Slashdot Mirror


User: Paul+Crowley

Paul+Crowley's activity in the archive.

Stories: 0
Comments: 1,017

Comments · 1,017

  1. He's right! ...well, sort of. on Draft FIPS for the Advanced Encryption Standard · Score: 2

    You should validate this implementation against the spec to check for back doors before you use it. Not because you'll find a backdoor - I've read this code, you won't - but because it'll be a useful education in crypto implementation techniques. There's quite a bit of cunning in the way the implementation is put together, particularly the way the tables are built. And you can appreciate the simplicity and beauty of Rijndael when you do it.

  2. The NSA approved all five final candidates on Draft FIPS for the Advanced Encryption Standard · Score: 3

    All five final candidates for the AES got the NSA stamp of approval. If they can break them all, even Serpent, they probably have orbital mind control rays too.

    A burglar you trust is an excellent person to ask about what locks to use. Of course, NIST didn't just ask the NSA, they asked all the best burglars in the world, and the conclusion is that this is as secure a lock as you could possibly need for the foreseeable future.

  3. What "fix for DES"? on Draft FIPS for the Advanced Encryption Standard · Score: 2

    The NSA have not proposed a "fix for DES". There is evidence in the design of DES that the designers (IBM) knew about differential cryptanalysis, but not about linear cryptanalysis; however, for practical purposes brute force search is still the best attack on it; thus, the usual fix is to apply it thrice with two or three different keys (Triple-DES).

    There is some evidence (in Skipjack) to suggest the public community is now ahead of the NSA in theoretical cryptanalysis. Certainly there are a hell of a lot of breathtakingly smart people in it.

  4. A-trollbusting we will go on Draft FIPS for the Advanced Encryption Standard · Score: 2

    Electric Angst is a troll, as a check on the user info will reveal (see "YHBT. YHL. HAND.").

    No-one who knows how this cipher was chosen could seriously believe that Daemen and Rijmen are NSA plants, or that there's room to hide anything in an algorithm as simple and clear as Rijndael.

  5. You can make a hash function out of a block cipher on Draft FIPS for the Advanced Encryption Standard · Score: 2

    You can use a chaining mode to make a hash function out of a block cipher; AES in (say) Miyaguchi-Preneel mode gives you a 128-bit hash, while Tandem Davies-Meyer gives you a 256-bit hash (rather faster than SHA-256, I might add!). See Applied Cryptography for a description of these modes.

    I hope NIST standardise some such mode, but at the moment they're only talking about standardising modes for encryption and MAC, not for hashing.

  6. Rijndael team's new cipher on Draft FIPS for the Advanced Encryption Standard · Score: 4

    Far from resting on their laurels, the Rijndael team have been busy with new cipher design work. Check out their latest creation, Noekeon, designed for simple implementation and resistance to differential power attacks and other side channel attacks.

  7. Public review is finished after two years or so on Draft FIPS for the Advanced Encryption Standard · Score: 4

    NIST started the process of designing a successor to AES many years ago, and fifteen algorithms were submitted from all over the world as candidate successors. The eventual winner comes from a team from Belgium; it's been thoroughly examined by the world's best cryptanalysts and I don't think anyone thinks there's going to be a useful break.

    So long as this FIPS is simply a formal description of the algorithm we were all examining (and it appears to be), there's no problem. NIST have done all the right things here.

  8. Re:If anyone doesn't know this is a troll yet on Java Binding in KDE2.1 · Score: 2

    I think it's too easy to end up chasing your own tail trying to identify who's "really" who, since new accounts are easy to create. Just call the trolls as you see them; it makes it harder for them to get a +1 bonus, and so reduces the entertainment value of pissing in the intellectual swimming pool.

  9. Re:If anyone doesn't know this is a troll yet on Java Binding in KDE2.1 · Score: 1

    No, only when I catch them early enough. S/he posts a *lot* of trolls - I only catch a few.

  10. If anyone doesn't know this is a troll yet on Java Binding in KDE2.1 · Score: 1

    ... check qpt's user info.

    cheers,

  11. Publish then. on Making PKI Work · Score: 2

    Write up what you've done and publish. If you've advanced the art of factoring even a tiny bit, you'll be famous. Hell, put a more comprehensible description here and you might get famous.

  12. Schneier and Ellison: Ten Risks of PKI on Making PKI Work · Score: 3

    ObKarmaWhoring: if you haven't read this already then Bruce Schneier and Carl Ellison's "Ten Risks of PKI" is essential background reading: http://www.counterpane.com/pki-risks.html

  13. Remember that qpt is a troll on Making PKI Work · Score: 2

    Check the user info - everything qpt writes is a troll. Remember this before you reply or moderate.

  14. Remember that qpt is a troll before you reply on Ethernet For Model Trains? · Score: 2

    Check the user info before you reply or moderate - everything qpt writes is a troll. "A Sinister Legacy" or "It's Too Much" are good examples.

  15. *sigh* no. on Claude E. Shannon Dead at 85 · Score: 2

    I must put together a brief crypto FAQ for slashdotters one day. Summary: QC is interesting but way overhyped.

  16. Crypto isn't that way at all! on Claude E. Shannon Dead at 85 · Score: 2

    Everyone here knows the programming references in this troll are nonsense, but just a note on the crypto side.

