Interrogate Crypto Luminary Bruce Schneier
Most people who have any involvement with or interest in cryptography have heard of Bruce Schneier. If you haven't, check his online biography, check the home page for his consulting company, Counterpane Systems, or learn about his seminal book on the subject, Applied Cryptography (assuming you haven't already read it). Our usual interview rules apply: one question per post; moderators select their favorites; editors choose 10-15 of the highest-moderated questions and send them to Bruce on Tuesday; Bruce's answers appear on Friday.
the future of crypto (Score:1)
bruce schneier question (Score:1)
Re:Quantum Crypto (Score:1)
I hope this clears things up a bit.
-Alec C.
Re:Why should we trust the entire world to Twofish (Score:1)
Not a Crypto genius.
How so? Please, tell us exactly where his grounding in the mathematics of crypto is deficient.
This guy is on the verge of landing the AES with TwoFish and you people have the nerve to tell him he doesn't know anything because he doesn't have a Ph.D.
If you actually had attended graduate school you would know how stupid your argument is.
Critical Issues (Score:1)
Re:"Password Safe" for the Palm (Score:1)
--Phil (If only there were more GPLed Pilot apps...)
Authentication without encryption (Score:1)
I understand that this provides an opportunity for strong message authentication codes which are less restricted by cryptographic export controls. As I recall you covering such schemes as HMAC in your book, I was wondering how important you think these codes might become, given that they conceivably might see wider distribution.

DOJ vs. Bernstein (Score:1)
-- rot13 my email address for the real thing
Consumer Crypto (Score:1)
Re:Digital signatures (Score:1)
Where's moderator access when you need it? (Score:1)
Re:Unsolved Problems (Score:1)
It is therefore not very interesting cryptographically.
Solitaire: Related Question (Score:1)
You mention in your explanation of the Solitaire system that, if confronted by the Secret Police, one would have to explain the presence of jokers shuffled into the deck. Are there any games of solitaire that do make use of (both of) the jokers?
Re:Quantum Computing (Score:1)
"hard" (as being np-complete or the like)
yet nor is it IMHO likely to be.
Regarding your question, I cannot say if there are "quantum hard" problems that could be used as a trapdoor or anything useful. But there are hard problems even for quantum computers. Hell, there are even UNcomputable problems
Large upsets (Score:1)
"Bugs are harder to cope with than features, because they are less well defined and less well designed."
cryptanalysis (Score:1)
Take a look on counterpane, there IS a cryptanalysis course there!
Development v. Adoption (Score:1)
Do you have any thoughts on projects such as FreeS/WAN [xs4all.nl] which are strategically aimed in that direction?
Proving in Court, Security in email: incompatible? (Score:1)
PKI can provide security, but without some third-party post-office/FedEx like entity which can track documents, this is not an alternative for many professionals who require receipt-like assuredness.
My question is, how do you combine security and provability?
"Password Safe" for the Palm (Score:1)
I could really use a utility like this -- although first, I have to save up enough quarters to get a Palm machine -- but even if I had source code, I wouldn't be able to distinguish a good security implementation from a bad one.
A crypto-quote challenge :-) (Score:1)
"MGWDD VCI YDDT C ODLWDM, FN MPX XN MGDV CWD JDCJ."
- EDZSCVFZ NWCZYQFZ
Sometimes I try my newspaper's crypto-quote - usually takes me 1/2 to 1 hr
I'm just wondering, ahem, if you can solve this one (and if you did, how long it took you & what combination of hardware/software you used)
Snake Oil (Score:1)
Recommended home security resources? (Score:1)
I've read before where you point out that cryptography != security, that is, you can't sprinkle the magic pixie dust of crypto over software and expect that the resulting system is therefore secure.
Now that everybody and their sister is connecting to the Internet, via dial-up or even 24x7 cable modem or DSL connections, what level of paranoia is appropriate, and where do you recommend beginning?
Re:Does the possibility exist... (Score:1)
[*] I Am Not An Expert
Re:Does the possibility exist... (Score:1)
Since the key is _random_ (and it has to be really random), you can get _anything_ out by changing the decryption key... So there's no way for an attacker to be sure they have guessed the right key when they get a message out that looks sensible.
IIRC, there are also ciphers for which breaking by means better than brute force would mean P != NP, but I don't remember the details on how they work.
Torrey (Azog)
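As an added illustration of the point made above about one-time pads (example code, not part of the original post), the Python below shows that with a truly random one-time key, every candidate plaintext of the same length corresponds to some key, so trying keys yields every possible message and confirms none of them. The sample messages are constructed for the demonstration; the `reuse_leak` function also shows the failure mode the poster alludes to, namely why the pad must be random and used only once.

```python
# Added example (not from the thread): one-time-pad perfect secrecy,
# and the key-reuse failure mode that breaks it.
import os


def otp_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a key of exactly the same length.

    Encryption and decryption are the same operation."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def key_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the key under which `ciphertext` decrypts to `candidate`.

    Every candidate of the right length has exactly one such key, and with a
    uniformly random pad each is as likely as the real one, so an exhaustive
    key search cannot tell the true plaintext from any other sensible one."""
    return otp_xor(ciphertext, candidate)


def reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """Why the pad must never be reused: with the same key, c1 XOR c2 equals
    m1 XOR m2, a value that no longer depends on the key at all."""
    return otp_xor(ciphertext1, ciphertext2)


def demo() -> bool:
    message = b"attack at dawn"            # constructed sample plaintext
    key = os.urandom(len(message))         # must be truly random, and used once
    ciphertext = otp_xor(message, key)
    assert otp_xor(ciphertext, key) == message

    decoy = b"retreat at ten"              # same length, equally plausible
    decoy_key = key_that_decrypts_to(ciphertext, decoy)
    return otp_xor(ciphertext, decoy_key) == decoy


if __name__ == "__main__":
    print("decoy key decrypts to decoy plaintext:", demo())
```

The decoy key is just as valid a pad as the real one, which is the whole content of the "you can get anything out" remark; the leak function shows that the guarantee evaporates the moment a pad is used twice.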
Re:keys IN the person? (Score:1)
Current use of TwoFish in SSH and GnuPG (Score:1)
I wonder however what you think about the recent inclusion of TwoFish in popular products like SSH and GnuPG. Isn't this against the standard procedure in the cryptography world that algorithms should be tested and analyzed extensively before they are trusted and used?
Re:Quantum Computing (Score:1)
To continue the question... as I understand it the impact of Quantum Computing is in its ability to factor immense numbers extremely quickly. Does all cryptography depend on factoring large numbers, or only a certain subset?
Anonymous Cash and Crypto Anarchy? (Score:1)
For a few years, back in the early nineties, we were being treated with a vision of the future in which all money would be anonymous tokens and monitoring commerce would become impossible. Tim May called this future "Crypto Anarchy."
Since you're still subscribed to one or two of the cypherpunks mailing lists, it appears as if you still consider this a possibility.
What effect do you see cryptography having on our wallets and on our financial institutions? Will anonymous commerce ever make it big?
Re:books (Score:1)
any business ideas? (Score:1)
The Next Big Thing (Score:1)
Add "some thing you have" (Score:1)
Here is an excerpt from their site:
The iButton(TM) is a 16mm computer chip armored in a stainless steel can. Let's start with the package. Because of this unique, durable package, up-to-date information can travel with a person or object. The steel button is rugged enough to withstand harsh outdoor environments; it is durable enough for a person to wear everyday on a digital accessory like a ring, key fob, wallet, watch, metal card or badge.
2. Java(TM)-powered cryptographic iButton. A microprocessor and high-speed arithmetic accelerator generate the large numbers needed to encrypt and decrypt information. The Java-powered iButton adds its complete cryptographic circuitry to a Java Virtual Machine (VM) that is Java Card(TM) 2.0-compliant, enabling the world's large pool of Java programmers to tap into powerful development tools to get an application up and running quickly. The Java-powered iButton's greatest promise lies in its capacity to interact with Internet applications to support strong remote authentication and remotely authorized financial transactions. In practical terms, that means you can jump into the age of electronic commerce with both feet: your messages are sent over the Internet scrambled and can only be unscrambled at the other end by someone with an authorized iButton. By establishing a means to transmit and protect user identity, the iButton becomes the user's digital credential.
Re:Digital signatures (Score:1)
Re:Quantum Computing (Score:1)
Regardless of whether or not a given cryptographic algorithm works with products of large primes (and thus would take a breakthrough in factoring such primes to defeat), most cryptography (that is cryptography based on algorithms and not on the security of the physical channel) relies on trapdoor one-way functions. These functions have keys. The keys are the special bits of information that allow you to reverse the one way function, something that would normally be very difficult. The value of quantum computing is the ability to try every key in parallel, rather than sequentially.
So quantum computing can apply to virtually any crypto system.
Re:Is IDEA still your favorite? (Score:1)
Have we won the War? (Score:1)
Have we the public and our commerce taken the lead in cryptography? Will it hold? Or is the scene much more serious, have gov'ts broken most all of our ciphers and no longer fear what was once the empowering act of encryption?
Gaining Experience (Score:1)
I am currently a student and am taking a graduate class in Data Security (AC has helped me more than I can say here). I am very interested in this field, and was wondering what you would recommend a young person like myself do in order to gain experience in the field. For example, NSA internship, working for a software company, research assistant, working for you
-Andrew
Trusted Hardware (Score:1)
Re:AES (Score:1)
In fact, if the cipher were key-size independent, then the manufacturers would be able to easily balance cost and security. Perhaps cell-phones only need 64 bit keys? (One popular system nowadays has 40 bit keys, but is severely broken, and can be cracked after 40 packets have been intercepted -- 1 second!) Not a problem. Better yet-- imagine phones with settable security (you want 128 bit security, then accept a lousy job of compression 'cause there's only so much this $2 CPU can do per packet)
So even if twofish isn't selected as AES, the fact that it has been very carefully and publicly scrutinized gives Counterpane an excellent leg up on the embedded market. Now all they have to do is figure out how to sell it, as it is free. (perhaps auditing implementations?)
Johan
Re:What is the danger of layering crypto systems? (Score:1)
I'm at a loss for seeing how that would occur.
Re:AES (Score:1)
Re:Does the possibility exist... (Score:1)
Symmetric ciphers are in NP, as you can verify the correctness of a guess in P time, once you have guessed it. So by proving it unbreakable (ie not in P), then you prove them different.
Mind you this says nothing about the converse; ie if we hypothesise that indeed P !=NP, this does not imply that your cipher isn't in P.
Johan
Effects of RSA's patent expiring. (Score:1)
Also, as it happens, I was investigating the interoperability of GnuPG with PGP and, therefore, had the occasion to download the latest free PGP (6.5.1, it appears) and that software does indeed recommend an algorithm other than RSA. This is one that, presumably, was patented well after RSA was or is patent pending now.
I have an interest, I've been waiting for The Patent to expire so that I can run certain pieces of software, and I was unsatisfied with the answers I saw on /., so I ask you: What will be the effect of the expiration of the RSA patent. In particular, are the people who currently license PGP going to be successful in moving people to a new algorithm? They seemed bound to try.
Kryptos sculpture (Score:1)
E-mail Security (Score:2)
How is the AES process going? (Score:2)
How is this process going?
What ciphers have been eliminated due to successful, critical attacks? (Successfully attacking a couple rounds worth of a Feistel-like cipher obviously being less critical than providing cryptanalysis for "all 16"...)
Cryptography vs. Cryptographers (Score:2)
What's your gut feeling on this -- is cryptography as a field in danger of wiping itself out, or do you feel encryption has a secure long-term future?
Does the possibility exist... (Score:2)
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
Re:Quantum Computing (Score:2)
All cryptography that's not one-time pad depends on some one-way function to produce its results -- the idea being that the attacker has to go back the other way, which is hard.
Factoring is certainly an excellent example of such a "trapdoor" function. But not that much in cryptography depends on factoring. The only symmetric cypher I know of that depends exactly on factoring is Blum squaring -- though there are certainly others that are equally un-well known.
RSA really depends on the Euler Phi function, which has yet to be proved equivalent to factoring.
Standard DES and the AES candidates are less secure than that, even, since they trade off speed for a measure of security.
I can't remember how closely Diffie-Hellman depends on factoring, but I think it's pretty close. Someone correct me if I'm wrong.
Someone want to add some other cipher types?
We're implementing an Enigma machine on our FPGAs in Fundamentals of CE (18-240)...that's definitely not as secure as factoring
Viability of elliptic curves (Score:2)
Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]
Freedom by ZKS (Score:2)
Patents (Score:2)
Verification and Certification? (Score:2)
Given that we'll soon see more Voice over IP, and we're currently seeing IPSec in routers, is there any other way the international community can be sure that a particular implementation hasn't been (legally or illegally) trojaned by a manufacturer or that they can gain a high level of trust in their vendors' implementation?
So long, and thanks for all the fish!
Paul
Thoughts on expiration of RSA patent? (Score:2)
I would like to hear your thoughts on the expiration of the RSA patent next September. Do you think that RSA will finally be free, or will RSADSI tangle it up in some type of legal mess?
Quantum Crypto (Score:2)
Re:Digital signatures (Score:2)
Currently almost all ink signatures (and by extension legal documents in general) are based on the fact that signatures are currently difficult to duplicate.
I would trust a digital signature FAR more than a "real" signature. I can train a plotter to duplicate your "real" signature in under an hour.
Keeping crypto keys secret (Score:2)
Possibilities I can think of right now are:
Any thoughts?
Public vs. NSA? (Score:2)
DES and papers by Don Coppersmith show that the NSA and at least a few private researchers have known about some techniques, like differential cryptanalysis for over a decade before the general public learned of them. With the current boom in interest in cryptography and judging by the designs of current ciphers like Coppersmith's SEAL and skipjack, it seems plausible to assume that the gap has been closed substantially. How big do you think the gap is between the NSA and the public and what hurdles do you see in closing it if you believe that the NSA still knows vastly more than the public about cryptography?
(I mean the cryptographer public when I say "public," not the masses.)
Thanks again for your wonderful books. Any plans for AC 3rd edition? Maybe with AES covered?
Your intimate relationship with cDc (Score:2)
New Technologies Affecting Cryptography (Score:2)
What are the emerging technologies from the last few years which most affect cryptography? How important are:
IPSEC (Score:2)
Zero-Knowledge Proofs (Score:2)
Considering that nowadays we implicitly trust ATMs or resellers not to tinker with credit card readers or not to remember our PIN numbers, since this relatively new field offers incomparable advantages for identification protocols (such as the inability to replicate a session) that could be used in these situations, and since the literature is, by now, relatively well developed (with work from Jacques Stern, for example),
a) Would you tend to agree that this would be an interesting addition to the privacy protection of customers?
b) Do you know of any real world implementation for the general customer?
c) What do you believe it would take for large banks and credit card companies to decide to implement these schemes?
Public crypto libraries (Score:2)
Would the cause of secure algorithms be furthered by the construction of a cross-platform crypto toolkit, open sourced, peer reviewed, clean and well-documented, which could be reused across different platforms and projects? Or would this create hindrances, since each project may need ever-so-slightly different features from its cryptographic infrastructure?
(And if anyone's got a clean, standalone El Gamal library, *please* EMail me at the above address. The El Gamal code in GPG is just plain frightening.)
The future... (Score:2)
Re:The future... (Score:2)
Are there any similar pitfalls that apply to the multi-round Feistel w/ s-boxes that are the current state of the art for symmetric ciphers?
Johan
Fingerprints, retinal scans and the like (Score:2)
Not a reasonable concern (Score:2)
-konstant
PGP Compromised? (Score:2)
new algorithms/more strenght? (Score:2)
I think what many people are wondering, including myself, is:
1) Is there any ongoing effort to build another encryption algorithm as we speak?
2) A security breach of the Blowfish algorithm is not very likely at this time, but are you planning on strengthening it in any way in the near future? That's mostly a question from those self-called... paranoid... like myself ;)
Thanks,
Effective Encryption without 3rd party? (Score:2)
Peter Pawlowski
rely on courts to free crypto? (Score:2)
Re:Quantum Computing (Score:2)
In order to perform DRoot, you need Euler's Phi, and in order to get that, you need to factor the public key. This is, of course, unless someone finds a better way.
The point is, that someone may find a way to do DRoot, and bypass the factoring, as well as Euler's Phi, problem.
I think we can conclude that factoring complexity >= finding Phi >= finding DRoot.
As for Diffie-Hellman, it is based on the difficulty of DLog. The base modulo for DH is a prime number itself. Factoring, therefore, does not enter into it at all.
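As an added worked example (not part of the thread, and not anyone's production code), the toy RSA and Diffie-Hellman arithmetic below makes concrete the relationships discussed in this post and in the earlier "Re:Quantum Computing" replies: RSA's private exponent is derived from Euler's phi, knowing phi(n) lets you factor n with a few operations, and Diffie-Hellman works modulo a prime, so factoring never enters into it. The primes and exponents are small constructed values chosen so the arithmetic can be checked by hand.

```python
# Added example (not from the thread): how RSA's trapdoor depends on Euler's phi,
# why knowing phi(n) is equivalent to factoring n, and why Diffie-Hellman's
# prime modulus keeps factoring out of the picture entirely.
from math import isqrt


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Build a textbook RSA key pair from two primes p and q.

    The private exponent d is e^-1 mod phi(n); computing it is only easy
    because we know phi, and we only know phi because we know p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(x: int, key: tuple) -> int:
    """Encrypt with the public key or decrypt with the private key: x^exp mod n."""
    n, exp = key
    return pow(x, exp, n)


def factor_from_phi(n: int, phi: int) -> tuple:
    """Recover p and q from n and phi(n).

    phi = (p-1)(q-1) = n - (p+q) + 1, so p+q = n - phi + 1, and p, q are the
    two roots of x^2 - (p+q)x + n. 'Finding phi' is therefore no easier than
    factoring: whoever has phi has the factors a few operations later."""
    s = n - phi + 1                # p + q
    disc = s * s - 4 * n           # (p - q)^2
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi is not phi(n) for a product of two primes")
    return (s - r) // 2, (s + r) // 2


def dh_exchange(p: int, g: int, a: int, b: int) -> tuple:
    """Toy Diffie-Hellman over a prime modulus p.

    Each side publishes g^x mod p; recovering x from that is the discrete
    logarithm problem. p is prime, so there is nothing to factor."""
    public_a = pow(g, a, p)
    public_b = pow(g, b, p)
    return pow(public_b, a, p), pow(public_a, b, p)   # both equal g^(ab) mod p


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, e=17)        # constructed toy primes
    cipher = rsa_apply(65, public)
    print("RSA round trip:", rsa_apply(cipher, private) == 65)
    print("factors from phi:", factor_from_phi(3233, 3120))
    print("DH shared secrets:", dh_exchange(23, 5, 6, 15))
```

`factor_from_phi` is the direction the post states as "factoring complexity >= finding Phi" made explicit: the two problems reduce to each other by solving a quadratic, so an advance on either is an advance on both.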
Future of Cryptology (Score:2)
+ Feistel networks
+ combining operators (like in IDEA)
+ data dependent rotations (like in RC)
Do you believe that quantum cryptography is the next foreseeable step?
What effect do you believe quantum computers will have on cryptanalysis and the development of cryptology?
If you can generate a one time pad through quantum cryptology, you only need XOR, as that is as secure as its OTP.
I understand that quantum computers would be able to solve "very hard" problems, like solving discrete logarithms in a finite field.
What major algorithms would be deemed insecure when quantum computers came about?
Many entries to the AES are essentially Feistel networks; do you foresee this system ever being broken? (I know you think that giving dates is stupid.)
Also, what AES submission did you least expect to be dropped for round 2? And apart from your submission, what do you think has the most chance of becoming the AES?
Many people are finding ways around the key escrow policies and the export policies, like the private doorbell system. Do you think that these embargoes on freedom will ever be lifted, or will the US government remain as privacy-invading and paranoid as ever?
Do you see people using steganography instead of encryption, especially for file systems?
Do you think deniable encryption would stand up in court? (E.g. using Rivest's chaffing and winnowing system.)
Is it possible to have a deniable and probabilistic crypto system?
And what do you feel is the most secure algorithm and hash function now? Before, in your book, it was IDEA, but now with the AES systems, which is the most secure?
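Two questions in this thread lead to the same worked example: the earlier "Authentication without encryption" post about message authentication codes such as HMAC, and the chaffing and winnowing question here. The Python below is an added example, not the posters' code and not Rivest's reference implementation. It shows an HMAC-authenticated packet stream in which the sender mixes in chaff packets carrying bogus tags; the receiver keeps exactly the packets whose tags verify and discards the rest, so confidentiality against anyone without the key comes from authentication alone, with no encryption step anywhere. The key, the packet layout and the sample payloads are constructed for the demonstration; in a real deployment the chaff payloads would also have to be as plausible as the wheat, which the random bytes used here do not attempt.

```python
# Added example (not from the thread): Rivest-style chaffing and winnowing
# built on HMAC. Nothing here is encrypted; the receiver separates real packets
# ("wheat") from decoys ("chaff") purely by checking authentication tags.
import hashlib
import hmac
import os

TAG_LEN = 32   # HMAC-SHA256 output length in bytes


def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """Authenticate the sequence number together with the payload, so a chaff
    packet cannot be passed off as wheat by borrowing another packet's tag."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def make_wheat(key: bytes, seq: int, payload: bytes) -> tuple:
    return (seq, payload, mac(key, seq, payload))


def make_chaff(seq: int, length: int) -> tuple:
    """A decoy with a random payload and a random tag: without the key it is
    indistinguishable from a genuine packet."""
    return (seq, os.urandom(length), os.urandom(TAG_LEN))


def send(key: bytes, payloads: list) -> list:
    """Emit one wheat packet per payload, each followed by a chaff packet with
    the same sequence number, so every slot in the stream has a decoy."""
    stream = []
    for seq, payload in enumerate(payloads):
        stream.append(make_wheat(key, seq, payload))
        stream.append(make_chaff(seq, len(payload)))
    return stream


def winnow(key: bytes, stream: list) -> list:
    """Keep only packets whose tag verifies; return their payloads in order.

    compare_digest is a constant-time comparison, so verification timing does
    not reveal which byte of a bad tag mismatched."""
    kept = {}
    for seq, payload, tag in stream:
        if hmac.compare_digest(tag, mac(key, seq, payload)):
            kept[seq] = payload
    return [kept[seq] for seq in sorted(kept)]


def tamper(stream: list, index: int) -> list:
    """Flip one payload byte of the packet at `index`, simulating in-transit
    corruption, to show that the MAC check rejects the modified packet."""
    seq, payload, tag = stream[index]
    flipped = bytes([payload[0] ^ 0x01]) + payload[1:]
    return stream[:index] + [(seq, flipped, tag)] + stream[index + 1:]


if __name__ == "__main__":
    key = b"constructed-demo-key"                       # constructed shared secret
    messages = [b"meet at noon", b"bring the key"]     # constructed sample payloads
    stream = send(key, messages)
    print("winnowed:", winnow(key, stream))            # both messages, in order
    print("after tampering:", winnow(key, tamper(stream, 0)))  # first message dropped
```

The same `mac`/`winnow` pair is all an "authentication without encryption" scheme needs: a modified packet, or one produced without the key, fails verification and is dropped, which is the property the HMAC question asks about; chaffing adds only the sender's decoys on top of it.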
What is the danger of layering crypto systems? (Score:2)
I have recently started to question the wisdom of using multiple encryption algorithms over a communications channel.
SSH and HTTPS (for example) have become staples for secure administration and E-commerce. With expanding use of IPSEC for company access from home, what are the dangers behind using SSH over a VPN?
I understand there is a potential for compromise when layering two 3DES channels, one each for SSH and IPSEC; has any analysis been done of the security of a Blowfish (TwoFish/CAST/etc...) and 3DES combination?
Government imposed cryptography review (Score:3)
Digital signatures (Score:3)
Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.
Based on these two facts, do you think legally binding digital signatures are secure; why?
The most overlooked link in the chain of security? (Score:3)
Now for the question: what do you think is the most overlooked aspect of designing a secure system? For example, PRNGs, ineffective key management, mismanaged trust, bad authentication, etc... What can people writing software do (aside from peer review, which is a *must*) to reduce the risks of common problems?
Thanks!
Security through mathematical obscurity (Score:3)
Back in the "good old days" of cryptography, the algorithms used were understandable by non-mathematicians. Most modern cryptographic systems in use are still mathematically "simple". By this I mean that once you understand the complexities of the algorithm, the mathematical basis is understandable to someone who has, say, a college degree in mathematics or physics.
The cryptographic systems being developed today are often based on much more sophisticated mathematical ideas. Elliptic and hyper-elliptic curves spring to mind. The algorithms may be understandable, but the mathematical basis may be complicated enough that it takes a PhD in mathematics to understand.
These systems are the future generation of cryptography. Some have suggested that their security is based more on mathematical obscurity than anything else (i.e. the number of people able to even understand what the algorithm is doing is very small). Do you think this is accurate? Do you see cryptography moving exclusively into the domain of mathematicians, so that it is totally inaccessible to motivated non-mathematicians (such as yourself)?
Public vs "Private" sector (Score:3)
Here's my question: Your short timeline at the beginning of AC notes that public research in cryptography didn't really get under way until 1976 but that the NSA (and its predecessors) started during WWII. How far ahead do you think the NSA (or whoever) is? In particular, do you have any reason to believe they have cracking algorithms for some of today's hardest problems (NP-completeness, etc)?
Overconcentrating on crypto? (Score:3)
Cryptographic PRNGs... (Score:3)
I have read your papers on Yarrow and was impressed both with the algorithm and your discussions of the importance/vulnerabilities of Pseudorandom Number Generators. It seems to me that PRNGs can be just as important a component of a protocol as the algorithm or keys themselves. How important do you feel they are? Do you see this role increasing/decreasing in the future with new technologies and developments (Quantum Computing/Encryption)? What do you see as their future?
thanks
How has CAST fared? (Score:3)
books (Score:3)
Crypto for the masses (Score:3)
I know that you have done a lot of work in the area of A. But what about B? Specifically, what do you think it will take, to get people to use cryptography with their email on a regular basis? Most of us here agree that it should be as standard as putting your letter in an envelope instead of using a postcard.
However, even I don't regularly use encryption. I have tried encryption packages and they are easy to use, but I can't seem to be able to convince my friends and family to go through the trouble. Because the people that I communicate with don't use encryption, it seems that I can't either.
Because of its inclusion with web browsers, some level of encryption is now used for much of e-commerce. Most people just know that their transaction is somehow secured and know nothing of the details. But the same hasn't happened for other mediums.
What do you think it will take? A personal electronic Pearl Harbor in which many people have their secrets spread throughout the world? Inclusion of crypto with the most popular free email clients? Or maybe people just don't care and they will never encrypt their email?
Government Policies on encryption (Score:4)
I believe this is the same feint magicians use to misdirect the audience from the real action. Currently, prosecutors must only provide phone records as evidence, and not a tape of the actual phone call. The evidence that something transpired, and not the actual "what" is all that's required. Records of wire transfers are acceptable, even if you can't seize the actual money. The classic tenets of motive and opportunity suffice, without someone having to provide a videotape of the crime. In other words, I think you can prosecute, and convict, even if you can't decrypt.
So, first, any idea what the Feds are really worried about? (It's got to be more than just Echelon.) And second, how do we present the privacy issues to the public so that the average citizen understands what's at stake? (e.g. encryption = privacy = good thing)
Resources vs. public review (Score:4)
The implication there is that the NSA has applied so many resources to the crypto problems that they are as good as the rest of the cryptographers put together.
My question is: Do you really think that a private process, no matter how many resources applied, can equal the public process?
Laws of state vs mathematics. (Score:4)
One would think that cryptographers, who study the mathematical means for controlling information (not just secrecy, but also signatures, zero knowledge proofs etc) would be the least inclined to support the artificial limits to information set up by our legal system, and yet the field is littered with patents (probably more so than any other field of mathematics).
You, on the other hand, have been very generous with your algorithms and cryptos. Is there a political, ideological, or practical reason behind this?
Limit of useful encryption (Score:4)
In a recent Crypto-Gram, you write that most symmetric ciphers need more entropy than people can remember and hence supply. Even with biometrics adding more bits, it is not really worth the effort to construct ciphers with more than 128 bits of entropy in the key, because people won't give them more than that much entropy in the pass phrase.
However, social and technological pressures make longer and longer keys a necessity. What promising approaches do you see for making remembering and entering -- even though I have long passages of text memorised, I don't want to type them in for each email I want to send -- usefully long passphrases?
I.e., to paraphrase, would you discuss the state of the art of cipher/human interaction as it pertains to key management?
Johan
Physics and Crypto (Score:4)
What impact do you think your science studies have on your current career? I suspect the high mathematical background of physics prepared you for cryptology, but what other aspects of a science degree come into play in your line of work? Would you call your B.S. in Physics an advantage or a disadvantage?
"Knowledge = Power = Energy = Mass"
Is IDEA still your favorite? (Score:4)
You wrote in Applied Cryptography that IDEA was your "favorite" symmetric cipher at the time. Is that still true today?
Unsolved Problems (Score:4)
Needed Protocols (Score:4)
Quantum Cryptography (Score:5)
Quantum physics seems to be the "magical" form of physics, and its application to cryptography even more magical. I don't think I properly understand "quantum cryptography," and I don't think that most of the people that have made public comment on it understand it terribly well either.
Could you comment on the present state of Quantum cryptography, and its probable relevance in public matters short term (which appears nonexistent), medium term (where the research of today may be in 5-10 years), and longer term?
Have we already lost? (Score:5)
Can cryptography be controlled by law? (Score:5)
AES (Score:5)
As many know, your twofish algorithm is one of the (many) submissions to become the AES standard. The goal for these algorithms is to be able to implement them extremely cheaply in hardware -- say on a 6800 with 256 bytes of RAM. In other words, cheaply enough to put on a smart card.
But IBM's team alleges that any algorithm that simple can be fairly easily cracked by doing a power usage analysis on the chip (by watching fluctuations in the electrical contacts with the reader) and that the necessary equipment to protect against power analysis would be equivalent to a much more complex processor -- so much so you might as well just implement a different and more complex (and hopefully power-random) algorithm. Of course IBM suggests their own implementation.
What do you think? Is there a way to build a simple smart card so that power analysis isn't a problem? Perhaps the whole question will become irrelevant since we'll be carrying around so much processing power in our PDAs that we'll just use them?
Why should we trust the entire world to Twofish? (Score:5)
In the foreword, you describe how you got interested in cryptography, and that you had no background or training in the field, but you thought it was interesting. Also, several times throughout the book you caution people not to trust cryptosystems from amateurs.
Clearly you have become well versed in the history and application of cryptography; your book makes all other descriptions of the state of the art invisible by comparison. Still, it appears to me that cryptosystem design and analysis requires fairly extreme mathematical proficiency, which I do not believe that you have.
Now, of course, Twofish is published in detail, and the best people in the world have attempted to crack it (and I think that the competitive process that the US Gov't has promoted is a spectacular way to get the best people to attack each other's ciphers). But, I remain somewhat worried that at the foundations of Twofish...is there something missing that a PhD in mathematics and number theory would have seen?
The winner of this competition will likely be the next DES, and will provide security for a fairly large percentage of the planet. The stakes are high. I'm sure that you have an answer to this criticism, and I'm eager to hear it.
thad
Quantum Computing (Score:5)
CA's vs An Open Internet (Score:5)
Thanks again,
PS Neville
Solitaire (Peer Review Status) (Score:5)