Question on encryption algorithms brittleness


Question on encryption algorithms brittleness

Ido Regev

We have a requirement from one of our customers regarding the encryption algorithms – "Make use of published public encryption algorithms that are considered to be practically unbroken. Contracting Authority considers an algorithm practically unbroken when a key can’t be recovered within 1 year with hardware costing less than 1,000,000 euro. We should have a life cycle process for the encryption algorithms in place to ensure the 1 year duration is kept despite the ever-increasing computing power. Describe the process."

We would greatly appreciate it if you could help us with this question.

Best regards,

Ido

This e-mail message is intended for the recipient only and contains information which is CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this transmission in error, please inform us by e-mail, phone or fax, and then delete the original and all copies thereof.


Re: Question on encryption algorithms brittleness

Matt Caswell (frodo@baggins.org)
This site would be a good place to start:

http://www.keylength.com/

Matt

On 6 March 2013 13:56, Ido Regev <[hidden email]> wrote:

We have a requirement from one of our customers regarding the encryption algorithms – "Make use of published public encryption algorithms that are considered to be practically unbroken. Contracting Authority considers an algorithm practically unbroken when a key can’t be recovered within 1 year with hardware costing less than 1,000,000 euro. We should have a life cycle process for the encryption algorithms in place to ensure the 1 year duration is kept despite the ever-increasing computing power. Describe the process."

We would greatly appreciate it if you could help us with this question.

Best regards,

Ido


Re: Question on encryption algorithms brittleness

Jason Gerfen-3
NIST has more details. http://csrc.nist.gov/publications/PubsFIPS.html See FIPS 200 (Minimum guidelines), FIPS 198-1 (HMAC), FIPS 197 (AES, symmetric algorithms) & FIPS 185 (PKI escrow)


On Wed, Mar 6, 2013 at 7:15 AM, Matt Caswell <[hidden email]> wrote:
This site would be a good place to start:

http://www.keylength.com/

Matt


--
Jason Gerfen
[hidden email]

http://www.github.com/jas-
http://dev.in-my-cloud.com/pow-mia
http://in-my-cloud.com
http://awesomealaskaadventures.com
http://phpdhcpadmin.sourceforge.net

RE: Question on encryption algorithms brittleness

Ido Regev

Hi,

 

I haven't found a reply to the specific question the customer is asking me.

Any other direction will be greatly appreciated.

 

Ido

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Jason Gerfen
Sent: Wednesday, March 06, 2013 4:29 PM
To: [hidden email]
Subject: Re: Question on encryption algorithms brittleness

 

NIST has more details. http://csrc.nist.gov/publications/PubsFIPS.html See FIPS 200 (Minimum guidelines), FIPS 198-1 (HMAC), FIPS 197 (AES, symmetric algorithms) & FIPS 185 (PKI escrow)

 


Re: Question on encryption algorithms brittleness

Ben Laurie-2
On 11 March 2013 11:09, Ido Regev <[hidden email]> wrote:
> Hi,
>
>
>
> I haven't found a reply to the specific question the customer is asking me.
>
> Any other direction will be greatly appreciated.

The problem is that the spec is rather vague - who knows what I might
invent as a custom build to break their particular encryption? It
seems to me to be impossible to predict such a thing, e.g. look at
Deep Crack (http://en.wikipedia.org/wiki/EFF_DES_cracker), which
turned out to be substantially cheaper than off-the-shelf computers,
or TWINKLE (http://en.wikipedia.org/wiki/TWINKLE), which no-one has
built yet, AFAIK.

For this to be actionable, it probably needs to specify the type of
thing one would spend the million euros on (e.g. commodity PCs).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

RE: Question on encryption algorithms brittleness

Green, Paul
In reply to this post by Ido Regev

Ido,

 

Perhaps you should hire Bruce Schneier or a similar expert. Or read his books, which cover this topic in depth and are quite understandable to any well-educated software engineer. Also, see his web site and blog for much useful information.

 

My own personal take is that these requirements, while perhaps well-motivated, are misguided and naïve. The whole point of periodically standardizing on new encryption algorithms is to compensate for the increase in computing power (on the one hand) and the increase in theoretical knowledge about weaknesses in existing encryption algorithms (on the other hand). There are many aspects to creating and maintaining the secrecy and integrity of encrypted data over time. In my opinion, the choice of an encryption algorithm, while important, is by no means the end of the design and implementation process.

 

I am also of the opinion that the clause that refers to the price of the key-breaking hardware should be ignored. Anyone can create a supercomputer now by simply using crowd-sourcing techniques on the public internet, at no (or at least low) cost. Frankly, in my opinion, you need an algorithm that will withstand a much more formidable attack than the customer has considered.

 

Also, nothing in these requirements speaks to performance. Since the speed of various public encryption algorithms can vary by at least two orders of magnitude, the choice of an appropriate algorithm must take performance into consideration.

 

As for keeping up with the expected improvements in knowledge and performance, the simple answer is that you can monitor the actions of the IETF, ISO, IEEE, NIST, and other standardization bodies. For knowledge about known risks, follow CERT or similar alerting organizations.

 

The safe answer is “go hire an expert”.

 

PG

 

 


RE: Question on encryption algorithms brittleness

Salz, Rich
In reply to this post by Ben Laurie-2
Find an unhappy employee and offer them a couple-hundred thousand Euro for their password.

The question/requirement as stated is unanswerable, and certainly not by the well-meaning volunteers who frequent this list.

        /r$
--  
Principal Security Engineer
Akamai Technology
Cambridge, MA


RE: Question on encryption algorithms brittleness

Yair Elharrar
In reply to this post by Ben Laurie-2
Ido,
I believe your customer is simply looking for a statement that you're only using modern public algorithms, with key sizes above 128 bit, and not some proprietary encryption.

Regarding the "life cycle process", you can refer the customer to ECRYPT's yearly report on key sizes, http://www.ecrypt.eu.org/documents/D.SPA.20.pdf - which takes hardware costs into account and claims 128-bit AES is considered safe for 30 years.
You can recommend that the customer follow the yearly reports; as soon as AES-128 is no longer considered safe, upgrade all keys to 256-bit.

Good luck.

________________________________________
From: [hidden email] [[hidden email]] on behalf of Ben Laurie [[hidden email]]
Sent: Monday, March 11, 2013 14:16
To: [hidden email]
Subject: Re: Question on encryption algorithms brittleness

On 11 March 2013 11:09, Ido Regev <[hidden email]> wrote:
> Hi,
>
>
>
> I haven't found a reply to the specific question the customer is asking me.
>
> Any other direction will be greatly appreciated.

The problem is that the spec is rather vague - who knows what I might
invent as a custom build to break their particular encryption? It
seems to me to be impossible to predict such a thing, e.g. look at
Deep Crack (http://en.wikipedia.org/wiki/EFF_DES_cracker), which
turned out to be substantially cheaper than off-the-shelf computers,
or TWINKLE (http://en.wikipedia.org/wiki/TWINKLE), which no-one has
built yet, AFAIK.

For this to be actionable, it probably needs to specify the type of
thing one would spend the million euros on (e.g. commodity PCs).


________________________________

This email and any files transmitted with it are confidential material. They are intended solely for the use of the designated individual or entity to whom they are addressed. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful.

If you have received this email in error please immediately notify the sender and delete or destroy any copy of this message
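
The customer's criterion, the yearly review Yair suggests and Ben's caveat about the hardware assumption can be put into numbers. This is an added example, not part of the original thread: the hardware efficiency figures, the 18-month doubling period, the five-year migration lead time and the inventory are constructed assumptions, and the model covers exhaustive key search only.

```python
"""Key-length review for the '1 year / 1,000,000 euro' criterion (added example)."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
BUDGET_EUR = 1_000_000   # from the customer requirement
WINDOW_YEARS = 1.0       # from the customer requirement

# ASSUMPTIONS (constructed figures, not measurements): key trials per second
# bought by one euro of hardware, and how fast that figure doubles.
COMMODITY = 1e6                # hypothetical commodity PCs
CUSTOM = COMMODITY * 1e6       # hypothetical purpose-built machine, 10^6 times better
DOUBLING_MONTHS = 18


def log2_trials(rate_per_euro, years_ahead=0.0):
    """log2 of the key trials the budget buys in one window, years_ahead from now."""
    now = rate_per_euro * BUDGET_EUR * WINDOW_YEARS * SECONDS_PER_YEAR
    return math.log2(now) + 12.0 * years_ahead / DOUBLING_MONTHS


def min_key_bits(rate_per_euro, years_ahead=0.0):
    """Smallest n whose average-case search (2**(n-1) trials) exceeds the budget."""
    return math.floor(log2_trials(rate_per_euro, years_ahead)) + 2


def margin_years(key_bits, rate_per_euro, attack_gain_bits=0.0):
    """Years until the criterion fails under the model; negative = fails today.

    attack_gain_bits is the strength lost to the best published attack
    (0 means exhaustive search is the best attack known).
    """
    headroom = (key_bits - attack_gain_bits - 1) - log2_trials(rate_per_euro)
    return headroom * DOUBLING_MONTHS / 12.0


def review(inventory, rate_per_euro, lead_years=5.0):
    """One yearly review: names to migrate before the criterion can fail.

    inventory holds (name, key_bits, attack_gain_bits); lead_years is the
    assumed time needed to roll out a replacement after the next review.
    """
    return [name for name, bits, gain in inventory
            if margin_years(bits, rate_per_euro, gain) < 1.0 + lead_years]


# Constructed inventory; attack_gain_bits is left at 0 (brute force only).
INVENTORY = [("DES", 56, 0), ("80-bit key", 80, 0),
             ("AES-128", 128, 0), ("AES-256", 256, 0)]

if __name__ == "__main__":
    for label, rate in (("commodity", COMMODITY), ("custom", CUSTOM)):
        print(f"{label:9s} min bits now={min_key_bits(rate)} "
              f"in 30y={min_key_bits(rate, 30)} "
              f"AES-128 margin={margin_years(128, rate):.0f}y "
              f"migrate={review(INVENTORY, rate)}")
```

A million-fold error in the hardware assumption moves the minimum key length by about 20 bits, which changes the verdict for an 80-bit key but not for AES-128. The model says nothing about cryptanalytic advances unless attack_gain_bits is updated from published results at each review.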

RE: Question on encryption algorithms brittleness

toorandom

AES 256 can be reduced a lot; I think your 128-bit AES recommendation is better.

On Mar 11, 2013 12:26 PM, "Yair Elharrar" <[hidden email]> wrote:
Ido,
I believe your customer is simply looking for a statement that you're only using modern public algorithms, with key sizes above 128 bit, and not some proprietary encryption.

Regarding the "life cycle process", you can refer the customer to ECRYPT's yearly report on key sizes, http://www.ecrypt.eu.org/documents/D.SPA.20.pdf - which takes hardware costs into account and claims 128-bit AES is considered safe for 30 years.
You can recommend that the customer follow the yearly reports; as soon as AES-128 is no longer considered safe, upgrade all keys to 256-bit.

Good luck.
