1996-01-22 - Re: The Lotus Position

Header Data

From: Herb Sutter <herbs@connobj.com>
To: cypherpunks@toad.com
Message Hash: 37292a30588fdb4ff9b577d8b8097c3e45bcd4358bddedd160b9053adbee8eeb
Message ID: <2.2.32.19960122012052.006d87c0@mail.interlog.com>
Reply To: N/A
UTC Datetime: 1996-01-22 02:08:53 UTC
Raw Date: Sun, 21 Jan 96 18:08:53 PST

Raw message

From: Herb Sutter <herbs@connobj.com>
Date: Sun, 21 Jan 96 18:08:53 PST
To: cypherpunks@toad.com
Subject: Re: The Lotus Position
Message-ID: <2.2.32.19960122012052.006d87c0@mail.interlog.com>
MIME-Version: 1.0
Content-Type: text/plain


At 23:17 01.19.1996 -0800, Timothy C. May wrote:
>Like many, I take it for granted that 40-bit RC4 can be broken for "small
>change." Moreover, my guess is that foreign traffic is routinely cracked if
>it is encrypted.

On Friday morning, Whit Diffie took five minutes to announce a report that
he and other big names (including Rivest, Wiener, etc.) produced a week or
two ago in Chicago.  The subject of the report was recommended minimum
symmetric key lengths... the paper should be published at http://www.bsa.org
(Whit threatened them if they didn't get it up by Monday morning<g>, but the
BSA site currently just says that they'll add a pointer to the report within
the next week).

To avoid keeping everyone in suspense, here's the basic result Diffie
announced: the world's leading cryptographers (outside the walls of the NSA)
agree that 75-bit keys are the minimum (I think this was for protecting
commercial communications).  To build in time-sensitivity, add one bit per
year... i.e. if the information needs to be kept secret for 20 years, use at
least 95 bits.

That said, talk to the NSA about 40-bit keys -- and to Lotus about its max.
64-bit keys, for that matter!  When he made the announcement on Wednesday
morning, Ray Ozzie (of Notes fame) knew he might get flak about keeping
Notes at 64 bits, so as soon as he mentioned it he added a phrase something
like (going from memory) 'but let's leave aside for now the question about
whether 64 bits is enough.'  Interesting comment in light of Diffie et al's
answer announced two days later. :-/

In answer to a question from the floor, Ozzie did say that yes, the
agreement reached with the NSA was scalable -- IOW, that you could use
128-bit keys and give the government 88 of them, instead of 64-and-give-24
-- but in retrospect I wonder whether keeping Notes at 64 bits was a
condition of the NSA deal.  I'm not normally a conspiracy theorist, but
considering that Ray was clearly aware that the 64-bitness was going to
raise eyebrows and still somehow didn't get around to simply strengthening
it...  well, it makes you wonder.

>And in a few years, 40-bit RC4 will be even more ludicrously weak.
>
>The Lotus position is untenable.

Hear hear... but unfortunately industry doesn't seem to "hear hear" well
enough yet, though they've been learning lately.  Instead of hammering
Markoff for his NYT articles, we should be thanking him that at least he's
helping to raise public awareness -- even if he does tend to overplay things.

Herb

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Herb Sutter (herbs@connobj.com)

Connected Object Solutions     2228 Urwin - Suite 102     voice 416-618-0184
http://www.connobj.com/      Oakville ON Canada L6L 2T2     fax 905-847-6019






Thread