Differential Cryptanalysis of DES-like Cryptosystems. It's a classic paper that everyone interested in the field should read. There are some wonderful analyses of systems which people had suggested as alternatives to DES. For example (from page 72):

This section describes how to cryptanalyse GDES [Generalised DES]. The special case ... which is suggested [by Schaumuller-Bichl] as a faster and more secure alternative to DES is breakable with just six [!] ciphertexts in a fraction of a second on a personal computer.

Re:Completely unbreakable...?

[Captain+Morgan]

Slightly less than the entire keyspace might be a reduction by half of the work required. The smaller keyspace made the already weak DES a bit weaker, and hence the scramble for AES ;-)

Re:Completely unbreakable...?

[gregor_b_dramkin]

IF computing speed can continue to double every 18 months, then today's 56 bit key will be roughly as strong as

• a 128 bit key in 108 years
• a 192 bit key in 204 years
• a 256 bit key in 300 years

But that is a huge "if".

I recently did a study of future trends with regard to processors. Let me sum up ....

Processing speeds are currently limited by charge dissipation (no pun intended). Charge dissipation is related to feature (transistor) size. It is a hard fact that feature size can only shrink at the Moore's Law rate for about another 12 years before we get transistors that are only a few molecules thick.

I'm not saying that it will be impossible to continue with efficiency gains beyond that point. But who's going to pay for the research to continue at such a break-neck pace?

Perhaps, I am being short-sighted, but I think we are starting to see a slowing of the demand for ever-faster technology.
Graphics-intensive games are staying on store shelves for years, instead of months. Even Microsoft is having a hard time making software that is bloated enough to demand the latest hardware.

Developing new processor technologies is horrendously expensive. Unless there is sufficient demand for faster processing speed, it will simply not be viable for companies to research the technology.

Okay, I spoke my mind. Flame on!

Re:Completely unbreakable...?

Jap , for brute force, 256 bit is a completely unbreakable because of termodynamic limit.
(2 termodynamic law) we need at least kT of energy for a single state change (here k - Bolzman constant, T - system temperature). If we take 2.3K (estimate) as the average temperature of the universe, then for 2^265 state changes we'll need more energy than universe has (estimated).
The Moore's law will not prevail physics :)

Re:Completely unbreakable...?

[PinkHeadedBug]

Very true; it's commonly believed that the way that DES withstood differential encryption shows that the NSA knew about that technique in the '70s.

Also interesting, though, is the evidence that the NSA didn't know about linear cryptanalysis; DES was weakened quite a bit more under that method of attack.

That's not to insult IBM or the NSA; you can't predict what sort of an attack people are going to throw at you two decades in the future. That it stood up as well as it did is a monstrously huge accomplishment.

I'm just fascinated how we can deduce what the NSA knew and didn't know so many years ago, by judging how well things withstand attacks today.

Re:Completely unbreakable...?

Moores law says they double the number of transistors on the microprocessor every 18 months. That only translates into 'speed' for awhile, then scalability rears it's ugly head.

Re:Completely unbreakable...?

Moores law says nothing about computer speed doubling. It refers to the transistor count doubling.

And, surprise, someone has to figure out somthing clever to do with all the extra transistors for it to be meaningful.

Re:Completely unbreakable...?

[AnotherBlackHat]

The article assures us that even though DES can now be (relatively easily) broken, AES would take umpteen quadrillion years to break (plus or minus).

I can't help thinking that back when DES was new, they probably told us the same thing.

Not even close.
When DES was new, there was a lot of speculation that the 56bit key length was choosen because it would be possible to crack it via a device like the EFF DES cracker. To further fuel the fire, the reason they didn't choose 64 bits was classified. I'm still skeptical of the "reason", even after learning about differential cryptography.

There are some points that will doubtless be raised in this (and other) threads. Here are my answers:

128 bits is not immune to brute force attacks in theory for more than 100-200 years.
In practice, there may be a fundamental limit to Moore's law that will prevent it, but we don't know what that limit is (yet.)

256 bits is dubious for brute force attacks, but it is certain that other methods of cracking a 256 bit key will always be easier. I.e. looking everywhere the secret might be hidden (including inside the minds of your enemies) will be easier.

Encryption, like a chain, is only as strong as it's weakest link. Key size is just one link in that chain, and only protects against brute force attacks. It doesn't protect against bad passwords, TEMPEST, black bag jobs, rubber hoses, or as yet unknown advances in mathematics,
or computing.

Re:Completely unbreakable...?

[noperoblimo]

In Steven Levy's Crypto, there is a chapter about how DES was invented. There is a bit that mentions that the creators of DES uncovered what was to be called "differential cryptanalysis" independently of the NSA (But because they were working with the NSA at the time, the NSA requested that it be classified).

Re:Completely unbreakable...?

[ChadN]

In addition, AES may have problems we don't even know yet. DES turned out not to require brute forcing.

True, although those were effectively solved with 3DES; hopefully a 3AES won't be needed for a long while.

Re:Completely unbreakable...?

[vscjoe]

Brute forcing keys is fully parallelizable, so for this case, Moore's law does translate into speed.

Re:Completely unbreakable...?

[Zeinfeld]

Er, The solve time is expondential in the length of the key so moores law won't help you very much. You can happily double your computational power every 18 months but still run out of time before the end of the universe.

Untrue.

Each bit of key size doubles the computational cost of brute force attack. So AES is 2^(128-56) = 2^72 times harder to break than DES.

If Moores law continues and computing power doubles every 18 months AES will be broken in precisely 105 years (it being 2 years since the DES cracks).

I don't know about you, but I have no plans to use AES personally after 2075.

In practice the quantum limits of silicon computing will be reached earlier, although it may prove possible to move from 2D slices to 3D systems...

Re:Completely unbreakable...?

[ChadN]

It was unclear whether the original poster meant that weak keys and other problems reduced the keyspace (to about 55 bits), or that techniques such as differential or linear cryptanalysis attacks, might *POSSIBLY* be able to break it with less than brute force (assuming HUGE amounts of chosen plaintext).

Re:Completely unbreakable...?

[JF]

> I can't help thinking that back when DES was new, they probably told us the same thing.

Actually it was developed with a relatively small key size so that the government would be able to break it if necessary. It was estimated at the time that someone with 10 million dollars could break a key in a couple of days.

In the early 90s, I think that went down to 100,000$ and a couple of hours.

AES is another story completly.

-JF.

AES - The only reason I know anything about finite fields.

Re:Completely unbreakable...?

their is a guy who broke it in 9 months he used about 1000 or so puters all unix running it as a background task did it for a uni assinment or somthing it was in an australian paper but said it is pointless as they changed the code he cracked in 6 or so times from when he cracked it so even if i can be cracked why bother thell just change it

Re:One Word...

[-Surak-]

Naw. Don't need it. They'll just charge anyone using it that they don't like under the new anti-terrorism crap. Saves a ton of cycles.

Terrorists?

[Exmet+Paff+Daxx]

Who will be required to implement and use the AES?

The AES is now an approved encryption algorithm that can be used by U.S. government organizations to protect sensitive, unclassified information.

...

Commercial and other non-federal organizations are invited-but not required-to adopt and implement the AES and NIST's other cryptographic standards.


If I read this correctly, terrorist cells qualify as "other organizations". I couldn't find any mention of export limitations, civilian key strength limitations, or bans on use by criminal organizations.

What have we done?

Re:Terrorists?

[ACupOfCoffee]

Absolutely nothing but choose a secure effective cryptographic scheme for important data and transactions. If you think that by imposing legal limitations on the use of cryptography that you will stop terrorists or other unauthorized users from encrypting their data then I would have to urge you to seriously consider your view. The algorithm chosen for AES is not the only secure encryption algorithm out there and it is somewhat trivial to implement a number of highly secure cyphers. Legislation against cryptography generally only means that law-abiding citizens must use insecure methods of protecting themselves.

Re:Terrorists?

Perhaps we've prevented "terrorists" (whom you appear to fear more than those who would require your social security number to be tattooed on your forehead before you're allowed to renew your drivers license) from being able to freely access information like where you live, how much money you have in your checking account, all of the entries in your credit report, a detailed history of what and how much you and your family members consume, and a whole raft of other stuff.

The real "terrorists" are those who push for "civilian key strength limitations" and other erosions of our civil liberties. If you want my 4096 bit key, you'll have to pry it from my cold, dead, cerebral cortex.

Re:Terrorists?

[sql*kitten]

If I read this correctly, terrorist cells qualify as "other organizations". I couldn't find any mention of export limitations, civilian key strength limitations, or bans on use by criminal organizations.

This really is no big deal. There a many high-quality hard crypto techniques around. If al-Queda really want strong crypto they can just FTP it from ssh.com like anyone else. Or PGP. Or OpenBSD.

But historically, they have relied on codes (as opposed to cyphers), trusted intermediaries and one time pads.

Here's a free clue for you: terrorists and other criminals, by definition, don't obey laws. So what if there's a "civilian key strength limitation" when you can download the source, change a #define and type make. So what if there's a ban, that's trivial to people who destroy skyscrapers just to make a point. So what if the algorithm is a secret, the US govt. doesn't have a monopoly on talented mathematicians.

This genie is already out of the bottle. Trying to put it back will only help the terrorists by disrupting and harming the commercial interests of the West further.

<rant>
The Feds never really had a chance of keeping crypto out of the hands of anyone, but they were too stupid to realize it, too busy banning metal cutlery in airports and nonsense like that. I am English, have you ever tried to eat a proper English breakfast with plastic cutlery?!
</rant>

Re:Terrorists?

[gabba_gabba_hey]

um, "proper" english breakfast? hehe, that's subjective i suppose, not that the average american breakfast is any better mind you ;)

Re:Terrorists?

[markyd]

An 'English Breakfast' is a paticular type of breakfast, not just a breakfast eaten in England. Depending on where you are its several or all of:

• Fried Egg
• Bacon
• Hash Browns
• Baked Beans
• Fried Bread
• Fried Sausages
• Grilled Tomato

Probably some other stuff as well

Re:Terrorists?

[Jucius+Maximus]

"An 'English Breakfast' is a paticular type of breakfast, not just a breakfast eaten in England. Depending on where you are its several or all of:

...Fried Bread..."

Can you please explain how one would go about frying bread? I know they do it at Pizza Hut but really ... do you slice it up and toss it in a frying pan with some oil?

Re:Terrorists?

We've done the same thing we always do. We've provided people who think technology should be more restricted to prevent malicious use of it with another argument. And as always, the logic is especially thin. But then, you were joking, right? I wish it were possible to know for sure.

Re:Terrorists?

[AnUnnamedSource]

Criminal organizations don't typically observe government bans on their activity (duh).

Re:Terrorists?

[lizrd]

Can you please explain how one would go about frying bread?

It's bread toasted in a frying pan with a light coat of butter. Americans might better know this dish as texas toast, though that term usually implies that you have prepared an unusually large slice of bread in this manner.

Re:Terrorists?

[saruman1]

First of all YOU did nothing, but they did it here in Belgium. Second, don't you think you should rather search the cause of terrorism in YOUR politics and not in OUR technology?

Re:Terrorists?

[plover]

The Feds never really had a chance of keeping crypto out of the hands of anyone, but they were too stupid to realize it, too busy banning metal cutlery in airports and nonsense like that. I am English, have you ever tried to eat a proper English breakfast with plastic cutlery?!

Nonsense. The Federal government accomplished as much as they could, within the constitutional limits by which they were constrained. They have successfully delayed mass-marked crypto to this day.

