Crypto Snake Oil

An anonymous reader writes "Luther Martin of Voltage Security has published an article about the perception of cryptography today with regards to quality and honesty in vendors. From the article: 'Products that implement cryptography are probably credence goods. It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography, and most people cannot easily distinguish between very weak and very strong cryptography. Even after you use cryptography, you are never quite sure that it is protecting you like it is supposed to do.'"

Snake Oil

Snake oil is a traditional Chinese medicine used for joint pain. However, the most common usage of the words is as a derogatory term for medicines to imply that they are fake, fraudulent, and usually ineffective. The expression is also applied metaphorically to any product with exaggerated marketing but questionable or unverifiable quality.

'nuff said

Re:Snake Oil

[ObsessiveMathsFreak]

...any product with exaggerated marketing but questionable or unverifiable quality.

Like a religion?!

Re:Snake Oil

[jimicus]

Karma Whoring is a traditional /. method of increasing your slashdor karma by taking advantage of being early to spot the article and posting something informative about it, generally lifted straight from Wikipedia, in the hope of being modded Informative.

Re:Snake Oil

Karma Whoring is a traditional /. method of increasing your slashdor karma by taking advantage of being early to spot the article and posting something informative about it, generally lifted straight from Wikipedia, in the hope of being modded Informative.

How does that work for anonymous cowards then dickhead?

Re:Snake Oil

> exaggerated marketing but questionable or unverifiable quality.

Personally, I was thinking of Slashdot... :-)

Re:Snake Oil

[SanityInAnarchy]

Yes, it should be offtopic. However, it's an interesting and insightful point. You make the point that religion is not always bad, and may in fact be helpful, but you have yet to actually counter the point.

Put it this way -- praying to, say, the TrueCrypt gods seems about as effective as praying to your own God.

But you and I are considerably more offtopic, anyway. If you'd like, we can take this to another forum. I am not anti-religion, but if you are offended by statements like "religion is superstition", you have a lot to learn. Oddly enough, the Unitarians seem the sanest, if the most schizophrenic.

Re:Snake Oil

[TheOneBiscuit]

You may also note that Karma whoring requires not posting anonymously.

Re:Snake Oil

[plover]

The difference between the snake oil hucksters and the crypto-hucksters was not made clear in TFA.

The snake oil salesman KNOWS that his product is worthless. The crypto-huckster believes that his product is the strongest encryption tool known to mankind.

I've seen a lot of the snake-oil type crypto products that claim "this key is used to generate a one-time pad, and a one-time pad is the only truly unbreakable cryptographic algorithm." The authors understand so little of what they're doing that they don't realize the key generation has become the true security comoponent of their algorithm, but continue to sell their products as if there's no cracking them.

Still not too bad

[legoburner]

Even though in many cases this might be true, and product prices are increased because of it, weak encryption is a lot better than no encryption at all. There are many people out there who might go as far as casual data theft (eg; taking someone at their school's USB memory stick), but even a weak layer of encryption will stop all but those who know what encryption is and where to start breaking it.

Re:Still not too bad

[TCM]

I'm not so sure. Once a flawed implementation has been broken, there will be tools to crack it.

Take WEP for example. I personally wouldn't know how to crack it. But others do. They develop tools. Et voila, today it's trivial to download some tool and break WEP, even for novices.

Weak encryption is never good and should be strongly discouraged.

Re:Still not too bad

[Panaflex]

WEP is still a great example... it's enough of a pain that if given the choice between breaking a WEP connection and using an open WAP - well, you'll choose the open one.

In that case, WEP really does work for most people.

Re:Still not too bad

[Snarfangel]

I'm not so sure. Once a flawed implementation has been broken, there will be tools to crack it.

Plus, if there is *no* encryption, people are less likely to put sensitive information in the application.

To use an analogy, consider two locker rooms. Room A does not have locks on any of the lockers. Room B has locks, but all of them have the same combination. In which one is a person more likely to leave their wallet?

Re:Still not too bad

[Lord+Ender]

I would say that there is an inverse relation (at least somewhat) between price of crypto software and real security.

The cheaper the software is, the greater the number of people who could have peer-reviewed it for correctness. The more open the software, likewise.

Really expensive software could only have been peer-reviewed by a small number of people, while free, open source software could have been reviewed by a huge number of people.

I recently was asked to recommend a way for my CEO and several other executives to securie thier IMs. I recommended gaim + gaim-encryption because it was all open source and free, so if there were a flaw in the crypto implementation, it would likely have been discovered already.

I also made sure the CEO knew that he was using open source software, and I told him why. He was totally down with it :-)

Re:Still not too bad

[jimmypw]

When you dont find an open WAP theres only WPA and WEP encrypted...
Why would you want to use WEP when on most routers WPA v1 or v2 is available and is no harder to set up?!?

In that case, WEP really DOESN'T work for most people.

Re:Still not too bad

Unfortunately this is a flawed approach. A million people may have read it, but if none of them were cryptographers than it was no better than if nobody had read it. What's really important is _who_ has read the code, not how many.

Re:Still not too bad

[abhi_beckert]

Peer reviewed does not equal security. It could be there are several known flaws in something that's had "peer reviews", or it could be the system is totally open but hasn't been around long enough to be tested thoroughly, or maybe it's been around forever but is now using a faster alogorithm that hasn't been proven to be secure...

If you want security, ask an authority on the matter rather than basing it on inderect things like price, openness, etc.

Re:Still not too bad

[Panaflex]

Ok, lets say you're strolling around and looking to hook some free internet connection, eh?

In the amount of time it takes to walk to the nearest open WAP, you probably couldn't grab enough packets to break WEP.

But if your intentions are, ohh I don't know.. say DARKER. Then yes, WEP is not going to protect the target of your GRISLY, ABYSMAL ABOMINATION of h4x0ring.

I leave my WAP open.. because it reminds me that no communication is secure unless I MAKE it secure. I don't rely on the router or anything else to protect me - only well tested protocols and applications.

Re:Still not too bad

[duplo1]

I disagree. While weak encryption and other security services might offer short-term benefits, one often starts to take it for granted and consider it to be highly secure. This creates a false sense of security and perhaps even a level of hubris that can be devestating when exploited.

Re:Still not too bad

[vidarlo]

Even though in many cases this might be true, and product prices are increased because of it, weak encryption is a lot better than no encryption at all. There are many people out there who might go as far as casual data theft (eg; taking someone at their school's USB memory stick), but even a weak layer of encryption will stop all but those who know what encryption is and where to start breaking it.

If you don't think, you'll agree that weak crypto is better than none crypto. The problem is if you believe the crypto to be strong crypto, and behaves careless. If you imagine something is uncrackable, like pgp pretty much is, but in reality is ROT13, and trivial to crack, you can get a serious backslash.

You would normally not carry the credit card number and all details with you on a usb drive. But what if you used ACME MegaCrypt v2.0 for it? Woudnt you feel safe? Then what if it was not safe? You could end up without a single cent. Even though you had it encrypted...

THat is the problem. Weak encryption might be sufficient if you *know* it is weak encryption and judge it to be enough. If you, however, believe your encryption is foolproof, whilst it is not, then you have a big gaping problem.

Re:Still not too bad

[Purdah]

weak encryption is a lot better than no encryption at all

There are many schools of though on this subject, but in general this train of thought will generally mean LESS security rather than more security.

The reason is that the sort of people who DO NOT know how to choose effective security measures in the first place, will also not be aware of other security measures required to really protect the data.

What this means in practice is that someone who believes the snake oil claims of a particular product will, under a false sense of security, be more reckless with the data, ie leaving it on laptops which get stolen etc.

This is kind of like believing that as my car has a good imobiliser I can leave it unlocked. This is of course great until someone steals the wheels on your car because the key to your wheel locking nuts was left in the glovebox. In this case you still have your car but you are still unable to use it.

Re:Still not too bad

[eMbry00s]

Both!

You don't go bathing with your wallet.

(sorry)

Re:Still not too bad

[nxtw]

Why would you want to use WEP when on most routers WPA v1 or v2 is available and is no harder to set up?!?

Because WPA is inconvenient when you're using a device that doesn't support it.

Re:Still not too bad

behind the fire extinguisher in the hall between room A and room B. Security through obscurity!

Re:Still not too bad

[Jsprat23]

Given that gaim-encryption is currently based off of Mozilla's NSS and NSPR libraries, I think it's pretty safe to assume that the "right people" have looked at them. Most of g-e is an interfacing layer between gaim and the underlying encryption that also prevents replay attacks by inserting nonces into the stream.

Re:Still not too bad

[RoboSpork]

gaim-encryption is flawed in that it is a weak encryption scheme. Off The Record is a far superior gaim plugin providing a much stronger encrytion, authentication, deniability, and secrecy into the future. Read how it compartes to gaim-encryption on their website. Their whitepaper is really good introduction to what can make encryption strong vs what can make it weak, definitely worth a read for anyone new to crypto. And besides all that, open source != secure. That is a really bad assumption to make.

Re:Still not too bad

[inviolet]

If you imagine something is uncrackable, like pgp pretty much is [. . .]

Cracking PGP is still a Hard Problem, but the times they are a'changin'. It may succumb to quantum computing. Or, it may fall under the combined assault of the army of mathematicians who are studying integer factorization. Nobody knows for sure, but the NSA has been telling people for years now to not rely on RSA. They suggest switching over to Elliptic Curve or other advanced algorithm.

Re:Still not too bad

[Phleg]

In which one is a person more likely to leave their wallet?

Am I the only person who thinks the correct answer to this question is in his pocket?

Re:Still not too bad

[k98sven]

To use an analogy, consider two locker rooms. Room A does not have locks on any of the lockers. Room B has locks, but all of them have the same combination. In which one is a person more likely to leave their wallet?

I take it you're implying the correct answer would then be "Neither". And I'd agree.

Problem is, it's not a relevant point. The context here is consumer's ignorance on the performance of crypto products. If someone is buying a crypto product, they must have determined that they need one. Or to continue your analogy: They have already decided that they're going to leave their wallet in a locker. The problem is that they can't tell the difference between a locker room where all the locks have the same combination, and the safer locker room where they don't.

And given that assumption (that they're going to put their wallet in a locker anyway), the poster who claimed that weak encryption is still better than none is right: If you're going to put your wallet in a locker, it's better to put it in one with a bad lock than none at all.

Continuing the analogy: With no lock, any casual bypasser with no particular knowledge at all can easily and quickly check the lockers for any valuables. "Opportunity makes the thief" as they say. Whereas if you at least had a bad lock, finding your wallet would at least require some knowledge of locks. It would also impede the person searching the lockers, which increases the likelyhood of them being discovered before they find your wallet. All in all, a safer situation.

Now obviously, a good and proper lock is better than a bad one. The problem here is that the consumer can't tell the difference when making the choice between the good and bad ones.

But the option of "don't store valuables in it" simply isn't on the table: They've already determined that they're going to store valuables in it, because that's why they wanted a lock in the first place.

Re:Still not too bad

[BobNET]

Room A does not have locks on any of the lockers. Room B has locks, but all of them have the same combination. In which one is a person more likely to leave their wallet?

Put the wallet in your sneaker. I put it down by the toe, they never look there!

Re:Still not too bad

[Ernesto+Alvarez]

Would you please explain why gaim-encryption is weak?

OTR might be a better choice for social communications, as explained in the paper, but that does not make gaim-encryption (or PGP, etc) weak. For its intended purpose both PGP and gaim-encryption seem strong.

If I wanted to authenticate and keep a message secret from eavesdroppers, I would have no problems using gaim-encryption. At work, non-repudiation is really not a problem, and if my key was compromised, IM compromise would be my smallest problem (assuming that with that key, my SSH and PGP ones were compromised too).

If you know gaim-encryption is weak, I'd like to hear about it. But it looks to me that it is strong, provided you know what you're getting into.

Re:Still not too bad

[Lord+Ender]

Peer reviewed does not equal security. It could be there are several known flaws in something that's had "peer reviews"...

Yes, "it could be" that many unlikely things are true. But they are still unlikely.

Are you new to cryptogology? It seems you are unfamiliar with the fundamental tenet of cryptography: "If lots of smart people have failed to solve a problem, then it probably will not be solved anytime soon."

You seem to think peer review doesn't have much to do with cryptography, but I would argue that it is the most important thing. If you expect an algorithm to be "provably" secure, then the only algorithm you have any business using is OTP.

Because it is unreasonable to expect you to hire "lots of smart people" to review any crypto you use, the next best thing is to go for using a solution that lots of people (in general) use, and assume that a subset of those people were smart :-)

You really should pick up this book as a basic intro to crypto.

Re:Still not too bad

[Jeremi]

If you want security, ask an authority on the matter rather than basing it on inderect things like price, openness, etc

Of course, the authority's opinion on the product might be mistaken also. What we really need is a way for laypeople to test a program's security themselves.... some sort of auto-hacker-in-a-box software, perhaps. I have no idea if that's even remotely feasible, but it would be really useful.

Re:Still not too bad

The cheaper the software is, the greater the number of people who could have peer-reviewed it for correctness.

That's sounds highly dubious. What exactly is your reasoning there? That if the software is cheaper, more people can afford to buy it, meaning more people will have the opportunity to reverse engineer it and study the code for correctness?

The fact that more people have the opportunity doesn't automatically mean more people will do so. In fact, the number of people out there scrutinizing any particular software binaries is so small that I doubt the price has any effect at all.

You can divide "cheap" software into two categories.
1) Software which is cheap because of its popularity, offsetting the development costs by high sales. Now, popular software is more likely to be a target for viruses and hackers, meaning more people will look for exploits there. It also means you can spend more money on development, which can mean more QA staff in order to make sure the software is secure, or more competent programmers in order to create correcter code to begin with. So in that case you have at least the potential to be more secure.

