Slashdot Mirror
Interrogate Crypto Luminary Bruce Schneier
Most people who have any involvement with or interest in cryptography have heard of Bruce Schneier. If you haven't, check his online biography, check the home page for his consulting company, Counterpane Systems, or learn about his seminal book on the subject, Applied Cryptography (assuming you haven't already read it). Our usual interview rules apply: one question per post; moderators select their favorites; editors choose 10 - 15 of the highest-moderated questions and send them to Bruce on Tuesday; Bruce's answers appear on Friday.
Your book E-mail Security offers an analysis of some of the more popular commercial e-mail systems at the date of publication. What, in your eyes, are the most dangerous potential problems with current non-commercial e-mail systems and their likely direction of development?
How is this process going?
What ciphers have been eliminated due to successful, critical attacks? (Successfully attacking a couple rounds worth of a Feistel-like cipher obviously being less critical than providing cryptanalysis for "all 16"...)
If you're not part of the solution, you're part of the precipitate.
What's your gut feeling on this -- is cryptography as a field in danger of wiping itself out, or do you feel encryption has a secure long-term future?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Does the possibility exist for an unbreakable code or is this a 'Holy Grail' of sorts?
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
Co-founder and designer at Music Nearby: http://musicnearby.com
First, I note that quantum computers haven't factored jack (yet, anyhow) :)
:)
All cryptography that's not one-time pad depends on some one-way function to produce its results -- the idea being that the attacker has to go back the other way, which is hard.
Factoring is certainly an excellent example of such a "trapdoor" function. But not that much in cryptography depends on factoring. The only symmetric cypher I know of that depends exactly on factoring is Blum squaring -- though there are certainly others that are equally un-well known.
RSA really depends on the Euler Phi function, which has yet to be proved equivalent to factoring.
Standard DES and the AES candidates are less secure than that, even, since they trade off speed for a measure of security.
I can't remember how closely Diffie-Helman depends on factoring, but I think it's pretty close. Someone correct me if I'm wrong.
Someone want to add some other cipher types?
We're implementing an Enigma machine on our FPGAs in Fundamentals of CE (18-240)...that's definitely not as secure as factoring
Unfortunately, they won't be practical for widespread use for another 10-20 years, when the patents encumbering them expire.
Berlin-- http://www.berlin-consortium.org
DNA just wants to be free...
What do you think of the upcoming Freedom package by Zero Knowledge Systems?
Have you seen Ironstayn vs Supergovernment yet?
Do you think that the many existing (and future) patents on cryptographic protocols and algorithms will stand in the way of widespread adoption of cryptography?
--
bgphints - internet routing news, hints and ti
With IPSec starting to gain some momentum as well as the current VPN craze (which seems to ignore the traditional encryption boundary issue completely), do you see a role in the testing and certification of vendor implementations to include checksumming of binary-only closed-source products and services?
Given that we'll soon see more Voice over IP, and we're currently seeing IPSec in routers, is there any other way the international community can be sure that a particular implementation hasn't been (legally or illegally) trojaned by a manufacturer or that they can gain a high level of trust in their vendors' implementation?
So long, and thanks for all the fish!
Paul
http://www.pauldrobertson.com
Bruce,
I would like to hear your thoughts on the expiration of the RSA patent next September. Do you think that RSA will finally be free, or will RSADSI tangle it up in some type of legal mess?
I have heard that quantum cryptanalysis will only help crack certain forms of crypto, such as RSA. What makes a cryptographic system resistant to quantum cryptanalysis, and is twofish such a system?
- The unexamined life is not worth leading -
Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.
Currently almost all ink signatures (and by extension legal documents in general) are based on the fact that signatures are currently difficult to duplicate.
I would trust a digital signature FAR more than a "real" signature. I can train a plotter to duplicate your "real" signature in under an hour.
Possibilities I can think of right now are:
Any thoughts?
DES and papers by Don Coppersmith show that the NSA and at least a few private researchers have known about some techniques, like differential cryptanalysis for over a decade before the general public learned of them. With the current boom in interest in cryptography and judging by the designs of current ciphers like Coppersmith's SEAL and skipjack, it seems plausible to assume that the gap has been closed substantially. How big do you think the gap is between the NSA and the public and what hurdles to you see in closing it if you believe that the NSA still knows vastly more than the public about cryptography?
