Discussion in 'privacy technology' started by syncmaster913n, Apr 2, 2012.
I'd have to look into this, but what's special about being younger than 10 years?
Hi Justin, I would just like to test with some other ciphers.
I tested most, perhaps all, of the older ones.
It is very difficult to find software that uses these newer ciphers.
As you might have seen here.
X942, we never heard what you found in the sources or in decompiling the software.
Is there anything in it that makes it weaker than TrueCrypt or others?
Up to now I have only read what you think is the same (your cold boot story).
Can you please point out what the weak spots in the software are compared with TrueCrypt?
Perhaps you are not done analyzing the cipher yet, but you might already be able to say something about the software?
Or is it stronger?
I apologize but I can only dedicate an hour or so of my time to this a day. I am very busy with my company and closing some deals right now. I will keep you guys posted.
x942 is using his/her own resources and time. Unless you feel like paying x942 or x942's company to perform the analysis quicker you can't expect a report to your liking within several days.
Of course I respect that X942 is working on this like this,
but I do remember him saying it might be snake oil...
So now someone's reputation is at stake.
I understand the creator did not make himself popular by writing on his website the way he did,
but what I would like to know is: is his software safe?
The fact that X942 has not found a weak spot yet after more than a week must be a good sign.
And the fact that nobody claims to have broken it after several years of challenges on his website does the same for me.
How about waiting like the rest here, unless of course you know how to prove or disprove it faster.
Of course I do respect this; it is great that you are trying to help us, and my apologies, perhaps I am too curious, X942.
Thanks for giving me once again the chance to stress that this attack is very relevant, but that ciphers can very well be different which may result in much better resistance to this kind of attack.
Well, even better for me then! So you've solely relied on an encryption algorithm with multiple rounds!!!
Why did you have to modify that algorithm then? Isn't it secure for short passwords in the first place ("lame duck cipher")?
Oh, I love this topic! A few years ago I visited the security officer of a big bank here in Germany. He told me: You won't believe it - we ARE allowed to use the Enigma cipher (that's the thing that was broken by the British in WW2) because it is certified! He continued with the words "the same guys whose job it is to gather intelligence hand out such certificates". He was grinning while he said this to me.
That gave me the notion that a certificate was not strictly desirable, and to ask more often "who is interested in what, and why".
For those who feel "at home" with FIPS certificates: The certificate for DES, however, seems to have been revoked since 2004.
FIPS: A Federal Information Processing Standard (FIPS) is a publicly announced standardization developed by the United States federal government for use in computer systems. (wiki)
Thanks again, Justin, for some good reading.
This attack is NOT attacking the cipher at all. I don't know how to get you to understand that. All this does is attack the implementation. For example, I have an IronKey; the IronKey stores the encryption key in hardware and no software can access it, so this attack doesn't work. If it was an attack against the cipher it would work regardless. This attack is not prevented by adding 'defences' to the cipher but to the software (i.e. offsetting the key into CPU buffers instead of RAM).
Again, anyone that has been reading this sees you swaying back and forth with your arguments and what applies to AES and magically doesn't to PMC with no explanation to why. I posted a challenge for you and you flipped it around saying that the attack doesn't crack AES and here you are again saying it is a significant attack on the cipher. If it was an attack on the cipher this would imply it doesn't affect anything but AES and it would work even if the volume is dismounted. This is not the case and thus this attack is not a flaw in the cipher.
Again, I will not repeat myself as it will only fall on deaf ears. Anyone else already understands what I said.
Not talking about Germany. FIPS is the US standard. They do scrutinize ciphers and many don't pass FIPS.
DES was only continued through to 2004 for backwards compatibility, you have to understand that there are millions of millions of computers and files that have to be migrated to new standards. It takes time.
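The implementation-versus-cipher point in the post above can be made concrete. The following is an added example, not code from the thread or from any of the products discussed: it searches a memory image for an AES-128 key the way cold-boot recovery tools do, by looking for a 176-byte window that is a valid FIPS-197 key schedule. The scan never touches ciphertext and does not care what the data was encrypted with; it only finds key material the software left in RAM, and finds nothing once the schedule is zeroed. The memory image, the planted offset and the filler are constructed for the example; the test key is the FIPS-197 Appendix A key.

```python
"""Added example (not from the thread): find an AES-128 key schedule in a
memory image, the implementation-level attack cold-boot tooling performs.
The memory image and its contents are constructed for the example."""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254; AES maps 0 to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r if a else 0


def _build_sbox() -> list:
    """Derive the AES S-box (GF inverse, then the affine transform) rather than
    hard-coding 256 constants."""
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes for AES-128


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte round-key schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]             # RotWord
            t = [SBOX[b] for b in t]      # SubWord
            t[0] ^= RCON[i // 4 - 1]      # Rcon
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(memory: bytes) -> list:
    """Return (offset, key) for every window whose 16 leading bytes expand to
    exactly the 160 bytes that follow.  Random data essentially never does."""
    hits = []
    for off in range(len(memory) - SCHEDULE_LEN + 1):
        cand = memory[off:off + 16]
        if expand_key_128(cand) == memory[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


def make_memory_image(key: bytes, offset: int, size: int = 2048, seed: int = 1) -> bytes:
    """Constructed RAM image: pseudo-random filler with the key schedule
    planted at `offset`, as a mounted encrypted volume's driver leaves it."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(buf)


def wipe_schedule(memory: bytes, offset: int) -> bytes:
    """What a careful implementation does on dismount: zero the schedule."""
    buf = bytearray(memory)
    buf[offset:offset + SCHEDULE_LEN] = bytes(SCHEDULE_LEN)
    return bytes(buf)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test key
    img = make_memory_image(key, offset=900)
    print(find_aes128_keys(img))                       # one hit at offset 900
    print(find_aes128_keys(wipe_schedule(img, 900)))   # no hits
```

The scan exploits redundancy the implementation put in memory, not any weakness in Rijndael: the same search works for any cipher whose expanded key sits in RAM with a checkable structure, and real tools extend it to tolerate the bit decay of a cold-booted DIMM. Keeping the schedule out of ordinary RAM (hardware key storage, CPU-register-resident keys) or zeroing it on dismount is what defeats it.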
Totally correct. No need to lose countenance.
But if you're a user of whatever disk encryption software and that thing is hacked on your very machine, you won't feel much better if you knew that the cipher per se was secure.
Well, your attempts to analyze the cipher appear to be at a very early stage. You will certainly soon recognize a number of differences between a cipher with features that make the algorithm very dynamic and ciphers like Rijndael with a constant and comparably tiny crypto context.
Because ESTREAM is a project to find a stream cipher. AES/Rijndael is not a stream cipher. Perhaps you should go read and learn the differences in block ciphers and stream ciphers and their different usage scenarios. ESTREAM was formed because none of the stream ciphers submitted to NESSIE were acceptable. However, here is a list of the block ciphers NESSIE approves:
As you can see, this same project you claim rejected AES, actually approved it.
You could throw every computer in the world at AES-128 and it wouldn't be cracked before the sun burned out.
Because they know that most people, like yourself, are ignorant of how cryptography works, so they recommend industry standards instead of asking you to use the cipher little Johnny made for his science fair entry.
.. but it can - like any other block cipher - be used as one:
So there are even more folks out there who love to have more choice! "4" happens to be the power of 2, which could prove to be practical.
Thanks for the info!
The German experts in WWII tried to be more diplomatic when they were asked why all the submarines were sunk one after the other. Their cipher was "so unbreakable". Decades later, DES was also known to be totally secure.
History tends to repeat itself ...
I do agree choice is good!! However arguing about DES is pointless. DES was developed behind closed doors and was shrouded in NSA secrecy. AES was developed in the open and has been public ever since it was conceived.
I've said this many times: Why would the NSA/3-letter agency/etc backdoor a perfectly good algorithm when all they have to do is use one of many, many side channel attacks?
These attacks aren't practical for the average person, but the government agencies have the financial backing for them (think TEMPEST).
Also, really, if the NSA wants your data they can always rely on rubber-hose cryptanalysis. No need for backdoors, just target the weakest link (YOU).
See, now the NSA/Gov can use AES and not worry about backdoors/weaknesses and still get what they want.
Really, if they are motivated enough they will use TEMPEST or another side channel and get around any encryption including PMC, since it merely "reads" the screen and "projects" it to them. So unless you surround yourself in a steel room with 4 ft walls and RFID/EM blocking paint for added measure, they can see what's on your screen if they are after you.
This is where I actually agree with you. Even people like Adi Shamir and Ron Rivest have said they think NIST should have approved more than one block cipher in the case of future breakthroughs in cryptanalysis. I think the European version of NIST (NESSIE) has the right idea in "approving" more than one cipher/hash. However, I can see the reason why NIST only approves one (because it makes implementation easier if everyone is following the same model -- and implementation errors are FAR more likely to break the crypto than the algorithm itself). Not saying I agree, but I can see both sides.
DES still has not been broken through cryptanalysis, even after 30+ years of trying. The best anyone can do is brute-force. Sure, brute force works well because the DES key is short by today's computing standards. But as far as cryptanalysis goes, the best attacks against full round DES require an ungodly amount of chosen plaintexts, so they're not practical. Indeed, the NSA helped make DES immune to differential cryptanalysis 20 years before the attack was discovered by academia. This is why most of the AES candidates used a design similar to DES (Feistel structure). Their reasoning was that it was the most studied and understood structure in all of cryptography and thus likely to resist all known attacks. It turns out the winner (Rijndael) was one of the few that did not use a DES-like structure.
Not really true. DES was designed by IBM and IBM alone (it was actually named Lucifer at the time). However, when the competition got started, NSA approached IBM to help them with the design. Many people were highly suspicious of NSA and their involvement (Martin Hellman of Diffie-Hellman fame was one). So the NSA tweaked the cipher's S-boxes and did not explain why they were doing it. Of course, it made lots of people suspicious and there was even a Senate hearing on the whole matter.
So fast forward to the early 90's. Differential cryptanalysis was discovered by academia and they found that the tweaks NSA made to DES actually improved its strength against this very attack! NSA had known about this attack in the 70's. IBM knew about it as well but was told by NSA not to reveal it. So after all the years of speculation about what exactly was the purpose behind NSA's changes, we found out that they actually were genuinely making the cipher stronger. They couldn't say why they were doing what they were doing at the time. But now the cat's out of the bag, and we know their changes improved the design. Several old NSA cryptologists have come forward in recent years and have said "When we got involved, we agreed internally that if we did help, we were genuinely going to help. We had no ill intentions whatsoever."
I find this story quite amazing really. It must have been really difficult to be an NSA cryptologist back then. You want to tell everyone what you're doing and why because you love your field and want to share knowledge. But you can't because your bosses would get really angry and likely find a way to put you in jail. As Bruce Schneier says "When NSA released SKIPJACK, it was like looking at alien technology." (SKIPJACK was the cipher NSA designed completely internally for use in the Clipper chip). It turns out that SKIPJACK has just enough security (but not more) to resist every form of attack academia knows about. Within a month after it was released Shamir and company produced an attack on all but the last round, which implies NSA knew exactly how many rounds it needed to resist such attacks. I guess the question that should be asked is "what other attacks does NSA know about that academia doesn't?"
Perhaps. You might think it is safe and that it will NEVER be broken,
or that your data is always safe in every software that uses AES.
You may call me 'ignorant'; I don't think that is friendly. I would not call people who think differently 'ignorant'; anyone can make mistakes:
- Einstein himself wrongly thought that black holes would not form.
- Aristotle thought that the idea of atoms was absurd.
- Isaac Newton ==> alchemy
Again, I have never claimed to be an expert, but I think it is unwise to bet on one horse.
And encryption doesn't have to be broken to decrypt a file/container.
Brute forcing might work in a lot of cases, see a tool like this:
If you are using one of the million most used passwords, how long would it take, do you think?
Perhaps I am not a specialist in encryption ciphers, but I sure know what kind of passwords most people use.
And I can tell you these are not 40-character passwords.
And what about top500.org or the supercomputers in China or in other countries/government agencies??
So the question is not as simple as "can the cipher be broken?",
more important is: "can encrypted data be decrypted?"
That is why I am looking at other ciphers and thus other encryption software.
I am convinced that if I encrypt a file with one piece of software (first encryption algorithm) and then again use another file encryption with a second algorithm this must be safer.
Just as simple as: Zip a file and RAR the zipfile after that.
Although some find this too complicated, I can handle that, and I am convinced more people can.
This brings us back on topic: is the "polymorphic cipher" and encryption safe to use?
After that Berndroellgen even handed over the sources of his software,
but there was never a report on the software being safe or not.
X942, just a simple question, can you give us an update on what you found up to now, and if you don't find anything wrong with it, can or will you ever say so?
Because in general I think it is easier to say what is wrong with something if you found errors
than to say there is nothing wrong with it, with the chance of having overlooked something.
Which brings back the repeated logical question of: Who cares?
See the title of the thread.
If you don't care..... why are you here?
If you are interested in alternative encryption, you care, and if not, you don't.
Typically the style in this forum is extremely hard. But after thinking for a considerable amount of time about chronomatic's post I have the feeling that his post contains authentic information. It's pretty likely that, in spite of the conflict of interest of people working in certain organizations, a relatively good result is yielded. Things are rarely black and white and human beings by far tend to do more good than bad.
Maybe it's a bit early, but there might already exist some findings. You'll certainly have recognized the Feistel structure and the dynamically changing round functions (function pointer/delegates), as well as the huge internal state of the cipher.
If you read this:
And the fact that this computer power is mostly used for cryptanalysis,
which encryption algorithm and encryption software will they encounter in most cases?
Will it, in general, be easier for them or harder if more kinds of encryption software and more encryption ciphers are used? Or a combination or cascade of them? Remember there is a hard link between ciphers and software.
In this case, this is all well known, but I think some encryption software users are naive to think that the NSA is the only organization, or worse, the US is the only country, that is building these kinds of data centers, or that they are always the most effective.
Just think about the countries that have been behind some recent, major hack incidents.
Using the same encryption software and/or cipher over and over again
will make it easier for malware writers as well.
And there are lots of specialized malware writers out there; they produce some 70 thousand new ones a day
at the moment. Rootkits, Trojans and more kinds than ever, which are getting more and more technically advanced and difficult to fight each day.
Every update is welcome!
This part is true to a small degree but then...
This is where I lost you, what does this have to do with AES encryption cracking?
I believe you are confusing encryption ciphers and software code.
Wow! I didn't know about that! ".. 65-megawatt power demand .." is massive! A parallel code breaker for 128 bit AES should be able to try (roughly) 2^56 key combinations per second or 72 bit in one day. Keyphrases with up to 12 alphanumeric characters (6 bit *12 = 72 bit) are thus within reach - assuming that no practical attack against the cipher itself exists.
But then, of course, the investment only makes sense if everybody was using AES (as it is pretty certain that dedicated hardware is being used rather than universal computers).
Let's be conservative and assume this machine will be capable of 1 exaflop per second (it's not that fast, it's more likely in the range of 15-20 petaflops as the anonymous NSA official said). Let's further assume each floating point operation is capable of trying one AES key (in reality this won't happen, but it makes the calculation easier). If the AES key was only 64 bits, this machine would break it in 9 seconds on average. However, 64 bits is nowhere near 128 bits. In order to break a 128 bit key, the machine would need 5.3 trillion years on average. That is much longer than the age of the universe. In order to break a 256 bit key, it would need 10^51 years on average. This number is so large, there isn't really a name for it as far as I know.
However, the above calculations only hold if we assume they haven't found an attack which reduces the time complexity of AES significantly. Let's assume they have found a cryptanalytic attack which brings the time complexity of the full 10 rounds of AES-128 down to 80 bits (that would be a very huge breakthrough, but I guess it's possible for NSA and their hundreds of mathematicians). If the key were 80 bits, this machine could break it in 7 days on average, which seems reasonable for a high value message. So, in order for this machine to be practical, NSA would need a huge cryptanalytic break on AES. I seriously doubt they have a break this magnificent -- at least not one that is practical, such as a ciphertext-only attack, which are kind of the holy grail of attacks.
My opinion is that NSA probably has better attacks against AES than what the academic community does, but not by a large enough stretch that would make it practical to break. The academic community's strength are block ciphers and I don't think they are *that* far behind NSA in that specific field. The best attack the academic community has against full round AES is the biclique method which reduces AES-128 to AES-126.
All that said, if the NSA has indeed "made a huge breakthrough" as the now infamous Bamford report suggests, my guess is they have made some sort of factoring breakthrough on public-key crypto. Crypto systems are only as strong as the weakest link, and coming from a SIGINT perspective, if you were going to try to read encrypted messages you would naturally not go after the strongest link (AES), but the weaker (and more well studied) RSA/DH/Elgamal systems. Remember that the public-key is only used to encrypt the AES key. If you break the public-key, you automatically retrieve the AES key and can read the message.
What this breakthrough the official is referring to we don't know. It could just be that they are getting faster computers. It could be from the cryptanalysis side. It could be both. We don't know as he didn't specify. But my guess is they have found some more efficient way to break public-keys. I think they can probably break 1024 bit public-keys without a whole lot of work. NIST has already recommended everyone drop 1024 bit keys by 2010. It is now 2012, so you shouldn't be using them anyway.
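The brute-force arithmetic in the last few posts (the "2^56 keys per second covers 72 bits in a day" estimate, the exaflop-machine figures, and the earlier point that a weak password is searched long before the key is) can be checked and re-run with other assumptions. The following is an added example, not code from the thread or from any of the posters; the rates, the alphabet size and the KDF iteration counts are assumptions chosen to reproduce the posts' numbers, not measurements of any real machine.

```python
"""Added example (not from the thread): the brute-force cost model behind the
posts' numbers.  Every rate and password model here is an assumption."""
import math

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def expected_bruteforce_seconds(bits: float, keys_per_second: float) -> float:
    """Average time to find a uniformly random `bits`-bit key: half the space."""
    return 2 ** (bits - 1) / keys_per_second


def bits_searchable(keys_per_second: float, seconds: float) -> float:
    """Key-space size, in bits, that a given rate exhausts in `seconds`."""
    return math.log2(keys_per_second * seconds)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size^length.
    Real user passwords are far from uniform, so this is an upper bound."""
    return length * math.log2(alphabet_size)


def password_guess_seconds(candidates: float, guesses_per_second: float,
                           kdf_iterations: int = 1) -> float:
    """Average time to guess a password from a list of `candidates`.
    Each guess costs one key derivation, so a KDF with `kdf_iterations`
    divides the attacker's raw rate by that factor."""
    return candidates / 2 / (guesses_per_second / kdf_iterations)


def cost_table(key_sizes, keys_per_second: float) -> dict:
    """Expected years to brute-force each key size at the given rate."""
    return {b: expected_bruteforce_seconds(b, keys_per_second) / SECONDS_PER_YEAR
            for b in key_sizes}


if __name__ == "__main__":
    exaflop = 1e18  # assumed: one key trial per flop, as the post does
    for bits, years in cost_table((64, 80, 126, 128, 256), exaflop).items():
        print(f"{bits:3d}-bit key at 1e18 keys/s: {years:.3g} years")
    # A 2^56 keys/s searcher (the earlier post's assumption) in one day:
    print(f"bits covered per day at 2^56/s: {bits_searchable(2**56, SECONDS_PER_DAY):.1f}")
    print(f"12 alphanumeric chars: {password_entropy_bits(12, 62):.1f} bits")
    # A password from a million-entry list, with and without a slow KDF
    # (1e9 guesses/s and 1e6 iterations are assumed figures):
    print(f"wordlist, no KDF: {password_guess_seconds(1e6, 1e9):.2g} s")
    print(f"wordlist, 1e6-iteration KDF: {password_guess_seconds(1e6, 1e9, 10**6):.0f} s")
```

Two things the table makes visible that the prose only asserts: the biclique result (128 bits down to about 126) buys a factor of four, which on the same scale is nothing, and the password column, not the key column, is where a realistic attacker works. The key derivation cost is the one lever the software, rather than the cipher, controls: it multiplies the attacker's cost per guess without touching AES at all.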