2) Software which has low development costs. Which means less resources to spend on reviewing and testing the software. Which means less secure software.

I don't see how you can make any reasonable generalization on price versus security. Possibly on popularity versus security, but even that is stretching it.

The more open the software, likewise.

Certainly true. But the operative words (in both cases) are could have. In reality, extremely few people scrutinize the security of their software even if they have the source code, making it simple to do so.

Really expensive software could only have been peer-reviewed by a small number of people, while free, open source software could have been reviewed by a huge number of people.

That's your basic assumption, yes. And it's flawed. You're assuming that more people reviewing the code means more secure code. I guess you're thinking along the lines of the "Given enough eyeballs, all bugs are shallow" maxim. While that holds true in general a more true statement is "Given a competent enough person, all bugs are shallow". All the "more eyeballs" does is increase the probability that at least one pair of them belongs to a competent enough individual to recognize the bug. 1 expert will find more issues than 10 novices.

Now, if you're working on an OSS project where everybody is working on a volunteer basis, then you have no control over the competence of those contributing or reviewing the code. It's fairly random and that means "more eyeballs" is the best you can hope for.

However, if you have professional programmers working on the code (be it OSS or not) you have control over who's working on or looking at the code. That means you don't have to rely on volume; you don't need the 10 novices if you can afford to hire one expert.

I'd say that if the software is popular and open, then yes, you'll probably have fairly good security. The same goes if it's popular and proprietary, under the condition that the vendor didn't skimp on the development resources. Likewise, it'll be more secure if the software has had well-trained people working on it (regardless of being open or not).

It's all about expertise. Commercial (including but not limited to closed-source) software has the advantage that expertise can be bought for money. OSS developed non-commercially needs to rely on popularity and luck.

So an expensive piece of commercial niche software (i.e. impopular) will be secure even if very few people looked at the code, if the vendor prioritized security and spent money on hiring good people to do so. But a similarily niche piece of OSS software will also generally have few people looking at the code. But in that case, it's more a matter of luck and there are no guarantees.

Many, probably most vunerabilities such as buffer-overflow exploits are found by people (black hat or white) who are explicitly looking for them. Not people casually looking at the code, or even developing the code. And if you know what to look for, you don't really need sources.

Re:Still not too bad

[Lord+Ender]

I'd say that if the software is popular and open, then yes, you'll probably have fairly good security.

It sounds like we are mostly in agreement.

So an expensive piece of commercial niche software (i.e. impopular) will be secure even if very few people looked at the code, if the vendor prioritized security and spent money on hiring good people to do so.

I can't disagree with what you are saying. But when evaluating products, I have no way of knowing for sure "if the vendor prioritized secrity and spent money."

If I were stuck in academia and trying to make a name for myself in crypto, I would begin by trying to find flaws in something that is popular and open source. I'm not the only person who thinks that way, I'm sure.

Re:Still not too bad

[Inode+Jones]

Room A.

And I'll bring my own lock.

Re:Still not too bad

[NoOneInParticular]

Two guys were walking through the desert, when suddenly a lion pops up and starts thundering towards them. One of the guys takes off his backpack, takes his sneakers out and starts putting them on. The other guys looks at him in disgust: "you don't think you're going to outrun that lion, don't you!?". The guys answers: "I don't need to outrun the lion, I only have to outrun you".

In other words, I keep the security of my wireless always just a tiny bit tighter than that of my neighbour; making sure that he's easier picking.

Re:Still not too bad

I take it you're implying the correct answer would then be "Neither". And I'd agree.

Well, no. The correct answer is Room B. He said "In which one is a person more likely to leave their wallet?" not "In which one should a person leave their wallet?".

Re:Still not too bad

[SanityInAnarchy]

If they were writing it from scratch, then sure. But good crypto techniques are fairly numerous, and they are well tested. For instance, SSH+AES+RSA authentication is about as secure as you can make a remote shell. Thus, you don't need a cryptographer to review this if you turn around and implement it in something else, like, say, PGP. All you need is someone with a basic understanding of how the original was implemented, and you need to make sure the code doesn't do anything stupid or malicious -- if it's a closed program, how do you know it's really doing AES, and not, say, a Clipper-like algorithm?

To me, being reviewed by a million non-cryptographers, and having it based on a system already reviewed by 100 cryptographers, makes it much more secure than some blackbox reviewed by 10 potentially corrupt cryptographers.

Re:Still not too bad

[Simon+Garlick]

They have lions in the desert now?

Re:Still not too bad

[RoboSpork]

gaim-encryption uses long lived keys for both authenticating and message encryption. This means all of your past conversations can be unencrypted if your key is compromised at any time, and someone has access to an encrypted record of your conversation.

OTR uses a long lived key for authentication, but it uses a key generation/exchange scheme for message encryption. There is no way that a compromise of your fingerprint key can lead to compromise of your conversations. THe keys for encrypting the conversation are discarded after the conversation, they arent left lying around on the computer so that a laptop thief can later acquire and break into them.

OTR is the scheme to use if you have are having vital conversations that must be kept secret. Gaim-encryption is fine for preventing casual eavesdropping, but a determined attacker could read your conversations, especially if physical access to the computer is a possibility. Given that both plugins function similarly and are about the same complexity to the user, why use the weaker one?

Re:Still not too bad

aye, I congratulate you on your mediocre out-of-the-box thinking, but you're missing the guys point..

Re:Still not too bad

[Fred_A]

I'd leave my wallet in a car analogy's glove compartment.

Analogies only work with cars, you should know this by now.

Re:Still not too bad

[jproffer]

I guess you haven't yet seen http://www.tgdaily.com/2006/08/30/defcon2006_janus _project/ :)

Re:Still not too bad

[NoOneInParticular]

yes, and they get mighty horny too!

Obligatory SoaP reference

[Conanymous+Award]

Samuel L. Jackson's favorite dish: Snakes in Oil! Probably virgin oil at that.

Re:Obligatory SoaP reference

I think you wanted to post that on Fark. Last month.

Re:Obligatory SoaP reference

[Conanymous+Award]

Guess I should have. Burn karma burn...

Then use OSS!!

[JimBowen]

If you are worried about the honesty of vendors, this is exactly why you should be using free cryptography software in the first place, because you know that is going to be strong, and trustworthy, because otherwise someone would have changed it by now. :)
It is also much easier to verify strength by reading the source rather than by reading the binary or by cryptanalysis.

Re:Then use OSS!!

[cduffy]

Using OSS is not a guarantee of strong crypto.

See Peter Gutmann's analysis of open source VPNs back in 2003. To be sure, the situation was not as dire as he described it to be in all these cases -- in some cases such issues were arguably not readily exploitable or were documented as recognized tradeoffs -- but it nonetheless raises a point that even having a substantial group of folks looking at the source doesn't necessarily help as much as it generally does if recognizing the bugs requires special knowledge which most developers don't have.

Re:Then use OSS!!

[portmapper]

See Peter Gutmann's analysis of open source VPNs back in 2003.

That has the following great suggestion:

Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment. Replacing the SSL/SSH data channel is marginally justifiable, although usually just running SSL/SSH over UDP would be sufficient. Replacing the SSL/SSH control channel is never justifiable - even the WAP guys, with strong non-SSL/SSH requirements, simply adapted SSL rather than trying to invent their own protocol.

Re:Then use OSS!!

[cduffy]

Is there a point you're trying to make via that quote?

Re:Then use OSS!!

[portmapper]

Did you read that article you linked to?

Re:Then use OSS!!

[cduffy]

Yes, I did -- once back when it was initially released, and again this morning.

Again, is there a point you're trying to make?

that's when the fun bit comes in

[solevita]

>Even after you use cryptography, you are never quite sure that it is protecting you like it is supposed to do.

Which is why everyone should enjoy themselves trying to break the encryption on any product they buy; be it wifi access point, USB memory stick, or a file encrypted with some PC software; trying to break the encryption is enjoyable and vital to continuing security.

Re:that's when the fun bit comes in

Today's encryption is so highly mathematical, that the average admin - let alone any user - is hopelessly lost were they to try breaking a blob of random data, even if they know the algorithm.

Hell, even programmers of cryptographic software often enough make mistakes. There really has to be a lot of trust into the word of cryptologists these days.

Re:that's when the fun bit comes in

Which is why everyone should enjoy themselves trying to break the encryption on any product they buy; be it wifi access point, USB memory stick, or a file encrypted with some PC software; trying to break the encryption is enjoyable and vital to continuing security.

That's just the way to get a false sense of security. Even if you can't break it, doesn't mean that someone else can't.

Re:that's when the fun bit comes in

[heinousjay]

That works for a very limited subset of everyone.

Particularly the enjoyable part.

Crypto is scary stuff

[smilindog2000]

So, for example, with a post like this, will somebody in a dark suit and glasses show up at my door tomorrow?

Blasphemy #1: I've heard from a claimed friend of one of the inventors of RSA that it was cracked it years ago. Yet, it continues to get worldwide use. Sure my friend was probably full of it... but who am I suppose to trust here? The government?

Blasphemy #2: One of my close friend's mother had to switch fields from Numerics after she published some papers considered too sensitive. It had something to do with factoring.

Blasphemy #3: Anybody else notice that quantum computers have been proven to be capable of factoring really well, but no one has shown that they can solve any NP-hard algorithms? Come on... factoring isn't NP hard.

Then, there's just some silly stuff I've noticed about crypto. Why do we always seem to use encryption just a generation or so ahead of what is needed to crack it? SHA-1 for example... And, why do we encrypt one small block at a time. Each encrypted file usually gives many independent chances to crack the key, and in many cases, some of those blocks have known data. Also, public key is great, but secret key can be easily shown NP-hard to crack (in terms of secret key length) with semi-reasonable assumptions, while public key has no such simple proof. I personally have been trying to prove that no public key system can be NP-hard, but what the heck... I'm not that good. However, I do believe it's probably true.

It seems any time you start talking about crypto, you get assailed by experts telling you just how full of it you are. Consider something simple, like generation of random numbers. Just claiming you can do a good job brings nay-sayers out of the woodwork. See:

        http://linux.slashdot.org/comments.pl?sid=193904&c id=15899118
        http://www.billrocks.org/rng

for how to do it well. Any child could do it (well at least my geeky 6-year-old).

Everything about crypto is scary... Are we being manipulated into using weak encryption? Is there some invisible line, which if crossed, bad things can happen? The scary part is the unknown.

--

Just because your paranoid doesn't mean the world isn't out to get you.

Re:Crypto is scary stuff

Is there some invisible line, which if crossed, bad things can happen? The scary part is the unknown.

That's exactly what it is, I think. Crypto is so complex that, unless you are absolutely sure wtf you're doing, you're better off NOT trying to implement your own crypto algorithm, random number generator and whatnot. Without the mathematical knowledge, you can never completely assess side effects, for example.

A nice page about how novice understandig of crypto can turn into horribly insecure software: http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_v pn.txt

Re:Crypto is scary stuff

[Realistic_Dragon]

sci.crypt is a good read if you are interested in Crypto. However it does tend to get a bit antagonistic towards newbies - and it's not hard to see why.

Approximatly every 12.5 minutes someone turns up claiming to have invented a new:

Random number generator
Unbreakable encryption method
Implimentation of old methods that makes them unbreakable
Proof that shows that all crypto is worthless

The percentage of loons is *so* high that anyone who does have an interesting idea (and who doesn't publish in reputable journals) is dismissed out of hand.

For example, here is a typical conversation from the one sane new poster (posted somewhere between the 999,999 people trying to sell "200000 bit quantum crypto based on the randomness of STARS!!!!!"):

<i>** Hi, I'd like to find out if there's a RNG sandbox somewhere so I can play about with some ideas.</i>

<i>* ARGH! Dont impliment your own RNG! It'll be crap! Here, use product X.</i>

Well, yes, that's true. When it comes to crypto there is a 99% chance that what you impliment will not work properly and as a result will be insecure... but stoping on someone who wants to try some ideas out is just plain wrong. All research doesnt have to take place in academic institutions.

Re:Crypto is scary stuff

[kyb]

17 mistakes Microsoft made in the xbox security system. Perhaps it doesn't surprise you that it's quite a long article, but it's fascinating stuff.

Re:Crypto is scary stuff

[Panaflex]

Well, I think the facts(haha - ahem - as far as is publically known) are this:

I've heard from a claimed friend of one of the inventors of RSA that [it was cracked years ago].
1. RSA is not known to be cracked and in general is still considered HARD - though the rapidly increasing amount of free and cheap CPU time will eventually defeat most of today's common length keys in 35-50 years (who knows?). That said, it may be possible that RSA gets cracked next week - I wouldn't be surprised. I too have a few friends that studied with RSA founders and ashamedly, they have not let me in on the secret crack yet, either. (Need more beer)

[Friend who does factoring moves to Numerics]
That could be anything - really - from "professional jealousy", "national secret", or "I didn't get the right vibe."

Quantum computers
Ahh, shake and bake computing at it's finest. Unortunatly, qubits are pesky little critters that tend to get bored and entangled in relationships during the course of research. Some qubits have been known to file their own myspace profile and entangle with Japanese qubits! Oh, the little horrors!

Seriously though - you don't have to make wild guesses and claims here. When somone really does crack RSA it will be widely known. The only scary stuff with crypto is wild claims and dishonesty.

Re:Crypto is scary stuff

[gkhan1]

Boy, you don't know that much about cryptography, do you ;)

Blasphemy #1: I've heard from a claimed friend of one of the inventors of RSA that it was cracked it years ago. Yet, it continues to get worldwide use. Sure my friend was probably full of it... but who am I suppose to trust here? The government?

That's complete BS. It hasn't been cracked, and it wont be for a long time. Just remember to use big keys and your stuff is safe. As for who you are supposed to trust, you're supposed to trust the huge mathematical community that every day is pounding and pounding and pounding on this problem. They are honest academics, and if there is even a hint of progress it will become public.