(I mean the cryptographer public when I say "public," not the masses.)
Thanks again for your wonderful books. Any plans for AC 3rd edition? Maybe with AES covered?
This is my signature. There are many signatures like it but this one is mine..
How do you feel about your ongoing association with internationally famous super-hackers, cDc? Judging by our last meeting, I would suggest that you are perfectly content, but we like to keep our friends happy, so let us know.
obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
What are the emerging technologies from the last few years which most affect cryptography? How important are:
The IP Security (IPSEC) standard has been around for several years, yet it hasn't taken off as expected. What do you see as the future of IPSEC?
Zero-Knowledge proofs were discovered/invented over 15 years ago and are now usually covered in most studies of this science (Although I, unfortunately, haven't had time to go through your book).
Considering that now a days we implicitely trust ATMs or resellers not to tinker with credit card readers or not remember our PIN numbers, since this relatively new field offers incomparable advantages for identification protocols (such as the inability to replicate a session) that could be used in these situations and that the litterature is, by now, relatively well developped (with work from Jacques Stern for example),
a) Would you tend to agree that this would be an interesting addition to the privacy protection of customers ?
b) Do you know of any real world implementation for the general customer ?
c) What do you believe it would take for large banks and Credit Card compagnies to decide to implement these schemes ?
There are a great many cryptographic libraries available, but many of them suffer from poor documentation, cluttered APIs, bad interfaces, or unwise addition of platform-specific code (Counterpane, Inc., isn't immune, either -- your Yarrow code is strictly MSVC++ and hence, Win32 only).
Would the cause of secure algorithms be furthered by the construction of a cross-platform crypto toolkit, open sourced, peer reviewed, clean and well-documented, which could be reused across different platforms and projects? Or would this create hindrances, since each project may need ever-so-slightly different features from its cryptographic infrastructure?
(And if anyone's got a clean, standalone El Gamal library, *please* EMail me at the above address. The El Gamal code in GPG is just plain frightening.)
What do you predict will be happening to cryptography techniques over the next year? 5 years? 10 years?
---
I hope you're not pretending to be evil while secretly being good. That would be dishonest.
Do you think that "bio" technologies for authentication -- fingerprints, retinal scans and the like -- are really feasible for widespread use?
Always keep a sapphire in your mind
Don't worry about consolidation of the CA structure into one or two "elite" trees. If you are running Internet Exploder, you can see quite easily that there is no such threat. Tools|Internet Options|Content|Certificates Click on the tab that says Trusted Root Certification Authorities. You'll see that there are about four other CA's in the root store that ships with Windows. Since everyone under Windows has those root certs, there is nothing to prevent those CA's from becoming just as powerful as Verisign or Thawte save capitalistic competition. Now, you could legitimately disparage Verisign for distributing certs in such a promiscuous fashion (their "30 day trial" keys), but hopefully as consumers become savvier, they will not reward such behavior.
-konstant
-konstant
Yes! We are all individuals! I'm not!
Do you think PGP has been compromised, and is there any way to really know?
I think what many people are wondering including mysef is:
1) Is there any ongoing effort to build another encryption algorithm as we speak?
2) The plausibility of a security breach on the Blowfish Algorithm, tho is not very likely at this time, are you planning on strengthening it any way in nearby future? thats mostly question of those self-called... paranoid...like myslef ;)
Thanks,
----====___SUBLIME___OR___NOTHING___====----
Do you believe that an effective Client/Server encryption model can exist, at the current stage of progress, without a trusted 3rd party? If no, what is your opinion on what this 3rd party should be? What other alternatives do you see?
Peter Pawlowski
Given that the administration and congress appear unable to refrain from placing absurd restrictions on how we do math, how optimistic are you that the courts will consistently act sensibly in this matter? Much like CDA could only be defeated through legal challenge, should free crypto activists be turning their attention to the Judicial branch? What do you feel our chances are in this arena and who shall carry the torch?
