Re: My little something...



Tom St Denis wrote:

Peter Fairbrother wrote:
Tom St Denis wrote:

>>> Look at Differential or Linear cryptanalysis.
>>> Suppose you used Khafre+Khufu as your ciphers. DC broke both of them.
>>> It's entirely possible to chain an attack through both and recover the
>>> key.

>> It is? Any idea of the complexity of eg a chosen plaintext key recovery
>> attack on the 16-round versions using independent keys?

> I said possible, not that it exists.

>> I'd guesstimate a conservative minimum of 2^90 time with as many chosen
>> plaintexts. I think it might be a whole lot more. I haven't time to do a
>> real analysis though, any ref's?

> See Biham's papers from the 90s.

That's what I based the estimate on, I lay awake for some time last night
trying to work it out. I actually think it is far too low, and the time
complexity is probably more than 2^512, making the attack worse than
mitm+brute force - and therefore not an effective attack.

Assuming I am in the correct ballpark, Khufu or Khafre individually would in
practice have been broken by DC attack, especially Khafre, and both fall to
simple and practical boomerang attacks. But the combination doesn't.

What can we learn from that? That in this historic example, chosen by you,
an attack that worked in practice on one cipher (actually both) didn't work
on a combo - and yet you still think using combos is not worthwhile?


> We could go back and forth on this all day. The problem is though that
> we're both effectively talking about something we don't know about.
> That is, future unknown attacks.

Yes. But can we take some precautions to defend against them, and would they
have some reasonable chance of success? I think the answer to both is "yes",
and history seems to agree with me, while you just sit with your head in
your "proper crypto design methodology is like this" space, and no other
method is useful or secure.

I tend to take a defense-in-depth approach, so if one layer fails the whole
remains secure - and my first layer is almost exactly the same as your
whole, I use the normal design philosophies, just I go several steps
further.

Assuming we are otherwise equally skilled, which of us is protecting their
clients better?

> And when it comes down to it, you're more likely to need security from
> the average crook with a home PC than from the NSA. Despite what you
> may think, the government is not out to get you [at least not
> personally, it's been my experience any organized mob, er, government
> indiscriminately screws people].

I have never said they were interested in my puny secrets. I said that they
would be interested in my clients' secrets.

[]This is an undeniable fact[]

It is real-world crypto, with a real-world role. The government here is
bringing in a law that allows a Policeman to demand keys and/or plaintext,
with no Court oversight, and you go to jail if you refuse to comply.



m-o-o-t is designed to defeat attacks by demands for keys made by Policemen,
and it _will_ be attacked by Police forensic examiners, NCIS, CESG and
almost certainly by GCHQ (we tend to have four-letter agencies in the UK).

This is a real threat, not a wild guess or paranoia. If it doesn't withstand
attack by those sorts of people it is no good. m-o-o-t is designed mainly to
protect against such attacks, not just against attacks by people's kid
sisters or crooks with PCs.


The law will be applied, and people will use m-o-o-t to defend against it
because no other crypto suite or program is designed to defeat such an
attack, they simply don't work against it.

This of course leaves most normal crypto useless in the face of such a
demand / attack. Specialised crypto and security design can be used, it is
not difficult to work out how to defend against such attacks, although it is
extremely hard to implement.


ps m-o-o-t does use multiple encryption, but mostly in order to give
conditional access rather than to defend against future unknown
cryptanalytic or protocol attacks, that is just a side benefit.


--
Peter Fairbrother
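The thread argues about cascading two ciphers under independent keys as a defense-in-depth layer. The following is an added illustration, not code from the thread, from m-o-o-t, or from either poster. It uses two deliberately different stand-in "ciphers" built from the Python standard library (a counter-mode keystream from HMAC-SHA256 and one from keyed BLAKE2b), not Khufu or Khafre, and the keys, nonce and message are constructed for the example. It shows the correct cascade with independently generated keys, and the failure mode the independence requirement guards against: cascading the same XOR-based layer twice under the same key and nonce cancels out and returns the plaintext.

```python
"""Two-layer cascade encryption with independent keys (added example).

Layer 1 and layer 2 are stand-in stream ciphers (HMAC-SHA256 and keyed
BLAKE2b run in counter mode). They are placeholders for two structurally
different ciphers; the point is the keying discipline, not the primitives.
"""
import hashlib
import hmac
import secrets


def _keystream_hmac_sha256(key: bytes, nonce: bytes, length: int) -> bytes:
    """Layer-1 keystream: HMAC-SHA256 over nonce || 64-bit counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _keystream_blake2b(key: bytes, nonce: bytes, length: int) -> bytes:
    """Layer-2 keystream: keyed BLAKE2b over nonce || 64-bit counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.blake2b(nonce + counter.to_bytes(8, "big"), key=key, digest_size=64).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def layer1(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt (same operation) with the first stand-in cipher."""
    return _xor(data, _keystream_hmac_sha256(key, nonce, len(data)))


def layer2(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt (same operation) with the second stand-in cipher."""
    return _xor(data, _keystream_blake2b(key, nonce, len(data)))


def generate_independent_keys() -> tuple[bytes, bytes]:
    """Two keys drawn independently from the OS CSPRNG, never one derived
    from the other. Independence is what the cascade argument relies on."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


def cascade_encrypt(k1: bytes, k2: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Outer layer 2 over inner layer 1: c = L2(k2, L1(k1, p))."""
    return layer2(k2, nonce, layer1(k1, nonce, plaintext))


def cascade_decrypt(k1: bytes, k2: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Peel the layers in reverse order."""
    return layer1(k1, nonce, layer2(k2, nonce, ciphertext))


def naive_double_encrypt(k: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """The anti-pattern: the same XOR layer twice under the same key and
    nonce. The two keystreams are identical and cancel, so this returns
    the plaintext unchanged. This is the 'keys not independent' failure."""
    return layer1(k, nonce, layer1(k, nonce, plaintext))


def strip_outer_layer(k2: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """What an attacker holding only k2 can do: remove layer 2 and be left
    with the layer-1 ciphertext, which still depends on the unknown k1."""
    return layer2(k2, nonce, ciphertext)


if __name__ == "__main__":
    # Constructed demo inputs.
    k1, k2 = generate_independent_keys()
    nonce = secrets.token_bytes(16)
    msg = b"client file: keep from both the crook and the constable"
    ct = cascade_encrypt(k1, k2, nonce, msg)
    assert cascade_decrypt(k1, k2, nonce, ct) == msg
    assert naive_double_encrypt(k1, nonce, msg) == msg  # cancellation
    assert strip_outer_layer(k2, nonce, ct) != msg      # k2 alone is not enough
    print("cascade round-trips; same-key double encryption is a no-op")
```

A cascade of independently keyed layers is at least as strong as its strongest layer against the attacks that apply to the components; the `naive_double_encrypt` case shows why that guarantee disappears the moment the second key is a function of the first.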