Blasphemy #2: One of my close friend's mother had to switch fields from Numerics after she published some papers considered too sensitive. It had something to do with factoring.

I'm not entirely sure what the hell you are saying. Are you saying that your friends mother is a genius mathematician who published a few papers about factoring and was somehow forced to leave the field? That's completely ridiculous, lots of people publish papers on factoring every year. Either you are lying or you have completly misunderstood the matter.

Blasphemy #3: Anybody else notice that quantum computers have been proven to be capable of factoring really well, but no one has shown that they can solve any NP-hard algorithms? Come on... factoring isn't NP hard.

This is a common misconception, that quantum computers will be like a regular computer, "but way faster". This is not so, a quantum computer works in a fundamentally different way, a way that makes it possible to invent algorithms that are way faster than anything on a classical computer. Many of these new algorithms are made for cryptanalysis, namely Shor's algorithm (integer factorization in polynomial time, breaks RSA), the discrete logarithm algorithm (breaks Diffie-Hellman) and Grovers algorithm (would speed up standard brute forcing cracking, but only a quadratic amount which means that you can just double your key length, and it's still as hard).

As for complexity, the decision-problem form of integer factorization ("Is there a factor of M smaller than N?") is indeed in NP, but the specific class is an unresolved problem. Most people doubt that it is in either P or NP-Complete which would most certainly make it NP-hard (unless P=NP ofcourse, but that's a whole 'nother discussion ;) Maybe you are thinking of primality testing, which has very recently been proven to be in P. The whole village rejoiced.

Then, there's just some silly stuff I've noticed about crypto. Why do we always seem to use encryption just a generation or so ahead of what is needed to crack it? SHA-1 for example...

Has been a problem in the past, but we've learned our lesson. 256 bit AES will (very possibly) never be cracked by an ordinary computer. A quantum computer might, but it would have to be one bad-ass quantum computer. 256 bit AES is completely safe.

And, why do we encrypt one small block at a time. Each encrypted file usually gives many independent chances to crack the key, and in many cases, some of those blocks have known data.

It doesn't matter one iota whether a block has known data or not. You still need the key to have any idea what is in there or not (that is, imagine you suspect a block of data Y has encrypted X, there is no way you can prove that if you don't have the key). There is something called chosen plaintext attack which you can do a similar thing in public key cryptography, but it is only works in bad implementations of it.

Also, public key is great, but secret key can be easily shown NP-hard to crack (in terms of secret key length) with semi-reasonable assumptions, while public key has no such simple proof. I personally have been trying to prove that no public key system can be NP-hard, but what the heck... I'm not that good. Howe

Re:Crypto is scary stuff

[dhasenan]

"Blasphemy #3: Anybody else notice that quantum computers have been proven to be capable of factoring really well, but no one has shown that they can solve any NP-hard algorithms? Come on... factoring isn't NP hard."

There is no proof that it is and no reason to think that it is. We just have no fast algorithm for it.

"Then, there's just some silly stuff I've noticed about crypto. Why do we always seem to use encryption just a generation or so ahead of what is needed to crack it?"

That's largely a matter of key sizes. We choose them according to the hardware we have to brute-force the key; we want our data to be secure for a certain amount of time. And the rest is a matter of the difficulty of finding exploitable weaknesses in the algorithm--that takes time, so the longer the algorithm is used, the more likely it is to be cracked.

"And, why do we encrypt one small block at a time."

If you don't like block ciphers, use a stream cipher. Or create an encryption algorithm that operates on an arbitrary amount of data at once; I just hope you have twice as much RAM as anything you want to encrypt. Simply put, block ciphers are the simplest method we have of scaling an encryption algorithm.

"Each encrypted file usually gives many independent chances to crack the key, and in many cases, some of those blocks have known data."

If the block has known data, then you only need to try different keys until you get that data rather than trying keys until you get sensical data and then trying the key in question on multiple other blocks, but it's only going to be a minor decrease in the amount of time required to crack it. And any worthwhile algorithm will be proof against known plaintext attacks.

"I personally have been trying to prove that no public key system can be NP-hard, but what the heck... I'm not that good."

Take it on a case-by-case basis. Develop exploits for a large number of public key cryptography systems. You might not prove that all public key systems are secure, but you'll definitely destroy confidence in public key cryptography. A pity, though; it's quite useful.

"It seems any time you start talking about crypto, you get assailed by experts telling you just how full of it you are. Consider something simple, like generation of random numbers."

Well, you're not an expert, so you actually are full of it. Hardware RNGs aren't difficult to make; it's just that no computer company has found it worthwhile to market them on a large scale; DPRNGs are difficult to make, but since we don't deploy hardware RNGs on a large scale, they are necessary.

Don't like it? Use Linux, get a hardware RNG, and direct its input to /dev/random. Then modify your software to use that rather than its cryptographically secure DPRNG.

Re:Crypto is scary stuff

[YoungHack]

Blasphemy #1: I've heard from a claimed friend of one of the inventors of RSA that it was cracked it years ago. Yet, it continues to get worldwide use. Sure my friend was probably full of it... but who am I suppose to trust here? The government?

I'm a professional mathematician and have had the opportunity to work with and become friends with some big names in number theory and factoring. No one can know for certain, but my friends were of the general opinion that RSA was probably okay.

Blasphemy #2: One of my close friend's mother had to switch fields from Numerics after she published some papers considered too sensitive. It had something to do with factoring.

The US government was very serious about suppressing the publication of some of the early factoring results, but the mathematicians that I know are still working in that field (for over 10 years) after having published anyway. It seems almost surreal now that they were getting calls from the NSA, because the academic cryptography field has grown so much since then. They're still in the field and still publishing.

Blasphemy #3: Anybody else notice that quantum computers have been proven to be capable of factoring really well, but no one has shown that they can solve any NP-hard algorithms? Come on... factoring isn't NP hard.

I can't give any response to this. You may be right.

Re:Crypto is scary stuff

[Tack]

And, why do we encrypt one small block at a time. Each encrypted file usually gives many independent chances to crack the key, and in many cases, some of those blocks have known data.

They're only independent if you use ECB, and anyone using ECB deserves what they get. Cipher modes like CBC or CTR solve these problems.

Re:Crypto is scary stuff

[Lord+Ender]

You really do sound paranoid. Unless you are totally ignorant, you must know that any math/copsci student who could show a well-established crypto system is easily breakable would have his career set for life.

So you must think it is possible that every time one of these students publishes a paper on a fast way to factor large numbers, he vanishes, never to be seen again. How many people vanished from the math dept. of your school? That just doesn't happen. Unlless "they" (meaning all of academia) are also in on it.

Come on, think it through. It's unreasonable.

Re:Crypto is scary stuff

[Atrus5]

On the topic of complexity classes ... Currently, the decision problem form of factorization is known to be in NP, co-NP, and BQP. Because it's within NP, it can not be NP-hard without being NP-complete. If it were shown to be NP-complete or co-NP-complete, that would imply that NP = co-NP, which is currently believed to to be false.

BQP is "bounded-error, quantum, polynomial" and represents what quantum computers are capable of. It is known to contain P and BPP, and to lie within PP and PSPACE.

Your claim that quantum computers should be able to solve NP-hard problems (presumably in polynomial time) doesn't make sense ...

I believe that your formulation of the problem, "any public key cryptosystem", makes it impossible to prove anything. I think you should at least make a list of problems that are currently used as the basis of various public key systems and start hacking at them ...

I'm sorry, but your post borders on incoherent, so it's difficult to comment on more of it.

Re:Crypto is scary stuff

[u38cg]

Well, Cocks at GCHQ derived RSA independently four years before Rivest, Shamir et al. figured it out. One of my (brighter than me) friends went to work at GCHQ (on what I don't know, but he is a wrangler), and his only comment on the place was "it fucking blew my mind how far ahead of the rest of the world they are". It wouldn't surprise me in the least that they have discovered how to fast factor.

Re:Crypto is scary stuff

[Chandon+Seldon]

All research doesn't have to take place in academic institutions, but people who claim revolutionary results should be expected to have a decent background in the field.

What would you expect to happen if I showed up in sci.physics.catapults and said:

I've developed a revolutionary new catapult based on my super-accurate estimation of acceleration due to gravity at 11 m/s^2! With my new iterated approximation algorithmic technique, I can calculate trajectories so accurately I can hit a fly on a wall from a mile and a half!

That post is going to get flamed. Even the nice person is going to say "With your estimation for gravity off by 10% you're not going to get anywhere near that accuracy. Oh, and you should look at the literature for calculating trajectories - it's a solved problem."

Re:Crypto is scary stuff

Heh heh. "Cocks." Heh heh.

Re:Crypto is scary stuff

> Come on... factoring isn't NP hard

No, it probably isn't. From the quadratic sieve onwards, it has been known that factorization can be done in subexponential time, whereas for NP hard problems, only exponential algorithms are known.

Re:Crypto is scary stuff

[Spiked_Three]

"That's complete BS. It hasn't been cracked"

That's double BS. Let's just be real honest with ourselves; with our big brother US government - there isn't an (unclassified) encryption scheme that they can't rip through like butter. Do really think they would let encrypted messages go across the internet if they couldn't get at them if they wanted to? Have you seen the news lately?

"Either you are lying or you have completely misunderstood the matter."

Obviously you have never done any research on areas that threaten national interests. People get visited every day and ask to 'study something else'. Refuse and you get to meet Mr. IRS man. I've seen it.

"Both open source, both readily available, and both uncrackable"

LOL

Look - you're obviously a little naive on reality here. The world is not a nice safe place and given the opportunity people will not all 'just get along'. There are sciences that you are totally ignoring because, well the government(s) doesn't want you to think about them - but go dig out an old movie - like Mercury Rising - and open your mind up a bit to reality based fiction.

Re:Crypto is scary stuff

[zenthax]

Obviously you have never done any research on areas that threaten national interests. People get visited every day and ask to 'study something else'. Refuse and you get to meet Mr. IRS man. I've seen it.

IRS man? The Internal Revenue Service...? Geez I know aduits suck and all but I don't see how that would strike fear into the hearts of a humble researcher...head of a fourtune 500 company maybe...

Re:Crypto is scary stuff

[gkhan1]

Ohh, you're one of those people. The paranoid, cynic, LBJ-killed-Kennedy people with more willingness to post on slashdot than knowledge about the subject. There is a name for those kind of people, and infact, it's one of the moderation options on slashdot....

First off, on the you-can't-do-research bit. My point was that there are thousands of scholars working on this very subject every day, yet they never get threatened by any sort of law enforcement? How does that fit with your little paranoid world-view?

And, as for modern ciphers being uncrackable, lets have a little demonstration. You obviously have no clue about the numbers involved, so lets do this slowly. It is common knowledge that DES has been cracked. A couple of years ago someone built a machine that could crak DES in 7 hours, unacceptable in modern terms. Today, a supercomputer could maybe crack it in a half-hour or so, probably even a shorter time than that. Now, let's imagine an impossible machine, the fastest machine ever created in any universe, fictional or real. This machine can crack DES in a femtosecond. How long is a femtosecond, you ask? It's one quintillionth of a second, or 10^-15 seconds, or 0.000000000000001 seconds. That's way to short a time for anything at all to happen, infact, during that time, the speed of light can only travel about 0.0003 millimeters. Infact that number is so small that the human mind can't really picture how small it is, just like the human mind can't understand how big 1 quintillion is. Anyway, let's suppose that this computer can crack DES in that amount of time (meaning it can crack 1 quintillon DES ciphers per second!) Suppose we set that computer onto a modern cipher, namely 256bit AES. How long would it take to crack that?

Let's see: Assuming that AES and DES takes approximatly the same time to execute (which is true, AES is about twice as fast), since for each increase in bit-length, the time to solve it doubles, that means (since DES has a 56 bit cipher) that it would take 2^(256-56)=2^200 femtoseconds. Let's convert that to something we can understand. 2^200/((10^15 femtoseconds in a second)*(3600 seconds in an hour)*(24 hours in a day)*(365 days in a year)) = 2^200/(10^15*3600*24*365) = 50955671114250072156962268275658377807 years (rounded to the nearest integer). Let's stop and think about this for a minute. That mindnumbingly fast computer (one that will probably never be built, a neither classical nor quantum computers will ever be that fast), so fast that to imagine one is a feat impossible to human beings, for it, it would take 50955671114250072156962268275658377807 years to complete!!! You do realise that the age of the universe is only about 13700000000.

However, you probably won't be convinced. Your type never gets convinced. But you know what, it's not just the math that backs me up, every security expert in the world that has any weight agrees with me. So why don't you go back to your little hole, and dream up another cynical consipracy theory. Because kid, when it comes to cryptography, you're out of your element.

PS. You said "LOL"! You actually said "LOL"! On slashdot? Seriously dude, you are one sad individual.

Re:Crypto is scary stuff

[Spiked_Three]

"Ohh, you're one of those people. The paranoid, cynic, LBJ-killed-Kennedy people with more willingness to post on slashdot than knowledge about the subject." Nope, just someone with more security clearences than you'll ever know of who worked for a retired head of cryptography, CIA for a couple of years. Take your math and shove it, it has nothing to do with solving the problem.

Re:Crypto is scary stuff

[gkhan1]

Look, Mr. Partain, you were kinda funny at first, but know I just feel sorry for you. Maybe you should reexamine why you even visit slashdot, maybe you'd like some other site better, like myspace or youtube. They have neat videos at youtube, I bet you'd like it. You're playing with the big boys on slashdot, and if you can't even present an argument, you should probably just forfeit the game. Listen, I'll give you an out, don't respond to this post, and we will forget that this discussion ever happened. You got in over your head, that's understandable, let's end this with some dignity, ok?

