Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption Security

Interrogate Crypto Luminary Bruce Schneier 146

Most people who have any involvement with or interest in cryptography have heard of Bruce Schneier. If you haven't, check his online biography, check the home page for his consulting company, Counterpane Systems, or learn about his seminal book on the subject, Applied Cryptography (assuming you haven't already read it). Our usual interview rules apply: one question per post; moderators select their favorites; editors choose 10 - 15 of the highest-moderated questions and send them to Bruce on Tuesday; Bruce's answers appear on Friday.
This discussion has been archived. No new comments can be posted.

Interrogate Crypto Luminary Bruce Schneier

Comments Filter:
  • by Anonymous Coward
    recent optical computing theories published by dr. shamir and advances in quantum computing just around the corner (15-20 years before the men in black have this stuff in hand) appear to be able to create crypto-crackers which can solve problems whice used to theoretically require trillions of cpu-cycles over trillions of years to brute force. how will cryptographic algorithms change to defeat these new "multi-state computers"... will it require a quantum cpu to defeat a quantum cpu? should we give up and just go back to using plaintext now? other possibilities?
  • by Anonymous Coward
    i would like to know why guys always post crypto code, but not their crypto BREAKING code? i have always read by the top guys that in order to write good crypto you gotta try and break it, which i attempt to do. why not put out some stuff, like index of coincidence filters, or other utilities so we can see from your code that our stuff works too... but then again many of us know you got the market cornered (and deservedly so) so why add to the skill level of the wannabees... m1ck f0l3y have a nice day
  • by Anonymous Coward
    Okay, I'm no expert, but IIRC semetric block cryptography (such as twofish) is safe under quantum cryptanalysis. The reason RSA can be theoretically broken so easily with a quantum computer is that a quantum computer makes factoring RSA keys a trivial matter. RSA's security depends on the fact that factoring the product of two primes takes way too much computer time.

    I hope this clears things up a bit.

    -Alec C.
  • Bruce Schneier is an author, and a popularizer.

    Not a Crypto genius.

    How so? Please, tell us exactly where his grounding in the mathematics of crypto is deficient.

    This guy is on the verge of landing the AES with TwoFish and you people have the nerve to tell him he doesn't know anything because he doesn't have a Ph.d.

    If you actually had attended graduate school you would know how stupid your argument is.

  • I recently finished reading The Electronic Privacy Papers, as a counterpart to Applied Cryptography. I was left wondering now that it's been two years since you wrote that book, what political and technological actions do you feel are most vital for individuals to take with regard to cryptography?
  • The program you're looking for is Strip [zetetic.net] (Secure Tool for Recalling Important Passwords). It is a GPLed program for the PalmOS that manages usernames and passwords. It stores all of its information in encrypted form, and you must enter the correct password un decrypt it for use. I'm currently using it to keep track of all of the users at the office, since I run of the network here.


    --Phil (If only there were more GPLed Pilot apps...)
  • I was a little surprised and fascinated to learn and understand that authentication mechanisms can employ message digest algorithms ("hashes") instead of encryption algorithms.

    I understand that this provides an opportunity for strong message authentication codes which are less restricted by cryptographic export controls. As I recall you covering such schemes as HMAC in your book, I was wondering how important you think these codes might become, given that they conceivably might see wider distribution.
  • Do you think a win in the Bernstein case [eff.org] will deregulate encryption export, or will the result just be more political dodging?
    -- rot13 my email address for the real thing
  • Very few non-server systems seem to be built with crypto in mind. Cisco finally putting ssh on their routers is a good example. With the whole "smart appliances everywhere" right around the corner I find this disconcerting. What do you think it will take to put crypto on all devices esp consumer devices?
  • Sorry... not mine. I can't even train my own hands to duplicate my own signature reliably. :)

    --
  • Although I don't agree with the contents of the above post, I think it would make a good question to Mr. Schneier.


    ----
  • Secure distribution of digital media depends, by definition, on tamper-proof hardware/software.

    It is therefore not very interesting cryptographically.


    ----
  • You mention in your explanation of the Solitaire system that, if confronted by the Secret Police, one would have to explain the presence of jokers shuffled into the deck. Are there any games of solitaire that do make use of (both of) the jokers?

  • AFAIK factoring has not been proven
    "hard" (as being np-complete or the like)
    yet nor is it IMHO likely to be.

