Slashdot Mirror


User: rjh

rjh's activity in the archive.

Stories: 0
Comments: 1,190

Comments · 1,190

  1. Re:Manifestly untrue. on E-mail Tax As Way Of Preventing Spam · · Score: 1

    You can use PGP to sign whatever you want. We're talking about a proposed implementation, not a current one.

    See my other replies in this thread re: the idiocy of altering RFC 2440/3159/etc. to accommodate antispam advocates.

    The subject line is part of the message, and it gets changed.

    Quote me the relevant part of RFC 2440 (or 1991, for that matter) which indicates that the subject line is considered to be part of the message.

    Free hint: there isn't one.

    RTFrfc.

  2. The biggest flaw on E-mail Tax As Way Of Preventing Spam · · Score: 1
    ... is that it's a bigger drain on legitimate users than on the spammers. Take the following scenarios:

    • Joe Spammer finds an open relay. He sends a million emails out through it, thus bringing the open relay to its knees for a while as it computes SHA-1 hashes. Maybe the sysadmin will close down the open relay as a result, maybe not. New machines come onto the Net all the time, and open relays aren't hard to find. This is a total failure of the CPU tax.
    • Joe Spammer finds an open relay, but one which won't do the X-SHA1-Hash field, instead replying with MTA code 666 SPAMMERS MUST DO IT THEMSELVES. Great. Joe Spammer creates a dummy X-SHA1-Hash field and sends a million spams. The MTA then blindly passes this mail on, since it has a dummy field. At its destination, sure, the receiving MTA will strip it out as spam... but that still means 1,000,000 legitimate users have to pay a CPU tax, and the spammer doesn't have to pay anything. Doesn't sound like a terribly effective tax, does it?
    • Opens the door for DDoS attacks. Not only do your networks still get clogged with spam, but now your CPU is tied up sorting out "properly taxed" email messages from "untaxed" email messages. Not only can a DDoS attack eat up all your bandwidth... but now a DDoS attack can eat up all your processor, too. This is a nontrivial failure.
  3. Re:Manifestly untrue. on E-mail Tax As Way Of Preventing Spam · · Score: 1

    Ever get a spam that had some seemingly random characters in the subject line?

    Where do you get the idea PGP incorporates the subject line into a signature? It doesn't. Only the message body is incorporated, and the message body remains constant across a huge number of emails.

    The entire subject-line-alteration is a giant non sequitur.

  4. Re:Manifestly true, actually. on E-mail Tax As Way Of Preventing Spam · · Score: 1

    So what? Sign the mail with the recipient's public key.

    At this point, you've now demonstrated that you have no clue how asymmetric cryptography works, and thus have no business talking about it.

    Free hint: you don't sign a message with the recipient's public key. You sign a message using your own private key, and encrypt using the recipient's public key. (Although both are really encryption operations, just on different keys: formally speaking, there is no such thing as a sign operation.)

  5. Re:Manifestly untrue. on E-mail Tax As Way Of Preventing Spam · · Score: 4, Interesting

    Great. Now you're advocating changing an IETF RFC away from its original intended purpose (protecting data in transit) and towards a specific purpose (making it a CPU tax) by the introduction of new MUSTs which serve absolutely no useful purpose towards its original task?

    Think about it for five minutes. You'll come up with half-a-dozen methods which don't involve subverting an IETF standard.
    .
    .
    .
    .
    .
    .
    .
    .
    .
    .
    Free hint: require a mailer field, X-SHA1-Hash, which is a 20-byte hash of (a) the message, (b) the timestamp, (c) the sender, (d) the original mailserver, and (e) the receiver. Anything which doesn't have an accurate X-SHA1-Hash gets discarded at the destination MTA. Presto. You achieve your CPU tax, but you don't subvert an IETF standard in order to do it.

    I leave finding all the flaws in the above idea as an exercise for the reader.

  6. Manifestly untrue. on E-mail Tax As Way Of Preventing Spam · · Score: 4, Insightful

    Spammers just can't afford to sign their mails - with any signature.

    Spam is one email being sent out a million times. Identical copies of messages flood a network. (If you don't believe this, I'll show you a spam I recently received which had over a thousand entries in the CC field. The spammer accidentally CCd instead of BCCd.)

    If you're sending a million copies of one message, you only need one PGP signature. It becomes a fixed one-time fee per different email you send out, not a per-message CPU tax.
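Added example, not part of rjh's comments: a sketch of the X-SHA1-Hash check from comment 5, run against the scenarios in comments 2 and 6, counting SHA-1 computations on each side. The field encoding, the header key name, and all addresses and timestamps are constructed assumptions.

```python
import hashlib
import hmac

# The five inputs the comment lists: message, timestamp, sender,
# original mailserver, receiver. Key names here are assumptions.
FIELDS = ("body", "timestamp", "sender", "origin", "receiver")


def x_sha1_hash(msg):
    """SHA-1 over the five inputs (hex of the 20-byte digest)."""
    h = hashlib.sha1()
    for name in FIELDS:
        value = msg[name].encode("utf-8")
        # Length prefix (an added detail) keeps field boundaries unambiguous.
        h.update(len(value).to_bytes(4, "big") + value)
    return h.hexdigest()


def destination_accepts(msg):
    """Destination MTA rule: recompute the hash, discard on mismatch."""
    return hmac.compare_digest(x_sha1_hash(msg), msg.get("x_sha1_hash", ""))


def run_campaign(n, forge_field):
    """Send one body to n constructed recipients; count SHA-1 runs per side."""
    cost = {"sender": 0, "receivers": 0, "delivered": 0}
    for i in range(n):
        msg = {
            "body": "constructed sample body",
            "timestamp": "2003-04-27T12:00:00Z",   # constructed value
            "sender": "sender@example.org",
            "origin": "relay.example.org",
            "receiver": "user%d@example.net" % i,
        }
        if forge_field:
            msg["x_sha1_hash"] = "0" * 40          # dummy field, no sender work
        else:
            msg["x_sha1_hash"] = x_sha1_hash(msg)
            cost["sender"] += 1
        cost["receivers"] += 1                     # verifying costs one full hash
        if destination_accepts(msg):
            cost["delivered"] += 1
    return cost


def body_digests_needed(n):
    """A body-only signature digest is identical for all n recipients."""
    digests = {hashlib.sha1(b"constructed sample body").hexdigest()
               for _ in range(n)}
    return len(digests)


if __name__ == "__main__":
    print("honest sender :", run_campaign(1000, forge_field=False))
    print("dummy field   :", run_campaign(1000, forge_field=True))
    print("body digests  :", body_digests_needed(1000))
```

The honest run costs sender and receivers the same number of hashes, the dummy-field run costs the sender nothing while receivers still pay for every message, and the body-only digest is computed once regardless of recipient count.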

  7. Re:Finally... on RIAA, MPAA Lose Suit Against Streamcast and Grokster · · Score: 1

    No, we're not agreed:

    A citizenry armed with rifles in 1900 poses as an actual deterrent against tyranny...

    No. As I said in my last post, deterrence is only sane if and only if all parties are sane. The Framers knew this, which is why they never intended the Second Amendment to be a deterrent. A citizenry armed with rifles in 1900 possessed the ability to wrest control of the government back by force of arms: just like in 2003, a citizenry armed with rifles possesses the exact same ability.

    The relative balance of power in terms of arsenal has shifted towards the government in recent decades...

    Not on this, either. The balance of power is still firmly on the side of an armed citizenry, actively resisting the government, wiping the floor with whatever police and/or military forces are stupid enough as to try and retake the city by force.

    Like I've recommended that you do twice now: ask cops and ask soldiers what they would think of trying to take an openly resisting American city by force. Not a rioting city, which is bad enough... but a city which had decided they didn't like the government and were going to openly resist until their political demands were met.

    I just think that a moral military machine plays an increasingly big role in this equation.

    An increasingly large role in which equation? If you think 18th century armies weren't dependent on morality for their good conduct, look up the Siege of Magdeburg from the Thirty Years' War, back in the early 17th century. The army of Jan Tzerklas (Count Tilly) entered Magdeburg, supposedly to save the Catholics from the Protestants. Tzerklas figured the best way to do this was to slaughter them all, because Catholics would go to heaven and Protestants to hell. This is the origin of the phrase "kill them all and let God sort them out", due to Tzerklas' order: "kill them all; God will know His own" (i.e., God will know the Catholics and accept them into heaven).

    That was neither the first nor the last time a marauding army razed an entire city to the ground in the Thirty Years' War. What we have today is the ability to raze entire cities to the ground in a matter of seconds. The difference is only one of elapsed time--not of capability, nor the human potential for evil and depravity.

  8. Re:Finally... on RIAA, MPAA Lose Suit Against Streamcast and Grokster · · Score: 1

    Maybe, but that didn't stop the political leadership in Russia from invading Chechnya, or Saddam from gassing the Kurds. Remember I'm talking about deterrence.

    Talking about deterrence is, in many ways, a fool's errand. Basing your policy on detente is sane if and only if the other party/parties are sane. If my brother has a gun to my head and I have a gun to my brother's head, I may think "you know, bro, this situation is pretty nuts", but I wouldn't be in fear for my life. If a paranoid schizophrenic has a gun to my head and I have a gun to a paranoid schizophrenic's head, I'll probably elect to pull the trigger first precisely because I can't trust detente to work.

    (This is why it was sane for the United States to pursue detente with the post-Stalin USSR, but not with Iraq; in both cases we were talking about trying to deter a foreign power armed with WMDs which was very hostile to the United States, but in only one of the two was our adversary reasonably sane.)

    The Second Amendment does not exist, and never has existed, to be a deterrent against unlawful encroachments upon individual liberty against the government. The Second Amendment exists to make damn certain that once the government goes too far, it will soon be dissolved by force of arms.

    As a matter of practice, there is a deterrent effect: but only because our current government is sane. This is a happy side-effect of the Second Amendment: but deterrence is not the Second Amendment's raison d'etre.

  9. Re:Finally... on RIAA, MPAA Lose Suit Against Streamcast and Grokster · · Score: 1

    How many nuclear warheads, among the thousands in the control of the US government, do you think that will require?

    The instant the Army uses a nuke on American soil, that 1%/10% number turns into 99%/1%. In other words, using WMDs on civilian centers is ultimately counterproductive, from a fighting-guerrillas standpoint.

    Hussein's gassing of Kurds at Halabja did not diminish, not by one iota or instant, the duration of the Kurd uprising. In many ways it made it worse and longer, because the Kurds now were fighting for revenge on their massacred families.

    Don't go about thinking Hussein was a military genius. He wasn't.

    And please do as I suggested, and go ask a cop or a soldier if they have the capability to take a resisting town by force, when the resisters enjoy the support of a large fraction of the populace.

  10. Re:Finally... on RIAA, MPAA Lose Suit Against Streamcast and Grokster · · Score: 1

    My point was that doesn't mean the "people" win

    Who the fsck wins a war? All war determines is which side loses less. The "winner" gets to bury a few tens of thousands of their young men: that doesn't sound like winning much of anything to me.

    But it is a clear fact of military history that armies do not prevail against popular guerrilla uprisings.

  11. Re:Finally... on RIAA, MPAA Lose Suit Against Streamcast and Grokster · · Score: 1

    Which is exactly my point--the only way to fight a guerrilla uprising with substantial popular support is to wage unlimited war on the population itself. This generally does not work in either the military or political arenas, since the heavyhanded tactics (a) demoralize the military troops and (b) create more partisans for the troops to suppress.

    Grozny has been the recipient of unlimited war from the Russian Army for years now, and the population is still resisting. You'll see the same pattern in any conflict in which the guerrilla movement enjoys strong popular support.

  12. Re:Finally... on RIAA, MPAA Lose Suit Against Streamcast and Grokster · · Score: 2, Informative

    On the contrary--it's the military that doesn't stand a chance if civilians decide to make a stand.

    There are roughly 300,000,000 people in America. Roughly 150,000,000 own firearms. Assume the USG becomes so tyrannical that 1% of the firearms owners decide to take arms against the government, and 10% decide to support and shelter the 1% who will fight.

    Suddenly you've got an armed guerrilla uprising of 1.5 million people and 15 million support personnel. This is a fighting army three times the size of the American fighting forces (note: most soldiers today are in support roles, not combat roles) and a support army eight times the Army's support corps.

    This is not something any soldier wants to encounter. It's a nightmare, in point of fact.

    A close friend of mine is a ten-year veteran of the Military Police and serves on his post's MP-SWAT team. He's an extremely high-speed and professional operator. Last I asked him about what it'd be like to fight against a well-armed, well-supported guerrilla uprising, his answer was terse: "I'd blow my head off first and save myself the slow death."

    Please ask police forces (military police and otherwise) how much they'd like trying to take an American city by force against a resisting populace. Dollars to donuts says most of them would give answers reasonably close to Rick's. If you aren't willing to ask police forces--and it's as simple as going down to the local Sheriff's Department and asking some local deputy--then ask yourself this: why aren't you willing to ask the people who have the best idea of how difficult it'd be?

    In fact, why don't you ask the Russian Army how that little city in Chechnya is holding out? Have they managed to maintain control of Grozny yet?

  13. Re:Latest US Government cover-ups and lies on Top Physicist Advocates Scientific Self-Censorship · · Score: 1

    but it's a bit of a jump going from an organo-phosphate that's tuned especially to disrupt an insect's nervous system to one tuned specifically to disrupt a human's nervous system.

    Depends on how good your organic chemists are. It ain't rocket science--it's just science, and the raw materials are easy to come by.

  14. Re:Latest US Government cover-ups and lies on Top Physicist Advocates Scientific Self-Censorship · · Score: 1

    Unfortunately, you really need to do your homework.

    I have all the supplies I need for chemical weapons within a five-minute walk of my home. Cholinesterase inhibitors are used all over the place. Raid an Orkin truck and you'll have a chemical-weapons stockpile which would be the envy of either side in WW1--compared to mustard gas and chlorine, cholinesterase inhibitors are a +5 vorpal chainsaw.

    So sure, I'm certain we did provide Hussein with the chemicals he needed to create his chemical arsenal. Just like I'm certain that if we'd said "noooo, Saddam, we don't trust you with organophosphates and we're not going to sell you any", you would've screamed "Look at how the US is killing Iraqi civilians! We're refusing to sell them PESTICIDES so they can grow enough crops to feed their people! We're condemning millions of Iraqis to starvation!"

    For God's sake, learn what a freaking dual-use chemical is.

  15. Re:Latest US Government cover-ups and lies on Top Physicist Advocates Scientific Self-Censorship · · Score: 1

    Not only that, Agent Orange is harmless. To prove the harmlessness of Agent Orange, the DoD had spokesmen drinking Agent Orange for the cameras. If Agent Orange was so spectacularly toxic, don't you think we would've seen some of these guys paraded on the nightly news, covered with tumors and maybe a third arm beginning to sprout out of their neck?

    When they synthesized Agent Orange in the lab, it was remarkably harmless--that's what the DoD spokesmen were drinking, laboratory-synthesized defoliant.

    When they synthesized it on an industrial scale, the defoliant became contaminated with either dioxin or polychlorinated biphenyls, I can't remember which--dioxin and/or PCBs are not fun for living things. It was the contaminants in the Agent Orange which were responsible for all the health damage, not Agent Orange itself!

    So yeah, Agent Orange has received a bum rap all these years. Which further goes to show the original poster is on crack--nothing screams "whackjob" like someone who's dead certain he's got all the facts straight, when in reality the facts are quite a bit different.

  16. Stop the presses! on Inventors of RSA win Turing Award · · Score: 2, Funny

    I have found a truly remarkable proof that RSA is insecure, but the margin of this comment is too small to contain it.

    ( ... with a nod-of-the-head to Fermat and Wiles.)

  17. No, click that link. Really. on AIM Meets Social Network Theory · · Score: 1

    I don't know what you guys are nattering about. What's there to be afraid of at that link? Come on. Everybody knows real men use lynx for just this reason... :)

  18. You're right. on Eclipse 2.1 Released · · Score: 1

    A couple of weeks ago I finished a couple thousand lines of Java code for a pretty simple app a friend of mine needed. Heavy use of Swing throughout--Eclipse handled it just fine. In fact, I would've been more surprised if Eclipse hadn't handled it just fine.

  19. Re:Please use Google. on Ask Security/Cryptography Expert Paul Kocher · · Score: 1

    The poster didn't ask it about 256 bit AES keys. He asked about modern PGP. Since the default behaviour of most PGP implementations is to use a symmetric session key that is quite a bit less than 256-bit AES, the detailed answer you gave is irrelevant :(

    On the contrary. He asked about modern PGP, and AES256 is supported in both PGP 7.x/8.x and GnuPG. Sure, if you just want to address 128-bit ciphers, then you get some marginally feasible numbers, but it still amounts to something like $800 million in power bills alone just to run a thermodynamically-perfect computer to brute-force the cipher. And since we don't have any good cryptanalytic attacks against any of the ciphers involved in PGP, brute-forcing it is pretty much the only cryptanalytic technique you have.

    He was not asking about human factors or usage factors. He was asking about the strength of the PGP protocol and algorithms--and the short answer to that one is, "by all of our current understanding, it's extraordinarily strong".

    Repetitive plaintexts are not a problem for the ciphers used in PGP, incidentally. And all of the ciphers in the PGP suite are extremely resistant to differential cryptanalysis.

  20. Can I see a proof, please? on Security Expert Paul Kocher Answers, In Detail · · Score: 2, Interesting

    We're fortunate that cryptography is a mathematical discipline. That way, whenever anyone makes claims about "no mathematical attack can ever be successful", we can say "great--prove it."

    There is only one cipher out there nowadays which has been formally proven to be totally immune to mathematical attack: the Vernam Cipher, which is conceptually brilliant but too impractical to use.

    Everything else (so far) has been proven susceptible.

    I would suggest reading Knuth's The Art of Computer Programming, where he does basically exactly what you suggest except with random numbers. And yes, he successfully cryptanalyzes the output.

  21. The one, the only... on Creative Uses for 5.25" Drive Bays? · · Score: 2, Funny

    ... fufme.

    Click here for the Icky Badness, or hit http://www.fu-fme.com.

  22. Re:You're asking P=NP. on Ask Security/Cryptography Expert Paul Kocher · · Score: 1

    You were just saying that it was doubted that RSA is NP, which it's not.

    And I say: show me the reference. RSA is conjectured to be equivalent to an NP problem. As far as I know, nobody has ever proven it to be equivalent/isomorphic to an NP problem.

  23. Re:You're asking P=NP. on Ask Security/Cryptography Expert Paul Kocher · · Score: 1
    NP doesn't mean hard. NP means that a proposed answer can be checked in polynomial time.

    Schneier, pg 240 (I would use a formal CompSci reference, but this is the book within reach):
    • The class NP consists of all problems that can be solved in polynomial time on a nondeterministic Turing Machine: a variant of a normal Turing Machine that can make guesses. The machine guesses the solution to the problem--either by making lucky guesses or by trying all guesses in parallel--and checks its guess in polynomial time.
    While it is a property that an NP answer can be checked in polynomial time, it is not the case that NP = EASY. Yes, it's true that there are simple NP problems--but generally speaking only degenerate cases or P problems (since P is at least a subset of NP).

    Again, pg 240:
    • Many symmetric algorithms and all public-key algorithms can be cracked in nondeterministic polynomial time. Given a ciphertext C, the cryptanalyst simply guesses a plaintext, X, and a key, k, and in polynomial time runs the encryption algorithm on inputs X and k and checks whether the result is equal to C. This is important theoretically, because it puts an upper bound on the complexity of cryptanalysis for these algorithms. In practice, of course, it is a deterministic polynomial-time algorithm that the cryptanalyst seeks.
    ... Which is why, for a proof of security, you have to prove P != NP. Because if P = NP, then you can execute this NP attack on the cipher in P time.
  24. Re:You're asking P=NP. on Ask Security/Cryptography Expert Paul Kocher · · Score: 1

    Actually, RSA is an NP problem

    Reference, please? Last I heard RSA was conjectured to be equivalent to the Integer Factorization Problem, but no proof for this has been found--and if I recall correctly, there's been some academic research which suggests it's not the case.

  25. Re:This just in! on Using Memory Errors to Attack a Virtual Machine · · Score: 2, Interesting

    at least you did not do the Power/Energy thing this time

    Make one little mistake, they never let you forget it. :)

    Just an interesting question: That number you used to indicate the minimum amount of energy to flip (or reset) a bit. Any references on that?

    Sure. The Boltzmann Constant, 1.38 * 10**-23 joules per Kelvin, is the fundamental relationship between temperature and energy. You can think of it as, "this is a quantum of energy at a given temperature". (It's not, and physics majors the world over are now marching on my house with pitchforks and torches. But I don't have time to explain fully.) So if you're running your computer at 3.2K, the ambient temperature of the universe, you can think of the minimum energy as being 4.4 * 10**-23 J. (I may have listed it earlier as 4.4 * 10**-26 J; if I did, I was misremembering the Boltzmann constant.)

    So your chips require a certain amount of energy to set each bit (really, to erase information in each bit--but that's splitting hairs at this point), and that energy can't be below 4.4 * 10**-23 joules.

    (Yes, you could drop the temperature of the computer to a few nanokelvins, and thus drop the energy required to set the bits... but then you'd have to supply extra energy to run the heat pump, bringing the total cost back up.)

    what is your opinion on the security of AES, in particular of Rijndael in comparison to Blowfish and Serpent?

    First, my cryptanalysis is rusty: I know enough to follow the papers, but I'm absolutely not on the cutting-edge of research. That said, I'm not especially fond of any of the AES candidates, not at this point in time. AES/Rijndael looks good, but it doesn't have much safety margin in it. Already we're seeing cryptanalytic results against it--I'm not going to say attacks, but ... there's some interesting research coming out. Nobody knows if it'll lead to an attack.

    I don't know enough about Serpent to make an informed statement about the cryptanalytic results against it. I stopped following Serpent after Rijndael was selected for AES. I vaguely recall some of the latest AES research also applies to Serpent, but... check that one before you rely on it.

    Re: Blowfish... I'm damn fond of the fish. It's been out for just a little under a decade, with no significant cryptanalytic results to it. With just a few equivocations, I'd actually recommend it above 3DES. 3DES has a much longer history of turning brilliant cryptanalysts into burned-out alcoholic wrecks, but... DES is a very complex algorithm. It's so complex that it's damnably hard to implement DES right. (I know; I've had to code 3DES on multiple occasions. I've put coworkers on notice that I refuse to do it again.) But Blowfish is extremely sexy, so much so that it can be succinctly described in about 50 lines of LISP. So on the grounds that Blowfish has an impressive cryptanalytic record, and is far simpler to implement correctly... I'd actually recommend Blowfish as my favorite cipher today.