Re:Crypto is scary stuff

[Spiked_Three]

why would i back down? But tell you what - arguing with you now on this thread serves me no purpose - the government likes your type, it makes their job a lot easier - but I will offer to step up my game, write out big long sentences so that even slashdot crowds can understand them when the next crypto article comes around or gets repeated.

We can keep it civilized - i had a dozen arguments against your points earlier but i was too lazy to post them - but when they will be seen by more people I will gladly share them with you.

Deal? remind me if I forget - spiked3@gmail.com

google Kryptos - that was 'designed' by the man i worked for - not the artist.

peace

Re:Crypto is scary stuff

[Spiked_Three]

LOL

No reply? Looks like someone else realized they may be in over their head :)

Re:Crypto is scary stuff

[WuphonsReach]

Rather then add what other posters have said... I'll leave it at this.

Go check out a copy (or purchase) of Practical Cryptography by Ferguson and Schneier. Read the first few chapters which discuss things like known-plaintext attacks, why we use block ciphers and what the estimated strength of the various algorithms are. The rest of the book gets into the nitty-gritty details, but the start of the book is suitable for anyone with more then a passing interest in crypto.

After that (or before that) you should also read Secrets and Lies which will help you to put things into perspective. Schneier does a very good job of arming the reader with the knowledge needed to make informed decisions about the process of security. Encryption is generally worthless without considering the overall picture.

As Schneier (and others) have said. Encryption is like a very sturdy pole in the ground. It's merely one part of the security system and often not even the weakest point of attack.

Re:Crypto is scary stuff

[WuphonsReach]

Without digging out my copy of Practical Cryptography, CBC also suffers the same flaw or similar flaw as ECB. It's the reason that the TrueCrypt folks switched from CBC to LRW for disk encryption. (And why tweaked CBC algorithms are popular.)

Re:Crypto is scary stuff

[smilindog2000]

Thanks for the info... these sound like good books.

As for all the replies, well thanks! I'm obviously not qualified to talk much about encryption. As for hardware random number generators, yes I am qualified, having done it well. It's a rather trivial problem in comparison to encryption, though you gotta love that lava-lamp based rng.

On most forums I wouldn't post my ill-informed opinions, but this is slashdot :-D

Re:Crypto is scary stuff

[Tack]

Without digging out my copy of Practical Cryptography, CBC also suffers the same flaw or similar flaw as ECB.

It all depends on the IV. If you use a fixed IV, then CBC has the same problem as ECB for the first block. For a strong IV, I believe CBC should be strong. For encrypted filesystems, it may well be that there's no good way to generate an IV that's safe to use with CBC. I do recall dmcrypt implementing ESSIV to thwart watermarking attacks, but there may be other kind of information leakage and it happens that for disk encryption there's no great way to choose an IV that is secure with CBC.

It's been a while since I've looked into this stuff. I hadn't known aobut LRW but I'll have to read up on it. Thanks.

Re:Crypto is scary stuff

i had a dozen arguments against your points earlier but i was too lazy to post them

You Lose, Transparent Idiot.

Re:Crypto is scary stuff

[smilindog2000]

Sorry it took so long to reply.... Good points. I'll only respond to a few.

"Boy, you don't know that much about cryptography, do you ;)"

Er... no. But hey, this is /. :-)

"That's complete BS. It hasn't been cracked, and it wont be for a long time."

One link to doubts about RSA:

http://www.vnunet.com/vnunet/news/2118141/1024-bit -encryption-compromised

"Are you saying that your friends mother is a genius mathematician who published a few papers about factoring and was somehow forced to leave the field?"

Yes, but this was a long time ago. Early on, the government actively tried to control published research into factoring. There's another post on this thread that mentions this. I believe my friend's mother (and father) was a mathematics professor at Cal Tech.

"Most people doubt that it is in either P or NP-Complete which would most certainly make it NP-hard"

Not according the the gospel of truth (cough) wikipiedia.org: Because of the compelling evidence that factorization is not NP-complete, many believe such an algorithm is likely to exist. (refering to a polynomial time factorization).

"256 bit AES will (very possibly) never be cracked by an ordinary computer."

I tend to agree. It's easy to see that secret key encryption can be made very safe. Munge the data so it looks random, then munge with the secret key. Unless you've got a crappy munging algorithm, decryption will be hard. However, I still don't like the 128 bit block thing. Why not use blocks that are at least as long as the key (AES256 still uses 128 bit blocks)?

"No we're not being manipulated into using weak cryptography!"

You don't secretly work for the NSA or CIA, do you? ;-)

Re:Crypto is scary stuff

[gkhan1]

As for the RSA being cracked part, it is true that using a short key (1024 bits) might be compromised (just to be clear: it hasn't been cracked yet, it's just that it could be in the forseeable future), but RSA itself is still very secure. Use a 2048-bit key, and you'll be safe for a century, or a 4096-bit key and you'll be safe for a few thousand milleniums.

While it is true that in the early days, the goverenment didn't want these algorithms getting out (they said that giving a lecture on RSA would be punishable as a weapon smuggling offence), there is no report that they hassled the people making them. I mean, for instance, Whitfield Diffie has never said such a thing. And I've never heard anyone else claim it. However, if you say it's a firsthand account, I won't dispute you, you know better in that case.

As for the wikipedia article, if you look two paragraphs up it says: "Many people have tried to find classical polynomial-time algorithms for it and failed, and therefore it is widely suspected to be outside P". ;) While there is by no means consensus in the field, most people feel that it is unlikely to be in P. Also a quick note: there is a difference between NP and NP-Complete. Many people think that they are synonymous, but they aren't. I'm not sure if you're under that impression, but I though that I'd clear that up, just in case :)

The block size isn't really important when it comes to cryptography atleast after a certain point: a 128-bit block cipher is essentially as hard as a 256-bit cipher (actually that's not entirely true, 256-bit is alot harder, just that 128-bit is hard enough for it not to matter anymore). For a 128-bit block size to become an issue, you would have to encrypt around 256 exabytes. Since it is estimated that the sum of human knowledge (that is, information created by humans, audio, video, text, etc.) is about 12 exabytes, it would have to be ALOT of information for it to be compromised ;) However, if you want, Rijndael (ie. AES) comes in a 128, 192 and 256 bit-block sizes. Take your pick.

And no, I don't work for the CIA (I work for the Greatest and Noblest Order of Masons, and we rule the world from behind the scenes!!!! Ahh, crap, now I'll have to kill ya....). I'm just saying, there are free tools which provides absolute security, and are completely open source. We have arrived at a point in history where we can store information and know that it is safe for perpetuity. Modern ciphers are that good.

Appriciate the response. Cheers!

Snake oil that uses AES

[Paul+Crowley]

Many Slashdot readers are savvy enough to know that when a software product advertises itself as using, say, secret encryption algorithms with 10,000 bit keys, it's probably snake oil. But I'm seeing increasing amounts of snake oil that uses the Advanced Encryption Standard, AES, and it can be just as weak.

AES itself of course is nigh-on as trustworthy a cryptographic primitive of its kind that we have. But just because you've used the right primitive, doesn't mean you've built a secure product. You have to consider what chaining mode to use, how to handle passphrases if they exist, how to keep your secrets secret, defense against side channel attacks, and more.

What I look for is a product that provides enough information that I can actually assess its security - what attacks they've considered and how they've built the product to defend against them. What I see disturbingly often is a bald declaration that the product is secure, because it uses AES.

Re:Snake oil that uses AES

[flyingfsck]

Actually, there is a simple test that can give you a some idea of the quality. Take a large file an encrypt it with the tool of choice. Then compress the file with gzip or even winzip. If the result ends up larger than the original, then the encryption is probably OK. If the result ends up smaller, then it is obviously snake oil.

Re:Snake oil that uses AES

You have to consider what chaining mode to use,

Huh? CBC or Chained Block Cipher is even part of the standard. See RFC 3602 for example.

Re:Snake oil that uses AES

[Paul+Crowley]

You illustrate my point - see some of the other comments I've replied to. CBC is hard to use correctly because the IVs have to be unpredictable to the attacker. CTR mode is generally a much better idea. Better yet, use EAX or GCM modes, which provide authentication as well as encryption. Frankly I'm sorry to hear that RFCs that propose using CBC mode with AES are being published; I know of no genuine advantage it offers over CTR mode. See

http://csrc.nist.gov/encryption/modes/workshop1/pa pers/lipmaa-ctr.pdf

Re:Snake oil that uses AES

[Paul+Crowley]

It's worrying that you believe this. Even the worst snake oil is rarely so bad that a standard compressor can compress the output.

It requires expensive... blah blah blah

[melted]

>> It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography

No. It requires reading a couple of good, inexpensive books and understanding of what the heck you're doing. Math behind the whole thing can be complicated. But you don't really need to understand the math 100% here. All you need to know is whether an algorithm is considered "strong" by today's standards, understand a few key concepts, guard your keys, and aproach security related coding with a healthy amount of paranoia.

In other words, a decent developer can get a pretty good understanding of this all in two weeks or less. And these skills need to become "common" already.

Re:It requires expensive... blah blah blah

[zolaris]

Yeah sure they can get a great understanding of crypto... with inexpensive books. Just curious do you know how many crypto courses at top level universities rely on textbooks for teaching crypto? I'd suggest discounting any books where the professor is the author. But even with that, it will probably be very small. There are recommended books but in my crypto classes (granted Johns Hopkins isn't exactly the number one crypto school in the country or world but I'd like to think we are half way decent) we never cracked a textbook. Sure we read a bit of papers but is average Joe developer really going to read through any crypto papers? I know I wouldn't unless I had to.

[Sarcasm captioning*]On a side note, let me know what project you are working on where developers employ crypto after about two weeks of reading some books.[/sarcasm captioning]

*Sarcasm captioning provided for cya purposes only and not for any public benefit.

Re:It requires expensive... blah blah blah

[canuck57]

No. It requires reading a couple of good, inexpensive books and understanding of what the heck you're doing.

That is an understatement.

Reminds me of the time I watched a finance person use PGP to encrypt a very sensitive file they sent via email. They did everything right except for one critical part.

After the file was encrypted, they deleted the original one as per instructions. Trouble was it was in the "Recycle" bin a readable.

Re:It requires expensive... blah blah blah

In other words, a decent developer can get a pretty good understanding of this all in two weeks or less. And these skills need to become "common" already.

1) There are relatively few decent developers. Perhaps 1 in 500.
2) A "pretty good understanding" isn't enough.
3) You are talking out of your ass.

Re:It requires expensive... blah blah blah

[madcow_bg]

After the file was encrypted, they deleted the original one as per instructions. Trouble was it was in the "Recycle" bin a readable.
And how is THAT supposed to be a problem of the encryption?

The truth is that electronic materials leave traces. Recycle bin? Don't get me started on the swap file, and so on, and so forth.

99% of using encryption is to know what you're doing. That's what the GP said, and that is the truth. 99% of the posts underestimate human intelligence so much, that I would believe there is actually nothing done with reverse engeneering - but mind my words - people are smarter than that. They just need to be educated.

Re:It requires expensive... blah blah blah

There are recommended books but in my crypto classes [...]

Look, it really doesn't matter what your point is, because you don't do this stuff in the real world. Be quiet now while the grown-ups are talking.

Re:It requires expensive... blah blah blah

it was in the "Recycle" bin a readable.

And how is THAT supposed to be a problem of the encryption?

Yes it is, the human factor. Mistakes by people still rank number one.

No, it's much harder than you think.

[Paul+Crowley]

If you believe that, no wonder so much insecure stuff is being written. I have been called upon to review code written by developers with your level of knowledge in crypto. They do things like use RSA without proper padding, or use predictable IVs in CBC mode, or fail to properly authenticate the message. They also add totally unnecessary complexity to the system in the mistaken belief that their improvements make it more secure. I shudder when I see a copy of "Applied Cryptography" on the shelves because it is just enough knowledge to be dangerous.

Even the experts make errors in cryptographic protocol design and implementation - I've been doing this for ten years and I've made at least one howler myself. Why do you think, contrary to the advice of pretty much everyone who really knows their stuff, that people with a couple of week's worth of knowledge can get this stuff right?

Re:No, it's much harder than you think.

[zolaris]

I agree entirely. I did quite a bit of crypto study (both the math and the protocol) for my masters. A vast majority of crypto protocols are broken in some form or another. Granted this is usually a minor flaw that gets fixed in version 2, 3 etc. (a la SSL) or something that just gets changed in name to add in the guy that figured it out. Which kind of demonstrates your point,

Even the experts make errors in cryptographic protocol design and implementation... .

I think the best part of a presentation was when one of my classmates at the end of his PowerPoint had one slide. That slide said "Crypto is hard.". We all laughed but it's very true. From a conceptual standpoint it's difficult to grasp why something is insecure. However it is very easy for someone to believe something is secure. So the end result of that is someone not finding a flaw and believing that his/her data is protected.

I also heard a story (not sure if it was true or not) about Bruce Scheiner saying something at a conference or maybe in a book of "I am writing this book to show all of the people who read Applied Cryptography that if they only read that book they don't know anything about Cryptography." And that statement amuses me because it will probably always be true.

Re:No, it's much harder than you think.

I am one of those developers using predictable IVs having only read Applied Cryptography. Can you recommend any further reading? Any help would be much appreciated.

Re:No, it's much harder than you think.

[Paul+Crowley]

Er. To that specific question, I recommend using EAX or GGM modes, which are much easier to implement and to use correctly; they include authentication as well as encryption. However, to the more general point, the answer is to try to use existing crypto protocols rather than rolling your own wherever you can, and to get expert help if you can't. I haven't read it but I'm told Ferguson and Schneier's "Practical Cryptography" is aimed at people in your situation.

Re:No, it's much harder than you think.

[Bishop]

Scheiner wrote that book. It is Secrets & Lies. This quote from the preface sums it up:

The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were The AnswerTM. I was pretty naïve.

