Slashdot Mirror


Modern History of Cryptography Techniques

Heather writes "The encryption scheme you rely on today might be full of holes just a few years down the road. Learn how far we've come in the last few decades, and why your apps need to be ready for change. This article builds on a previous article about Enigma, Germany's WWII-era encryption system."

12 of 204 comments

  1. Related earlier slashdot story by karvind · · Score: 5, Informative
  2. Premise is nonsense by Paul+Crowley · · Score: 5, Informative

    DES was *not* considered "uncrackable" when it was launched. In fact, cryptographers such as Michael Wiener warned that the key was too short and described the dangers of a hardware-based key cracker practically as soon as it was announced.

    The history of cryptography is not simply one of algorithms thought uncrackable being cracked. It is one of consistent refinement of our understanding and technique, but to imagine that the history of DES means we'll be breaking open 256-bit AES-encrypted messages in a few years is delusion.

    1. Re:Premise is nonsense by JUSTONEMORELATTE · · Score: 4, Informative

      FWIW, DES was effectively broken by Evi Nemeth (at CU Boulder) using a paired-primes database and an all-software solution. There was no hardware-based key cracker; there was an algorithm that took a ton of cycles to generate the db, then a simple bit of lookup code to decrypt the ciphertext.
      IIRC, when she demonstrated it, they decrypted something like 5,000 passwords from a nearby /etc/passwd file in less than a minute on a Sun3.
      She made a point of telling us that the NSA has a copy of her work and her database.

    2. Re:Premise is nonsense by Anonymous Coward · · Score: 3, Informative
      This does not make sense. Using paired primes to attack DES? DES isn't based on primes, it is based on shuffling bits around iteratively (a Feistel network). Decrypting password files from an /etc/passwd file? In that context, DES is used in hash mode, and a password *doesn't* decrypt - because multiple passwords end up with the *same* hash.

      Also, searching reveals Evi Nemeth talking about implementing a break of a DES key exchange using Diffie-Hellman:

        Date: Fri, 30 Oct 87 19:32:32 MST
        From: evi@boulder.Colorado.EDU (Evi Nemeth)
        To: Eric.Cooper@SPICE.CS.CMU.EDU
        Subject: Re: DES breakthroughs?

        the break is in the diffie hellman key exchange for des based on 127 bits. it was done quite a while ago, solving the discrete log problem for the field 2 ** 127 -1. the work was with ron mullin at the university of waterloo. the actual implementation of the algorithms was done on the denelcor hep supercomputer (since defunct) in 1984. there were several technical papers by mullin and by coppersmith at ibm yorktown on the method of attack. our paper on the implementation which includes a description of the algorithm but not the gory details, was in the proceedings of the international conference on parallel processing in the summer of 1984. i can send you a copy if you dont have access to the proceedings. the paper actually won the best paper award at that conference, no $$, but i got a plaque for my wall and denelcor sold a machine to nsa.

        the reason i mentioned it to van was that sun has now done two talks at meetings about their security on the network that is based on des using the diffie hellman key exchange in exactly the field that we broke. both times the talk was given by the programmer who is implementing it not the mathematician who decided what to be implemented. i pointed them again to the papers on it; hope a number theorist there actually reads them.

        evi

      This seems likely to have been misunderstood as a break of DES itself. A Diffie-Hellman break would match with the database generation and with using primes.

      Eivind.

  3. Re:why no encryption by default? by qwijibo · · Score: 4, Informative

    As has been mentioned, it's the job of the application to determine whether or not encryption is necessary and what type. There is no one-size-fits-all solution that could be implemented at the network layer without creating more problems than it solves. If you're sending financial transaction information, the additional time to encrypt and sign is worthwhile. It takes time to encrypt and decrypt data. For VOIP, that may be considered an unnecessary and unacceptable inconvenience. However, from an application development standpoint, not offering the user that choice is pretty lame.

    Another reason for not having a default level of encryption at the network layer is that it takes a long time to get everyone to upgrade. Poor encryption can be worse than none in the sense that non-security-geeks don't know the difference and may assume that their connections are secure. It's better to start with the assumption that they are insecure and if that is not acceptable, mitigate against that risk with an appropriate level of encryption in the application.

  4. IDEA is patented by crimethinker · · Score: 4, Informative
    It is my understanding that IDEA is patented (how it is even possible to patent a sequence of mathematical operations is a topic for another flamewar^Wdiscussion) and the holders of that patent wanted royalties. PGP used IDEA originally, but GnuPG wouldn't touch it over the royalty issue, and it eventually fell out of favour as other ciphers with 128-bit and larger keys became more widely available, e.g. Blowfish, Twofish, Serpent, Rijndael (AES), etc.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
  5. Re:why no encryption by default? by RAMMS+EIN · · Score: 2, Informative

    ``so... great, but why aren't most tcp streams encrypted by default?''

    Because there is really no need to. I don't need to have all the public webpages I request to be sent to me over an encrypted link. Nor the publicly accessible ISO images I download. Nor the files I access over NFS. Etc. Encryption is there when I need it, but I don't need to burden myself, my computer, and the whole network infrastructure with it when I don't need it.

    ``the client side load is negligible''

    I really don't agree with that. The process of key negotiation alone can take up to multiple seconds in many cases. On my local network, transfers are notably slower with than without SSL. Even when transmitting over the Internet, there's a noticeable difference in CPU usage between transfers with and without encryption.

    And don't forget that an encryption mechanism that can be decoded quicker can typically also be cracked quicker. If the decoding cost is "negligible" on a single desktop system, maybe that tells bad things about the feasibility of cracking the encryption with a little botnet or campus cluster?

    --
    Please correct me if I got my facts wrong.
  6. Simon Singh's Codebook by SenseOfHumor · · Score: 2, Informative

    Simon Singh's Code Book covers the history of encryption pretty extensively, starting from Caesar's time. Enigma and others are covered very well.
    The encryption methods are covered in layman's terms (I think!).

  7. Re:World War II encryption tech by Anonymous Coward · · Score: 2, Informative
    The success of using Navajo wasn't so much due to Japan being a closed society; it was because there were no Navajo speakers outside the US at all, and the language had no alphabet and had never been written down. On top of all that, they spoke in coded ways that didn't even make sense to untrained Navajo speakers.

    I can guarantee you that the Polish would have been just as stymied by the Navajo "Code-talkers" as the Japanese were.

  8. Re:Author appears ignorant about cryptography by pclminion · · Score: 4, Informative
    It is also interesting to note the bias they give PGP here. Basically, there are two good asymmetric key distribution schemes in the world: PGP and PKI.

    PKI just means "public key infrastructure" and can refer to any method for managing and exchanging public keys. X.509 certificates and the entire framework of trusted authorities surrounding them are just one implementation of a PKI. PGP is another, more simplistic implementation.

    So you can't really compare PGP, which is a specific application, to PKI, which is just a broad term for key management infrastructures.

    And what about "PKI" (in the sense you seem to mean it) isn't free? OpenSSL can do everything with certificates that you'd ever want to do.

  9. About OTP by Ernesto+Alvarez · · Score: 4, Informative

    Implementing a program that encrypts with an OTP is a no-brainer. Any program capable of doing a bitwise XOR can do it (basically because the algorithm IS an XOR).

    There are two BIG problems with OTP:

    1) You need a lot of random bits (the good stuff, like this, not your cheap pseudo random numbers). You need exactly as many as your plaintext.

    2) You need to securely send a copy to the intended receiver, and make sure the pads are destroyed once used.

    Basically, no one does it because it's a real bitch to implement correctly (pad creation) and it's not worth the effort (unless you're using them in a hotline from Washington to Moscow or something like that).

    You probably don't want an OTP. If you want something to encrypt your files and recover them with a password, you CERTAINLY don't want an OTP (in fact, you can't have one, because the pad is not random, it's pseudo random, generated from the password, and thus lacks the important properties of an OTP).

    And very important: most companies that sell "One time pad" software usually sell snake oil, so be very careful.

    And if you think you can get away with a pseudo random pad: the Soviets spent some big time making pads for diplomatic and espionage messages, and made the little mistake of using the pads more than once; you can see the results here.
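An added illustration of the points in this comment, written for this page and not code from the original post: a one-time pad is just XOR with a pad of fresh OS-random bytes exactly as long as the message; reusing the pad lets an eavesdropper XOR the two ciphertexts, cancel the pad, and read off exactly where the two plaintexts differ; and a "pad" stretched from a password (PBKDF2 here) is reproducible, so it is a password-keyed stream cipher rather than a one-time pad. The messages, password and salt are constructed sample values.

```python
import hashlib
import os


def generate_pad(length: int) -> bytes:
    """A fresh pad from the OS CSPRNG: exactly as many bytes as the plaintext."""
    return os.urandom(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings. OTP encryption and decryption are both this."""
    if len(a) != len(b):
        raise ValueError("pad and message must be exactly the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts made with the same pad XOR to plaintext1 XOR plaintext2:
    the pad cancels out and the relationship between the messages is exposed,
    without the eavesdropper knowing a single pad byte."""
    return xor_bytes(c1, c2)


def differing_positions(leak: bytes) -> list:
    """Positions where p1 XOR p2 is non-zero, i.e. where the two plaintexts differ.
    Everywhere else the eavesdropper knows the two messages are identical."""
    return [i for i, b in enumerate(leak) if b != 0]


def password_pad(password: bytes, salt: bytes, length: int) -> bytes:
    """A 'pad' derived from a password is pseudo-random: the same password and
    salt always reproduce it, so it lacks the one property an OTP depends on."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=length)


def demo() -> dict:
    # Constructed sample orders, deliberately of equal length and mostly identical.
    p1 = b"MEET AT DAWN ON THE NORTH BRIDGE"
    p2 = b"MEET AT DUSK ON THE SOUTH BRIDGE"

    # Correct use: one fresh pad, used once, then discarded.
    pad = generate_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    roundtrip_ok = otp_decrypt(c1, pad) == p1

    # The Soviet mistake: the same pad protects a second message.
    c2 = otp_encrypt(p2, pad)
    leak = pad_reuse_leak(c1, c2)

    # The "pad from a password" mistake: the pad is a deterministic function
    # of the password, so it is not random at all. Constructed sample values.
    salt = b"constructed-salt"
    first = password_pad(b"hunter2", salt, 16)
    second = password_pad(b"hunter2", salt, 16)

    return {
        "roundtrip_ok": roundtrip_ok,
        "leak_is_p1_xor_p2": leak == xor_bytes(p1, p2),
        "differing_positions": differing_positions(leak),
        "password_pad_reproducible": first == second,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `differing_positions` result is the part worth staring at: with no knowledge of the pad, an observer of the two reused-pad ciphertexts learns that the messages agree everywhere except at five byte positions, and with any guess at one message (a crib) can recover the other at those positions. A pad from `os.urandom` used exactly once gives none of that away.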

  10. Parent is total bollocks by Paul+Crowley · · Score: 2, Informative

    The most effective attacks on DES are brute force, linear cryptanalysis, and the improved Davies attack (a form of differential cryptanalysis). This talk of paired primes is confused nonsense, probably to do with some sort of dictionary-based attack on Unix passwords, which is a different but related problem. It sounds like she might be using Hellman's time/space tradeoff.