    For the most part, mathematical methods do not *ensure* the security of our systems. We have no proof that, say, AES is secure; all we know is that the world's greatest cryptanalysts have attacked it as hard as they can, and come to the conclusion that there won't be a practical break for a long time to come. In theory, it could be heinously broken tomorrow. We don't have a proof that it won't be, just decades of experience in attacking cryptosystems and finding out what makes them weak in practice.

    Cipher design is a mixture of a science and an art. There's certainly artistry in the design of AES!

  17. Social life entirely determines my choice. on Do You Consider Your Social Life When You Choose A Career? · Score: 2

    Of course, it helps that the kinds of places I want to live are thriving metropolises with a cosmopolitan nightlife and so the kinds of places that tend to have high-tech employment, but I would choose a place to live entirely on the basis of what it's like to live there, and then look for a job based on that. In particular, as a bi atheist I'm never going to move to somewhere like Utah where the homophobia and religious intolerance is going to be way beyond what I'm prepared to put up with.

  18. RC6 had the smallest margin on AES: Learn All About It · Score: 2

    I'm pretty sure RC6 had the smallest security margin of the five finalists.

    Note that Bruce Schneier has also gone on record as saying that he does not believe any practically useful weakness against Rijndael will ever be discovered. Also, Rijndael gains a lot of strength from each round, so the security margin may be misleading; the Square based attacks stretch across quite a few rounds but they're very hard to extend.

  19. AES is faster than DES in hardware on AES: Learn All About It · Score: 2

    While not as fast as Serpent in hardware, Rijndael is pretty efficient, and doesn't demand too many gates. There should be no problem with encrypting a T1 using Rijndael even in software; in hardware it should be able to encrypt much fatter links, especially used in CTR mode (or OCB, IAPM etc) where you can do several block encrypts in parallel.

  20. Rijndael will last much more than 30 years on AES: Learn All About It · Score: 5

    The simple sum says if 56-bit DES was relatively easy in 1998, and if Moore's Law adds two keybits every three years, 128-bit Rijndael falls 108 years later, in 2106, and 256-bit Rijndael falls in 2298. Thus the apt slogan "A cipher for the next century".

    Of course, there are many factors that alter this, chief of which is that we'll probably hit theoretical limits on Moore's Law by then. Ross Anderson speculates that the AES may *never* be replaced.

    (Unrelated footnote: Slashdotter Nic C Weaver presented a paper at the AES3 conference on hardware implementations of AES candidates on FPGAs, and handed out neat little summaries on yellow business cards!)

  21. NIST "covered themselves with glory" this time. on AES: Learn All About It · Score: 5

    I was at the third AES candidate conference, and everyone I spoke to was basically entirely happy with the way the competition was run. I've heard no complaints from anyone involved; in the Cryptogram, I think Schneier's phrase was that NIST had "covered themselves with glory" in the cipher selection process. This is a cipher the academic crypto community can happily stand behind.

    Some may worry that NIST chose one of the ciphers it rated as "Adequate security" rather than those rated "Highest security" like Serpent. However, to be secure the AES must achieve one thing: *it must get used*. If Serpent were named as the winner, it would perhaps be one option in a cipher negotiation stack, but people would tend to avoid using it, preferring faster alternatives. And when they're designing protocols, Serpent would tempt them to include cipher negotiation levels, a notorious source of possible insecurities; attackers try and force you onto your weakest cipher with fake packets before you have the cipher in place. Because Rijndael is so efficient on every platform, it's likely to get used everywhere without negotiation, and overall I think that'll make our protocols more efficient and more secure.

  22. Re:Additional misspelling patch... on Kernel 2.4.2 Released · Score: 2

    Oddly enough, I agree. I'm from the UK and I use UK spelling, but I've worked on a project where I had to correct my "honour" to "honor" because the standard was US spelling. This was a company founded in the UK with offices in the US, and I thought they made the right decision to standardise on US spelling. Er, I mean standardize.

  23. What does it do that Debian doesn't do already? on Ximian's Red Carpet Released · Score: 4

    Er, I have automatic updates. I have dependency tracking. I have channels too - in fact, I update my Helix Gnome regularly using them. It's called apt/dpkg, and it's a standard part of Debian.

    Now, a GUI tool for setting up and administering APT could be very cool - I'm not making a CLI vs GUI argument here - but why might I want another system to do basically the same job bolted onto the side? If there are things that Red Carpet does that apt/dpkg doesn't, wouldn't it be best to fix apt/dpkg?

    The Helix people know Debian, so I'm sure they've anticipated this question, but I'm surprised not to see it answered here.

  24. Worse is Better on ESR On XML-RPC · Score: 2

    This triumph is discussed in detail in Richard Gabriel's famous "Worse is Better" (part of "Lisp: Good News, Bad News, How to Win Big"). It's not necessarily always a bad thing.

  25. Gibberish? on Professor Describes Unbreakable Cryptosystem? · Score: 2

    What you've written makes no sense to me at all, and I'm a professional cryptographer and so not entirely ignorant about maths and computational complexity theory. If it's meant to be quasi-scientific gibberish, you've gone for some nice choices of words.

    If you have a proof that unbreakable encryption is impossible, please write it up and submit it to one of the crypto conferences, and you will instantly become a world-feted mathematician.