Preview of New Block Cipher
flaws writes "Secure Science Corp. is offering a preview of one of the 3 ciphers they will be publishing throughout the year. The CS2-128 cipher is a 128-bit block cipher with a 128 bit key. This cipher is proposed as a hardware alternative to AES, being that it is more efficient in hardware, simpler to implement, and comparably secure to AES-128.
The preview of the CS2-128 cipher proposed is in html form and will be available in a published format at the end of April. At this time, requests are made for casual peer review and implementation. Secure Science will be offering a challenge at the end of April, introducing the cipher to the public. This cipher's implementation and usage will be offered in multiple hardware devices, such as wireless routers, cell-phones, and storage management hardware."
he can beat neo now?
MD5 of article text: 79592dc553067bfafaa07086c07d2c8a
Hello,
Recently I noticed that my teenage son Ezekiel had begun to encrypt
his emails with a program called PGP. I was concerned because I'd
always covertly monitored their email for any hints of illegal
activity, drug use or interest in the occult - some of his classmates
have begun playing Dungeons and Dragons and listening to KISS. Since
Ezekiel was now using PGP, his activities were hidden from me!
Additionally, I also overheard him talking of using a program called
Stegasaurus to embed secret information into normal-looking pictures.
Terrified that my son might be speaking in some sort of sinful code, I
immediately grounded him for a month. He was only allowed to go to
school and Bible study.
Anyways, I've done several days worth of research on this and
discovered a few things about PGP that I'd like to share with the
readers of these newsgroups. To begin with, I realized that many of
the claims made by the creators of PGP are blatantly false. Although I
do not have a background in mathematics (I have an AA in Photography)
I was easily able to rebuild Ezekiel's private key via his public key
and one of his encrypted messages.
Of course I am above-average in intelligence, but PGP is supposedly
unbreakable! Perhaps cryptographers aren't as smart as they believe?
Fortunately in this case Ezekiel was just discussing a girl he met in
school - a situation I harshly reprimanded him for. However, while PGP
may be a program with flaws, it got me thinking about other programs.
Perhaps someone will construct a PGP-like program that cannot be so
easily broken; one that would take days of computer time to hack!
My concern with a program like this is that people who use
cryptography always do so because they have something to hide. A sense
of guilt and shame seems to drive them. They know that they are doing
something wrong and desperately want to hide it from the eyes of the
world (although hiding it from the eyes of God is another matter!
LOL!)
A study recently released by the Institute for Family Computing
revealed that the top three uses of cryptography were for 1)
"terrorist-related activity" 2) pedophilia and 3) drug abuse. In fact
as far as I can tell, no legitimate use was on the top ten at all!
What scares me about this is that law-enforcement agencies will be
unable to sift through email to find people who are breaking the law,
or otherwise engaged in suspicious activity. At a time when our nation
is under siege, I find it disturbing that people are working on
developing cryptography that cannot be broken, even by our protectors
in the FBI and CIA! Only those with something to hide truly need
cryptography.
Thus I urge cryptographers worldwide to refrain from working on such
programs, until our nation is no longer at war. I would ask those of
other countries to respect our right to self-defense and aid us in our
time of trouble. Your cryptographic skills can be better put to use
trying to find terrorists than to assist them.
Sorry I never took calculus as a 2nd language
"Secure Science Corp. is offering a preview of one of the 3 ciphers they will be publishing throughout the year."
And how many people will have the expertise to provide a "review" that'll satisfy everyone?
Is it really immune? I don't know enough about the subject to understand the paper but that struck me as a bold statement
http://www.busyweather.com/
I read the paper. They devote, oh, a page or so to attacks. Proven as secure as AES? bah.
If I'll be able to understand how this one works. The only algorithm I've ever understood well enough to write an implementation is RC4. I would like to see a strong algorithm that is fairly simple to understand, but I fear that such a thing is not possible.
Is it possible that this may replace current VPN encryption algorithms since it is supposedly "easy to implement in hardware"?
Not long ago there was talk of how fast certain boards could do VPN work because they had offloaded certain algorithms to a specialized chip.
I can't tell if you're trolling or not. Good one, if you are. Otherwise you're an idiot. :-)
The moral of the story: stick to the standards people.
Lasers Controlled Games!
because uncrackable hardware encryption is just what the industry wanted
Hardware accelerated encryption is a novel idea, but how easy is it to do a "peer review" of something that requires a proprietary device to truly recognize the benefits of it?
shop.envescent.com - Computer hardware and more.
The information would be readily available shortly after its public release as a product, I'm sure. There is no such thing as security through obscurity.
Well, I called up DVD Jon, and within about 15 minutes he had a working exploit for the cipher.
Oh well off to the next
Nothing to see here already been cracked...move along....
Top Questions:
1. Is this a proprietary or patented algorithm?
2. Has this algorithm gone through the usual rounds of analysis among the nation's top cryptographers?
3. Has it been implemented in a FIPS 140-2 certified cryptographic module?
That should keep them busy.
but what is "casual peer review" and why would it be desired (over perhaps more in depth peer review) for an encryption technology?
In a related story, the IRS has recently ruled that the cost of Windows upgrades can NOT be deducted as a gambling loss.
will these ciphers be patented?
if so, they will die on day one.
See the past /. story about Mobil SpeedPass hacking if you want to see why hiding an encryption protocol is really stupid. http://slashdot.org/article.pl?sid=05/01/30/1617240&tid=172&tid=1
"A little from column A, a little from column B". Personally I think he's half idiot and half trolling for his fucking conga line free mac sig.
Can I buy some weed from you?
That's the stupidest idea I've ever seen. It only makes minimal sense in a single business's internal cryptographic format, and even then it's a bad idea.
The basic principle of cipher design, established in the 1800s, says that a good cipher's security is provided by the key, not knowledge of the system. If they don't release the system, they can't get feedback that might expose weaknesses in the system. A publicly known, rock solid algorithm beats a possibly weak, possibly private scheme every time.
After all, they want to sell this. It's a little hard to keep implementation details secret when you *sell* the chips.
-ShadowRanger
oh dear...is that the time?
Now, I know that it's provably hard to attack a good encryption scheme. However, if this one is easier to implement in hardware -- if the cipher can be hardware accelerated more easily -- does that mean that an attack on this scheme could also be hardware accelerated more easily?
"We prove that our design is immune to differential and linear cryptanalysis"
See Bruce Schneier's "Snake Oil", Warning Sign #8: Security proofs.
"Secure Science will be offering a challenge at the end of April, introducing the cipher to the public."
See: Warning Sign #9: "Cracking contests" and "The Fallacy of Cracking Contests"
All of this may be well and good, but I don't think any real engineers are going to be choosing this over AES anytime soon. AES was a competition backed by NIST to replace the current encryption standard (3DES). Most of the world's top cryptographers submitted their algorithm. Only after a very long and very thorough peer review process did the NIST declare Rijndael's submission to be the winner, and therefore the new AES standard.
this won't get cracked as easily as SHA-1.
Software is like sex. It's better when it's free. -Linus Torvalds
No, they don't - not if they're GOOD security.
The intention is that with good encryption techniques, the "bad guys" can know all about how the system works...and it will work anyway. What's the point in making sure nobody sees you hiding your key under the doormat (security-through-obscurity) if the key doesn't work for anyone but you anyway?
Hacker Public Radio is our Friend
Just adding in a reference for that principle, which I couldn't find the source for.
"The significance of the key is an enduring principle of cryptography, and it was definitively stated in 1883 by the Dutch linguist Auguste Kerckhoffs von Nieuwenhof: "The security of a cryptosystem must not depend on keeping secret the crypto algorithm. The security depends only on keeping secret the key."" - Excerpted from http://www.simonsingh.com/History_of_the_Science_of_Secrecy.html
-ShadowRanger
...how badly patent-encumbered these ciphers are going to end up being?
Hacker Public Radio is our Friend
You are right. Nevermind what I said. Buy the snake oil, it has a better track record.
Lasers Controlled Games!
In that case we need lasergun equipped mobile drone patrolbots that will guard you until they are fried to a nice crisp. In fact, why not a whole legion for every man?
We all deserve our horde of guardbots!!!
Wait, what were we talking about again?
put in the public last year...
Part of the problem with these ciphers is having to constantly convert to and from decimal, which is a very poor base to use in computer science.
Transcend Humanity. Please.
Ugh.
1) No decrypt specified. So it doesn't work with many modes.
2) Complete ambiguity in the endianness of the test vectors. Which end is which?
3) Optimized for HW complexity. We have AES for that. We want new ciphers optimized for security.
Evil people are out to get you.
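Taking point 1 further, as an added example (not code from the page, the paper or Secure Science): a constructed forward-only 128-bit block function stands in for a cipher whose specification omits the decryption direction. CTR mode still round-trips, because it only ever calls the forward direction, while CBC decryption cannot be written at all.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit block, the size the cipher under discussion uses


def forward_only_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher whose spec defines only the encryption
    direction. Constructed from HMAC-SHA256 for this example; it is NOT
    CS2-128 and, unlike a real cipher, has no inverse at all."""
    assert len(key) == 16 and len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # zip() truncates to the shorter input, so a final partial block is fine
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: keystream block i = E_k(nonce || i). Only the forward
    direction is ever called, so one function both encrypts and decrypts.
    (Never reuse a nonce under the same key; the keystream would repeat.)"""
    assert len(nonce) == 8
    out = bytearray()
    for i, off in enumerate(range(0, len(data), BLOCK)):
        keystream = forward_only_block(key, nonce + i.to_bytes(8, "big"))
        out += xor_bytes(data[off:off + BLOCK], keystream)
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC encryption, C_i = E_k(P_i XOR C_{i-1}), also needs only E_k..."""
    assert len(iv) == BLOCK and len(data) % BLOCK == 0
    prev, out = iv, bytearray()
    for off in range(0, len(data), BLOCK):
        prev = forward_only_block(key, xor_bytes(data[off:off + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """...but CBC decryption is P_i = D_k(C_i) XOR C_{i-1}, and D_k is exactly
    what the specification does not give. ECB decryption fails the same way."""
    raise NotImplementedError("no decryption direction specified for this cipher")


def demo() -> bool:
    """Round-trip a message through CTR mode with a constructed sample key."""
    key = bytes(range(16))                 # constructed sample key
    nonce = b"\x00" * 8                    # constructed sample nonce
    msg = b"casual peer review, 33 rounds"  # 29 bytes: CTR needs no padding
    ct = ctr_crypt(key, nonce, msg)
    return ct != msg and ctr_crypt(key, nonce, ct) == msg


if __name__ == "__main__":
    print("CTR round-trip ok:", demo())
```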
There were plenty of alternates to the NIST AES "contest" when it was first proposed. Some of them were simpler to implement in hardware than the finalist. Unless they're suggesting that this new scheme would have beaten Rijndael in the original proposal, I'm not sure I see the point. I would much rather see additional scrutiny paid to elliptics or another technology that will actually buy something in the implementation or key size.
"You keep using this word. I don't think it means what you think it means."
dmiessler.com -- grep understanding knowledge
Why don't they just have 1000 bytes (~8000 or so bits) as encryption keys?
Crypto systems do not always need to be brute forced: 'More often than not' it is a brain dead technician sending the keys across a timeplex, via satellite, and then over HF or something equally as silly, out to their remote site.
Key exchange is where the biggest failures occur (that I see). Many crypto systems still in use throughout this part of the world (still) work in a similar method to the old enigma typewriters - typically they are rapidly broken because they send identical messages using different keys, then send the same message in clear text via some other link.
Maybe I'm misreading the description, but it looks to me like this is an 8-round cipher with a round function considerably simpler than Rijndael's round function.
Given that 8-round Rijndael is broken, it seems highly optimistic to think that this new cipher will not be broken.
Tarsnap: Online backups for the truly paranoid
whitenoise labs, a cryptography startup that just got its algos patented...
Company link:
http://www.whitenoiselabs.com/
Cryptographic analysis link:
http://www.whitenoiselabs.com/papers/Wagner%20Security%20Analysis.pdf
Performance analysis link:
http://www.whitenoiselabs.com/papers/UVIC%20Performance%20Analysis.pdf
So whitenoise encryption offers a cheaper solution that is mathematically stronger, and computationally order log n complexity where n is filesize (therefore faster too)
and please tell me why anyone in their right mind would still bother using this shoddy, expensive, slow method for cell phone encryption?
-judging another only defines yourself
You know that "DVD Jon" is just a code name for a bunch of slave gnomes who sit in somebody's basement and crack stuff, right? Free the gnomes!!!
I have this really funny quote that I like to put here. Unfortunately, there's this really annoying thing called a char
Duh!
What's the point in making sure nobody sees you hiding your key under the doormat (security-through-obscurity) if the key doesn't work for anyone but you anyway?
If they took the key you wouldn't be able to use it. This doesn't apply to crypto. I'm just pointing out that it's never a good idea to hide things under doormats.
From TFP:
Our original 256-bit key designs were designed to use the round function to lower the design, implementation and cryptanalysis time. However, all of our attempts were either weak against reduced round related keys attacks or were too inefficient for on-the-fly computation. As a result for this design we reduced the key size to 128-bits.
In general (not just in cryptography, which is certainly not my field), it's a good thing to have an idea how to extend an algorithm when designing it. Here, however, that doesn't seem to be the case.
Presumably, advances in computing hardware will eventually render this 128-bit algorithm insecure, and it would be necessary to extend the algorithm to a higher-bit cipher. However, the quote above seems to indicate that they don't really know how to extend it to higher bits and still provide the necessary cryptanalysis and implement it well. That doesn't sound like a good thing in a design.
In contrast, many other crypto algorithms are fairly easy to strengthen over time just by increasing the key size, since such algorithms already have a substantial amount of cryptanalysis and it's known how large the keys need to be with a given amount of computational power (with known attacks, granted). I'd be curious to see whether or not the problems they encountered are insurmountable. -- Paul
OpenSource.MathCancer.org: open source comp bio
Public domain has a very specific legal meaning. Open source is definitely not in the public domain. It is protected by copyright and all of the "open" licenses are precisely that - licenses to use that code (or documentation, images, etc.) in specific ways.
Of course some companies make the mistake you made... and when they're caught they usually act surprised to learn that 1) somebody cares and 2) that somebody has enforceable legal rights.
As for the second comment, that's all anyone serious about security needs to know. Get back to us after at least five years of serious review by experienced cryptographers - until then you're pissing in the rain and trying to sell umbrellas.
(P.S., are you familiar with the saying that any fool can invent an encryption algorithm that they can't crack... and only a fool would believe that that proves nobody else can either?)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Considering the number of "hired guns", and the amount of resources poured into various 3 letter alphabet soup government organizations, any reliance upon the "next big thing" in ciphers, like elliptic curve encryption, is likely to end badly. AES-1 was supposed to have been the hot new encryption, but has been found vulnerable. I don't expect much better long term security with a number of other encryption methods, particularly with the "seal of approval" of those same 3 letter alphabet soup organizations.
A CD-R chock full of books in ANSI text or XML or even PDF format could easily provide the basis for a lifetime's worth of OTP (One Time Pad) encryption. Perhaps it is time to revisit older methods married to newer technology, instead of newer methods with bleeding edge technology.
I seem to recall an awful lot of problems with pseudo-random number generators and the seeding methods they used, not so very long ago.
One of the advantages of Rijndael as the AES cipher (when such was still undecided) was ideological neutrality, unlike American, British, Japanese or Israeli ciphers. At least, no one seriously believed Belgium was out to destabilize world hegemonies. It probably behooves contenders for a "hardware replacement" for AES to demonstrate a similar lack of pups in the brouha.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
"...This implies that cryptography may come ultimately from the infantile sexual pleasure that children obtain from the muscle tension of retaining the feces." From Kahn's "The Codebreakers".
Aren't those algorithms the same? Similar? To Tom's ciphers? Didn't he work there?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"The preview of the CS2-128 cipher proposed is in html form and will be available in a published format at the end of April."
The "peers" "review" the code. Perhaps they find vulnerabilities or exploits in the implementation.
And then the company releases it... in hardware.
Then, who peer reviews that? Sounds supremely fl@wed. :-)
I've actually designed the encryption end of a synthesizable Rijndael chip. It was lab 5 of ECE 435 at U.Va. Granted, that's a 4 1/2 credit course, and there were only 5 labs, but still. Adding the decryption would have less than doubled the work, and considerably less than doubled the silicon. Implementing AES in hardware is NOT hard. In the name of laziness, I did it in a highly parallel fashion a lot of work that could be serialized to reduce the transistor count by about a factor of 8, before getting to even slightly fancy optimization techniques.
You need some registers, some shifters, and some very minimal control logic. Doing the sbox algorithmically isn't terribly fast and requires a fair amount of logic, so generally you just use a 256 byte ROM for the sbox. With die space being as expensive as it was when DES was being designed, it's understandable that they did some weird things to make it fit on the chip. These days, nobody blinks at 10k transistors, even on embedded devices.
Sure, their 4x4 sbox is going to take a lot less space on the chip, but does that really buy anything? Their design document shows that 32 of them are necessary to do a whole round in a single step, while only 4 are needed for Rijndael. That's 2048 bits of ROM on CS2 and 8192 bits of ROM for Rijndael, but CS2 takes 33 rounds while the 128-bit version of Rijndael takes only 10. The amount of hardware required for comparable throughput is about the same, though Rijndael's pipeline is an order of magnitude shorter, due to fewer rounds and the rounds not having to go through that barrel-shifter network.
WARNING: there is a trojan on your
But it doesn't say who wrote the algorithm (just the reference code) - is it someone known to the community? It's written by the anonymous academic "we" - it references a couple of papers by Tom St. Denis, but has the feel of somebody who doesn't natively speak English, and the web version has spelling problems. The paper's about 8 months old - has some version of it been submitted to any of the academic journals, and have any of them published it? fl@ws says later they're working on getting some professionals to look at it, which is a good start (realistically, if the academic community doesn't generate its own buzz, you're going to have to hire credible people to vet it to start to get some attention so that more people will start trying to attack it.) The posting mentions a "challenge", which is usually a bad, bad sign, though this looks better than the usual snake oil that does that.
Things I'd hoped to see that are missing include
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Finally I can change to something better than rot-13!
http://groups.google.de/groups?selm=4e2f159f.02071 91637.3e2c334@posting.google.com
Wouldn't any 40-bit cipher be 'easy' to crack due to the small keyspace, especially if it's easy to compute?
I just hope that the passwords on my private keys use an algorithm that's so slow no one could brute force my password.
thank God the internet isn't a human right.
To see what its biggest weakness is... it's a SECRET KEY TECHNOLOGY! All the wonders of unbreakability that are claimed may be true; let the hoped for flood of reviewers decide that. The whole scheme stands or falls on protection of the keys... I can't afford a courier the way DOD can so I am not sure how I am getting my key sent to my intended secure recipients.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
For a company called Secure Science I would expect something better than a publicity stunt. If these algorithms are really that good then they should be reviewed by cryptography experts instead of a proof by mass media exposure. Where's Bruce Schneier's review? Where's the peer reviewed journal articles? This looks more like hype than security or science.
As the United States has known since its founding, all cryptographic algorithms (even the one-time pad) are vulnerable to attack via divine revelation, even in the absence of the ciphertext itself. Those able to take advantage of this regularly are a pearl without price in the intelligence community.
Your services have immense potential value for your country in the hunt for terrorists like Osama Bin Laden. If you'd like a circular describing opportunities for employment with the NSA, just pick up your phone, call your mother, and ask for one.
//Information does not want to be free; it wants to breed.
So? It's a block cipher, and it has a secret key. This is not a weakness if you use it in the way it is intended to be used. Such a cipher presumes that you have appropriate protection for the key (which could be stored in a secure hardware device, for example) and use a secure key exchange mechanism (such as Diffie-Hellman) if you are using it over a transport layer.
umm. like other secret key technologies, it's probably quite useful as a bulk data encryption after a session key has been negotiated using public/private
A cipher that is more efficient in hardware and therefore more easily brute-forced. What will they come up with next?
I may be wrong, but I think I recall reading in the big red book that most encryption is done with symmetric keys. Public-key methods are orders of magnitude slower. Thus, you encrypt the symmetric key with the recipient's public key (so only they can read it), and sign it with YOUR private key (so they know you sent it). The symmetric key is then unpacked and used to do the heavy lifting.