Re:No, it's much harder than you think.

[Lord+Ender]

I shudder when I see a copy of "Applied Cryptography" on the shelves because it is just enough knowledge to be dangerous.

Which books would you want to see on someone's bookshelf for you to consider respecting them?

Re:No, it's much harder than you think.

[Paul+Crowley]

Which books would you want to see on someone's bookshelf for you to consider respecting them?

Conference proceedings are a good sign, especially with your name on the contents page :-) Seriously, no book on the shelf can be a badge of expertise or otherwise, and I imagine most people who know what they're doing also have a copy of AC. It's just that there are a lot of people who consider themselves qualified to write cryptographic software because they've read it, and that just isn't so. If you're asking me to recommend a book, I've heard good things about Practical Cryptography.

Re:No, it's much harder than you think.

[melted]

>> developers with your level of knowledge in crypto

As a matter of fact, you don't know my level of knowledge in crypto. Which kinda makes you sound like an insecure snake oil salesman in the rest of your missive.

Re:No, it's much harder than you think.

[Paul+Crowley]

Actually your comment that I replied to gives me a fairly good idea of your current level of knowledge in crypto :-) It's sweet the way so many Slashdot users think that darkly hinting at an unspoken expertise will make us wonder if they are in fact Adi Shamir, but really, you give yourself away.

Re:No, it's much harder than you think.

[WuphonsReach]

IIRC, he talks about it again in Practical Cryptography (regarding the naivety of Applied Cryptography). I think... I've been reading both books at around the same time, so things get mixed up.

How is this different from any other product?

[njdj]

Products that implement cryptography are probably credence goods. It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography, and most people cannot easily distinguish between very weak and very strong cryptography.

Can you distinguish, by inspection, between a reliable automobile and a piece of junk that will barely last 2 years? I certainly can't. So I rely on reviews by people I trust when I buy a new car.

In the field of cryptography there are several people who have written peer-reviewed books about cryptography, are trusted in the community, and who occasionally review products. Bruce Schneier is one (there are others, use Google, this is not mean to be a puff for Schneier or his company).

There are also open-source cryptographic programs, which are peer-reviewed and definitely not snake-oil.

Re:How is this different from any other product?

There is also the obvious: given human fallibility, it's almost impossible to prove any program bug free. Writing good code is HARD - and it ends up with bugs. Understanding the principles behind cryptography is hard: you then have to find someone who can read and understand your code AND find the bugs to prove your code is good, you understand the algorithm and you've implemented it correctly with no obvious bugs.

Re:How is this different from any other product?

[WuphonsReach]

Schneier comes up a lot because he's done a very good job of bridging the gap between mere mortals and those who work on crypto systems. Books like Secrets and Lies or his CRYPTO-GRAM monthly e-mail newsletter where he explains crypto systems in plain english.

I get a kick out of reading about products in the "doghouse" in the monthly CRYPTO-GRAM.

(I know just enough about cryptography to know that I shouldn't try to roll my own...)

or

[xmodem_and_rommon]

or you could just take the common sense approach and use products that rely on algorithms that are open, widely tested and reviewed, and known secure. Algorithms like Blowfish, AES, etc. I use Apple's built-in Filevault protection to encrypt my Powerbook's hard disk, in the event that it is ever stolen. It uses AES-128, which means I know that no-one is getting in without my password.

Any vendor that relies on a custom algorithm for their encryption technology shouldn't be trusted.

Re:or

[TCM]

Any vendor that relies on a custom algorithm for their encryption technology shouldn't be trusted.

Of course.

But even then there are vendors who claim to be using AES and end up introducing implementational flaws that are not obvious to the user. It's not just algorithms that need to be reviewed but complete implementations.

Nice read: http://www.schneier.com/crypto-gram-9902.html#snak eoil

Re:or

[swelke]

...use products that rely on algorithms that are open, widely tested and reviewed, and known secure.

Just because the algorithm is widely tested and known to be secure doesn't make the software based on it secure. It's very easy to take a secure algorithm like AES and make a totally insecure program by, for example, not encrypting all of the data it should, or by selecting the encryption key poorly so that it's easy to "guess",meaning you might only have to check 2^20 keys to decrypt that email of yours instead of 2^128, like you're supposed to have to. So instead of being secure against years of hard cracking, your data is compromised in seconds. Besides that, there are other ways to build a crappy program that I'm not a good enough cryptographer to know.

Re:or

[rew]

or you could just take the common sense approach and use products that rely on algorithms that are open, widely tested and reviewed, and known secure ... and in reply I quote the blurb from the article on slashdot:

"Even after you use cryptography, you are never quite sure that it is protecting you like it is supposed to do."

If it claims to use AES, does it really? Even if it actually does, are you sure it doesn't conveniently store the key somewhere? Even if it doesn't do anything this stupid, are you sure it doesn't leak one bit of your key in every encrypted block?

The implementation around a secure algorithm is just as important as the algorithm itself. Even if you have the source, some problems can be difficult to detect.

Don't use weak ROT-13

[CrazyJim1]

Get creative, use Rot-14 or something.

Re:Don't use weak ROT-13

"Get creative, use Rot-14 or something."

Rot-14 is weak, but tripe-Rot-14 is safe (for now). For maximum security, write in Chinese, and use Rot-2453

Re:Don't use weak ROT-13

Please! ROT-14 is almost as bad as ROT-13. I hear there's a machine in the basement of the NSA that can crack any of ROT-13 through ROT-18 in less than two days!

No, use ROT-26, that's like two times as strong as ROT-13 and your secrets should be safe for at least a hundred years.

Re:Don't use weak ROT-13

[cortana]

We need a feature addition to Slashcode that does that repeated-plunging-of-penis-shaped-sound-wave thing into the head of anyone who rehashes the thired, old ROT-13 joke in one of their posts.

At least '1, 2, ???, profit', 'I, for one...' and 'haha it says nothing to see here OMGWTFBBQAOLCIA' are finally being retired.

Re:Don't use weak ROT-13

[maxwell+demon]

1. I for one welcome our new rot13 joke fighting overlords.
2. ??? (Nothing to see here, please move along)
3. Profit!

SCNR :-)

Re:Don't use weak ROT-13

[cortana]

I guess I asked for it, didn't I? :)

Re:Don't use weak ROT-13

[kestasjk]

I know it's a joke, but I thought I'd clear up a common misconception; ROT-13 by definition isn't encryption. Encryption requires a key to decrypt, you can know the encryption algorithm but can't know the data without the key. Encoding only requires an algorithm.
ROT-13 is encoding; ROT by an unknown amount, where the unknown amount is the key, is encryption.

Re:Don't use weak ROT-13

[noamsml]

Ha! I use ROT-26 to encrypt MY messages!

Re:Don't use weak ROT-13

[gkhan1]

Exactly correct. The name of that algorithm btw is a Ceasar shift or a Ceasar cipher since Ceasar used it (Gaius Julis, that is).

Some insights about the article

[owlstead]

It's pretty well known that there are many snake oil products that deploy cryptography. Bruce Sneier frequently displays snake-oil cryptography products in his newsletter, for instance. And these are just the really obvious ones.

Some time ago, I tried to evaluate if a Enterprise Service Bus (intercomponent communication) was fit enough to be put into a production environment. It said that it had AES encryption build in. When I looked at the manual, it displayed a pop up window where you could choose the key-size. It listed exactly all key sizes that were *not* possible for AES. This was a very short evaluation, I can tell you. This also shows a very important thing about cryptography: the algorithms used say very little about the security of an application.

Generally, the manual for cryptographic services is easy to find. This is simply because cryptography is added at the end of the development lifecycle. This is logical because cryptography is not part of the main functionality of most applications (e.g. mime encryption in email products). It's something that was added after the products main functionality was finished. So just look at the last paragraph, or Appendix Z and you are looking at it.

Sometimes it is easy to see why so many products contain bad cryptography. Take XML signatures for instance. XML signatures themselves contain *references* to the data that is signed and the cryptographic techniques used. If you are to verify an XML digital signature, you *must* check if these are not altered. Furthermore, you must keep the XML schema-definitions on your own disk, and not retrieve them from the internet. Nevertheless, I've not seen any API-documentation even mentioning this rather obvious cryptographic insight. You can rest assured that there will be many implementations that will get this wrong.

Cryptography is hard.

The real insight of this story is the listing of the products into "credence goods". If you can call this new insight. Otherwise, it's just stating the well known/obvious.

Re:Some insights about the article

[rbannon]

You said, "The real insight of this story is the listing of the products into "credence goods". If you can call this new insight. Otherwise, it's just stating the well known/obvious." And I agree, but we also need an infrastructure where encryption is a given and is transparent to all users. For example, I believe https works, but I don't really need to do anything special. This of course largely depends on an infrastructure where certain certificates are trusted. Now for email, s/mime works, but to many it looks scary and requires users to think.

BTW, thawte offers free s/mine email certificates.

Re:Some insights about the article

[WuphonsReach]

Cryptography is hard.

I prefer to say that cryptography is easy, it's the implementation of the cryptography that is fiendishly difficult. And key-management is even more difficult. (There are enough published cryptography algorithms and PRNG algorithms that are widely trusted and generally considered secure. Things generally fall apart in other areas, usually key management.)

Truecrypt

[urikkiru]

This is something I've often considered about commercial encryption software. There's just no way to be sure of their validity, as they are closed source implementations. Open source solutions like Truecrypthttp://truecrypt.sourceforge.net/ are at least somewhat more trustworthy, in that they can be openly reviewed by anyone. Despite the fact that I know jack all about the specific math behind AES and such, at least I can read some simple explanations of the concepts, read the source, and decide if I want to trust my data to it. Honestly, unless we get down to the fraction of the population that actually does understand these bits at a deep level, that's the best any of us can do really.

Sure, large clusters of powerful servers working in tandem(or quantum computing) may render the factoral math behind crypto obsolete. A nice thing though, is that those kind of solutions are limited to those that can afford them. Still, even if it's all true, and I'm wasting my time encrypting things, what better solutions do we have?

Re:Truecrypt

[kasperd]

I agree TrueCrypt is well documented, and in addition to that the source is available. I have the necesarry knowledge to actually review such a design, and in the case of TrueCrypt I must say it is not the worst I have seen, but it is certainly not perfect either. There are some subtle watermarking attacks if you can get access to different encryptions of the same sector. Still in spite of that I'd much rather rely on TrueCrypt than some closed source products. So far all storage encryption products I have seen have had some weakness, I'd much rather use one where I know what it is and to what extend it could be a problem to me.

Re:Truecrypt

There are some subtle watermarking attacks if you can get access to different encryptions of the same sector.

Any efficient 1-to-1-mapped disk encryption software (not just TrueCrypt) is subject to "water mark" attacks based on comparison of re-encrypted blocks. Increased granularity (i.e. wide-block modes) will not prevent the attack either. There is no mode of operation that can feasibly prevent it (you can prevent it only if you accept dramatic and generally unacceptable degradation of performance).

Re:Truecrypt

[Lord+Ender]

There are some subtle watermarking attacks if you can get access to different encryptions of the same sector.

Care to explain that a little bit further?

Re:Truecrypt

[kasperd]

Any efficient 1-to-1-mapped disk encryption software (not just TrueCrypt) is subject to "water mark" attacks based on comparison of re-encrypted blocks.

That is absolutely correct. In fact you didn't even have to use the word efficient here. Any 1-to-1-mapped encryption is subject to such attacks. The point is that if you are willing to sacrifice a few percent of disk space, you can improve security.

One encryption sacrificing about 3% of disk space is GBDE. Unfortunately GBDE suffers from a few other problems. The author designed his own weak pseudo random number generator. And GBDE does mean you have a risk of loosing data as the consequence of an incomplete write.

Those problems can be solved, and the overhead could be reduced from 3% to 1%. And I believe this can be done at only a few percent of cost in performance, though I don't yet have the complete solution, I'm pretty close.

Re:Truecrypt

[kasperd]

Care to explain that a little bit further?

In recent versions of TrueCrypt, the encryption is performed using tweakable block ciphers in way that reuse tweaks. When a sector is written, a sequence of 32 tweaks is used for each 16 byte cipher block. If this sequence was used only once, the encryption would have been as secure as the underlying cipher. However the same sequence is used every time a write is performed to the same sector. Thus by looking on two encryptions of the same sector, you can tell exactly which of the 32 cipher blocks have been changed. In other works carefully designed watermarks might leak close to 32 bits for each such pair.

There are modes which use twice as much CPU time and only allow detecting if the complete sector is identical to an earlier write. Even more secure solutions using a few percent extra disk space could avoid this weakness entirely.

Re:Truecrypt

If there was a solution, then PGP Whole Disk or PGPDisk would have used it. But no, they are as vulnerable to the attack as TrueCrypt. Why? Because there is no feasible solution to this (other than re-encrypting the whole disk every time a bit changes).

Re:Truecrypt

There are modes which use twice as much CPU time and only allow detecting if the complete sector is identical to an earlier write. Even more secure solutions using a few percent extra disk space could avoid this weakness entirely.

These wide-block modes are as vulnerable as narrow-block modes. The only difference is the granularity. Instead of changing blocks, you observe changing sectors. That's practically the same thing complexity-wise.

If there are feasible solutions to this, then why does no disk encryption software use them? Because there are no practically usable solutions offering significantly higher level security than the existing software.

Re:Truecrypt

[kasperd]

If there was a solution, then PGP Whole Disk or PGPDisk would have used it.

You seem to belive the authors of that product know everything. I don't know how you got that idea.

But no, they are as vulnerable to the attack as TrueCrypt.

Vulnerable to some kind of watermarking? Probably yes. As vulnerable as TrueCrypt? Not necesarilly, methods a little more secure than what TrueCrypt does have been known for years, but they usually require twice as much CPU time.

