
A few questions about Encryption

  • 12-02-2004 9:26pm
    #1
    Moderators, Computer Games Moderators Posts: 4,560 Mod ✭✭✭✭


    Just wondering a bit about encryption, how secure is it?

    I remember this time last year (in 2nd year maths) we discussed how prohibitively difficult (a good few years required) it would be to decrypt 512 bit encryption and even 256 & 128 bit.

    However I have since discussed it with a friend who is fairly well up on other computer related news and he believes that the U.S military would be capable of cracking such encryption in a number of minutes/hours.

    I must admit I know feck all about the topic, I think in order to decrypt something you need to factorise extremely large numbers, which is extremely difficult even using complex & powerful super computers.

    Was wondering if anyone has any info/thoughts or links to information about this.

    On another note, this all came about because we were discussing how an ISP could monitor users' information that is sent & received. Is this the case, if it is can it be used to press charges (as the RIAA would like when it comes to MP3s) or can it be used to prosecute people who distribute warez?

    I.e. is it legal to monitor data sent/received along leased internet connections and can any information gathered by this monitoring be used to send people to jail?

    I realise this is maybe not the best suited place for this thread, so please feel free to move it wherever you want.

    Thanks in advance.

    Ivan


Comments

  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by Ivan
    Just wondering a bit about encryption, how secure is it?

    How long is a piece of string?
    I remember this time last year (in 2nd year maths) we discussed how prohibitively difficult (a good few years required) it would be to decrypt 512 bit encryption and even 256 & 128 bit.
    I must admit I know feck all about the topic, I think in order to decrypt something you need to factorise extremely large numbers, which is extremely difficult even using complex & powerful super computers.

    Bitsizes don't mean very much unless you say which algorithm you're talking about.

    The second bit quoted there is related to RSA, which is an asymmetric algorithm (factoring large semi-primes being the known method to break that but I don't think it has been proved that it is the only method to break that), and keylengths of 128 or 256 would certainly not be good enough for RSA (in fact, RSA-576 was broken a little while ago, I posted a link to it on this forum a while back). A minimum of 1024 bits would have been recommended for RSA up to lately, with 2048 starting to become more recommended by some.

    For a good symmetric algorithm the security of the scheme should be directly proportional to the keysize. Breaks in the security of the strength of an algorithm often mean that the actual keyspace that must be searched is reduced by some number of bits, for example, so the advertised strength isn't the actual strength. In this case a key size of 128 bits is fine, although some will feel safer pushing that up to 256.
    However I have since discussed it with a friend who is fairly well up on other computer related news and he believes that the U.S military would be capable of cracking such encryption in a number of minutes/hours.

    *shrug*

    Maybe. I don't know. There's enough "evidence" out there to support either view of that. I have heard reliable anecdotal evidence (I'd normally say that those words make no sense when said in that order, so make what you will of them) that certain government security agencies have constructed very fast purpose built giant key cracking machines for certain algorithms, and that's hardly surprising. I think that if the US military are trying to read your data then they will probably not just attack the encryption algorithms you use.
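
The point in the post above, that a bit size means little without naming the algorithm, as an added example (not part of the original thread): a constructed 63-bit RSA modulus is factored with Pollard's rho and its private exponent rebuilt, and the step count is set beside the expected brute-force trials for a sound symmetric cipher with a 64-bit key. The primes, the message and all function names are assumptions chosen for illustration.

```python
import math

# Constructed toy key: two well-known primes giving a 63-bit RSA modulus.
P, Q = 2**31 - 1, 2**32 - 5
N, E = P * Q, 65537

def pollard_rho(n):
    """Return (non-trivial factor of n, number of steps taken)."""
    steps = 0
    for c in range(1, 20):                 # retry with a new polynomial if needed
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n            # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
            steps += 1
        if d != n:
            return d, steps
    raise ValueError("no factor found")

def recover_private_exponent(n, e):
    """Rebuild d from the public key alone by factoring n."""
    p, steps = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), steps

def compare(bits_symmetric=64):
    """Work to break the toy RSA key vs. a sound cipher of similar key length."""
    message = int.from_bytes(b"boards", "big")    # constructed plaintext
    ciphertext = pow(message, E, N)
    d, steps = recover_private_exponent(N, E)
    return {
        "rsa_modulus_bits": N.bit_length(),
        "rsa_steps": steps,
        "rsa_plaintext_recovered": pow(ciphertext, d, N) == message,
        "symmetric_expected_trials": 2 ** (bits_symmetric - 1),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The factoring cost grows with the square root of the smaller prime, while exhaustive key search grows with the full keyspace, which is why RSA needs moduli of 1024 bits and up where a good symmetric cipher is fine at 128.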


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,695 Mod ✭✭✭✭Capt'n Midnight


    I think that if the US military are trying to read your data then they will probably not just attack the encryption algorithms you use.

    In theory the NSA (why do I think this is a cover for the real organisation) could house gigantic lookup tables to speed up the process and could run multiple queries at the same time - so you aren't breaking passwords one at a time might take X days for a 50% chance of breaking one, but in their case they would have 50% of the passwords broken at that stage.

    AFAIK ISPs have to keep records of source and destination addresses - but aren't supposed to keep emails or traffic contents (grey area since our Gov't in the national interest wanted ISPs to keep all emails for three years !)

    BUT you mentioned Warez/MP3z/RIAA in which case encryption is a red herring. If you connected to a known IP rip off site and downloaded a few Gigabytes, it doesn't take a rocket scientist to figure out that on the basis of probability what you were doing. Especially if it can be shown that there was nothing legal of that size there. BTW: before you use the word circumstantial evidence, might I remind you that in many murder trials the lack of testimony from the victim means evidence about circumstances plays a large role. Means, Motive, Opportunity etc.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    wrt lookup tables, precomputed dictionary attacks don't seem relevant to the question.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,695 Mod ✭✭✭✭Capt'n Midnight


    The point being that if you are trying to crack multiple passwords (of the same strength and algorithm) then for many algorithms there are certain speed-ups; you don't have to calculate everything every time.

    Lookup tables would be most useful in the case of something like 128 bit WEP where the weakness in the algorithm means that for certain weak packets there are a lot less than 2^128 combinations.

    Re: Factorising big numbers - that's where the encryption method is based on Fermat's Little Theorem or similar. An extremely over-simplistic comparison would be a right angled triangle. If the data is the length of one side and the hypotenuse is the key then encrypted data would be length of the other side of the triangle. The key length would then be similar to the number of decimal places you use.

    If you are paranoid about encryption the simplest thing to do is to cross encrypt using different algorithms - that way if someone ever finds a speed up to cracking one of them they still have to get through the others.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    *sigh*


  • Registered Users Posts: 7,291 ✭✭✭jmcc


    Originally posted by Capt'n Midnight
    In theory the NSA (why do I think this is a cover for the real organisation) could house gigantic lookup tables to speed up the process and could run multiple queries at the same time - so you aren't breaking passwords one at a time might take X days for a 50% chance of breaking one, but in their case they would have 50% of the passwords broken at that stage.

    Huh? It may not be unlikely that NSA cryppies have developed a more elegant factoring algorithm. As for the commonly used encryption programs, some of them are encrypting files that would contain clearly identifiable plaintext cribs that could be used to speed up the attack. It is extremely inefficient to attack the passwords. Most of the work would be aimed at coming up with a general solution for the problem.

    Another problem with popular cryptography, as ecksor pointed out, is that the key size may not have any bearing on the algorithm used for the core of the encryption program itself. The key size may just be used for an input to a key generation algorithm that produces a 64 bit key for the main encryption algorithm.

    One of the main things about attacking an encrypted system is to reduce the problem from a Brute Force Attack to one where the resources can be used more wisely. There is quite a difference between reading about how crypto systems are broken and breaking crypto systems.

    I would not put too much trust in cross-encrypting. If the encryption is too hard to break, there are always those very effective approaches known as rubber hose and blackbag cryptanalysis. :)

    Companies could monitor data on a line in the interests of line quality. However using data to convict people would be iffy as there would have to be a clear chain of evidence and perhaps a warrant to monitor (and thus use the taps as evidence).

    For a good overview of crypto check out the library section on http://www.counterpane.com and http://www.schneier.com

    Regards...jmcc@nsa.ie

