SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Security Use Requirements



    Ran,
    
    > At 15:20 07/02/01, Joshua Tseng wrote:
    > 
    > >It's often been said that the only thing worse than NO SECURITY
    > >is the ILLUSION of security.  
    > 
    > Some security keeps the kiddies away, no security doesn't.
    > I'd much rather have DES-CBC than nothing, because it visibly
    > increases the work function for the adversary.
    > 
    > >Single DES is known to be cracked.
    > 
    > That is a false statement.  It hasn't been cracked.  The best
    > attack known in the public literature is Biham-Shamir, which 
    > requires ~O(2^^56) operations and some non-trivial preconditions.  
    > There have been some specific brute-force attacks on DES that worked, 
    > but they weren't real-time attacks and required a significant amount 
    > of computational power.
    
    Yes, thank you.  Cracked is the wrong word.  Brute-forced is
    the term I meant to use.
    
    While we're on the topic of security, my source (Schnieder)
    indicates that in 1995, it takes 3.5 hrs average to brute-force
    single DES.  They also estimated that by 2000, the CPU power
    available would reduce that time to an average of 21 minutes. 
    On the other hand, with 128-bit keys (and 3DES has 168-bit keys) 
    would still require on the  10**17 years.
    
    This attack doesn't need to happen real-time.  All I need is
    a sniffer, and I could do all the attacks offline.  Once I have
    the key(s), all your data is mine.
    
    Regardless, your point is well taken.  Some encryption is better
    than nothing--in MOST cases.
    
    Josh
    > 
    > I'm not arguing against 3DES in preference to DES-CBC, but it 
    > is just wrong to claim either that DES-CBC is cracked or 
    > that running in the clear is better than running with DES-CBC
    > (assumes reasonable cryptographic authentication in all cases).
    > Note also that my comments are constrained to what is in the 
    > published literature...
    > 
    > Ran
    > rja@inet.org
    > 
    > 
    > 
    


Home

Last updated: Tue Sep 04 01:05:34 2001
6315 messages in chronological order