Ask Security/Cryptography Expert Paul Kocher

Paul Kocher is unquestionably one of the highest-profile computer and network security experts around. He's president of Cryptography Research, Inc. and one of the architects of SSL 3.0. The floor is now open. Please try not to ask questions that can be answered with a few minutes' worth of online research. We'll post Paul's answers to 10 of the highest-moderated questions soon after he gets them back to us. Update: 03/13 18:18 GMT by M : Let's try this one more time, this time with feeling.

redundancy is key

[b_pretender]

Mr. Kocher would point out that in computer security, redundancy is key

Therefore, "Please try not to ask questions that can be answered with a few minutes' worth of online research." should be rewritten as, "Please try not to ask or moderate up questions that can be answered with a few minutes' worth of online research. "

Not a question, but a comment for slashdot

After seeing this story go up, it made me actually think about the interview longer, without being so pressed to try to get my response in quickly. I actually went to their website, and read through more carefully then usual. - Which got me to thinking.

Why not make stories have a ten or fifteen minute delay to allow people to actually READ the articles. Have a little timer that says how long until the story goes live for comments. This might take care of some of those who never read the articles.

Just a thought....

What is worth protecting?

[kryzx]

Paul, What advice do you have for people trying to find the balance between security and convenience? When is it worthwhile to protect something? Should a person try to protect all of their info and communications just for privacy purposes, or make a determination about which things are valuable enough to be worth the effort and/or processing power?

Along these lines, of your own personal communications and data storage, what do you encrypt and what do you leave unencrypted?

Why should the public care?

[httpamphibio.us]

Can you present a brief argument that you believe should raise the interest level of the general public in the need for cryptography?

Is Cryptology a House of Cards?

[kakos]

All of cryptology is built on a group of cryptographic primitives. Block ciphers, hash functions, factoring problems, discrete log problems, etc. are all used to build higher order cryptographic structures, such MACs, encryption, and signature schemes. However, all of these primitives are not proven secure. How do you feel about cryptology being built on such a fragile foundation, essentially making it a house of cards?

NSA may not be that far ahead.

[rjh]

First, it's not well-known that the NSA is years ahead of the pack. That's purely speculation. The NSA says so little about how much they know that anyone who says "they're years ahead" just shows they don't know what they're talking about.

In the '70s, '80s, and on up into the '90s, the NSA was certainly ahead of the civilian cryptanalytic community. DES, for instance, had its S-boxes strengthened against differential cryptanalysis in the '70s--about a decade and a half before the civilian cryptanalytic community discovered differential cryptanalysis.

But recently, there've been tantalizing signs the NSA is not as far ahead as people once thought. The civilian cryptanalytic community has grown tremendously in just the last ten years, and the quality of scholarship is the best we've seen since Turing and Shannon established the field. The civilian cryptanalytic community is now breaking NSA designs.

For instance: the NSA submitted a pretty cool cipher mode (Dual Counter Mode) for use with AES. People were looking forward to the opportunity to beat on an NSA design--and lo and behold, Dual Counter Mode was broken within a matter of weeks. The cryptoparanoids out there will say the NSA intentionally put out a weak mode in order to fool their enemies into underestimating their talents, but--really. Occam's Razor applies to the NSA as much as it applies to anyone else. The simpler explanation is that the NSA got egg on their face, just like everyone else has had. If you're going to be active in the crypto community, you're going to get your fair share of brain-os. Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

The really fascinating NSA braino is, undoubtedly, SKIPJACK, the cipher which was going to be the heart of the Clipper Chip. It had a very solid design and 32 rounds. 32 rounds is a lot of rounds--the idea the NSA would make a 32-round cipher struck a lot of people as evidence that the NSA was being extremely conservative.

Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors, and they allowed a small number of outside experts (incl. Dorothy Denning, who's a crypto luminary) to review major portions of the classified cipher.

So either you've got to believe the NSA lied to Congress, deliberately deceived Denning, and that Denning wasn't smart enough to know she was being deceived... or you can believe the civilian cryptanalytic community is getting good enough to challenge the NSA on the NSA's own terms.

Anyway. Come to your own beliefs as to how far ahead the NSA is of the civilian cryptanalytic community. I think the answer is "not very", but reasonable people will certainly disagree on these things.

Re:NSA may not be that far ahead.

[swillden]

Good post, but I disagree on a couple of minor points.

Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

This doesn't really follow. Schneier's a smart guy, and he's among the better cryptographers in the world, but his screwup doesn't necessarily mean that the NSA would also.

However, the fact that *every* cryptographer who's been around for a while has had his or her share of public failures does.

Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

Umm, not quite. First, Biham and Shamir invented differential cryptanalysis in 1990; they didn't invent it to attack SKIPJACK (although their paper on SKIPJACK did introduce a new variant, IIRC). Second, there are two possible "lessons" to take away regarding the capabilities of the NSA. One is what you said, that the NSA had built in a lower safety margin than they thought they had, but the other is that they knew what they were doing and deliberately chose 32 rounds because they knew 31 could be broken and they're pretty confident in their analysis.

Breaking a 31-round reduction of SKIPJACK does absolutely no good if you need to decrypt messages encrypted with 32-round SKIPJACK.

Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors

Umm, SKIPJACK *doesn't* have any back doors or weaknesses that we know of. The LEAF (Law Enforcement Access Field) they proposed for Clipper (with SKIPJACK as the cipher) was soundly thrashed by Matt Blaze, but that was the opposite. The NSA intended to design in a back door whereby law enforcement officials could decrypte messages, but Blaze found a way to close that door.

The weakness in the LEAF, however, was almost certainly a significant "braino" by the NSA. Even if for some reason they wanted to be able to defeat the LEAF, they apparently underestimated the ability of academic cryptanalysts. It's more likely, however, that they just plain screwed up, just like they did with the dual counter mode.

Please use Google.

[rjh]

*sigh* I really wish people wouldn't mod up questions which can be adequately answered with a quick Google search. That said--please mod the parent down, since it's not worth Paul's time. But I'm not going to leave the poster emptyhanded, either.

In order to flip a bit requires a thermodynamic minimum of 4.4 * 10**-26 joules of energy. (Ignore the time/power theoretical tradeoff and energyless reversible computing, please: those are still purely theoretical, and we have no computers which can do it. For that matter, we have no computers which can approach the thermodynamic minimum, but let's give the NSA some credit.)

That means it requires a minimum of 1.1 * 10**-23 joules of power to store a 256-bit AES key. Let's assume you have some kind of truly bizarre key cracker that can do an energyless rekey and key trial: all you have to do is have 1.1 * 10**-23 joules of power for each key you want to test. That's the thermodynamic minimum energy you need just to store the key.

To break a 256-bit key by brute force requires, on average, 2**255 operations. Multiply 1.1 * 10**-23 joules of power by 2**255, and you get 6.5 * 10**53 joules of power.

Let me repeat this.

It requires

650000000000000000000000000000000000000000000000 00 0000000

... joules of power.

By comparison, the Sun's annual power output is in the realm of 1.2 * 10**34 joules.

Or

120000000000000000000000000000000000

... joules of power.

Are you beginning to see why it's such a silly question to ask whether or not modern ciphers can be brute-forced with Crays?

Please. Use Google before asking questions.