    Regarding your question, I cannot say if there
    are "quantum hard" problems that could be
    used as a trapdoor or anything useful. But
    there are hard problems even for quantum
    computers. Hell, there are even UNcomputable
    problems ...
  • The field of cryptography seems to be characterized both by steady progress and large upsets. Where do you think steady progress will take us in ten years, and what are some possible upsets that might occur during that time?

    "Bugs are harder to cope with than features, because they are less well defined and less well designed."
  • Take a look on counterpane, there IS a cryptanalysis course there!

  • To my interested layman's point of view, the key issue in strong crypto is not (or rather is no longer) development and is now adoption. PGP was a big step in the right direction, but not enough. Now that we have practical strong crypto on the desktop, where do we go from here to insure its adoption as the expected way to do communications on networks?

    Do you have any thoughts on projects such as FreeS/WAN [xs4all.nl] which are strategically aimed in that direction?

    --------
  • With the major certificate authorities (like, say, Verisign) no longer issuing people anything but level 1 certificates, and the myriad difficulties in sending important/confidential/contractual data through PGP to stand up in court (who can prove that someone didn't change the computer's time/date, or even if the intended computer actually downloaded the files?), what's a guy to do?

    PKI can provide security, but without some third-party post-office/FedEx like entity which can track documents, this is not an alternative for many professionals who require receipt-like assuredness.

    My question is, how do you combine security and provability?
  • Can you recommend a program available for PalmOS that has the same features (and the same level of security) as Password Safe [counterpane.com]?

    I could really use a utility like this -- although first, I have to save up enough quarters to get a Palm machine -- but even if I had source code, I wouldn't be able to distinguish a good security implementation from a bad one.


  • "MGWDD VCI YDDT C ODLWDM, FN MPX XN MGDV CWD JDCJ."
    - EDZSCVFZ NWCZYQFZ

    Sometimes I try my newspaper's crypto-quote - usually takes me 1/2 to 1 hr :-(

    I'm just wondering, ahem, if you can solve this one (and if you did, how long it took you & what combination of hardware/software you used)
  • Snake oil continues to be a big issue in the encryption industry and something that you write about frequently. As computers increasingly become consumer items and cryptography becomes something everybody does do you hold out hope that consumer watchdogs will move against companies making the more gratuitous claims ?
  • I've read before where you point out that cryptography != security, that is, you can't sprinkle the magic pixie dust of crypto over software and expect that the resulting system is therefore secure.

    Now that everybody and their sister is connecting to the Internet, via dial-up or even 24x7 cable modem or DSL connections, what level of paranoia is appropriate, and where do you recommend beginning?

  • IANAE*, but I believe the one-time pad method is damn close to unbreakable.

    [*] I Am Not An Expert


  • One-time pads are provably unbreakable, (and it's easy to prove).

    Since the key is _random_ (and it has to be really random), you can get _anything_ out by changing the decryption key... So there's no way for an attacker to be sure they have guessed the right key when they get a message out that looks sensible.

    IIRC, there are also ciphers for which breaking by means better than brute force would mean P != NP, but I don't remember the details on how they work.

    Torrey (Azog)
  • That has the problem that you can't revoke the keys if they're compromised - that's why I'd store the key somewhere you can only get at by proving that you're you somehow. Still not perfect.
  • Your algorithm TwoFish has already received a great deal of positive reactions and also in my opinion it is one of the best AES candidates (though I also really like Rijndael)

    I wonder however what you think about the recent inclusion of TwoFish in popular products like SSH and GnuPG. Isn't this against the standard procedure in the cryptography world that algorithms should be tested and analyzed extensively before they are trusted and used?
  • To continue the question... as I understand it the impact of Quantum Computing is in its ability to factor immense numbers extremely quickly. Does all cryptography depend on factoring large numbers, or only a certain subset?

  • For a few years, back in the early nineties, we were being treated with a vision of the future in which all money would be anonymous tokens and monitoring commerce would become impossible. Tim May called this future "Crypto Anarchy."

    Since you're still subscribed to one or two of the cypherpunks mailing lists, it appears as if you still consider this a possibility.

    What effect do you see cryptography having on our wallets and on our financial institutions? Will anonymous commerce ever make it big?