Because there is no feasible solution to this (other than re-encrypting the whole disk every time a bit changes).

You are wrong. All it takes is a litle extra disk space. Take a look on the disk layout used by GBDE to see one way to handle this.

Re:Truecrypt

[trifish]

Even more secure solutions using a few percent extra disk space could avoid this weakness entirely.

Obviously, you don't know much about designing and developing transparent real-time disk encryption software. The two attributes "transparent" and "real-time" rule out any solution that is not 1-to-1 mapped.

That's why all transparent real-time disk encryption programs (PGPDisk, TrueCrypt, etc.) use and have to use 1-to-1 mapping.

Re:Truecrypt

[arevos]

Sure, large clusters of powerful servers working in tandem(or quantum computing) may render the factoral math behind crypto obsolete.

Raw power alone cannot overcome modern encryption. One either has to find a flaw in the encryption algorithm, or the implementation being used; or use something radically different from your run of the mill Turing machine, such as a quantum computer. Otherwise, you simply have too many possibilities to feasibly calculate; even with the fastest computers in the world, the Sun would run out of fuel long before you cracked even one 256bit AES message.

Re:Truecrypt

[kasperd]

The two attributes "transparent" and "real-time" rule out any solution that is not 1-to-1 mapped.

GBDE have proven you wrong a long time ago, it is transparent and does not use such a 1 to 1 mapping. Besides why do you think the 1 to 1 mapping is necesarry on the encryption layer when both the layer beneath it (firmware in the storage device) and the layer above it (file system) can use something more complicated than a 1 to 1 mapping?

Re:Truecrypt

[kasperd]

These wide-block modes are as vulnerable as narrow-block modes.

You fail to distinguish between using additional disk space and using additional CPU time. It appears 1% of extra disk space usage can give you more security than 100% of extra CPU time usage.

As long as you are only willing to pay a price in CPU time, it is true that you will only get better granularity. But a factor of 32 on the granularity may very well be worth the effort, in particular if you could get the granularity above the units allocated by the file system at which point attacks will start to get more complicated. Rewriting a sector which is completely identical does not happen nearly as often as rewriting a sector where some 16 byte blocks are identical.

However if you are willing to pay a price in disk space, you get a security improvement which is better than just a change in the granularity of the units on which the attack could work. Even if exactly the same data were written, the encryption would differ.

It is possible to do even better than this. You can even hide the sector numbers by having a dynamical mapping between logical and physical locations. But such an encryption would require a larger overhead and might not be feasible on media where seek times have a significant cost.

If there are feasible solutions to this

There are.

then why does no disk encryption software use them?

Don't ask me, I didn't write that software. (You could read the article, it actually suggest one possible reason. The users cannot tell the difference between good crypto and bad crypto anyway).

Re:Truecrypt

You seem to belive the authors of that product know everything. I don't know how you got that idea.

You seem to believe that you know everything. What is the feasibility of a watermark analysis attack? What is the practical application of such an attack? Theoretical side-channel attacks are just that, thoeretical. If the spooks grabbed my HDD they would be unable to perform this attack without the password.

Perhaps if they grabbed an image, waited and grabbed another image after a period of time, there may be a shift in the analysis odds. But if the spooks were to do they then they p0wn the system anyway, much easier to keylog the passphrase.

Re:Truecrypt

[kasperd]

If the spooks grabbed my HDD they would be unable to perform this attack without the password.

Of course it can be performed without a password, otherwise it wouldn't be an attack. Whether it can be done after just getting hold of the HD depends on a few factors. If the HD have remapped some sectors it may be easy to find two sectors to use for the attack (if the physical storage was flash rather than HD, the wear leveling would help performing the attack). It also depends on whether you use a partition or a file as your backing storage. If you use a file, the file system could have moved it to a different location. It might be that you had defragmented the file system.

But since you bring passwords into the discussion, I might as well say a few words about the password protection. I have not yet seen a product which offers a secure way to change password. Of course you can create a new encrypted container using the new password and copy all the files, this would be secure but inefficient. Everything I have seen with a more efficient way to change password will reuse the old key and just reencrypt it under a different password. In other words, the old password can be used to decrypt new data if you can somehow find the old encryption. There are solutions for this, but they are a bit complicated. Until somebody actually implements this, my recommendation is to newer change password on a container and instead create a new container with a different password.

Re:Truecrypt

Rewriting a sector which is completely identical does not happen nearly as often as rewriting a sector where some 16 byte blocks are identical.

You are so wrong. Sector is the smallest accessible unit on any disk. If you rewrite a block somewhere on a disk, you MUST rewrite the entire sector. Moreover, clusters are the smallest accessible unit on normal file systems. A cluster is usually 4K or more. If you change a byte on a disk, you have to update the entire cluster. This means writing a FIXED SEQUENCE of sectors. See why wide-block modes are as vulnerable?

You keep writing in multiple posts that there are easy solutions to this. I haven't seen anything concrete so far. So you remind me of those guys claiming they can LOSELESSLY compress ANY KIND of data to exactly 50%.

Either post a solution or quit trolling (because saying all this and not posting a solution is nothing but trolling). I could as well start claiming that all crypto including AES-256 can be cracked in 1 second. If I don't say how, I'm just a troll and a moron.

Re:Truecrypt

[trifish]

GBDE have proven you wrong a long time ago, it is transparent and does not use such a 1 to 1 mapping.

If it's not 1-to-1 mapped, it's not really transparent. And what are you talking about anyway? GBDE does NOT prevent traffic analysis. You can prevent water-mark attacks based on traffic analysis only by massive relocation of sectors during write operations. In software, this can be hardly real-time.

Re:Truecrypt

[kasperd]

If you rewrite a block somewhere on a disk, you MUST rewrite the entire sector.

Yes exactly, and if all other blocks in the sector remains unmodified, that would be visible in recent versions of TrueCrypt.

Moreover, clusters are the smallest accessible unit on normal file systems. A cluster is usually 4K or more.

Typical sizes on the file systems I know about are in the range from 512 bytes to 4KB. FAT 16 is the only file system I know about which would use larger units unless explicitly told to. So it is correct, that a 1-1 mapping of 512 byte sectors still could leak 8 bits of information (which is significantly less than the 128 bits with TrueCrypt). In this is one of the reasons why I suggest something stronger. Of course you might also reconsider the size of the units handled by the storage encryption.

You keep writing in multiple posts that there are easy solutions to this. I haven't seen anything concrete so far.

Just use a probabilistic encryption. CBC mode is one possibility. (And when I say CBC I don't mean the flawed implementation used by many storage encryption products, including older versions of TrueCrypt). It does mean that a 512 byte sector grows to 528 bytes, GBDE shows how the additional data can be placed on the disk. Another possibility is to use tweakable block ciphers, but extend the tweak with a counter. Each sector needs a small counter, the overhead can be less than the 16 bytes for a CBC mode.

I could as well start claiming that all crypto including AES-256 can be cracked in 1 second.

Yes you could as well start claiming that. You wouldn't be the first AC to make that claim.

Re:Truecrypt

[kasperd]

If it's not 1-to-1 mapped, it's not really transparent.

It is transparent to the file system and any application running on top of that.

GBDE does NOT prevent traffic analysis. You can prevent water-mark attacks based on traffic analysis only by massive relocation of sectors during write operations. In software, this can be hardly real-time.

There is a difference between leaking the sequence of locations accessed and the actual data. Avoiding leak of the data is clearly feasible. If you also want to hide the locations it does get tricky. Some relocation would be necesarry, and I don't think you can avoid a significant number of extra seeks. On a harddisk there might be no feasible solution (unless you have RAM enough to cache most of the data). But on flash storage where there is no seek cost, I believe it is feasible. I could give you a solution that would require 2-3 times extra disk space and 2-3 times extra I/O. But then it also does wear leveling for you. Probably the best solution would be achieved by intgegrating the encryption with the existing wear leveling. But I'm no expert on weak leveling (only know the basics).

Re:Truecrypt

You are an ignorant troll not really worth my time. But as I am a forgiving person, I'll repeat it just for you one last time before I leave you to your lonely trolling:

Water-mark attacks are feasible on any product that does not randomly heavily relocate sectors on each write. GBDE can be watermarked by traffic analysis as easy as any other disk encryption software.

Here are the default cluster sizes for NTFS:
          512 MB or less 512 bytes 1
          513 MB - 1,024 MB (1 GB) 1,024 bytes (1 KB) 2
      1,025 MB - 2,048 MB (2 GB) 2,048 bytes (2 KB) 4
      2,049 MB and larger 4,096 bytes (4 KB) 8

Source: http://support.microsoft.com/kb/314878/

(For FAT32 the default clusters are even larger -- do your homework and look it up).

So as you can see, any volume over 1GB is vulnerable, because the attacker can easily force you to write a crafted sequence of sectors (in case of 2GB and larger volumes you rewrite 8 sectors in fixed sequence!) So wake up. Wide-block modes do not prevent this kind of attack, nor does GDBE and sector tags. The only thing you can do is relocation of sectors which rules out real-time transparent disk encryption.

Re:Truecrypt

[kasperd]

GBDE can be watermarked by traffic analysis as easy as any other disk encryption software.

You can tell the access patterns. But unless you break either AES or the PRNG there is no way to distinguish the data. (Besides that access patterns in GBDE are hidden slightly better than many other storage encryptions. But the difference is not large enough to really rely on it). Cluster sizes are not important because GBDE does probabilistic encryption. (And is AFAIK the only storage encryption to do that). TrueCrypt is deterministic and you can create data which are easilly watermarked. Older versions could be watermarked after a single write by simply having two neighbour sectors where data differs in the same bit positions as the IV. Newer versions requires multiple writes to be watermarked. Write twice to the same sector changing only a subset of the 32 cipher blocks. Those attacks will not work against GBDE, neither will anything similar.

Government incompetance is scary stuff

[dbIII]

Blasphemy #2: One of my close friend's mother had to switch fields from Numerics after she published some papers considered too sensitive.

Considering that an agency that thinks polygraphs give absolutely perfect proof of lies is enforcing this sort of stuff - yes we are being manipulated into weak encryption by a bunch of incompetant clowns that have already been taken in by snake oil and are seen internationally as bumbling fools. US intelligence doesn't rate as highly as newspaper articles these days. Also due to strange laws the encryption work has to be done offshore to be useful for anything other than purely domestic communication.

The Safe Option

[noamsml]

In other words, for crypto-dummies of the likes of myself, it's probably better to stick with peer-reviewed, time-tested Open Source programs.

The classic warning signs.

[infolib]

Snake Oil Warning Signs: Encryption Software to Avoid

Last updated 1998, still insightful.

Classic snake oil: Blitzkrieg!

[WWWWolf]

Anyone remember the Blitzkrieg server, which seems like the solution to all of the world's security needs? The expression Bruce Schneier used was "just too bizarre for words". I don't know if this was an elaborate trolling attempt or an actual real honest scam to deceive the terminally dumb, but it's fun to read, still, just for the amazing technobabble and ludicruous claims.

Article taken from Wikipedia???

[transporter_ii]

So did he write the article and then post it on wikipedia, or did he swipe it from wikipedia and post on his site?

http://en.wikipedia.org/wiki/Snake_oil

Not trying to troll, I just couldn't figure out which it was and I don't have a lot of time to investigate.

Transporter_ii

Re:Article taken from Wikipedia???

[gEvil+(beta)]

Or it could possibly be neither, since the definitions given in both are generally accepted and don't match up word for word (assuming you're trying to insinuate plagiarism). Yes, they're similar, but they are not identical. Anyone familiar with the term or its history would write something very similar if asked to...

Re:Article taken from Wikipedia???

[44BSD]

Actually, Ross Anderson was the first infosec/crypto dude to channel Akerlof, in section 5 of this paper.

Re:Article taken from Wikipedia???

[non-sequitur]

Similar ? They're exactly the same - to the punctuation!

Re:Article taken from Wikipedia???

[gEvil+(beta)]

I must be completely blind then, because they are not identical on my machine. Could you please include the quotes that are "exactly the same - to the punctuation" for me?

Re:Article taken from Wikipedia???

Hello. I'm the same AC that posted the original comment.

Yes, I lifted my whole post from the Wikipedia entry for 'Snake Oil'. My only appendage was "'nuff said."

I hope that settles it. Yes I plagurised, but fuck it - I'm an anonymous coward why would I give a shit.

Re:Article taken from Wikipedia???

[gEvil+(beta)]

I just realized you guys are referring to the AC's comment up there. Silly me for thinking that transporter_ii's use of the word article was referring to, oh, I don't know, the article, and not a comment.

Re:Article taken from Wikipedia???

C U Next Tuesday cunt

Not in the ciphers stoopid...

[Kaptain_Korolev]

All too often when people talk about their security solution they talk only about the cipher they are using, the length of keys and the time required to crack it.

Nowadays this is moot.

Security is in the protocol, how you exchange keys amongst parties and more importantly how you store the keys locally on the client and server.

I don't give a shit how strong your cipher is if your keys are negotiated in an in-appropriate fashion or stored in the clear on your machine. I'll do a dump of your memory and analyse the result for random looking data runs, chances are it's crypto related. Knowing the key and block lengths of your cipher getting past your security will not present a tremendous difficulty.

Unfortunately with security, you are not making something that will either work or it will not, you are adding protection to something that works. Hence it's pretty easy to hack together something that works but fail stands up to even basic analysis.

Real security lies in trusted platforms ( here we go...! ) and data hiding techniques using obfuscation. Unfortunately this sort of thing, data obfuscation in particular is difficult to explain to Joe public and can't be used to advertise you product.

Oh well, and Bruce, if you're reading this, how about a 2nd ed. of Practical Cryptography.

honesty in vendors ..