Sure, a bad guy can download a crypto package. A bad-guy organization can download a dozen different cryptosystems in less time than it'll take me to write this.

But my brother-in-law with Windows ME still doesn't use it. And neither does your mom, or your car salesman, or the guy who drives the gas tanker truck for BP.

As long as 99+% of the worlds e-mail travels unencrypted, Echelon can watch it. Carnivore can watch it. And encrypted e-mail is still easily recognizable for what it is, so it stands out, making traffic analysis easier (which is also legal without a warrant under the PATRIOT act.)

The DOJ and FBI have so far succeeded masterfully at accomplishing their common goal of preventing a global encryption infrastructure. IPSec, SSL, https:, PGP, etc. are all fine and secure products and protocols, but nothing today is all-pervasive. Encryption only happens on an ad-hoc basis, which has been their goal ever since the genie got let out of the bottle. They have very successfully kept encryption from protecting us to its fullest potential.

John

Re:Terrorists?

[Delphis]

Although to clarify, with fried bread (or even sometimes referred to as a 'fried slice') there is no garlic involved.

Re:Terrorists?

[mmontour]

This really is no big deal. There a many high-quality hard crypto techniques around. If al-Queda really want strong crypto they can just FTP it from ssh.com like anyone else. Or PGP. Or OpenBSD.

Or code it themselves. Rijndael/AES is a fairly simple algorithm, and only relies on a few "magic numbers" (the 256-byte S-box is generated mathematically). It would be easy for someone with a math or electrical engineering background to memorize the algorithm, then implement it from scratch at a later date without any source code or reference material. It took me an evening to write an AES implementation based on the PDF specification on the NIST website, and it would be faster to re-do it now that I understand how the algorithm works. Does that now make me a "controlled munition"?

There is no good way to control or restrict the *distribution* of strong crypto. All that can be done is to restrict the *use* of strong crypto, by widespread wiretapping combined with severe penalties for anyone sending messages that can't be cracked or don't correspond to the copy of your private key that you "voluntarily" registered with the government. The government doesn't have to be able to break a terrorist's message, if that encrypted message itself is sufficient cause to throw the "terrorist" in jail with no further communication to the outside world.

Not that I approve of this, mind you, but it could be done. It might even work, in a theoretical world where law-enforcement officials were all 100% free from corruption or the possibility of bribery/blackmail.

Re:Terrorists?

They have also prevented raincoats from protecting us to their fullest potential.

We could all carry raincoats with us all the time. The government could have funded an industry to produce cheap tiny raincoats that would be durable. But they haven't. In fact they haven't even given a tax advantage to any industry wanting to do so.

It is all a conspirasy

And obviously, raincoats are more useful to the average citizen than cryptographic messaging.

Re:Terrorists?

[Sandor+at+the+Zoo]

I couldn't find any mention of export limitations,

You didn't look very far into the FIPS pub, did you? :-)

11. Export Control. Certain cryptographic devices and technical data regarding them are subject to Federal export controls. Exports of cryptographic modules implementing this standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce. Applicable Federal government export controls are specified in Title 15, Code of Federal Regulations (CFR) Part 740.17; Title 15, CFR Part 742; and Title 15, CFR Part 774, Category 5, Part 2.

Now, the real question is, what does this mean? Has anyone looked these up? Can you just use AES/Rijndael in software and publish it or sell it on the net? Or do you have to get a waiver or file notification with the Bureau of Export Administration, as you did with DES?

Re:Terrorists?

If its british food, spices of any type are not involved...

European Technology

[Hougaard]

I think that its interesting that the US goverment had the guts to thoose a european developed algorithm. Usually those thing goes to US based companies/scientists.

Heads up for choosing the best solution from a cryptography viewpoint!

Re:European Technology

[Mike+Connell]

I think the fact that it's academic (ie from the open peer-reviewed world, well discussed and attacked), plus the fact that nobody in Europe has anything the size of the NSA would helps.

Re:European Technology

[Hougaard]

Hmmm.. Who broke the german Enigma under WWII, US or England/Poland ? :-)

Re:European Technology

[iworm]

Good man. Someone who gives credit to the Poles as well as the UK for breaking Enigma. So often the Brits get all the credit - Much credit is of course due, but to Brits and Poles.

Re:European Technology

[Mike+Connell]

It isn't the 40's anymore. Due credit to the UKs wartime effort, and GCHQ's discovery of PK, but they aren't the size of the NSA - nor should they be.

I dont know about Poland, but I think it's safe to assume they don't have anything bigger than the NSA either!

Re:European Technology

[onion2k]

Poland got there first, but when the Germans invaded completely ran out of resources and handed all their research over to England. A lot of work further down the line, and we (I'm English) were breaking the 3 wheel standard Enigma within hours of getting the first encrypted transmissions, thanks to Turing's 'bombes' (electro mechanical decrypting devices).

However, when it came to the German naval Enigma, the 4 wheel version, we ground to a halt. We didn't have the resources to build enough hardware to break the crypts within any time that the info would have helped. So we called in the US to help build more gear.. It was a big team effort.

Note however, that the 3rd Reich trusted Enigma utterly. They fell into the trap of thinking they were completely secure, and that was the downfall of Enigma, as it would be of any trusted encryption. Encryption by definition is breakable in a certain length of time. The problem with Enigma was that there were backdoors, such as the fact it never encrypted any letter as itself. The security of AES is currently being hailed as the fact it has a key field 10 to the 21 times larger than 56bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.

Re:European Technology

[Hougaard]

So size matter ?-)

Ofcause they are smaller, but the important thing to is to be able to mount the effort when its needed. NSA on the other hand is just "Yet another US goverment office out of control" or in selfcontrol - but out of reach from gov.hill. Nobody in the US goverment dare to touch NSA. Both the NSA and the CIA failed completely 11.sep.
So what do they need NSA for when cryptography is retreived in Europe, creating secure Linux distributions?

Re:European Technology

[Mike+Connell]

So size matter ?-)
Basically - yes - that is with "all other things being equal". Even if the NSA is "Yet another US goverment office out of control", I don't see (for example) that GCHQ would be any different - except for being smaller ;-)

Both the NSA and the CIA failed completely 11.sep.
That's true. However, it's not like GCHQ knew exactly what was going on but didn't bother telling the Americans is it?! Everybody failed.

Re:European Technology

[Hougaard]

Yeah, but if size matter the failure should be measured in budget fonds and the CIA+NSA gets more money than anyother intelligence organisation in the world.

But what are we discussion? My primary point was the its nice that the algorithm was thoosing for its design/features rather than what country it was from. One of the analysts (cant remember who) said that no matter who got choosen (from round 2) they would all be a excellent AES, but Rijndael would be the bold choice based on its pure/simple matematical base.

Re:European Technology

[nzhavok]

A previous version of the enigma machine was sent to the German embassy in Poland before WWII. The postal staff knew something was up because practically half the entire embassy staff turned up for the arrival. The staff closed the post office and told the Germans tough luck, come back tomorrow it's past closing time :-) Overnight the machine was disassembled and photographed in detail and reassembled for the morning.

Re:European Technology

[dimitri_k]

The security of AES is currently being hailed as the fact it has a key field 10 to the 21 times larger than 56bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.

Key length is, of course, vitally important. Understand the Rijndael spec. before you continue your speculation. Also, many "idiots" try to brute force it. Effort required to force a key is proportional to the cipher's weakness.

Less generally, by employing lack of symmetry and a non-linear layer in the cipher, AES pretty much gurantees that you'll simply be searching the key-space at random. If you can come up with a way to do better than a brute force, you should quit your current job.

The 2^255 Rijandel iterations required to force a 32 byte key is certainly sufficiently secure by todays standards, but historically consistent increases in computing power coupled with increased distributed processing ability due to networked computer proliferation means that keys will have to keep growing to stay resonably secure.

Re:European Technology

[psamuels]

One of the analysts (cant remember who) said that no matter who got choosen (from round 2) they would all be a excellent AES, but Rijndael would be the bold choice based on its pure/simple matematical base.

Bruce Schneier, author/submitter of Twofish (which made the top 5), cryptanalysed the top 5 and said that they all looked fine to him - though obviously he was biased toward Twofish.

It sounds like nobody really had any objections to Rijndael, or to one or two of the others, so the final selection truly was "best of breed" rather than "least worst".

Re:European Technology

[lost_it]

The security of AES is currently being hailed as the fact it has a key field 10 to the 21 times larger than 56bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.

I'm not anywhere near a crypto expert, but in one of Tom Clancy's books, there's a conversation that goes something like this:

Mastermind Criminal: "I'm using xxxx crypto, I don't need to worry about the government reading that."

Computer Criminal: "The government used to use xxxx crypto, but has switched to yyyy crypto."

*blank stare from Mastermind Criminal*

Computer Criminal: "It's very expensive for the entire government to switch crypto methods--they don't do it just for fun, so there had to be a reason. A reason like: they figured out how to break xxxx crypto."

I think Clancy has a good point. The basic rule is: for anything that you really want to be secure, make sure that you're crypto method is at least as secure as what the government uses.

Re:European Technology

[ethereal]

Also, many "idiots" try to brute force it. Effort required to force a key is proportional to the cipher's weakness.

Technically, effort required to "brute force" the key is just proportional to the keyspace, isn't it? If you're talking about a weakness of the cypher then you're no longer doing a brute force attack. "Brute force" means just guessing keys (iteratively or otherwise) without regard to the algorithm at all.

Miracle Max: I'll call the brute squad!
Fessik: I'm on the brute squad.
Miracle Max: You are the brute squad!

Re:European Technology

As I understand it, the majority of the Enigma encryptions weren't broken mathematically. GCHQ noted that Enigma was being used for repetitive messages (example: every morning at 6AM a particular transmitter broadcasts an encrypted message, and the plaintext of that message always begins "Aviation weather report 0600 . . . "). Frequently, Turing's bombes were used to rapidly confirm a key derived by working backwards from an assumed plaintext. Additional assistance came from harried Enigma operators who re-used keys, substituted girlfriends' initials for keys, etc.

The German Navy, on the other hand, was notably more disciplined in the use Enigma. That, more than any other single factor, made it harder to read naval intercepts.

Useful lesson, in my humble opinion; the encryption method (DES, AES, PGP, Enigma, whatever) is less of a vulnerability than the habits of the person using the method. If my messages always begin with "Dear Mom," and always end with my name, I've introduced an exploitable flaw.

Re:European Technology

Turing Didn't invent the concept of the bombes, he just took Rejewski's design and made it work on another level. Even so, Turing does deserve most of the credit for cracking the Enigma. Everyone else was just exploiting implementation flaws in the Enigma code, while Turing kept looking for a more permanent solution. The Poles passed the torch to Britain because they could no longer crack the messages with their budget. This was because the Germans gave every Enigma operator two new scramblers (total of 5), and thus it would have required more bombes than they could afford to build.

The German naval Enigma machines were the most secure, yes, but they had eight scramblers, not four. Also, the navy machines' reflectors could change position, unlike other Enigma boxen. The German navy basically had their shit together where the Enigma machine was concerned. They probably took it more seriously than the other branches, since it was their one and only secure link to the Reich while they were out to sea.

However, when it came to the German naval Enigma, the 4 wheel version, we ground to a halt. We didn't have the resources to build enough hardware to break the crypts within any time that the info would have helped. So we called in the US to help build more gear.. It was a big team effort.