In order to perform DRoot, you need Euler's Phi, and in order to get that, you need to factor the public key. This is, of course, unless someone finds a better way.
The point is, that someone may find a way to do DRoot, and bypass the factoring, as well as Euler's Phi, problem.
I think we can conclude that factoring complexity >= finding Phi >= finding DRoot.
As for Diffie-Helman, it is based on the difficulty of DLog. The base modulo for DH is a prime number itself. Factoring, therefor, does not enter into it at all.
In the field of cryptology, i think there have been many major advances like
+ fiestel networks
+ combining operators (like in IDEA)
+ data dependent rotations (like in RC)
Do you believe that quantum cyrptography is the next foreseable step.
What do you believe the effect quantum computers will have on cryptanalysis, and the development of cryptology.
If you can generate a one time pad through quantum cryptology, you only need xor, as that is secure as its otp.
I understand, that quantum compuetrs would be able to solve "very hard" problems, like solving discreet logarithms in a fine field.
What major algorithms would be deemed insecure, when quantum computers came about.
Many entries to the AES are essentially fiestel networks, do you foresee this system ever being broken (I know you think that giving dates is stupid)
Also, what AES submission did you least expect to be dropped for round 2. And apart from your submission, what do you think has the most chance of becoming the aes.
Many people are finding ways around the key escrow policies, and the export policies. Like the private doorbell system. Do you think that these embargos on freedom will ever be lifted, or will the us government remain as privicy envading, and paranoid as ever.
Do you see people using stenography instead of encryption. Especially for file systems ?
Do you think deniable encryption would stand up in court ? (E.g using rivest's chaffing and winnowing system)
Is it possible to have a deniable and probablicstic crypto system ?
And what do you feel is the most secure algorithm, and hash function now, as before in your book it was idea, but now wiht the aes systems ? which is the most secure?
I have recently started to question the wisdom of using multiple encryption algorithms over a communications channel.
SSH and HTTPS (for example) have become staples for secure administration and E-commerce. With expanding use of IPSEC for company access from home, what are the dangers behind using SSH over a VPN?
I understand there is a potential for compromise when layering two 3DES channels, one each for SSH and IPSEC; has any analysis been done of the security of a Blowfish (TwoFish/CAST/etc...) and 3DES combination?
Bruce, what is your view of what many have said is the governments relaxation of export controls on commercial cryptography? In particular are there any actual dangers to the requirement that the algorithms and code be submitted for review? My personal feeling is that rather than protecting the consumer the review process is more likely to be to ensure that any cryptography is sufficiently weak to please the government. So maybe crypto for credit card transactions is somewhat safe since the businesses involved can be subpoenaed, but crypto for obsfucating personal communications is less secure since there may be more chance of evidence being withheld.
Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.
Based on these two facts, do you think legally binding digital signatures are secure; why?
--
You have stated, time and again, that while picking a good cryptographic algorithm with an adequate key length is important to security, it is only one link in the chain. There are numerous examples of this, including the attacks on Netscape's PRNG's and attacks against smart cards that measure power consumption, timing, etc. to determine the key. Any one of these methods can effectively render the rest of the system useless.
Now for the question: what do you think is the most overlooked aspect of designing a secure system? For example, PRNGs, ineffective key management, mismanaged trust, bad authentication, etc... What can people writing software do (aside from peer review, which is a *must*) to reduce the risks of common problems?
Thanks!
Back in the "good old days" of cryptography, the algorithms used were understandable by non-mathematicians. Most modern cryptographic systems in use are still mathematically "simple". By this I mean that once you understand the complexities of the algorithm, the mathematical basis is understandable to someone who has, say, a college degree in mathematics or physics.
The cryptographic systems being developed today are often based on much more sophisticated mathematical ideas. Elliptic and hyper-elliptic curves spring to mind. The algorithms may be understandable, but the mathematical basis may be complicated enough that it takes a PhD in mathematics to understand.
These systems are the future generation of cryptography. Some have suggested that their security is based more on mathematical obscurity than anything else (i.e. the number of people able to even understand what the algorithm is doing is very small). Do you think this is accurate? Do you see cryptography moving exclusively into the domain of mathematicians, so that it is totally inaccessible to motivated non-mathematicians (such as yourself)?