[rs232]

It isn't a matter of honest vendors. It can generally assumed that most/all cryptography companies are owned and run by the various security services. For decades a US/Swiss/Israli firm Crypto AG sold a cryptology machine with a secret built in backdoor. At least until Pres. Reagan announced on television that they were reading Gaddafi's coded messages.

There has also been speculation why Windows requires three unique signing keys. The disengenious reason given being that in case the first one got lost in a fire.

5,000 bit unbreakable crypto!!!!!

While I was searching for a crypto solution for my thumbdrive, which will work under Windows and OSX (and source for UNIX'a'likes would be nice), I came across some site that claimed something like, "5,000 bit unbreakable encryption!". I chuckled and then moved on without even reading what they had to say for themselves. Simply because just making some crypto scheme x,xxx bits is not a magic bullet. In fact, any company which relied on such a silly idea MUST by definition be peddling weak crypto. Even if they don't know it.

There are people in the World who think they know crypto. A very small subset of those actually do and then a very small subset of those can actually implement crypto properly and securely. I would guess that of all the big vendors putting out crypto products, you could probably count on one hand those which are doing a decent job of it. The World over.

How many poor bastards fall for the x,xxx bit crypto bullshit and fork over their money for that dubious security?

The audience

[Plutonite]

To protect yourself truly, you must know the people who theoretically can sniff your sessions and have access to your files: call them the "audience".

Your audience are either script kiddies with tools who want your CC number, or professoinal mathematicians hired to break access codes to your military research.

For the former audience, use google to make sure no tools are lying around ready to ruin your shit. Inventing your own scheme is actually a good idea.

For the latter, hire professional assistance, don't use your own coded-over-the-weekend scheme, and don't mess with the Russians.

Re:The audience

[jimicus]

Either that or hire the Russians as your security advisors.

Try This...

[thebdj]

If you are truly concerned about the validity of cryptography provided by the vendor, then try to find products that have been certified under the FIPS 140-2 standard. The only problem might be that a lot of those products are usually commercial grade items meant for use by government agencies; however, some of the items that have received approval are reasonably available to consumers. The products are reviewed by independent labs, and then the CMVP reviews the labs results. (The site was down earlier this morning.)

These products have been reviewed by independent labs, who review their implementation to verify that cryptographic mechanisms are implemented properly. This includes reviewing source code and/or hardware designs. Just a thought for anyone who is truly concerned that their hardware or software be compliant. (Note: If you want a "secure" operating system, look into CC Evaluation.)

Re:Try This...

You, my good sir, need to read your CC Evaluation guidelines a bit more closely. CC says _nothing_ about the security of the product. It describes the robustness of the processes used to create and vet the product.

We cannot measure security. Period.

Check the certification

[gr8dude]

http://cs-www.ncsl.nist.gov/cryptval/aes/aesval.ht ml
NIST maintains a list of those who passed the tests successfuly, and were certified to use AES in their products.
So, besides making sure that all the things mentioned by the parent were done right, check out whether the algorithm itself was properly implemented.

Use ROT-12

[swelke]

Use ROT-12 to decrypt. Well, either that, or use ROT-14 twenty-five more times. It depends how much your time is worth to you.

Re:Use ROT-12

[dascandy]

What should the last 13 runs do?

an old problem

[v1]

I worked for sevearal years on a programming language called REALbasic. In the latter releases that I saw, it featured "encryption". A compiler is basically a tool that takes human readable commands and turns them into a program that a computer can run. This process is not easily reversable, and once compiled, it's difficult at best to make changes to the progam.

Encryption was added to RB so that it was possible for you to give away portions of your program's "source code" (the human readable part) without anyone actually being able to READ it. They could incorporate your souce into their new project and use it normally, they could just not read it or make changes to it.

This sounds like a nice idea, until you realize that when you get someone's "encrypted" source code and add it to your program, the compiler has to be able to read the source code, because it needs to translate it for your new program. This means one thing: the encryption is not secure because the compiler itself must somehow posess a "master key" of sorts so that it can read the source code to do its thing. So... when you select the module and try to open it to look at it, it's not that it can't read it.. it's that it won't read it. A sufficiently skilled programmer could go into the compiler and flip a switch inside it and basically say "ignore that", and you would have unrestricted access to the so called "encrypted" informataion.

I assisted with a project where we found out how this information was encrypted. In short, a fixed key was used to encrypt the project data. Then a different fixed key was used to encrypt the passcode you would use to "protect" the project. Thus, the compiler could ask you for the password if you wanted to read your own project, and it could verify you typed in the correct passcode. If you did, it would decrypt the project for you to view. So you see, the compiler does not NEED the passcode, it simply WANTS it.

It took us about a week to write a program that would read in the projects, decrypt them using the fixed key and completely ignoring the passcode thing, and saved an unprotected naked project file that anyone could edit or view.

This is probably not too far from the mark on how a LOT of programs "protect your privacy". In reality they are only protecting you from the casual inspection. Anyone that really wants your data can get it, all too easily. Be sure that with any program you are certain that the program NEEDS the passcode to unlock your data. If it only WANTS it, (is there a password reset option available?) then you know it's "security through obscurity", and we know how totally worthless that is.

You thought your windows or OS X keychain was secure? You have auto login turned on? Does the computer need your password? Think about it.

Re:an old problem

Yes, both OS X & Windows needs your password for encrypted data. On Windows, chaning your password results in data being reencrypted. Losing it results in data lost forever.

Re:an old problem

[jimicus]

Wouldn't it have been simpler to distribute un-linked object code which the compiler could link in when needed?

That list doesn't seem to help

[Paul+Crowley]

From what I can see, this checks only that what the product is using really is AES; it doesn't check that it's being used correctly or that the product is secure as a result.

Is Voltage on the NIST list?

If the author of the article is bringing this up, what does it say about his employer's products? I checked out the product at their http://vsn.voltage.com/ on-line service and it looks interesting. They also have http://developer.voltage.com/ a free toolkit for integrating their Identity Based Encryption (IBE) into applications.

Re:Is Voltage on the NIST list?

It appears that they are: http://csrc.nist.gov/cryptval/140-1/140crt/140crt5 22.pdf

and what if...

[YesIAmAScript]

What happens if I use predictable IVs in CBC mode?

I just finished up a system where I do use (very) predictable IVs in CBC mode (with AES128).

From what I could tell, an IV really only helps with preventing parallel dictionary attacks. That is, like people use against the UNIX crypt function (in passwd files). Since there won't be more than about 30 things ever encrypted with this key, I figured I didn't need the additional security IV gives me.

And besides, the IV has to be in the code or data somewhere, as it is one of the bits of data needed to decrypt. Most people just store it next to the cyphertext.

Re:and what if...

[Paul+Crowley]

IVs are public after encryption. However, in CBC mode an attacker must not be able to predict the IVs before encryption takes place. This is a pain; you're better off using CTR mode, for which your IVs need only be different from each other, and predictability is not a problem. Or better yet, EAX or GGM mode so you get authentication too. Why are you hand-rolling your crypto? Why did you use CBC rather than CTR mode? What are you using for authentication?

Your guess about what the IV is for is mistaken. For a simple example, think of what happens if you don't use an IV in a Vernam cipher (like RC4): this is trivially weak.

Did you just mention Skype?

Skype is the #1 "free" voip application around, both in features and amount of users. They claim to be using "very heavy duty crypto stuff, 256 bits this and that blabhlah". Yet there are no indication of a robust PKI scheme being in place (in fact, it's virtually impossible) which reduces their products security closer to zero. What they use is some auto-enrolling service that is protected by user account credentials. (Which are often weak.)

It's good enough against amateurs, and even professionals that can't get well enough into your network. However against anyone with proper resources it's simply trash. Furthermore they fail to mention that even if anyone can't eavesdrop your connection it is possible to determine other things from your usage - you are not completely safe. They've caught stuff like fugitives that have been stupid enough to use Skype already. Think about that.

Try Voltage Security Network

Check out the author's company's product at the Voltage Security Network.

Not snake oil.

In fact, I am the Blitzkrieg server. Your attack has been logged. Your house will be destroyed in the next few minutes.

You have been warned.

Peril of the semi-educated know-it-all

[Coward+Anonymous]

One of the major perils facing a would-be crypto user is himself. Many people think they know it all (as evidenced in many of the posts to this article) and therefore can dictate insecure and plain silly design choices when deploying a secure solution in a non-trivial environment (for anything: authentication, the crypto itself, access enforcement, etc.).
For the vendor this creates a conflict. On the one hand, you want to satisfy the customer's request. On the other hand, you know your customer is shooting himself in the foot and very possibly becoming a vendor reputation problem later on down the line.
In my experience, most customers are accustomed to being "always right" and fail to recognize that crypto/security may be one of those things that they simply do not know enough about and to let the vendor help them. It is often the case that the vendor can explain/evangelize and detail the very attack the customer is opening himself up to with little or no effect - the customer is convinced they know it all.

You'd have thought so...

[jd]

But I've worked as a contractor for Government sites where their central data server was:

• Publicly accessible, outside of any firewall
• Had .rhosts on it, for the specific purpose of avoiding having to write login code for scripts that copy data
• Stored commercially sensitive (and possibly classified) information.

Ok, I'll be fair - though God alone knows why, and I think even God gave up trying to figure out the tangled mess I call a brain some time ago. They did use DES - not triple DES, just plain DES - for the really really sensitive stuff. The encryption key was visible to anyone logged in on any account, however, as the DES they used required the key to be the first parameter and they made no effort to erase it. So it was technically encrypted. (Once the passkey has been broadcast to all and sundry, I do not regard the encryption as anything more than a technicality, and in the case of DES, I seriously doubt you could even claim that.)

I've heard that security has since improved. I say "heard", because it was some time AFTER security was said to have been improved that reports started coming out of a fileswapper using NASA storage machines as extra disk space - the very same organization and very same type of mass storage device I had serious doubts about many years prior to that.

But that's a Government institution! Yes, and they're the ones with a great many experts in such matters and a great many contracts with people who can not merely withdraw business but also guarantee a disaster in the next election. The bulk of private corporations out there have neither the skills to draw on OR the incentives to maintain some sort of standard. All they have to do is ROT13 and tell you it's got digital security. Enough suckers'll buy into it to keep the CEO in champaign, caviar and girls of commercially-negotiable virtue for life.

The problem is, there is no mandated minimum standard for security, so those who can WILL use the lowest standard possible that will deceive customers into thinking they're safe whilst staying a gnat's whisker (after being compressed by the forces of a neutron star) beyond what could be sued for in courts, assuming a technically ignorant judge.

IMHO, "snake oil" could be vastly reduced - not eliminated but reduced - by placing minimum standards for crypto, compression and other easily-manipulated areas of technology, and enforcing them. Not maximum - that's what the intelligence services want, and they want it to be zero. I'm strictly talking minimum. Your good, old-fashioned lemon law - does it fill the purpose for which it was sold to the customer? Yes or no.

In the case of cryptography, that would be rephrased as follows: would a reasonable person, aware of the strengths and deficits of the technique concerned, aware of any warnings published on the block crypto lounge, hashing function lounge, etc, aware of the Usenet Crypto FAQ (ie: aware of the "common knowledge" that exists on cryptography), and aware of the grade of security the user is demonstrably expecting, agree or disagree that the cryptographic system sold meets the grade expected or not?

If it does not, it is a lemon for the purpose for which it was sold. It might be perfectly good otherwise, but it doesn't, can't, and never will do what was expected of it.

This would be enforceable, as I said very clearly that I'm talking about weighing the "common knowledge" against the "personal expectation". Both are easy to define and even a non-expert should understand a skull-and-crossbones labelled "BROKEN, DO NOT USE" in a crypto lounge. They might not understand the fine nit-picking or the advanced maths, but that's why I'm sticking solely to what is commonly known and understood, not what is derivable from axiom 327 as applies to lemma 291 as described by Professor Branestawm's obscure paper entitled "techniques for splicing dormice genes into giraffe brai

WPA-supporting devices all but mandatory

[davidwr]

Because WPA is inconvenient when you're using a device that doesn't support it.

WPA-supporting devices are all but mandatory for laptops and WAPs these days. If your device doesn't support WPA, replace it.

These WEP is little more than a "no tresspassing" sign - it will keep people from accidently connecting to your WLAN, but not much else.

Re:WPA-supporting devices all but mandatory

[DarkJC]

So do you suggest I replace my DS with a WPA DS? Oh wait, they don't exist. My PSP also supports WPA, but unfortunately some of the older games don't support it when using their infrastructure mode. I guess I should just go and replace those games then, with copies that have been updated for WPA support! Oh wait, those don't exist either. I'm sure it's easy to say just go and replace it, but sometimes it's just not possible.

Re:WPA-supporting devices all but mandatory

[SanityInAnarchy]

I would suggest that for a gaming device, you could provide a completely open network, but a completely facist firewall. For instance, send most HTTP traffic to "Please don't steal my bandwidth. If you really need to connect real quick just for email, come knock on my door at (your address)." Block most other connections. Set up laptops and such to go through a VPN to get around it. And allow your DS, Xbox360, and whatever else access, by Mac address, to just the ports they need.

I would also suggest that, for anyone who doesn't already have such a device... Do your research. Write Nintendo and tell them you didn't get a DS because it doesn't support WPA. Write whoever makes these games and tell them you didn't buy their game because the game doesn't support WPA. Anyone who doesn't say, write them with questions.

This is how consumers control corporations. It's time for a revolution -- replace the corporatocracy with a true republic again.

Re:WPA-supporting devices all but mandatory

[personman21]

http://www.nintendowifi.com/customersupport/showFe edbackForm.do

Re:WPA-supporting devices all but mandatory

[SanityInAnarchy]

OK, I admit it -- I have other reasons I didn't get a DS. Mostly because I have a gaming desktop and no need for a portable. But thanks for the link.

Main point -- don't complain to Slashdot, complain to people who can actually do something about it -- and then rally Slashdot to help you complain.