This is plain not true. The German naval ciphers were cracked by continually stealing the code books. Right up to the end of the war, the cryptanalysts at Bletchley Park were completely dependent on codebooks to make sense of the Kriegsmarine messages. That was the only Enigma implementation that wasn't "cracked."

Yes, Enigma had backdoors. But it was only after Enigma had already been cracked due to poor message construction and not enough scrambler wheels that this was discovered. So that wasn't why Enigma was initially cracked. It was initially cracked thanks to the cryptanalytic genius of Marian Rejewski, a name that is unknown even in many crypto circles.

Only an idiot would try to brute force it though,

It WAS Martin Hellman who said "God rewards fools."

Re:European Technology

[dimitri_k]

Technically, effort required to "brute force" the key is just proportional to the keyspace, isn't it? If you're talking about a weakness of the cypher then you're no longer doing a brute force attack.

Key-space and search-space aren't necessarily the same thing, although they are close in a good cipher. So, to make my original statement more clear:

The strength of the cipher is proportional to the search-space.

As far as whether a random search of, say, half the key-space (because of a known symmetry in the algorithm which precluded half of the keys from being generated) would still be considered brutish or not, I don't know. I'd have to brood longer.

Re:European Technology

[ethereal]

Hmmm, good point. I guess it depends on how much basic knowledge you already have about weaknesses versus the amount of cryptanalysis you would have to do yourself. It would be stupid to ignore known symmetry shortcuts that could halve your search time.

Re:European Technology

[plover]

Both the NSA and the CIA failed completely 11.sep.

I think both agencies have successfully delayed or prevented similar activities more times than we can count. Because one set of fucking psychos slipped through shouldn't lessen our appreciation for the other schemes they've stopped so far.

Not that I'm going to let them take PGP away from me, mind you... :-)

John

Re:European Technology

[mscout1]

There is an exellent history of Enigma and it's cracking in "The Code Book" by Simon Singh.

It's a fun read.

Enigma was cracked because of the way the germans used it, not a flaw with the device.

Re:European Technology

[bob_jenkins]

Assuming nanotech, and 100x100x100 atom processors that operate at the speed of light, a nanocomputer the size of the sun running a million years can do 2^268 instructions. I don't think brute forcing a keyspace of size 2^255 with a conventional computer will ever happen.

A quantum computer I hear only has to cover sqrt(n) of a keyspace of n to get the right answer. A 1-meter cube nanocomputer running 1 second could do 2^129 instructions, so a quantum nanocomputer that can break a keyspace of size 2^255 is believable.

http://burtleburtle.net/bob/crypto/magnitude.htm l

Re:European Technology

[thogard]

"The Goverment" isn't using this.... its the people like the USDA to protect records of projections of cow life spans and pay roll records. Its not to be used for military communication or calassified stuff. So the three letter spooks from "The Goverment" are using something else.

Re:European Technology

[rjamestaylor]

. If my messages always begin with "Dear Mom," and always end with my name, I've introduced an exploitable flaw

Also true if you're always in a harry and start your email virms with "Hi"...

The other pages...

[Mike+Connell]

AES is Rijndael (ie the name of the cipher selected selected as AES is "Rijndael").

Find out all about it (including how to say it ;-) here and here

Re:The other pages...

And DES was Lucifer but we now call it DES just like we'll now call the new standard AES.

Rijndael popular acceptance

[imrdkl]

The latest take on HushMail, called CryptoHeaven, is using AES/Rijndael, this was discussed here.

It seems to be open, and acceptable to alot of people. More information on the cipher is to be found here.

Standard ?

[mirko]

There a big ambiguity that I couldn't really sort out while reading these web pages: Is this an Open standard or a Commercial standard ?

Will I have to pay royalties if I intend to write AES-compliant programs then sell related services?

I actually read in the facts page that the "public" helped building the algorithm and specs but in which way is that AES thing public?

Re:Standard ?

[Stackster]

> There a big ambiguity that I couldn't really sort out while reading these web pages : Is this an Open standard or a Commercial standard ?

It's a US government standard, meaning that all government-related (whatever that means) should use it (or something like that). It's just another algorithm instead of DES/3DES to be used as The Official US Government Encryption Standard.
Some pieces-o'-software, both free and commercial, use Rijndael, but it's not a standard (ISO or ANSI or whatever).

> Will I have to pay royalties if I intend to write AES-compliant programs then sell related services ?

Probably not. There are plenty of free implementations of the Rijndael algorithm, and from what I can figure out, there doesn't seem do be any restrictions to it. From the authour's page:
Rijndael is available for free. You can use it for whatever purposes you want, irrespective of whether it is accepted as AES or not.

Even if the US government puts some kind of export restriction on software using it, it's still very available (in several free (of some kind) implementations) outside US.
NIST too, provide their own reference implementation.

> I actually read in the facts page that the "public" helped building the algorithm and specs but in which way is that AES thing public ?

The algorithm was invented by "the public" (two guys in Belgium), not by NIST or the US government. NIST just selected the one algorithm they considered the most appropriate from the whole lot of available encryption algorithms out there.

Re:Standard ?

[psamuels]

> Will I have to pay royalties if I intend to write AES-compliant programs then sell related services ?
Probably not.

Definitely not. This was an important consideration for defining the standard. NIST only accepted unencumbered submissions - meaning:

1. no patent restrictions
2. no restrictions the sample code provided (every submission had to come with working C code, IIRC).

So - not only can you use the algorithm, you can even use their implementation, no questions asked. They actually released two implementations, a "basic" and an "optimised" one. I don't remember whether having two versions was a NIST requirement.

Re:Standard ?

[J.+Random+Software]

NIST required a reference implementation in C and two optimized implementations in C and old Java (JDK1.1). Reasonably good software benchmarks (even on 8-bit microprocessors) and probable hardware complexity were part of what they selected for.

Re:Standard ?

IIRC, some of the algorithms were patented, with a promise that the patents would be freely licensed if the algorithm was chosen as AES. So Rijndael (AES) is free (it was never patented anyway), but if you wanted to use any of the competing algorithms, it would be a good idea to check the patent situation first.

Goverment Sponsored Attacks

[ukryule]

From the press release:

After the field was narrowed down to five in April 1999, NIST asked for intensified attacks and scrutiny on the finalists.

Interesting that the US government was busy asking people to try to crack an encryption standard, while at the same time upholding a law to make breaking encryption illegal.

So, now that this encryption method is officially accepted, will it be illegal to try to crack it?

Re:Goverment Sponsored Attacks

Interesting that the US government was busy asking people to try to crack an encryption standard, while at the same time upholding a law to make breaking encryption illegal

As far as I've read, the DMCA doesnt make breaking encryption illegal, it make defeating copy/copywrite protection mechanisms illegal.

Re:Goverment Sponsored Attacks

Right; so as long as nobody uses AES to protect something with a copyright on it, it's ok to attack it.

Is that really a condition you want placed on encryption research, though?

Re:Goverment Sponsored Attacks

The way I understand it, you can attack the algorithm with impunity. It's when you deal with an actual implementation that is being used to protect copyrighted information that you run into trouble with the DMCA.

In other words: you can figure out how to crack AES, and you can even test out your crack against the commonly available implementations to prove (or disprove) it's effectivness. (Presuming you encrypted the data you're attacking, there's no DMCA problems.) The DMCA kicks in when you use that knowledge to bypass a specific implementation of a copyright protection scheme that makes use of AES (aparently, regardless of whether or not you are legitimately allowed to deal with the protected data.. <shrug>).

IANAL, though, and the DMCA is still new enough that this is just conjecture. I wouldn't be surprised if the lobbying forces behind the DMCA argued that anyone even thinking of cracking AES was an un-American criminal terrorist hell-bent on stealing the last scraps of food from starving children.

Re:Rijndael -- for linux only !

[selderrr]

look at this page in the AES author's site : http://www.esat.kuleuven.ac.be/~rijmen/windows.htm l

340 undecillion

[ukryule]

Each of the algorithms submitted for the AES competition was required to support key sizes of 128, 192 and 256 bits. For a 128-bit key size, there are approximately 340 undecillion (340 followed by 36 zeros) possible keys.

One of the perks of cryptography seems to be the chance to make up words for big numbers! 1 undecillion = 10^36 ... anyone know what other numbers have been defined?

10^3 = Thousand
10^6 = Million
10^9 = Billion
10^12 = Trillion
10^15 = Zillion(?)
...
I seem to remeber Douglas Adams invented a 'grillion' but don't know how big that was supposed to be :-)

Re:340 undecillion

10^3 = Thousand
10^6 = Million
10^9 = Billion
10^12 = Trillion
10^15 = Zillion(?)


Actually 10^15 = quadrillion. There is no such number as a 'zillion' it is simply a figure of speech used to express incredibly large numbers.

Re:340 undecillion

[jhines]

a google is 1 followed by 100 zeros

Re:340 undecillion

[eMilkshake]

google: 10^100 googleplex: 10^google

Re:340 undecillion

[sconest]

Zillion is just a club in Antwerp, Belgium. And I don't think you can put 10^15 people in there.

Re:340 undecillion

For names of large numbers, see http://www.unc.edu/~rowlett/units/large.html.

Re:340 undecillion

[sithlord2]

Zillion is just a club in Antwerp, Belgium. And I don't think you can put 10^15 people in there.

Hehe.. not anymore since they closed the place and our good friend Franky is in jail :-)

(yeah,yeah... offtopic... I know...)

Re:340 undecillion

[scottj]

Actually, it's "googol". Your spelling has been corrupted by Corporate America.

Re:340 undecillion

[scottj]

The word you're looking for is "googol". Google is a search engine.

Re:340 undecillion

[scottj]

I thought I'd go for a bit of variety. ;-)

Re:340 undecillion

[syzygysucker]

name with number of zeros

thousand 3
million 6
billion 9
trillion 12
quadrillion 15
quintillon 18
sextillion 21
septillion 24
octillion 27
nonillion 30
decillion 33
undecillion 36
duodecillion 39
tredecillion 42
quattuordecillion 45
quindecillion 48
sexdecillion 51
septdecillion 54
octdecillion 57
novendecillion 60
vigintillion 63

the names stop here (unless something's
changed since I learned this in middle school) except for google and googleplex.

Of course, you can use these to form bigger numers, like 10^126 is a vigintillion vigintillions.

Re:340 undecillion

The system we use for numbers is based on the same system we use for polyhedrons. pity i dont know the name... each advances by 3 zeroes its in latin

10^6 million
10^9 billion (bi=2)
10^12 trillion (tri=3)
10^15 quadrillion (quad=4)
10^18 quintillion (5)
10^21 hex/sextillion (6)
10^24 hept/septillion (7)
10^27 octillion (8)
10^30 nonillion (nona = 9)
10^33 decillion (deca = latin for 10)
10^36 undecillion
(undec=latin for one and ten = 11)
10^39 dodecillion (12, do and deca = 2+10 = 12)

see? it works. centillion is biiig. by simple math 3 * 100 + 3 (thousand = "0") = 10^303
sextillion is my favourite (though im sure its really hextillion)
mod up the AC! :)... cmon this has gotta be "informative" at least

my math may be wrong. ditto with the latin. but the naming convention is right.

Re:340 undecillion

[linzeal]

Where did you go to school Indonesia ? You would need to what is the rupiah down to 2 billion to the dollar ?