I am in the midst of reading Applied Cryptography (1st edition). Amazing book so far, thanks for all the hard work you obviously put into it.
Here's my question: Your short timeline at the beginning of AC notes that public research in cryptography didn't really get under way until 1976 but that the NSA (and it's predecessors) started during WWII. What far ahead do you think the NSA (or whoever) is? In particular, do you have any reason to believe they have cracking algorigthms for some of today's hardest problems (NP-completeness, etc)?
---
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Most of the discussions I hear and work I see is towards makeing algorithms safer. On the other hand a lot of security gets compromised by a large number of protocol violations, human errors (like dictionary passwords, pet names etc) and other means like reading electromagnetic emissions, bugging or bribing. Where do you see the optimal division of effort?
I have read your papers on Yarrow and was impressed both with the algorithm and your discussions of the importance/vulnerablities of Pseudorandom Number Generators. It seems to me that PRNGs can be just as important a component of a protocol as the algorithm or keys themselves. How important do feel they are? Do you see this role increasing/decreasing in the future with new technologies and developments (Quantum Computing/Encryption)? What do you see as their future?
thanks
When Applied Cryptography was published, CAST was looking very promising but was still very new. How IYO has CAST held up since then?
Always keep a sapphire in your mind
What did you think of Neal Stephenson's Cryptomonicom ?
Vidi, vici, veni. (I saw, I conquered, I came)
I know that you have done a lot of work in the area of A. But what about B? Specifically, what do you think it will take, to get people to use cryptography with their email on a regular basis? Most of us here agree that it should be as standard as putting your letter in an envelope instead of using a postcard.
However, even I don't regularly use encryption. I have tried encryption packages and they are easy to use, but I can't seem to be able to convince my friends an family to go through the trouble. Because the people that I communicate with, don't use encryption, it seems that I can't either.
Because of its inclusion with web browsers, some level of encryption is now used for much of e-commerce. Most people just know that their transaction is somehow secured and know nothing of the details. But the same hasn't happened for other mediums.
What do you think it will take? An personal electronic Pearl Harbor in which many people have their secrets spread throughout the world? Inclusion of crypto with the most popular free email clients? Or maybe people just don't care and they will never encrypt their email?
Many government officials are opposed to encryption on the grounds that it will somehow impede investigation and prevent prosecution.
I beleive this is the same feint magicians use to misdirect the audience from the real action. Currently, prosecutors must only provide phone records as evidence, and not a tape of the actual phone call. The evidence that something transpired, and not the actual "what" is all that's required. Records of wire transfers are acceptable, even if you can't seize the actual money. The classic tenets of motive and opportunity suffice, without someone having to provide a videotape of the crime. In other words, I think you can prosecute, and convict, even if you can't decrypt.
So, first, any idea what the Feds are really worried about? (It's got to be more than just Eschelon.) And second, how do we present the privacy issues to the public so that the average citizen understands what's at stake? (e.g. encryption = privacy = good thing)
I've heard you say many times that unless a particular crypto alg. has undergone lots of public review, it should not be considered safe. Unless possibly it's from the NSA. (Excluding, of course, the NSA stuff that is INTENTIONALLY backdoored.)
The implication there is that the NSA has applied some many resources to the crypto problems,that they are as good as the rest of the cryptographers put together.
My question is: Do you really think that a private process, no matter how many resources applied, can equal the public process?
One would think that cryptographers, who study the mathematical means for controling information (not just secrecy, but also signatures, zero knowledge proofs etc) would be the least inclined to support the articial limits to information set up by our legal system, and yet the field is littered with patents (probably more so than any other field of mathematics).
You, on the other hand, have been very generous with your algorithms and cryptos. Is there a political, ideological, or practical reason behind this?
-
Bruce,
in a recent cryptogram, you write that most symmetric ciphers need more entropy than people can remember and hence supply. Even with bio-metrics adding more bits, it is not really worth the effort to construct ciphers with more than 128 bits of entropy in the key, because people won't give them more than that much entropy in the pass phrase.
However, social and technological pressures make longer and longer keys a necessity. What promising approaches do you see for making remembering and entering -- even though I have long passages of text memorised, I don't want to type them in for each email I want to send -- usefully long passphrases?
