From: robichau@lambda.msfc.nasa.gov (Paul Robichaux)
Date: Wed, 7 Apr 93 08:59:02 PDT
To: cypherpunks@toad.com
Subject: PHRACK: my draft reply to the crypt article
Message-ID: <9304071558.AA12663@lambda.msfc.nasa.gov>
MIME-Version: 1.0
Content-Type: text/plain


Attached is a short rebuttal or reply to the PHRACK article I posted
last week. I'd appreciate comments and suggestions on how to improve
it- my knowledge is far behind Marc, Tim, Perry, and many of the
others on this list.

So, I got off my butt. Hopefully this will satisfy Doug :)

-Paul




My background: I've been into the scene for about 12 years. My day job
is writing unix s/w for a NASA contractor. My night job... well, never
mind that. I have a strong amateur interest in crypto, and I'd like to
share some of what people in the usenet/internet community have been
kind enough to teach me.

Racketeer sez:
>        If you think that the world of the Hackers is deeply shrouded with
>extreme prejudice, I bet you can't wait to talk with crypto-analysts.  These
>people are traditionally the biggest bunch of holes I've ever laid eyes on. In
>their mind, people have been debating the concepts of encryption since the 
>dawn of time, and if you come up with a totally new method of data encryption,
> -YOU ARE INSULTING EVERYONE WHO HAS EVER DONE ENCRYPTION-, mostly by saying 
>"Oh, I just came up with this idea for an encryption which might be the best
>one yet" when people have dedicated all their lives to designing and breaking
>encryption techniques -- so what makes you think you're so fucking bright?

One real reason for this reaction is that people _have_ been studying
encryption for 100 years or so. As a result, many simple cryptosystems
are continuallly being reinvented by people who haven't ever made even
a simple study of cryptosystems.

Imagine if someone came up to you and said "Wow! I just found a
totally K00L way to send fake mail! It's radical! No one's ever
thought of it before!"

You'd laugh, right? _Anyone_ can figure out how to forge mail.

Well, _anyone_ can come up with the n-th variation of the Vigniere or
substitution cipher.

An even more important reason for their 'tude is that cypherpunks are
suspicious by nature.  A key principle of crypto is that you can only
trust algorithms that have been made public and thoroughly picked
over. Without that public scrutiny, how can you trust it?

The feds' Digital Signature Standard (DSS) got raked in the crypto and
industry press because the feds wouldn't disclose details of the
algorithm. "How do we know it's secure?" the cypherpunks asked. "We
won't use it if we don't know it's secure!"

Point being: (for those of you who skipped over) cypherpunks trust NO
ONE when the subject is encryption algorithms. Maybe J. Random Hacker
has come up with a scheme faster and more secure than, say, RSA. If
JRH won't share the details, no one will use it.

Racketeer goes on to talk about DES. It's fairly clear that for a
known-ciphertext attack (i.e. you have a block of encoded text, but
neither the key nor the plaintext) will, at worst, require 2^56
decryption attempts. Various schemes for parallel machines and so
forth have been posted in sci.crypt. Does the NSA have something that
can crack DES? Probably.

My claim would be that cracking passwords is (at minimum)
order-of-magnitude faster than a known-ciphertext attack against a
"typically secure" ciphertext. By typically secure, I mean one
encrypted with DES in CBC mode (_not_ the more common and
easier-to-implement ECB mode) using a strong key (not a password of
"123", for example.)

Remember that DES is mostly used for short-lived session keys. ATMs
are a good example; they typically use a DES key for one communication
session with the central bank. New session, new key. DES is _not_ very
well suited for long-term encryption, since it can probably be
attacked in "reasonable" time by a determined, well-equipped opponent.

Now, on to PGP. Pretty Good Software was indeed threatened with a
lawsuit by Public Key Partners (PKP). PKP holds the patent on the RSA
public-key algorithm. (Many people, me included, don't think that the
patent would stand up in court; so far, no one's tried.)

The nice thing about PGP is that it offers IDEA and RSA in a single,
well-integrated package. When you encrypt a file, PGP generates an
IDEA session key, which is then encrypted with RSA. An opponent would
have to either a) exhaustively search the entire IDEA key space or b)
break RSA to decrypt the file without the password.

Racketeer also mentions that PGP can optionally compress files before
encryption. There's a solid crypto reason behind this, too. One
well-known and successful way to attack an encrypted file is to look
for patterns of repeated characters. Since the statistical frequencies
of word and letter use in English (and many other languages; some
folks have even compiled these statistics for Pascal & C!) are
well-known, comparing the file contents with a statistical profile can
give some insight into the file's contents.

By compressing files before encrypting them, PGP is moving the
redundancy out of the text and into the small dictionary of
compression symbols. You'd still have to decrypt the file before you
could do anything useful with that dictionary, or even to determine
that it _had_ a signature!

-- 
Paul Robichaux, KD4JZG                | May explode if disposed of improperly.
NTI Mission Software Development Div. | RIPEM key on request.