Re:340 undecillion

[stevelinton]

See John Conway and Richard Guy's excellent book "The Book of Numbers" on p 14, where they define two systems of "illion" names for all powers of 1000. In their system, for instance,

four millinillitrillion and 14 is 4*10^{3000012} + 14 (American) and 4*10^{6000018} + 15 (British).

Re:340 undecillion

It's not the same as polygons/hedrons, they use the greek prefixes (penta, hexa, hepta) while this is the latin (quinta, sexa, septa)

Re:340 undecillion

[dagnabit]

> four millinillitrillion and 14 is...

There's gotta be a joke about MilliVanillion in here someplace, but I'm too low on caffeine to even try it myself... :)

Re:340 undecillion

[Jon+Abbott]

The word "grillion" was coined in the third installment of Douglas Adams' Hitchhiker's Guide to the Galaxy, named Life, the Universe, and Everything. References are stated below, although no further quantification was given in the series. Enjoy.

--- Reference 1, located 45% into the book ---

"And how many guys zilched out?"

"Two grillion, m'lud." The Clerk sat down. A hydrospectic photo of him at this point would have revealed that he was steaming slightly.

---

--- Reference 2, located 84% into the book ---

"Which means, I suppose," said Marvin, requiring only one ten thousand million billion trillion grillionth part of his mental powers to make this particular logical leap, "that you're not going to release me or anything like that."

---

Re:340 undecillion

[Leto2]

Unless you live outside the US, where
10^6 million
10^9 milliard
10^12 billion
10^15 billiard
10^18 trillion
10^21 trilliard

Re:340 undecillion

[mmontour]

One of the perks of cryptography seems to be the chance to make up words for big numbers!

That's one of the perks of writing press releases. Cryptographers just use 2^N notation.

Re:340 undecillion

[grassy_knoll]

still favor the number Sagan.. as in "Billions and Billions"

Re:340 undecillion

wow, for once the US has a consistent, well thought out naming scheme, and the rest of the world uses something equally bizzare as the imperial system of measures...

We should organize a trade. US starts using the metric system, and the rest of the world starts using resonable number prefixes.

serpant is more secure IMHO

[johnjones]

personally I am a fan of serpant Ross Anderson work because I understand it and after some conversations with people who know both I think its better than AES

the sooner AES is used widely the better though

regards
john 'keys ? no sir I forget things' jones

Re:serpant is more secure IMHO

[Mike+Connell]

There was some discussion on sci.crypt after the AES announcment. A fair number of people liked serpent - I think it is very "conventional" - a very good thing for a cipher. It didn't perform as well as some of the others though (especially in hardware IIRC). Serpent would have been a very secure choice, but I think Rijndael won out as a good "All round" contender.

Re:serpant is more secure IMHO

[tomstdenis]

The problem with Serpent is that the security arguements were heuristic. Rijndael's security is based on the fact that after eight of the ten rounds there are 50 active sboxes. That makes the best differential or linear trail have an amazingly low probability. Rijndael is also a complete cipher after two rounds.

In the case of Serpent the design relies on having a ton of rounds for security since the branch number of the linear transform is not known.

Government backdoor?

[grap]

Governement approved? does it means that there is some sort of "anti-terrorist" backdoor to be used by the FBI?

used in PGP?

[esbjorn]

I can't see any info about AES being adopted in the PGP framework. Anyone knows how this work is progressing? (or has even started..)

Re:used in PGP?

[ssimpson]

RFC2440, which defines the OpenPGP standard, already reserves 3 AES keys sizes (128, 192, 256-bit).

Gnupg already supports AES in all 3 block sizes and so does 'official' PGP v7.0x.

PGP since v7.x hasn't been open source, so you won't find any details at www.pgpi.org. The best way to add AES support to previous 'open source' versions is to use the CKT builds by Imad. These are still based upon the v6.58 code base but contains dozens of fixes and improvements.

Re:used in PGP?

[psamuels]

I can't see any info about AES being adopted in the PGP framework. Anyone knows how this work is progressing?

You still use crypto software you have to pay for? [Yes, this was a joke, maybe you only use crypto "for personal use".]

GnuPG, on the other hand, developed AES capability less than 2 days after NIST originally approved Rijndael last year. The next public release wasn't for a week or two, but still.... (Well, NIST officially "approved" it just now, but they "recommended it for approval" just over a year ago.) I remember seeing a message from the GnuPG development list about an hour after the NIST announcement saying "I'm working on it."

GnuPG is similar to the command-line version of PGP and supports the same file formats / protocols, but is free for all uses and isn't affiliated with Phil Zimmerman or Computer Associates. I don't know if it has the same depth of plugin support for third-party apps, but hey, it's supported by all the Linux apps I need it for.

Insightful/Informative/Interesting MOD THIS UP !!!

[mirko]

Excellent answer, thank you very much.

Pity, Slashdot has not given me the possibility to send you this notice in private (* hint ! * hint !* ), hence such "noise" which I apologize for.

Now, if I happen to successfully develop an AES "decryptor", may I publish its source code without infringing the DMCA?

Coming in OpenSSL soon...

[imrdkl]

I found several notes on the openssl users list which seem to indicate that AES/Rijndael support will be available in OpenSSL 0.9.7. This has not been released yet, but is reportedly available in the CVS area.

Re:Coming in OpenSSL soon...

[LWolenczak]

I think there is a patch floating around for frees/wan... to support AES/Rijndael. They have yet to mention anything about it, but I'm assuming it will be in a release very shortly... ofcorse, they don't seem to like anything american.

Re:Coming in OpenSSL soon...

[BitterOak]

And AES has been available in OpenSSH for nearly a year.

[Nitpick] AES isn't 100% of Rijndael

[jon_eaves]

Rijndael is a variable key length, variable block length cipher. The keys and blocks can be 128, 192 or 256 bits long. This gives a total of 9 different variants that could be specified to use the particular algorithm.

The AES has selected the variable key lengths of 128, 192, 256 to be used with a 128 bit block

BouncyCastle has had a full implementation of Rijndael since 1.0 beta 4 (now at 1.10)

Disclaimer: I'm a BouncyCastle author.

20 bucks

[Blind+Demiurge+Ialda]

I have $20.00 that says that some wiseguy will crack AES by this time in 2002. Any takers?

Re:20 bucks

[negacao]

I agree.. As soon as a large body (i.e. the gov't) is stupid enough to agree on one standard, it *will* be cracked.. Remember, there is no such beast as absolute security. If someone wants in bad enough, they will get in. Period.

Re:20 bucks

[tomstdenis]

Have you read up on AES? Its not some form of DRM or something.

Its a real block cipher designed by two of the best cryptographers [in this field of study] in the world.

Rijndael is based on a design that is 7 years old [Square Block Cipher] and is fairly easy to analyze w.r.t to current forms of cryptanalysis.

Rijndael has been around since 1998, what do you think that NIST just made it up last week?

Stupid troll go away!

Re:20 bucks

[Foogle]

You're crazy. I'd take that bet any day.

Enough Rounds?

[Euphonious+Coward]

Bruce Schneier pointed out that Rijndael was less secure than it could have been because it specified fewer rounds than he thought it should. I seem to recall that a plausible attack on an only slightly reduced-round variant was presented.

Points for whoever can produce the explanation why the apparent weakness doesn't matter, and why we shouldn't be jimmying our Rijndaels to do a few more rounds, and calling the variant "RWS" (for Rijndael With Suspenders) or something.

Remember that it was the suspenders added to MD4 to make MD5 that made the cracking of MD4 something other than a disaster.

Re:Enough Rounds?

Bruce Schneier's submission (TwoFish) suffers from the opposite problem (his algorithm has the most rounds of all as I recall.) So I wouldn't be surprised if he complained about all the algorithms for the same reason.

The algorithm also was chosen on the basis of speed, simplicity of implementation, and complexity of hardware implementation. Twofish ranked last on all those counts as I recall, and Rijndael ranked first on most if not all of those criteria.

As to whether or not its really fundamentally weak, I think there would have been more of an uproar after the selection if that were truly the case.

Re:Enough Rounds?

[Morphine007]

Any cipher can be attacked, and generally just about every cipher is vulnerable when you take a reduced round variant.
Also, right now you can take ANY key and block multiple of 32bits (there may be a lower limit of 128, but there's no upper limit) and you have to do at least 12 rounds (14 if you're using a 256 256 mix) And the reduced round attack (published by Eli Biham and Nathan Keller rom the Israel Institute of Technology) can only work on 4,5 or 6 rounds.... The main reason for choosing Rijndael over the other 5 competitors was that it is FAST!!!!!!!!!!! I'm using it for my undergrad thesis and it's ridiculously fast at encryption and decryption... it's also fairly easy to implement (except for the MixColumn and inverseMixColumn step) and very small... the cipher could fit easily on a smartcard.

Re:Enough Rounds?

[Catiline]

Wouldn't we be better off calling a supercharged Rijndael "RMS" for "Rijndael Maximized Security"?

Oh wait, never mind, that acronym's already been taken...

Re:Enough Rounds?

Wouldn't we be better off calling a supercharged Rijndael "RMS" for "Rijndael Maximized Security"?

Oh wait, never mind, that acronym's already been taken...

"Root Mean Square"???

Googleplex

[JPRelph]

A googleplex is 10^google and was in the Guiness book of records for being the highest named number. Don't know if thats changed now, I've only got the 1992 book :-(

Re:Googleplex

[scottj]

The word you're looking for is "googol". Your spelling has been corrupted by Corporate America.

/. poll comments

[psyclone]

Look at the comments from this poll. Particularly note this comment.

my favorite part:

The accepted pronunciation of the initial G of "giga-" was once soft, /ji'ga/ (like "gigantic"), but now the hard pronunciation, /gi'ga/, is probably more common.

Re:/. poll comments

[Anonymous+DWord]

I remember taking a tour of the school in fourth grade, and my teacher taking the class down to the boiler room, where she mentioned gigajoules. I always thought that was a funny word.

Re:Rijndael -- for linux only !

He might be able to create a pretty neat encryption algorithm, but he sure as hell can't do browser detection very well ;)

Why bother..

[Cave+Dweller]

...developing it, when you can ROT-13 anything and slap anyone who decodes with a copy of the DMCA? :P

Re:Why bother..

Bite your tongue, man! I'm afraid there may come a day, some time soon, that your statement won't be a joke.

And THAT'S when I will become a citizen of some Pacific island nobody's ever heard of. Just to get away from the madness.

20 Years?

[Stardo]

Bah, try 20 months. :P

Quantum Computers to crack all encryption

[SomethingOrOther]

But of course you'll be able to do that easily once IBM releases it's first quantum computer....

You mean the Men In Black will be able to do that.
Since by definition, a quantum computer can produce an absolutely unbreakable (no shit!) cypertext, and at the same time be able to crack any current cryptosystem (Read Simon Singhs "The code book" for a simple explination of how and why). I don't think us mortals will be alowed near one for many years to come.

Intersetingly, I know people who are working on 'spintronics' (a way of using electron spin up/down to convay info over a laser signal). They are being steered away from doing to much work into the quantum cryptography aspect of this.
I wonder why?

Re:Quantum Computers to crack all encryption

It's all a conspiracy!!!

Yiminy!

[AbbaZabba]

Oh my word, K-maps really kick my ass all over the place!

Names for Large Numbers (link)

Go here: Names for Large Numbers.

You will find that "undecillion" is not in fact made up, nor are likely most of the terms you've seen used by cryptographers. "Zillion" however is a nonsense word. 10^15 is a quadrillion (in the American system). According to the above page it might be a thousand billion or billiard in continental Europe, or a million billion in Britain (especially by the Times of London--more likely they would avoid a specific term).