Ie, to paraphrase, would you discuss the state of the art of cipher/human interaction, as it pertains to key management.
Johan
What impact do you think your science studies have on your current career? I suspect the high mathematical background of physics prepared you for cryptology, but what other aspects of a science degree come into play in your line of work? Would you call your B.S. in Physics an advantage or a disadvantage?
"Knowledge = Power = Energy = Mass"
Bruce, thanks very much for making cryptography so much more accessible to us all.
You wrote in Applied Cryptography that IDEA was your "favorite" symmetric cipher at the time. Is that still true today?
Always keep a sapphire in your mind
Your book describes a slew of interesting applications for crypto protocols, including electronic money orders, digital time-stamping, and secure multi-party computation. What are the remaining crypto problems of interest to the general public which have not been solved? (secure distribution of digital media comes to mind -- can you sell someone a music file, allow them to use the file anywhere, but make sure no one else can use it?)
OK, hypothetical question. You rub a magic lamp, and a genie comes out. Specifically, a cryptographic protocol genie. He can come up with an effecient, secure protocol for any activity you want (assuming a protocol is possible, of course). What would you pick, and more importantly, why?
Quantum physics seems to be the "magical" form of physics, and its application to cryptography even more magical. I don't think I properly understand "quantum cryptography," and I don't think that most of the people that have made public comment on it understand it terribly well either.
Could you comment on the present state of Quantum cryptography, and its probable relevance in public matters short term (which appears nonexistent), medium term (where the research of today may be in 5-10 years), and longer term?
If you're not part of the solution, you're part of the precipitate.
Scott McNealy claims we've already fought and lost the war for personal privacy. Do you agree with him or not, and why?
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Given that most cryptographic algorithms are well known and understood worldwide, can governments control their use effectively by legal means? Do you think legal restrictions on cryptography are likely to become more or less strict over the coming years?
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Bruce --
As many know, your twofish algorithm is one of the (many) submissions to become the AES standard. The goal for these algorithms is to be able to implement them extremely cheaply in hardware -- say on a 6800 with 256 bytes of RAM. In other words, cheaply enough to put on a smart card.
But IBM's team alleges that any algorithm that simple can be fairly easily cracked by doing a power usage analysis on the chip (by watching fluctuations in the electrical contacts with the reader) and that the necessary equipment to protect against power analysis would be equivalent to a much more complex processor -- so much so you might as well just implement a different and more complex (and hopefully power-random) algorithm. Of course IBM suggests their own implementation.
What do you think? Is there a way to build a simple smart card so that power analysis isn't a problem? Perhaps the whole question will become irrelevant since we'll be carrying around so much processing power in our PDAs that we'll just use them?
In the forward, you describe how you got interested in cryptography, and that you had no background or training in the field, but you thought it was interesting. Also, several times throughout the book you caution people not to trust cryptosystems from amateurs.
Clearly you have become well versed in the history and application of cryptography, your book makes all other descriptions of the state of the art invisible by comparison. Still, it appears to me that cryptosystem design and analysis requires fairly extreme mathematical proficiency, which I do not believe that you have.
Now, of course, Twofish is published in detail, and the best people in the world have attempted to crack it (and I think that the competitive process that the US Gov't has promoted is a spectacular way to get the best people to attack each other's ciphers). But, I remain somewhat worried that at the foundations of Twofish...is there something missing that a PhD in mathematics and number theory would have seen?
The winner of this competition will likely be the next DES, and will provide security for a fairly large percentage of the planet. The stakes are high. I'm sure that you have an answer to this criticism, and I'm eager to hear it.
thad
I love Mondays. On a Monday, anything is possible.
What are your thoughts on the recent reports of quantum computing and its effects on encryption?
---
I hope you're not pretending to be evil while secretly being good. That would be dishonest.
Thanks again,
PS Neville
As one of the stronger voices behind the proposition that only peer reviewed, open, and thoroughly tested algorithms can be trusted you've widely disseminated several algorithms, Solitaire and Yarrow among them. What attacks or interesting analyses have surfaced since their release?