Re:WPA-supporting devices all but mandatory

[personman21]

Hello and thank you for contacting Nintendo,

I can appreciate your comments regarding our choice of WEP security for the Nintendo Wi-Fi Connection (WFC) service. Nintendo's decision to make the WFC compatible with WEP and not WPA stems from the fact that WEP is the most prevalent standard for securing Wi-Fi connections. We feel that WEP provides sufficient protection.

If you prefer not to change your current security, then you might consider using the Nintendo Wi-Fi USB Connector. Although it uses WEP security, it can only be accessed by a Nintendo DS and will not interfere with your regular wireless security.

We have developed an application you can download to test your PC's possible compatibility with the Nintendo Wi-Fi Connection and the Nintendo Wi-Fi USB Connector. This test is not a guarantee that the USB Connector will work, as there are a number of things the application does not test. However, a successful test is a good indication the connector will work. The test application can be found at the following address:

http://www.nintendowifi.com/troubleshooting/Networ kTest.jsp

The Nintendo Wi-Fi USB Connector is available at Best Buy, EB Games, Frys, GameStop, Star City Video and Toys R Us. You can also purchase this item directly from our online store (http://store.nintendo.com/usb) or over the phone by calling 1-800-895-1672. The connector carries a Manufacturer's Suggested Retail Price (MSRP) of $34.99 U.S. ($39.95 Canadian). Please keep in mind that although Nintendo of America Inc. may suggest retail prices for products, the dealer is free to determine on its own the prices at which it will sell products.

Sincerely,

Nintendo of America Inc.
Sharon Matheny

Nintendo's home page: http://www.nintendo.com/
Power Line (Automated Product Info): (425) 885-7529


This is the message I got from Nintendo.

I do not think WEP is sufficient protection, and will NOT buy a DS until it supports an industry standard.

Please cite that claim

[Paul+Crowley]

the NSA has been telling people for years now to not rely on RSA. They suggest switching over to Elliptic Curve or other advanced algorithm.

Provide a cite for that, please?

I don't personally feel very kindly disposed towards RSA - I don't see any advantage it has over Rabin-based schemes and important disadvantages - but I think it is scaremongering to say that the NSA have been warning people about it.

Re:Please cite that claim

[inviolet]

Fact Sheet NSA Suite B Cryptography

The Case for Elliptic Curve Cryptography

From the latter:

Since their use in cryptography was discovered in 1985, elliptic curve cryptography has also been an active area of study in academia. Similar to both RSA and Diffie-Hellman, the first years of analysis yielded some degenerate cases for elliptic curve parameters that one should avoid. However, unlike the RSA and Diffie-Hellman cryptosystems that slowly succumbed to increasingly strong attack algorithms, elliptic curve cryptography has remained at its full strength since it was first presented in 1985.

Re:Please cite that claim

[Paul+Crowley]

I stand corrected! Of course, they're making their case based on what's known in the public sphere rather than secret knowledge they can't allude to, but then they would, wouldn't they? Thanks for setting me straight on this.

odds still better than closed-source

[davidwr]

If a million people read the code, and 1 in 10,000 were cryptographers who examined the code closely, that's still 100 cryptographers examining the code. Assuming most of them were working independently or in small groups, that's good enough for me. It's probably a lot better than a closed-source solution where maybe half a dozen experts looked closely at the code.

The best thing about open-source is that if it's a real concern to you, you can hire your own experts to check out the implimentation. You don't have to take the vendor's or anyone else's word for it.

why am I hand-rolling my crypto?

[YesIAmAScript]

I'd like to be funny and say it's because I've used OpenSSL, and I am astounding anyone (including myself) is capable of making a system that works with it, let alone is secure. It's a complete disaster.

But really it's because the system I'm using is an embedded system. And by embedded system I don't mean a full-blown PC running Linux, I mean a small system. I was allocated about 4,000 instructions for my crypto work (and an AES ECB accelerator).

In CTR mode, the each encryption doesn't depend on other data encrypted before it. Thus someone could change a single 128-bit area in the cyphertext and it wouldn't affect anything else. This greatly reduces the difficulty at changing my cyphertext to change the plaintext in certain areas without it being detected after decode.

I appreciate your info, but I think you're jumping to huge conclusions about my system. Again, in my system only about 30 pieces of plaintext will every be encrypted. And they will be encrypted by legitimate users. So I don't have to worry about people trying to guess the IV before encode. There are no clients of my crypto code that are malicious (and if they were, they'd have brought the company down already, crypto or no). And besides, if you were to break into the code I am securing, you'd just change the system so that the crypto wasn't used instead of trying to game IVs.

I guess on of the most important things is that I'm using crypto for authentication more than message hiding.

As to your last statement, I wasn't speaking of anything but AES128 here. But I think I did use RC5 without an IV for crypto in a previous product. It wasn't broken, it was exploited (bypassed), making all of my efforts moot anyway.

Re:why am I hand-rolling my crypto?

[vrt3]

In CTR mode, the each encryption doesn't depend on other data encrypted before it. Thus someone could change a single 128-bit area in the cyphertext and it wouldn't affect anything else. This greatly reduces the difficulty at changing my cyphertext to change the plaintext in certain areas without it being detected after decode.

I'm a layman in the field, but it just so happens that I just read Practical Cryptography. The book makes it very clear that you should never depend on encryption for checking the authenticity of a message. You should *always* use a cipher like AES in CBC or CTR or whatever mode for encryption and something else, like HMAC, for authentication.

I guess on of the most important things is that I'm using crypto for authentication more than message hiding.

Please use HMAC instead of AES with CBC or CTR for that.

In other words, as far as I know anything about it, this shows exactly why it's dangerous for non-experts to create cryptographical applications.

Re:why am I hand-rolling my crypto?

[Paul+Crowley]

RC4 and RC5 are very different; all they have in common is a designer and a few ideas.

As the guy says, don't use CBC for authentication; that's broken. Since you have an AES accelerator EAX mode is probably a good fit; it provides both encryption and authentication.

You can do it wrong if you prefer, but it should be possible to do it right.

What you should do

[davidwr]

Get a console with wired connection then use a standalone WAP. If your favorite game doesn't support that ask yourself if you would rather be safe or have fun.

The other alternative is to make sure there's nobody within range who might be hostile, or put up a faraday cage around your gameroom or house.

Quick, answer this

[texaport]

With the prevalence of keystroke loggers on Windows boxes, is the typical home user better off having encrypted/stored passwords for website forms -- or better off crossing his fingers and typing them manually dozens of times per day?

Discussing encryption under ideal circumstances is like saying birth control pills are 99.97% effective when taken as directed in laboratory studies.

Peer review, One-Time Pads, and Strong Crypto

[billstewart]

"It's even worse than it appears", as Master Hunter tells us...

If lots of smart people *haven't* reviewed a system, then it probably wasn't interesting enough to review, so don't bother with it. This includes commercially distributed systems like GSM cell-phone encryption and WEP, both of which collapsed when a couple of smart people at Berkeley looked at them (IIRC, GSM's algorithm took three hours to crack instead of two, because the Chinese lunch Ian was having was interesting that day, but I may have the details backwards.)

Microsoft's PPTP used RC4, which lots of smart people had looked at. Problem was, the smart people all said "It looks pretty strong as long as you don't do this or that with it", and Microsoft's design found a couple of different ways to do this and that, as well as recycling some other weaknesses from older products.

That's why the kinds of people you're giving advice to definitely should *not* use OTPs. The rules for using them are very simple - the pads have to be purely information-theoretically random, and you have to make sure they can only be used once. Those rules make OTPs operationally annoying to use, which results in clever (as opposed to smart) people "fixing" the problem by generating their one-time pad using some algorithm or other, or sloppy (as opposed to stupid) people doing things that let pads be reused or stored or copied or whatever. The Venona decryptions were successful due to Soviet operators reusing "one-time" pads when they ran out of new ones, and also because the randomization methods (clerks banging on typewriters that had original and carbon-paper copy) weren't really good enough randomness.

Cryptography's harder problems are mostly implementation-related. There are enough really strong algorithms out there to make good crypto possible, though occasionally there'll be attacks on important algorithms like MD5, and Moore's Law means that you need to be careful that key lengths are good enough for the length of time you need to protect your information, and strong keys won't usually protect you against the KGB installing a bug in your computer's keyboard or pointing a ceiling camera at your monitor. But design of intermediate problems like key exchange or user authentication can still be difficult, and integrating them into applications and operations is still hard. We're at the point that you can build a nice solid steel front door to your building with an unpickable lock on it, but that doesn't mean that the side windows aren't open, or that the parking-lot valet didn't make a copy of your keys.

Re:Peer review, One-Time Pads, and Strong Crypto

[Lord+Ender]

I never suggested anyone use OTP. I said it was the only one that was provably secure. Everything else relies on the fundamental tennet of cryptography.

I tell you what.

[YesIAmAScript]

Let's consider this conversation between me and you over. I ask for help with one thing and instead of get criticism from people who don't know anything about the system I implemented (and I like it that way) insulting me as not even knowing as much as they got from reading a single book.

The useful part of this conversation is clearly ended and I don't see any point in hurling judgements at each other.

two-pass is not an option...

[YesIAmAScript]

Again, the system I'm on is not just a PC in a box. Performance is critical, and I can't use a two-pass system.

I'm sure it's great to have a ton of MIPS available and to be able to choose from many complex modes of operation, but that's not the situation I'm in.

Your judgement of wrong and right assumes you know all the tradeoffs. You don't. Please leave out your uninformed judgements. I just asked from some help on IVs, and as far as I am concerned, I got it. So if you think you can't help me further with the amount of information I am able to give, then I understand.

Re:two-pass is not an option...

[Paul+Crowley]

Defensive much? If you really can't afford EAX - which you should check - look into using GCM mode; the authentication pass is pretty cheap there. Or if you can't afford that, and your AES accelerator is flexible enough, you could look at replacing the CTR mode with LEX to save even more on the encryption but using the GCM authenticator. Or if you tell me more about your situation: there may be a variety of other options. Authentication is very, very cheap - the theory of universal hashing allows us to cut it much closer to the bone than we can with encryption.

Or, you know, you could just deploy something with bad, broken crypto out of ignorance and advertise it as "Uses 128-bit AES for maximum security!" which seems to be your current plan and which was exactly what I was talking about when I first posted. You'll be following the example of thousands, it seems.

Key handling is more important than AES

[billstewart]

Sure, if it used 40-bit RC4, it'd be easy to crack, while AES-128 is good enough that anybody who doesn't have the key won't be able to crack it this century, and maybe not this millenium. The problem is what Apple or some other vendor does with the keys - are they protected, or is there an "emergency backup copy" in plaintext on the disk, or an emergency backup copy public-key encrypted with a private key only known to the Apple Store Genius helpdesk, or is there no backup copy on disk but a trojan-horse program can steal it out of kernel RAM? Or is the key just the passphrase that you type in, which is an easy dictionary search if it's just your dog's name spelled backwards, as opposed to a hashword made from 128 coin-flips?

None of this is an insult against Apple's product - I don't know what they're using. I've seen a wide variety of similar applications over the years, and saying that they use AES-128 only says they've done the obvious parts well, so the product runs as fast as a well-oiled snake. It doesn't say whether it's secure or not.

I don't think I'll do that.

[YesIAmAScript]

I think instead of just using broken crypto and advertising as "uses 128-bit AES for maximum security", I'll instead do that AND insult others. I'll be sure to pass immediate judgement on others and state I know what their plan is without knowing anything about what they're doing.

Then I'll be following the example of you, it seems.

Thanks for the initial help. No thanks for the ivory tower bullshit.

You are wildly optimistic, I'm afraid

[Paul+Crowley]

You know that's not how it is, right? In practice, if a hundred thousand people download it, then at most a thousand will hack on it, at most twenty or so will thoroughly review the security related code, and an average of zero of them will be cryptographers.

In the unlikely instance that a cryptographer does review it, they will suggest changes, and they'll be told to get lost; cf Gutmann trying to tell people to use proper padding with RSA, or my conversations elsewhere in this thread.

Auto hacker in a box

[Paul+Crowley]

Actually such systems do exist, are surprisingly good, and getting better. They read a formal protocol specification in their own special language rather than source code, but they find real attacks that others have missed. I don't think they're ready to replace experts yet, but they're good enough to be used to find the things the experts missed.

Data security

[Oshkoshjohn]

Some level of personal responsibility is called for, too. I frequently see memory sticks lying beside piles of books at the library. If people can't be bothered to physically protect their belongings, cryptography protection won't prevent someone from picking it up, wiping it, and gaining a nice tool for themselves!

Analogy is fatally flawed.

[Paul+Crowley]

A lion can only bite one person at a time. An attacker or a worm can attack many at once.

This is what breaks many intuitions about network security. People say "I have nothing worth taking, so no-one will attack my network". But as you surely know, unless suitably firewalled, a PC will come under attack within minutes of being put online, because each attacker attacks millions of machines at a time so attacks are cheap.

Re:Analogy is fatally flawed.

[NoOneInParticular]

Ah, but this is particularly about wireless (beside the tangential issue of lions hunting in the desert). In that case there are not millions of attackers, but just a few. On the wild internets however, to outsmart your neighbour, you have to outsmart those millions of other boxes. Yes a stringent firewall is necessary. On my home wireless however: I can survive the attacks of my neighbours and the occasional war-driver will target my neighbours first. Anybody that is out there to get me specifically: there are probably better ways.

Voltage and Snake Oil, perfect together

Good grief. It's rare to see a company with such brilliance behind it selling more snake oil than Voltage. Their "identity based encryption" is really "email-address-based encryption" - i.e., anyone who can read your email can also read your encrypted email. It's basically using a genius mathematical invention to enable your mail provider to do key escrow. Pass.