The most noted (and specific, unlike "zillion") made up terms are gogol and gogolplex.

Re:Insightful/Informative/Interesting MOD THIS UP

[Hobbex]

Now, if I happen to successfully develop an AES "decryptor", may I publish its source code without infringing the DMCA [tompox.com] ?

The inventors of Rijndael, who seem to be exceptionally intelligent and sane people, would probably be more than happy to be challenged with a real attack on the algorithm. Unless you have a PHD in Mathematics specializing cryptoanalysis you probably needn't waste your breath though.

Of course, if the media industry has had time to implement AES in one of their ridiculous UHT (User Hostile Tech) schemes, you may well end up under legal attack, as could, very possibly, the authors of the algorithm themselves should they find a flaw. It has been noted that the media industries will probably not go after "academics" in the short term considering how the Felten affair blew up on them (Russian's apparently don't count).

Just because the enemy has usurped the term "secure" for their UHT does not mean that you should confuse all encryption with DMCA etc. These algorithms really are secure, based on real math that most people agree not even the NSA can break, and do not rely on stupid "gun in mouth" schemes to keep people from breaking them as UHT invariably does.

doug adams

[cjkarr]

grillion == 10^42?

-ck

Re:doug adams

[Hektor_Troy]

That would make some kind of sense, but the 10^n bases it self on our decimal system - which we probably use, because we have ten fingers.

Maybe it would be 42^42 ...

The most famous j-iga quote of all time

[frog51]

One point twenty one (j)igawatts of power! One point twenty one (j)igawatts of power!! Great Scott!!!

I prefer

[wiredog]

Double rot-13. I hear that's even more secure than rot-26!

It is also very interesting, please, MOD UP TOO!

[mirko]

(insert same *hint* as above here ;-)

OK, so you mean that if I happen to break it as an algorithm, this is okay, but if I happen to break its implementation as the new killerdvd format, then I may end up in a similar cell as Dmitri Sklyarov's?

So this once again makes me wonder whether there is or not a bug in the DMCA:

If some technologies are based upon some free algorithm which get broken, (*breathe here*) why should the happy-genious-hacker be sued as he just pointed out some flaw in a "public" technology?

Actually, as he'll make the technology improve and thus get rid of the given flaw, it'd rather be the fault of the suing organization as they accepted to use a flawed1 algorithm...

I guess the DMCA seriously sucks because of its lack of consistance:

They should rather not use any protection at all than inventing some stupid placebo and whining it's been broken into by some clever hacker.

1: though this argumentation is purely 100% hypothetical, I assume there are flaws until one mathematically demonstrates there aren't...

Quantum Computing

[Aceticon]

I tought that the number of possible states in a quantum computer is something around 2 to the power of X, where X is the number of qbits.

Does the computing power not increase in a similar way?

If it does, then to brute force a bigger key one just has to use more qbits!!!

Can anyone who really knows about this confirm or deny it????

Re:Quantum Computing

[linzeal]

Yeah looks like your right

To: Dick@whitehouse.gov
From: Georgie@whitehouse.gov

How do you spell beroot?

Re:Insightful/Informative/Interesting MOD THIS UP

Now, if I happen to successfully develop an AES "decryptor", may I publish its source code without infringing the DMCA?

If you happen to successfully develop an AES decryptor, you should just emigrate to Sweden when they hand you your Nobel prize.

What does the NSA know that we don't, yet?

[markt4]

From the NIST site:

The AES is now an approved encryption algorithm that can be used by U.S. government organizations to protect sensitive,

• unclassified information.
  
  Emphasis mine. So what is approved for sensitive classified information? Anybody know?

Re:What does the NSA know that we don't, yet?

[Mister+G]

if we told you, we';d have to kill you ...

Re:What does the NSA know that we don't, yet?

[jonathan_ingram]

that's classified.

seriously.

Re:What does the NSA know that we don't, yet?

[zeno_2]

Well at Los Alamos National Labratory, they take the approach of hiding the data in more then one sense.

Usually they will encrypt the data as normal, they took the extra step of physically taking out the hard drive and hiding it someplace. I guess the memo didn't get around, because his superiors couldn't find the data later. How is that for hiding data? =)

If you want to use their methods, here is a description of what happened =)

Los Alamos National Labratory Classified Information techniques

Zeno

Re:Insightful/Informative/Interesting MOD THIS UP

Of course, if the media industry has had time to implement AES in one of their ridiculous UHT (User Hostile Tech) schemes, any inteligent and lazy cracker would try to break the implementation, and not the algorithm.

too easy....

[eclectric]

that's *classified*.

;)

Eh?

I think that its interesting that the US goverment had the guts to thoose a european developed algorithm.

Do you also think it interesting that the US chose to use the internal combustion engine (a European development) in its automobiles!

Re:Insightful/Informative/Interesting MOD THIS UP

[lfourrier]

there is no Nobel for mathematics, and I don't think you can decrypt with medicine or litterature;)

Security not the only consideration

[foo+fighter]

Security wasn't the only consideration in choosing an algorithm for AES. Another major factor was how efficient the candidate was. The winner had to be not only secure, but also fast on very low-end devices and able to scale up to very powerful machines. You can expect to see AES used on emmbedded microcontrollers, smart cards, and appliances (music players, phones, etc.) and also on hulking encryption "mainframes" dedicated to doing huge amounts of cryptographic operations very, very fast.

I'd guess that Rijndael was more efficient on more types of devices than serpent and that led to its being accepted as the standard.

IMO, that doesn't take anything away from the other top five candidates in terms of their usefullness at hiding information.

distributed.net?

[Bwana]

Lets see if RSA labs will start another contest like DES III with a 10 grand prize. Heh, I say a year from now, we'll have new d.net clients :)

pUt th3 cr4cKp1p3 d0wN!

Way to answer your own question

Well....

obviously....

that's classified.

yeah

[Afrosheen]

I read Cryptonomicon also :) I'm re-reading it now so this is pretty fresh in my mind. As I understand it, the Germans did rely too heavily on Enigma; however, they changed their boxes every night at midnight to a new key structure. This would break the previous day's decryption (on the British side) and sometimes they'd crack the new codes in a few hours, sometimes not at all.

In regards to 'Enigma 2', it was virtually unbreakable for months. Adding a 4th wheel to a 3 wheel encryption box was pretty hardcore for the crackers to deal with. Luckily they never fully deployed their grandest scheme which was multitudes more difficult than Enigma.

Re:yeah

[onion2k]

Cryptonomicon is a good book, as is Enigma by Robert Harris.. however, they are works of fiction.

The Germans changed the wheel order, start positions, and reflector positions on the Enigma machines nightly, but that wasn't enough. The operators often used the same start codes over and over again, they sent predictable messages, and, like I said, there were issues with the Enigma itself. The UK RAF set up 'traps' by mining specific locations of the English Channel, and then Bletchly Park knew that the messages from specific lookout posts would contain the coordinates of the mines.. a very useful crib.

Try books such as Station X, Engima, Seizing The Enigma, and The Code Book for a readable history..
(The Code Book even has a nice challenge at the end (although the prize has been claimed))

Zillion

was also a rather average anime, mostly intended as a promotion for the light gun accessory for the Sega Master System (AKA Megadrive).

OSS authors: Don't pick self-destructive names.

[Futurepower(tm)]

BouncyCastle.

It amazes me how often open source authors pick self-destructive names. A serious effort should not be limited by a humorous or trick name.

A name like BouncyCastle will limit the number of people who adopt the software. People are afraid there is a hidden joke they don't understand.

There are times when it is appropriate to be 100 percent serious.

I am NOT saying anything negative about the software. The ONLY negative thing I am saying about the authors is that they are obviously not professional communicators.

Open Source Software needs marketing communication like any product that wants to reach a large number of people.

Re:OSS authors: Don't pick self-destructive names.

OK, henceforth you will be able to obtain the latest distribution of the AES from

www.stodgyunbreakablefortress.com

Re:OSS authors: Don't pick self-destructive names.

[gowen]

A name like BouncyCastle will limit the number of people who adopt the software. People are afraid there is a hidden joke they don't understand.

Says you, but why the hell should I believe a bloke called FuturePower?

Re:OSS authors: Don't pick self-destructive names.

[pkesel]

And Windows is a serious name? It does make a serious statement about the security level, I guess.

I guess your name is probably Barney Fife. I think you take yourself seriously while everyone else probably laughs at you.

Re:OSS authors: Don't pick self-destructive names.

[dstone]

A guy named Futurepower said:
It amazes me how often open source authors pick self-destructive names.

"Hello, kettle? This is the pot. You're black."

Um, yeah.

Re:OSS authors: Don't pick self-destructive names.

[jon_eaves]

Funny that Sun, the UK Times, Informix and others don't seems to think so. Funny how Sun gave us a signing certificate for our provider. Maybe companies that actually know what they are doing can look at what's being done. Funny how Sun list us on their webpages as a JCE implementor. They don't seem too concerned about the whole thing.

At the end of the day we don't give a shit. We're doing this for us. If it turns out that other people want to use it, then bully for them.

We (authors of BouncyCastle) have already gone through this with somebody who mailed us directly, who's boss didn't want to use it because the name was funny. We said, "OK, that's up to you". In the end, they ended up using it because it's the best available (Maybe I'm a touch biased, but as far as features go, it's comprehensive, and as far as price goes, it can't be beat, and as far a licenses go, it's the most attractive. (It's not GPL)

If you care about "acceptance" and "how it looks to others", then you're not doing it for the right reason. I've had at least a dozen people ask me to commercialise what we've done.

And "Linux" is a serious name exactly how ?

PS: No, I'm not a professional communicator, I'm a professional geek. But it's pretty funny how if you do a job well, that communicates all by itself.

Re:OSS authors: Don't pick self-destructive names.

[Futurepower(tm)]

"Linux" is a great name that follows all the rules. It communicates what it was intended to communicate, and nothing more. It's a Unix work-alike that is still guided by a man named Linus. The name couldn't be better.

I'm not saying that companies with humorous names don't ever have customers. I'm saying that, in my experience, these companies don't last. They either go out of business or they change their name.

I can give only one counter-example: The Beatles. Sounds like an insect. This shows that, if you have an absolutely revolutionary product, and George Martin as a producer, you can overcome unfortunate connotations. But it doesn't happen often. If you disagree with this, can you give me counter-examples?

My quick impression when I visited your web site was that it was a good product. My comments have NOTHING to do with you or your product. My comments are only about unfortunate connotations.

Quoting your post:

"We (authors of BouncyCastle) have already gone through this with somebody who mailed us directly, who's boss didn't want to use it because the name was funny."

How many people had this reaction, but didn't communicate with you?

P.S.: Here is another example. Don't call yourself a geek. It carries the connotation that you have difficulty communicating with others, and avoid communicating by immersing yourself in technical things. After seeing your website, I very much doubt that is true.

--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?

Re:OSS authors: Don't pick self-destructive names.

[dstone]

"Linux" is a great name that follows all the rules. It communicates what it was intended to communicate, and nothing more. ... The name couldn't be better.

Well, if designing a name that results in several common (incorrect) pronunciations is one of the rules, then yes. There are 2 common variations on the "i" and 3 on the "u" that I hear in this part of the world. Sure, many constructed names suffer from this problem, but it can be minimized in the name design process. For a little fiver-letter name, it's pronounced incorrectly an impressive amount, even by the old Unix crowd where you'd think it would be closest to its roots. Nice name, but room for improvement.

