Re: Newbies: part duex

From: Ben Mord (benmord_at_earthlink.net)
Date: 09/17/03


Date: Tue, 16 Sep 2003 22:17:40 -0400

M.S. Bob wrote:
> On 16 Sep 2003 09:54:41 -0700, jonathanrbaker@yahoo.com (Jonathan
> Baker) wrote:
>
>>Do previously determined weak encryption schemes (are there links to
>>already broken schemes showing what is wrong with them?) have
>>fingerprints?

Yes. For example, Handbook of Applied Cryptography (at least the one
published by Alfred Menezes, Paul van Oorschot, and Scott Vanstone,
perhaps also the other book by the same name written by Bruce Schneier)
discusses historical ciphers and how they are defeated. I believe the
first one, published by CRC Press, might be available online.

>
>
> Yes, sometimes, but not a lot is done in the (open cryptography) area
> of identifying unknown encryption algorithms.
>
>
>>Assuming weak schemes have "fingerprints" would it be worth a
>>developer's time to make a program that encrypts with one scheme, and
>>then mutates the result to look like another program's output to
>>confuse those who would try to attack the ciphertext using methods
>>that only work against the weaker program...
>
>
> No, serious security professionals don't try to base their security on
> "security by obscurity". It fails far too often in real life.

Yes.

Suppose you base your security on obscurity. What happens then when
somebody leaks information about your encryption algorithm? Are you to
then distribute entirely new software to all users with some new obscure
algorithm? Think how much engineering effort must be wasted every time
the details of your algorithm are leaked. Think how impossible it would
be to keep an algorithm secret if the software that contains it is to be
used by many people.

Wouldn't it be nice if you could just design a whole range of these
algorithms in advance, and identify which one of these you are using by
some magic (secret) number? All algorithms in this set would look
exactly alike to the outsider, so if someone ever did somehow figure out
which one of this large class of algorithms you were using, you could
just distribute a new secret number identifying a different one of these
algorithms. Then, you'd only have to engineer this class of algorithms
once. You could put more effort into it to make it more secure, you
could even subject the class of algorithms to peer review to increase
confidence, because you aren't requiring that the set of algorithms be
secret - only which particular member of this set is in use at a given
time. If that magic number is ever compromised (the one that identifies
which member of this set is in use), all you need to redistribute is a
new magic number, and no re-engineering is needed. What should we call
this magic identifier? How about, a key?

That's the direction that public cryptography has gone. A field of
cryptography developed by the public must be, well, public. If the
algorithms had to be secret, then there would be no way to develop and
use them in a public forum. If algorithms had to be kept secret, then
almost nobody could use them before their popularity would render them
insecure. The secret protecting the communications of the sender and
receiver is thus condensed to a single small number - the key.

Attempts to disguise the algorithm in use are not taken seriously in the
public field of cryptography partly because such strategies, by
definition, cannot be public.

Ben
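
An added example, not part of the original post or the work of anyone in the thread: it measures one statistical "fingerprint" of the kind the question asks about (the index of coincidence), comparing a byte-wise substitution with a public algorithm that is keyed by a secret, before and after the key is replaced. The function names, sample text and keys are constructed for illustration, and the SHAKE-256 keystream is an assumed stand-in for a vetted cipher.

```python
import hashlib
from collections import Counter

def index_of_coincidence(data: bytes) -> float:
    """Probability that two bytes drawn at random from data are equal."""
    n = len(data)
    pairs = sum(c * (c - 1) for c in Counter(data).values())
    return pairs / (n * (n - 1))

def substitution_encrypt(plaintext: bytes, shift: int) -> bytes:
    """Weak scheme: each byte value always maps to the same substitute."""
    return bytes((b + shift) % 256 for b in plaintext)

def keyed_stream_xor(data: bytes, key: bytes) -> bytes:
    """Public algorithm, secret key: XOR with a SHAKE-256 keystream.
    Illustration only; a real system uses a reviewed cipher with a
    per-message nonce and authentication."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample plaintext (not taken from the thread's data).
PLAINTEXT = (b"attempts to disguise the algorithm in use do not remove "
             b"the statistics that a weak cipher leaves in its output ") * 8

OLD_KEY = bytes(range(32))        # constructed; treat as leaked
NEW_KEY = bytes(range(32, 64))    # constructed replacement, same code

def report() -> dict:
    """Index of coincidence for each scheme, plus the uniform baseline."""
    weak = substitution_encrypt(PLAINTEXT, 13)
    return {
        "plaintext": index_of_coincidence(PLAINTEXT),
        "substitution": index_of_coincidence(weak),
        "keyed_old": index_of_coincidence(keyed_stream_xor(PLAINTEXT, OLD_KEY)),
        "keyed_new": index_of_coincidence(keyed_stream_xor(PLAINTEXT, NEW_KEY)),
        "uniform": 1 / 256,
    }

if __name__ == "__main__":
    for name, ic in report().items():
        print(f"{name:12s} {ic:.4f}")
```

The substitution output carries exactly the plaintext's index of coincidence, while the keyed output stays near the uniform baseline under either key, and the only thing replaced after the leak is the 32-byte key.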


