Cryptography Forum: Are key files better than passwords?...

Mateusz Stankiewicz...
Posted: Mon Jun 29, 2009 8:35 am

Dimona writes:
[quote]Would a combination of three ciphers (maximum allowed by Truecrypt) be
better than two?
[/quote]
I think that the answer above your post is also valid for this question. In
my opinion it would be much slower but I think it wouldn't matter for
storing data for a very long time.
Let's say that we use three ciphers each with a separate 128-bit key which
gives us 384 bits. Quite unbreakable by brute-forcing but why use three
ciphers? Is one not enough?

Kristian Gjøsteen...
Posted: Fri Jul 03, 2009 1:10 am

Joseph Ashwood <ashwood at (no spam) msn.com> wrote:
[quote]Actually I can safely say that 256-bit AES did not remain unbroken for even
50 hours from my statement, let alone 50 years.
[/quote]
As far as I can tell, AES-256 is "broken" in the sense that it does not
behave like an ideal cipher. This is interesting, because as far as I've
understood, this was essentially one of the design goals. It is not broken
in the sense that it can be distinguished from pseudo-random permutations.
And for most practical applications, we only need AES to look like a
pseudo-random permutation.
--
Kristian Gjøsteen

Tom St Denis...
Posted: Fri Jul 03, 2009 2:26 am

On Jul 3, 6:06 am, "Joseph Ashwood" <ashw... at (no spam) msn.com> wrote:
[quote]"Jean-Marc Desperrier" <jmd... at (no spam) alussinan.org> wrote in message
news:h2kiq7$sp8$1 at (no spam) writer.imaginet.fr...
Joseph Ashwood wrote:
Looking back to the absolute state-of-the-art knowledge just 32 years
ago (DES and original RSA publication), very little of that safety
exists today.
I am using Truecrypt with the AES algorithm and Whirlpool for this.
The odds are VERY high that neither of those will last 50 years
I disagree with your consideration.
Actually I can safely say that 256-bit AES did not remain unbroken for even
50 hours from my statement, let alone 50 years. I didn't expect it to be so
fast, but it certainly proves my point that it was very unlikely that it
would survive for 50 years. It may still be secure enough, but it still did
not last 50 years before being broken.
Joe
[/quote]
This is a very selective interpretation though. It's broken in the
unlikely scenario that you
a) allow someone to encrypt/decrypt with 4 highly related keys
b) allow someone to send through 2^61 texts
c) have the memory and time to handle all this. Remember that with
large memories as time goes up the probability of failing to complete
the attack goes up as well.
d) Have 2^119 time to process the results.
If I send you a message encrypted with AES-256-CTR that is 1000 bytes
long, currently there is no break [on the algorithm] faster than brute
force. At most, if people really cared [which I don't suggest they
should] they could replace the key schedule with something a bit more
secure.
Tom

Jean-Marc Desperrier...
Posted: Fri Jul 03, 2009 3:33 am

Joseph Ashwood wrote:
[quote]Looking back to the absolute state-of-the-art knowledge just 32 years
ago (DES and original RSA publication), very little of that safety
exists today.
I am using Truecrypt with the AES algorithm and Whirlpool for this.
The odds are VERY high that neither of those will last 50 years
[/quote]
I disagree with your consideration. If she had encrypted that text 35
years ago with the original Lucifer implementation with a 128-bit key,
it would still be secure today, under the reasonable scenario that the
attacker would not have available the number of "clear text"/"encrypted
text" pairs needed to use a differential attack on it.
If we have gained something during those years, it's a much better
understanding of the key size needed for long term cryptography, but
even back then, the weakest point of DES, the use of 56-bit keys, the
one that would be used if we were to break it today was a *deliberate*
weakening of the algorithm.
And for RSA, we're still using it today, and we'll still be using it 50
years after the publication, so the only problem is the proper choice of
key size.

Joseph Ashwood...
Posted: Fri Jul 03, 2009 4:06 am

"Jean-Marc Desperrier" <jmdesp at (no spam) alussinan.org> wrote in message
news:h2kiq7$sp8$1 at (no spam) writer.imaginet.fr...
[quote]Joseph Ashwood wrote:
Looking back to the absolute state-of-the-art knowledge just 32 years
ago (DES and original RSA publication), very little of that safety
exists today.
I am using Truecrypt with the AES algorithm and Whirlpool for this.
The odds are VERY high that neither of those will last 50 years
I disagree with your consideration.
[/quote]
Actually I can safely say that 256-bit AES did not remain unbroken for even
50 hours from my statement, let alone 50 years. I didn't expect it to be so
fast, but it certainly proves my point that it was very unlikely that it
would survive for 50 years. It may still be secure enough, but it still did
not last 50 years before being broken.
Joe

Jean-Marc Desperrier...
Posted: Fri Jul 03, 2009 7:49 am

Joseph Ashwood wrote:
[quote]Actually I can safely say that 256-bit AES did not remain unbroken for
even 50 hours from my statement, let alone 50 years.
[/quote]
https://cryptolux.org/mediawiki/uploads/1/1a/Aes-192-256.pdf
« both our attacks are still mainly of theoretical
interest and do not present a threat to practical applications using AES. »
[quote]It may still be secure enough, but it still did not last 50 years before being broken.
[/quote]
My response was very clearly oriented toward practical, and not
theoretical attacks.

Joseph Ashwood...
Posted: Fri Jul 03, 2009 9:20 pm

"Kristian Gjøsteen" <kristiag+news at (no spam) math.ntnu.no> wrote in message
news:h2kouc$v1u$1 at (no spam) orkan.itea.ntnu.no...
"Tom St Denis" <tom at (no spam) iahu.ca> wrote in message
news:85e57b7d-00a4-49bb-a3b0-495974234008 at (no spam) l31g2000yqb.googlegroups.com...
"Jean-Marc Desperrier" <jmdesp at (no spam) alussinan.org> wrote in message
news:h2l1qm$3i2$1 at (no spam) writer.imaginet.fr...
[quote][it's theoretical, requires extra assumptions, etc]
[/quote]
Yes, the new attack is theoretical for now, but it is still now weaker than
128-bit AES. This does not affect the fact that 256-bit AES now cannot be
considered as secure for 50 years, a week ago it could be speculated, today
it is known to not be enough. We can debate all day about whether or not
2^119 is sufficient for today's needs, or if the extra needs of the attack
are sufficient to ignore the reality, but the general recommendations are
that the equivalent of a 119 bit key is only good until 2030 to 2040, well
before the 2059 target, and it is below the current recommendations for
security (generally 128-bit).
Based on the overwhelming evidence, I conclude that for new implementations
it should be considered broken. It does not need to be removed from current
implementations, but it did not last even 50 hours from my referenced
comment.
Joe

Andrew Swallow...
Posted: Sun Jul 05, 2009 2:43 pm

Tom St Denis wrote:
[quote]On Jul 3, 6:06 am, "Joseph Ashwood" <ashw... at (no spam) msn.com> wrote:
"Jean-Marc Desperrier" <jmd... at (no spam) alussinan.org> wrote in message
news:h2kiq7$sp8$1 at (no spam) writer.imaginet.fr...
Joseph Ashwood wrote:
Looking back to the absolute state-of-the-art knowledge just 32 years
ago (DES and original RSA publication), very little of that safety
exists today.
I am using Truecrypt with the AES algorithm and Whirlpool for this.
The odds are VERY high that neither of those will last 50 years
I disagree with your consideration.
Actually I can safely say that 256-bit AES did not remain unbroken for even
50 hours from my statement, let alone 50 years. I didn't expect it to be so
fast, but it certainly proves my point that it was very unlikely that it
would survive for 50 years. It may still be secure enough, but it still did
not last 50 years before being broken.
Joe
This is a very selective interpretation though. It's broken in the
unlikely scenario that you
a) allow someone to encrypt/decrypt with 4 highly related keys
b) allow someone to send through 2^61 texts
c) have the memory and time to handle all this. Remember that with
large memories as time goes up the probability of failing to complete
the attack goes up as well.
d) Have 2^119 time to process the results.
If I send you a message encrypted with AES-256-CTR that is 1000 bytes
long, currently there is no break [on the algorithm] faster than brute
force. At most, if people really cared [which I don't suggest they
should] they could replace the key schedule with something a bit more
secure.
Tom
[/quote]
119 bits of password is insufficient to protect US (and British)
Government TOP SECRET military and diplomatic messages.
There is no evidence that existing messages have been
compromised.
AES-256 is probably still adequate for SECRET messages.
Over the next couple of years the National Security Agency needs to
a) officially strip AES-256 of its TOP SECRET authorisation and
b) develop a replacement. (Possibly by competition.)
DES was replaced by 3DES. As a temporary measure can
3AES-256 be used?
Andrew Swallow

Paul Rubin...
Posted: Sun Jul 05, 2009 2:54 pm

Andrew Swallow <am.swallow at (no spam) btinternet.com> writes:
[quote]DES was replaced by 3DES. As a temporary measure can 3AES-256 be used?
[/quote]
Huh? This AES attack is a related-key attack. Sensible crypto
applications use random keys, not related keys. Has any even
certificational weakness been found in AES as a pseudorandom
permutation, assuming the keys are random?
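
Added example, not part of any post in this thread: the distinction drawn above between random and related keys, shown in Python. It compares four keys that differ from one another by known XOR masks with four keys derived from the same master through HKDF (RFC 5869); the masks, labels and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA-256: extract a PRK, then expand it."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA-256 output is limited to 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def related_keys(master: bytes, deltas: list[bytes]) -> list[bytes]:
    """Anti-pattern: keys that differ from the master by known XOR masks."""
    return [xor(master, d) for d in deltas]


def independent_keys(master: bytes, labels: list[bytes], salt: bytes) -> list[bytes]:
    """One HKDF output per label; no known XOR relation links the results."""
    return [hkdf_sha256(master, salt, label) for label in labels]


def key_differences(keys: list[bytes]) -> list[bytes]:
    """XOR difference of every key against the first one."""
    return [xor(keys[0], k) for k in keys[1:]]


# Constructed sample input: a random 256-bit master key, four counter-style
# masks (the related-key case) and four hypothetical per-session labels.
MASTER = secrets.token_bytes(32)
DELTAS = [n.to_bytes(32, "big") for n in range(4)]
LABELS = [b"session-0", b"session-1", b"session-2", b"session-3"]

if __name__ == "__main__":
    for d in key_differences(related_keys(MASTER, DELTAS)):
        print("related     ", d.hex())  # the differences are exactly the known masks
    for d in key_differences(independent_keys(MASTER, LABELS, salt=b"")):
        print("hkdf-derived", d.hex())  # the differences change with the master key
```

In the first family the key differences are known without knowing the master key, which is the kind of relation a related-key attack assumes; in the second they are unpredictable as long as HMAC-SHA-256 behaves as a pseudorandom function.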

Maaartin...
Posted: Mon Jul 06, 2009 3:06 am

On Jul 4, 5:20 am, "Joseph Ashwood" <ashw... at (no spam) msn.com> wrote:
[quote]Yes, the new attack is theoretical for now, but it is still now weaker than
128-bit AES.
[/quote]
Is it? I don't know, it is applicable only under some very special
conditions. AES128 has no such weakness, but in general I'd suppose
AES256 to be still stronger (when used properly). Am I right?

Kristian Gjøsteen...
Posted: Mon Jul 06, 2009 12:11 pm

Joseph Ashwood <ashwood at (no spam) msn.com> wrote:
[quote]"Kristian Gjøsteen" <kristiag+news at (no spam) math.ntnu.no> wrote in message
news:h2kouc$v1u$1 at (no spam) orkan.itea.ntnu.no...
[it's theoretical, requires extra assumptions, etc]
[/quote]
In general, you'll be better off if you actually read what I write.
[snip nonsense response]
--
Kristian Gjøsteen