Something related about the name "Linux" that I notice... I commonly need to repeat and spell the name for people the first time they hear it. Now, this isn't critical in business and it probably won't break any deals. But having it written down incorrectly by receptionists, bankers, etc. is an annoyance. Again, nice name once you get to know it, but the first introduction is difficult.

My point here is simply to show that something doesn't have to follow any rules to be a great name. Linux is great. But not because it "follows all the rules" or "couldn't be better".

Re:It is also very interesting, please, MOD UP TOO

[Hobbex]

OK, so you mean that if I happen to break it as an algorithm, this is okay, but if I happen to break its implementation as the new killerdvd format, then I may end up in a similar cell as Dmitri Sklyarov's ?

Yes, pretty much.

So this once again makes me wonder whether there is or not a bug in the DMCA :

If some technologies are based upon some free algorithm which get broken, (*breathe here*) why should the happy-genious-hacker be sued as he just pointed out some flaw in a "public" technology?

Don't try to apply logic to law, it will lead you nowhere. The reason the happy-genious-hacker gets sued is because he is a convenient target, who can easily be painted as a villian in the eyes of courts, politicians, and the public.

Actually, as he'll make the technology improve and thus get rid of the given flaw, it'd rather be the fault of the suing organization as they accepted to use a flawed1 algorithm...

You are missing a vital point that a lot of technologists seem to miss, but that has not been lost on the international media cartels. It is this: there is no non-flawed implementation of UHT.

Because UHT relies on your computer controlling you (what "user hostile" means) and in at least some sense your computer is always actually under your control, regardless of implementation it will always be possible to crack it. Hackers like Sklyarov and Beale Screamer are not helping improve the UHT technology because whatever is done it will always stay vulnerable, and the vulnerablilities they exposed were undoubtably known by the implementors. If you support the existance of UHT (or copyright law, with doubtlessly requires UHT to be enforced) then the DMCA is not only a justified, but a necessary law. In fact, the DMCA does not go nearly far enough, which is why laws like the 'SS'SCA are very necessary as well.

I guess the DMCA seriously sucks because of its lack of consistance :

They should rather not use any protection at all than inventing some stupid placebo and whining it's been broken into by some clever hacker.

The DMCA provides the international media cartels with a weapon to harrass technologists who want to use computers freely as they see fit rather than under the control of the cartels' authority. It may not be too helpful against software hackers, though it has certainly slowed down many projects, but it certainly works for other purposes (consider why you will never see a CD-ROM drive that by default ignores the broken error-correction codes on those new "copy-proof" CDs).

1 : though this argumentation is purely 100% hypothetical, I assume there are flaws until one mathematically demonstrates there aren't...

Unfortunately that puts you in a quite a bad place, as to my knowledge there are no(*) current ciphers that are mathematically proven to be uncrackable. There are a couple of, at least hypothetical, asymmetric ciphers that have been shown to be "NP-complete" meaning, roughly, that if they can be cracked then a whole class of problems nobody has found any answers to yet can be solved as well (you may have heard of the N != NP conjecture), but the common ones (RSA, DSA, ElGamal) are not even that. Newly designed ciphers like Rijndael/AES (which is a symmetric cipher, so should not be confused with those mentioned before) are not proved to be mathematically secure, but simply engineered to be secure against all currently known attack vectors.

(*) In order to avoid the obligatory lamer responding with ("There is a provably secure cipher, it's called One Time Tap"), I digress that there is a provably secure cipher called a one time pad, which uses keys as large as the messages that can only be used once. OTP can only be used as a type of secrecy delay - if you have a secure channel between two parties at one point in time, they can exchange random key data that will allow them to securely communicate the exact same amount of data securely over an insecure channel later. There is also the algorithm that I believe came from a student of Adi Shamir last year which hid the data in a stream of random data so large there would be no way to cache it long enough to crack the cyrpto (in theory anyways).

Super K

[oni]

In 1976 Donald Knuth published a paper titled Coping with Finiteness in which he names a number Super K. It is defined as 10^^^^3 where 10^^10 = 10^10^10^10^10^10^10^10^10^10^10 or 10^10 10 times.

I couldn't find the paper (damnit) but Knuth says in Things a Computer Scientist Rarely Talks About
"If you don't agree that Super K is so large as to be beyond human comprehension, I can at least prove conclusively that if you consider all the numbers less than or equal to Super K, almost all of them are impossible to describe in any way in the univerise"

I dunno, is that bigger than a googleplex? I wouldn't be surprised if the Guinness people spent less than 30 seconds researching this - in fact I suspect this was just some piece of useless trivia someone who happened to be in the office that day happened to know

Re:Super K

ITYM "googolplex".

Re:Super K

[smileyy]

IIRC, the Ackerman function (and relatives) do a relatively good job of describing very large numbers.

Re:Super K

Super K is a lot bigger than a googolplex! A googolplex is only 10^10^10^10, or (using Knuth's notation) 10^^3. Super K is truly huge.

The other Very Large Number I've heard bandied about is Skewes' Number, which has something to do with the distribution of prime numbers, and is also mind-bogglingly large, but I'm guessing it's smaller than Super K... hmmm, some research shows that it is in fact relatively small, less than 10^^4.

Smileyy mentions that the Ackerman function does a good job of describing large numbers. This doesn't help, though — Knuth's point is that there are vastly more numbers the size of SuperK than there are possible descriptions of numbers in the universe, so no matter what notation you use, only a tiny fraction of them can ever be described (or even thought about in any way except en masse).

Knuth's book sounds interesting, I should pick it up.

Re:Super K

[oni]

Knuth's book sounds interesting, I should pick it up.

the book I quoted from _Things a Computer Scientist Rarely Talks About_ isn't all that great IMHO. It is about his religious beliefs. Fortunatly, it's short enough to read over a weekend if you are bored.

Knuth's paper _Coping with Finiteness_ and his book _Surreal Numbers_ do sound interesting. I get the feeling he'll be talking way over my head though!

I mad? No. You mad.

[Futurepower(tm)]

Oh great. Here's a site that calls itself "I mad".

Poll: Would you use software from a site called "I mad"?

Re:I mad? No. You mad.

[ssimpson]

The guys name is "Imad R. Faiad".

let me guess, you're American, right? ;)

As usual : MOD PARENT UP ;-)

[mirko]

Thanks, I have absolutely no knowledge of cryptology and you actually managed to teach me a lot without digressing too much from my original rights-related questions.

Now, what about setting up a unique dedicated processor (programmable-FPGA-based) that'd only execute encrypted binary code ?

I believe, at this level, only "trusted" components would be able to use it as part of a trusted network, no?

I mean: The various encryption you mentioned suggested a "passive key" (aka "data").

If the key happened to be either a program (which one could disassemble...) or a chip, then I guess we'd have something quite secure.

Re:As usual : MOD PARENT UP ;-)

[plover]

That's precisely what the direct-to-consumer satellite TV providers have done with their "smart cards". A "secure computer in a hostile environment" type solution is required.

And that's why satellite TV hackers have gone to the lengths of ion-beam analysis of the smart card chips to decode what's stored in them.

And as many people have pointed out before, information can be spread much easier than most other commodities. (Which is why they're trying to protect this stuff in the first place!) So once hacker A has disassembled the chip, and hacker B has written a chip emulator for the PC, all non-hackers C-Z have to do is download the emulator and they're ( watching free porn && stealing TV service ).

IBM has proposed addressing this with "secure" hard drives and "digital monitors". Sony and others have pushed for SDMI music players. Retailers have used this for more than 10 years with the ubiquitous Verifone PIN pads you see at retailers and gas stations everywhere.

John

In other news, AG Ashcroft jailed all 857 employes

[sphealey]

In other news, Attorney General John Ashcroft "detained" all 857 employees of the NIST as "suspected terrorists". They are being held incommunicado at an undisclosed location, awaiting execution by a miliary tribunal. "We can't just have people releasing encryption algorithms whenever they feel like it, even if they are employees of the US Government," said Ashcroft. When it was pointed out to him that bin Laden avoids technical means of communication in favor of face-to-ear whispers among trusted family members, Ashcroft replied: "That's OK. Better to execute 857 innocent geeks than allow one terrorist to slip through."

sPh

Chaining

[Futurepower(tm)]

What is almost never mentioned in discussions of cryptography is that brute force or most mathematical attacks require that the method of encryption be known.

If the method of encryption is not known, then it can be impossible to decrypt a message. For example, if several kinds of strong encryption are used, and the kinds and order are not known, then brute force or mathematical attacks don't work. (Using several methods of encryption together is called "chaining".)

This is of limited use since, in many cases, it is impossible or impractical or difficult to keep the methods of encryption secret.

Nevertheless, software that used several encryption methods and varied the methods depending on the passphrase would have value in some cases where there is plenty of computing power.

--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?

Re:Chaining

[Knight2K]

Seems to me that the method of picking which encryption to use would also end up being known. The scheme you mentioned above would give you security through obscurity, but not true perfect security.

I forget who said it (must dig through encryption class notes), but the security of a particular encryption system must rely solely on the key to be perfectly secure.

Re:Chaining

It's Kerckhoffs' Principle.

NIST has approved new 256-bit Encryption Standard

[Weron]

The U.S. government has standardized an AES (Advanced Encryption Standard) algorithm after four years of testing. The original encryption formula is developed by two Belgian scientists, Joan Daemen and Vincent Rijmen. Will the new standard pass the test of time? By comparison to the old standard, where government used triple DES with an effective symmetric strength of 112 bits, we are far ahead now. The 256 bit key space allows for over 1 followed by 77 zeros combinations. Several companies are already offering AES crypto toolkits and new products are emerging. For example a toolkit from Cryptix includes the new AES for some time now. Also, CryptoHeaven is already offering a data exchange platform with AES 256 bit security. Watch for more exciting new products as they are doomed to come to the computer near you!

RSA?

What is so wrong with RSA? From my limited experiences with it, it has proven to be very secure.

It's Greek to me!

[coyote-san]

While there are two different approaches (the US "billion" is a British "millard"), they both follow the convention of the Latin (or is it Greek?) "combining form" for a number followed by "illion." So 1, 2, 3, 4 -- "mil-, bi-, tri-, quad-" -- becomes "million," "billion," "trillion" and quadrillion.

If we use our familiar SI prefixes:

deca: decillion: 1e30

hecto: hectillion: 1e300

kilo: kilillion: 1e3000

mega: megillion: 1e3000000

giga: gigillion: 1e3000000000

tera: terillion: 1e3000000000000

exa: exillion: 1e3000000000000000

and so forth. (In other words, what comes after exa-?)

And never forget

triskadillion: 1e39

AES already in use

Check out http://www.cryptoheaven.com they already have a file sharing system using it.

Oops!

[coyote-san]

Oops, all of those exponents should be bumped by three. I'm from an alternate reality where all of this was rationalized years ago..., yeah, that's it!

So a gigillion is 1e3000000003, etc.

Re:Insightful/Informative/Interesting MOD THIS UP

[discipledaniel]

Yep, you're right... but there is the Field's Medal... kind of the same thing...

Re:Completely untrue...!

[coyote-san]

I think you're confused. RSA claimed, in their Scientific American article at least, that their 100-bit key would take millions of years to break. In fact, advances in factoring algorithms (and to a far less extent, raw computing power) lead to it being broken in less than 20 years. Now the minimal recommended key size is 400 bits longer, amd most of us use keys 900 bits longer.

DES was never expected to have a lifetime longer than 25 years or so. The cryptanalysts who designed DES never heard of Moore's law, and wouldn't have cared about it if they had. They knew that the most important factor was algorithm efficiency, not the raw computing power.

In fact, a study in Programming Pearls a while back compared the effects of improved algorithms vs. improved hardware speed for several historically hard problems. The results were clear - hardware is getting faster, but you could still run circles around the latest supercomputer running 1960s era algorithms with your PDA running current algorithms. (Okay, the original article compared Crays to TRS-80s, but kids today may not know what a trash-80 is.)

The only reason computers seem slower is that they're used to solve far bigger problems. People tend to be willing to spend the same amount of time solving problems, and for a given time O(nlg(n)) has a far larger value of 'n' than O(n^3).

How To Write A Press Release

[Captain+Chad]

From the press release:

• The new standard contains a sophisticated mathematical formula known as an algorithm.

Did anyone else find this to be hilarious? I can see a manager saying something like, "We need to write this at a 6th-grade level of comprehension. Be sure to define the word 'algorithm'."

At least it is not a joke.

[Futurepower(tm)]

Power for the Future

At least it is not a joke. Back before IBM sold PCs, I was selling Morrow Microdecision PCs, that ran the CP/M operating system. Back then it was unusual that someone would own a computer. 4.77 Megahertz for $2,300. No hard drive, 13 inch monochrome monitor.

I chose that trademark to signify exactly what it says.

Re:At least it is not a joke.

[pkesel]

Your name isn't very specific. I'd think it meant Power IN the Future. Perhaps it's not ready for prime time yet?

149 trillion years? and it's not good enough for..

[Lawmeister]

US Government classified information? What the heck are they using for classified info crypto? From the article:

Q: What is the chance that someone could use the "DES Cracker"-like hardware to crack an AES key?
In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

A: Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.


snip...
The Advanced Encryption Standard (AES) will be a new Federal Information Processing Standard (FIPS) Publication that will specify a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information.

Re:It is also very interesting, please, MOD UP TOO

you may have heard of the N != NP conjecture

Ermmm... no, actually, I've never heard of that. I've heard quite a bit about the P != NP conjecture, though. Is this similar?

Re:Toast?

[Jucius+Maximus]

"Can you please explain how one would go about frying bread?"

"It's bread toasted in a frying pan with a light coat of butter. Americans might better know this dish as texas toast, though that term usually implies that you have prepared an unusually large slice of bread in this manner."

OK well I've never heard of 'texas toast' either... (I'm not an american.) Thanks for the description.

Re:Toast?

[Killer+Napkin]

I'm an American but I've never heard of "Texas toast," either. I did, however, learn to stay away from any type of food dish whose name involves the word "Texas." Words to live by. Crazy Texans.

Not the guy doing AES?

[bstadil]

Says you, but why the hell should I believe a bloke called FuturePower? You don't have to. He is not the person doing the AES. I think he has a very good point both on the specific and for naming in general.

OT: English Breakfast (Re:Terrorists?)

[armb]

> Fried egg.
Or possibly scrambled. Maybe boiled as an option.

> Hash Browns
Not in an English breakfast. Not one without strong American influences anyway.

> Fried bread
and toast.

> Probably some other stuff as well
Fried (or possibly large grilled) mushrooms. Black pudding (blood sausage). (Or possibly white pudding, but that's less common).

It doesn't matter that much....

since key sizes of most passwords are at most 40 bits.

If the software chose the methods of encryption...

[Futurepower(tm)]

If the software chose the methods of encryption, and the sequence in which the methods were used, based on the password, then chaining would be secure.

The problem with this is that it does not allow public key encryption. So, some independent way must be found to distribute the password. In many cases, however, there is no difficulty with distributing passwords. For example, if employees of a company often visit the home office, they can receive new passwords.

Re:Completely untrue...!

I am wondering if the printed RSA paper that they sent out from that Scientific American article is a collector's item now. I still have my copy and it'd be cool to get a bunch of cash for it on eBay.

Radical opinion, on Slashdot

[Futurepower(tm)]

Please don't sound superior about this.

If I lived in Iran, I would change my name to Moshen. Why? Because I don't want to sound Christian in a country where that is not favored. (Because Christians killed Muslims during the Crusades.)

I suggested to a friend of mine whose name is Mohammad that he pick another name for use in the U.S., since someone named Mohammad had bombed a TWA flight, and Mohammad Salameh bombed the World Trade Center the first time it was bombed. He strongly agreed, and now calls himself Mike when communicating with people who don't understand his culture.

I had a Japanese-Brazilian acquaintance whose last name is Asso, which is pronounced to rhyme with asshole. When he says his last name, it sounds like he is saying asshole. If he came here, I would recommend he adopt a different name.

I heard about a German man, now living in the U.S., who changed his last name. Before the change, it was Raper, a perfectly good name in German.

Un-intentional communication has killed many Open Source Software projects, and commercial companies, too. I have found that this is a very radical opinion on Slashdot, but it is the standard opinion of professional communicators and marketing people. My opinion is that OSS must adopt good communication methods to avoid silly problems like this.

I'm not saying that someone who is named Imad should change his name. He should arrange his communication, however, so people who are new to knowing him don't read it as "I mad", which is what a native English speaker is likely to do.

--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?

Re:Radical opinion, on Slashdot

[ssimpson]

Having read your response I feel justified in feeling superior.

If you judge people by their name (and associate Imad with "I Mad", as per your previous post), then I feel sorry for you.

By the tone of your response, I guess I was right about the American part ;)

Re:149 trillion years? and it's not good enough fo

[pkesel]

You just answered the question. If you know it's DES, or even AES, you know something about how to break it, or at least the magnitude. The biggest threat to security is knowing what security steps were taken. The gov may not use anything more sophisticated, but just that it's not well known makes it better.

Then it's O(n*2^n); PGP practical problems

[yerricde]

Also, the processor time and memory is roughly proportional to key length

In other words, the time to decrypt a message with an n-bit key is O(n). The time to bruteforce a message (decrypt a message with all n-bit keys) is thus O(n*2^n) which is still O(2^n) at high values of n. So you still lose a bit of key length to Moore's law of transistor density every 18 months.

So if you double the capabilities of your computer then you can double the key length without taking a performance hit.

But then you and everybody you communicate with would have to make new keys. And even then, you often can't use more than 128-bit keys across national borders.

Well computers probably got fast enough in the last 80s, but encryption-for-everybody still hasn't really taken off. I guess social factors are harder to model than CPU speeds!

Another problem is that PGP/GnuPG "web of trust" model requires you to know somebody face-to-face who is already part of the web of trust so that you can validate her key and gain access to the rest of the keys. In fact, there must be a path in the graph of PGP users that leads to Phil Zimmermann or to Richard M. Stallman (see also Oracle of Bacon).

For crypto, transistor density == speed

[yerricde]

Moores law says nothing about computer speed doubling. It refers to the transistor count doubling.

Distributed.net relies on the fact that all other factors being equal, brute-forcing a key (decrypting a message with all possible keys) scales linearly with the number of processors involved because of the inherent parallelism. If transistor density doubles, the number of crypto datapaths you can put on a given-sized die doubles. Therefore, Moore's law of gate density translates directly into speed increases.

Re:For crypto, transistor density == speed

[thogard]

It is off the case in crypto that if you double the size of your processors work size, you get better than double the speed because you can reduce the total about of work. You can also do thing such as doing more work in parallel in such a way that you don't have to do as much. In the past few years, decrypto hardware can be made so that things like DES are loosing about a bit every six months not every 18 months.

Re:Completely untrue...!

[randombit]

Now the minimal recommended key size is 400 bits longer, amd most of us use keys 900 bits longer.

Actually, 400 + 100 == 500 bits, and a 512 bit RSA modulus was factored, um, either last year or the year before, I can't remember which. It took about 6 months with an array of about 400 Pentium IIs and Alphas, and one very big Cray, to do some precomputation and the final big set of matrix operations. IIRC, it used a modified version of the Number Field Sieve, which involved a good deal more precomputation, which for larger keys saves more time than it hurts.

Many new specifications (for example, OpenPGP) specify an absolute minimum of 768 bits.

megadrive != master system

light gun accessory for the Sega Master System (AKA Megadrive)

Megadrive != Master System. Megadrive == Genesis.

Billiard?

[yerricde]

According to the above page [10^15] might be a thousand billion or billiard in continental Europe

What does 10^15 have to do with the game of pool?

Re:149 trillion years? and it's not good enough fo

[randombit]

US Government classified information? What the heck are they using for classified info crypto?

Short answer: Stuff designed and vetted by the NSA.

Also note that 149 trillion years is an upper bound on the strength, and 255 keys/second is pretty damned slow. Brute force is essentially infinitely parrelizable; consider a room with 1,000,000 FCPGAs or ASICs each cracking 100,000 keys/second. That's still about 53914487622781590403 years for a brute force (on average), but you catch my drift, I hope.

The algorithm itself also has to be strong. It would not take much effort to design a block cipher with similar parameters (block size, key lengths, etc), that was trivially breakable. Rijndael is not trivially breakable, but it may (in fact, almost certainly does) have undiscovered weaknesses.

Longer answer:

There are a few major reasons the AES was not simply handed to us, fully formed from the head of the NSA.

One is that they probably don't want to give people any "hints" about design techniques. We've learned a hell of a lot from trying to attack DES, and people have probably re-invented a good portion of the techniques the NSA had at the time. Getting the specifications to a block cipher designed with the NSA's latest design and analysis techniques would probably advance the state of the art by at least 5 years.

Slightly off the topic: Some people at IBM claim DES was invented entirely at IBM, NSA had nothing to do with the design, and so on and so forth. I don't believe this is the case, but whatever. If you believe it is true, S/NSA/NSA+IBM in the above.

Also, people were worried that the NSA would try to put a backdoor in it, or at least, people were worried that other people would worry that the NSA would try to backdoor it. So they wanted people in the academic community to come up with something for them. But obviously the NSA can't trust something like that, at least without a few years of "in house" analysis.

French and British number systems

[yerricde]

wow, for once the US has a consistent, well thought out naming scheme, and the rest of the world uses something equally bizzare as the imperial system of measures...

They're both pretty well defined. Given n as the prefix-number (mi=1, bi=2, tri=3, quadri=4, quinti=5...):

The U.S. system: n-llion == 10^(3n+3).

The continental system: n-llion == 10^(6n); n-lliard == 10^(6n+3).

Windows was a carefully selected name.

[Futurepower(tm)]

Windows was a carefully selected name. At the time Microsoft picked it, windowing was an advanced ability for a PC.

These ideas about avoiding the chance of miscommunication are completely accepted by the people who sell all the consumer products you use. I'm surprised these ideas are so difficult for Slashdot readers to accept. My posts about this have consistently been modded down.

Re:Windows was a carefully selected name.

[pkesel]

Most slashdot readers are far from serious commercial developers. Most are simply over-opinionated hackers with too many of their own half-baked ideas to stump. I believe you do have a valid point, but not really one worth mentioning. Pet crusades generally aren't. It's like the blokes continually posting about the poor grammar or spelling in one's post. Valid but pointless.

Re:Windows was a carefully selected name.

[dstone]

Windows was a carefully selected name. At the time Microsoft picked it, windowing was an advanced ability for a PC.

As you point out, it is a geeky name. At the time Microsoft picked it, no consumer would know about "windowing" (an advanced ability for a PC). They'd hear the name Windows and draw their own conclusion. Now, it's a catchy name, but consumers would have connotations of "fragile", "breakable", "something I look through", "something transparent", "something I open and close", "something that keeps things out", etc. It's a catchy name. With lots of bad connotations, admit it. Thank goodness not everyone follows the rules.

Qbits and power

[karlm]

Okay, so I've only had a couple of lectures on quantum computing, but the were in Prof. Rivest's Network Security class, so the focus was pretty relavent to your question.

The basic idea with quantum computing is that you can do compuations on all of the possible inputs simultaneously. It appears that some of the problems we'd like to solve with quantum computers may not be able to be expressed efficiently with the quantum operations at our disposal. Someone mentioned in another post that quantum computers don't seem to be able to break block ciphers as efficiently as they can factor large numbers.

If everything is working properly, the Qbits probably aren't exactly ones or zeroes until you look at them. (In the world of quantum mechanics, particles act differently when you look at them. Look up Schrodinger's Cat on Google if you're not familiar with the basic idea of quantum.) The state of each qbit is a pair of complex numbers, called amplitudes. The square of a magnitude (vector length squared for the spatial thinkers among you. The dot product of a vector and its complex conjugate for those of you that prefer linear algebra.) is a probability.

The qbit is most likely not totally a 1 or a zero. The qbit is partially a one and partially a zero and these parts are represented as amplitudes. This indertiminant state is called a quantum superposition. In Ket notation we say a qbit is alpha |0> + beta |1> where alpha and beta are those complex amplitudes I mentioned earlier.

Stay with me. I'm almost done with the stuff that makes your head swell.

When you observe the qbit, it magically becomes exactly a one or exactly a zero, with probability determined by the amplitudes. Therefore, the sum of the squares of the magnitudes of alpha and beta always add up to one, sonce the probabilities of the qbit being observed as a zero or one must sum to 100%.

So, what does this all mean? It means that all of your computations are done with the qbits being BOTH zero and one at the same time. (Okay, so you set come of the qbits to specific values in order to control the quantum gates.) This means that with n qbits, it's like doing computation on 2^n data points simultaneously. You set up your computations so that in the end when you look at your qbits, you have a high probability of seeing the correct answer.

There's a big problem keeping very many qbits in quantum superposition for very long. A random neutrino or other minor disturbance has the same effect as looking at the qbits in mid computation.

Googleplex is a building

[yerricde]

the names stop here (unless something's changed since I learned this in middle school) except for google and googleplex.

Google is not a number; it's a search engine. Googleplex is not a number; it's the building that Google operates from. You're thinking of googol and googolplex.

Rijndael is unpatented

[fabbe]

Seems like someone has understood something about patents. According to the Rijndael spec, the algorithm is not patented. Specifically, section 1 of the spec says:
Rijndael or any of its implementations is not and will not be subject to patents.
This should enable Free Software and Open Source Software projects to use the algorithm, and it seems some do already (like GnuPG). It would be interesting to know if the working group has considered patent issues when selecting an encryption algorithm for AES.

Re:Rijndael is unpatented

Yes, all of the ciphers submitted for consideration as the new AES were required to be unpatented. The government does get things right from time to time. (Well, a lot of the time really, but they still get things really, really wrong sometimes.)

The NSA is charged with, among other things, maintaining the security of domestic communications, including domestic commercial communications such as would use AES (bank transfers, e.g.). In fact they seem to work at that in good faith. Yes, this is sometimes at odds with their other purposes, but since when does that stop any large organization?

Re:Coming in OpenSSL soon... (sig)

[HiThere]

"Can liberty be destroyed by the truth?"

Of course. It depends on how selective one is about which truths are allowed.
.

I don't trust it yet...

Never trust unproven cryptograpy. Never. I'll stick with 3DES for a long time, because I can rely on it's known level of security.

Did you know that the NSA wants to push AES to replace 3DES ASAP? Doesn't that make you wonder? 3DES's time hasn't come yet (by a long shot), so we can only assume that the NSA consider AES weaker than 3DES (they might even be aware of a backdoor).

A 19-year-old Korean woman understands this issue.

[Futurepower(tm)]

It's amazing how difficult this concept is on Slashdot.

I'm not "judging people by their name". I'm NOT judging a person at all. I'm saying don't call your web site or open source software product by a name that has any possible unfortunate meanings or connotations.

I did not invent this idea. It is universally used by people who design professional communication.

Why avoid side communication? Because long experience has shown that products with such communication don't do well in the marketplace.

I repeat. This has NOTHING to do with "judging people by their name".

I have a Korean woman friend whose name is "Go-oon". I suggested that, if she stayed in the U.S., she call herself "Susan". "Go-oon" sounds like "Goon" and is difficult to pronounce correctly for English speakers.

She didn't accept my suggestion; she didn't stay in the U.S. long. But she certainly did not take my suggestion as anything negative. She was 19. Why is it that a 19-year-old Korean woman understands this issue, but not many Slashdot readers? (Incidentally, she ran Linux. So, she is an above-average 19-year-old Korean woman. But still.)

Re:149 trillion years? and it's not good enough fo

[ChadN]

On a nit picky note about your otherwise informative posting, the "255 per second" in the article you quote should actually have been "2 to the power of 55" (ie. 36028797018963968) keys per second, which IS rather a lot...

I'm proud to be called a geek/nerd !

[jon_eaves]

P.S.: Here is another example. Don't call yourself a geek. It carries the connotation that you have difficulty communicating with others, and avoid communicating by immersing yourself in technical things. After seeing your website, I very much doubt that is true.

But maybe that's the difference between you and I. I'm proud to be a geek/nerd, and I'm proud to call myself that. A lot of my friends are also the same. As you mentioned, maybe we don't fit the geek/nerd stereotype, but if enough of us that don't fit the stereotype call ourselves by that name, maybe perception will change.

You're just parroting the generally accepted line for what a geek/nerd is. I'm working to change that. In reality, there are more geeks/nerds like me, than there are as you describe, so why shouldn't perception get changed ?

I'm also obviously less concerned about what other people think about me and the things that I do. Obviously what my wife says is law, but that's just natural ;-)

We've managed to change the perception in our wider circle of friends that being a geek/nerd is a "good thing".

Maybe my communication skills aren't as bad as you thought, eh ?

PS: If you want to keep up this communication, please just send email, I'm sure I don't need to bore anybody else with my mindless banter.

Hey Feds! Can I say PROMIS?

yeah, theres no 'E'... Its a [not so] secret US guvverment communications program... Fed ICQ i guess. Oh and its been in the hands of terrorists for at least 15 years, and one copy moved hands to Bin Laden & Co. just before 11/09/2k+1.

If i just typed a load of BS or whatever, sorry, i cant find the magazine right now.

Ah yeah the point of this post: What stopped them using a VPN layer or whatever? Encryption on the packets with some decent security regarding the keys.

Oh one other thing: exactly how the fuck does one get a net connection in an afghan cave? FFS i cant even get broadband here!! [Surrey, UK]

Ali

And your point is?

[vscjoe]

I didn't make any claims about whether Moore's law holds. I simply pointed out that if it holds, it doesn't take until the "end of the universe" to catch up with larger key lengths because Moore's law is exponential, just like the thing it's trying to catch up with.

As for whether Moore's law will actually fail in 12 years or not, that remains to be seen. Looking at current processor designs tells you nothing about that: current processor and systems designs should have been abandoned decades ago. The only reason we still stick with them is because it has been easier to push processes than design. I very much hope we'll hit the limit on processes soon so that we can then focus on getting better performance through better overall systems design.

I argue that few are hackers.

[rebelcool]

..in any sense of the word. Most have no clue about software design in any sort, and consider the ability to write a shell script makes them a 'programmer'... more like dweebs and wannabes with too much time on their hands.

Re:Coming in OpenSSL soon... (sig)

[imrdkl]

Hmmm. Yes, I see it now. >> TODO

it should have read 2^55 keys per second...

[Lawmeister]

damn cutting and pasting.. or just "damn, I should have read the preview..."

;-)

As If!

As if AES will replace DES. Sure it may be a better technology, but with good management techniques, DES can be kept secure. We have already seen this happenning! Triple DES is now in use on modern operating systems. And im sure it will continue to evolve.

But who is going to use AES? Im sure software developers arent going to rush in flocks to "upgrade" their apps to support AES. Sure, AES might sound good, but are we sure its safe? Being only 4 years old it is very young, c/w things like RSA and DES. And DES isnt that broken, is it?

And whats to say that AES isnt backdoored? Some people still speculate DES is backdoored, but it is yet to be proven.

Call me paranoid, thats just my opinion :)

Re:149 trillion years? and it's not good enough fo

[randombit]

On a nit picky note about your otherwise informative posting, the "255 per second" in the article you quote should actually have been "2 to the power of 55"

Oops. I was just going off what the original post said. I thought it was weird that they were says 255 keys/second - I mean, a 100 Mhz Pentium could do that!

Give me examples of truly bad names...

[Futurepower(tm)]

Nice name, but room for improvement.

I see your point. Part of the problem was that Linus did not care how it was pronounced until people began asking him.

Please, however, give me examples of truly bad names of commercial products.

Re:Give me examples of truly bad names...

[dstone]

Please, however, give me examples of truly bad names of commercial products.

Okay, thoroughly offtopic here now, but it's time to burn off some karma. And product naming is something I've been involved with...

That's a nicely constructed challenge you issue, since any name I give you can be retorted with "it's unique/politically incorrect/irreverant/offensive/bizarre/funny/horri ble, and therefore good for its intended market". Furthermore, as long as a product is still on the market and selling to at least a niche, it can be claimed that the name must not be truly bad.

I won't cite this as a "bad" example, because it actually works, but something that still amuses me is the way Ikea names its products. There are thousands of nearly interchangable names for their stuff. Now, functionally they might as well just use model numbers, but the crazy Swedish names apparently sound sexy or exotic to non-Swedish buyers, so they work. They communicate nearly nothing and are frequently impossible to pronounce, spell, or remember to non-Swedes. But they do the job in the store and catalog and are quickly forgotten since the product itself is good enough. I don't know the name of any of my Ikea products, and I've got a bunch. And I couldn't use those names to give to a friend for a referral. There's simply nothing "good" about any of those names, but as a naming scheme it's good. So I suppose you'll say that's a "meta-rule" in action.

The best thing about rules is that there are so many to choose from and we can always make more! ;-)

Re:149 trillion years? and it's not good enough fo

[Snotnose]

How do these hardware-DES codebreakers know when they've got the right key? I mean, it's not like a team of NSA folks are looking at all the output. So I'm assuming a lexigraphic analysis is done after trying each key. Now, IANAC (I am not a cryptogropher), but wouldn't it be effective to use hacker-speak in your plaintext? After all, if you can crypt then you can talk like a l33t d00d. Even better, sprinkle your plaintext with some binary codes like backspace, some 8 bit ascii, etc.

snotnose

Re:It is also very interesting, please, MOD UP TOO

[MrFredBloggs]

I imagine its similar - the conjecture still holds for any value of P...

averages and exceptions

[geekoid]

thats if you had to try all the possibilities.You could get it right on the first try. Likely? no.Possible?yes.
It doesn't take into acoung advance in algorithms and hardware.

Of course I'm crazy.

[Blind+Demiurge+Ialda]

There's never been a blind demiurge that wasn't a raving nutter.