  • FYI, he wrote an appendix to it, and consulted on part.
  • Do you have any ideas about where you can use cryptography to start a new business?
  • Knapsacks have been tossed by the wayside; quantum computing, if it'll work, is blasting away at factoring (if the NFS doesn't beat it into the ground all by itself); elliptic fields are being restrained by patents. What's the Next Big Thing for crypto gonna be?
  • Since something you know is limited to 7 +- 2 rule. Adding something you have can increase the entropy if done right. I think Dallas Semicondutcor has done just that with thier IButton

    Here is an excerpt from their site

    The iButton(TM) is a 16mm computer chip armored in a stainless steel can. Let's start with the package. Because of this unique, durable package, up-to-date information can travel with a person or object. The steel button is rugged enough to withstand harsh outdoor
    environments; it is durable enough for a person to wear everyday on a digital accessory like
    a ring, key fob, wallet, watch, metal card or badge.


    2.Java(TM)-powered cryptographic iButton. A microprocessor and high-speed
    arithmetic accelerator generate the large numbers needed to encrypt and decrypt
    information. The Java-powered iButton adds its complete cryptographic circuitry to
    a Java Virtual Machine (VM) that is Java Card(TM) 2.0-compliant, enabling the
    world's large pool of Java programmers to tap into a powerful development tools to
    get an application up and running quickly. The Java-powered iButton's greatest
    promise lies in its capacity to interact with Internet applications to support strong
    remote authentication and remotely authorized financial transactions. In practical
    terms, that means you can jump into the age of electronic commerce with both feet:
    your messages are sent over the Internet scrambled and can only be unscrambled at
    the other end by someone with an authorized iButton. By establishing a means to
    transmit and protect user identity, the iButton becomes the user's digital credential.

  • The problem with this, as I believe Bruce has said in a crypto-gram (which is available from the counterpane homepage), is that once a digital signature is forged it can be forged perfectly everytime by anyone who you share the secret with. Ink signatures on the other hand take some skill every time. The people with the skills to do such things are few. A broken digital signature can be used by any jamoke whose buddy gave him the info.
  • Most of the replies to this seem to be pointing out that not all crypto depends on factoring, but this is missing a more important point, i.e. that quantum computing can do more than just factor large numbers. Factoring is simply a very useful example to show the power of quantum computing.

    Regardless of whether or not a given cryptographic algorithm works with products of large primes (and thus would take a breakthrough in factoring such primes to defeat), most cryptography (that is cryptography based on algorithms and not on the security of the physical channel) relies on trapdoor one-way functions. These functions have keys. The keys are the special bits of information that allow you to reverse the one way function, something that would normally be very difficult. The value of quantum computing is the ability to try every key in parallel, rather than sequentially.

    So quantum computing can apply to virtually any crypto system.
  • In sci.crypt a while ago he said that although IDEA was still a good algorithm, he wasn't anywhere near as enamored of it as he was a few years ago.
  • The German gov't has lifted crypto exports. Canadian gov't is buying it's crypto from industry. The US gov't has lifted (mostly) their crypto export rules.

    Have we the public and our commerce taken the lead in cryptography? Will it hold? Or is the scene much more serious, have gov'ts broken most all of our ciphers and no longer fear what was once the empowering act or encryption?

  • Hi Bruce-

    I am currently a student and am taking a graduate class in Data Security (AC has helped me more than I can say here). I am very interested in this field, and was wondering what you would recommend a young person like myself do in order to gain experience in the field. For example, NSA internship, working for a software company, research assistant, working for you :), etc. Thanks.

    -Andrew
  • It has recently been reported that Russian banks under criminal control modified their ATM machines to capture customer PINs, then used the PINs to withdraw money from the customer accounts. How severe do you consider this problem and what can be done about it? In particular are there any software only solutions or does it require some sort of hardware key?
  • Given the sad state of proprietary ciphers for use with cheap hardware (for example Cell Phones, whose ciphers seem to be broken every other week) if it were possible to use the [presumably] very thoroughly cryptanalysed AES wiiner, then this would be an immediate win.

    In fact, if the cipher were key-size independent, then the manufacturers would be able to easily balance cost and security. Perhaps cell-phones only need 64 bit keys? (One popular system nowadays has 40 bit keys, but is severely broken, and can be cracked after 40 packets have been intercepted -- 1 second!) Not a problem. Better yet-- imagine phones with settable security (you want 128 bit security, then accept a lousy job of compression 'cause there's only so much this $2 CPU can do per packet)

    So even if twofish isn't selected as AES, the fact that it has been very carefully and publically scrutinized gives Counterpane an excellent leg up on the embedded market. Now all they have to do is figure out how to sell it, as it is free. (perhaps auditing implementations?)

    Johan
  • Could you (n2kiq, not bruce) expand on the compromise danger of 3DES layering, please?

    I'm at a loss for seeing how that would occur.
  • this is currently modded to 4. I'm asking a moderator to please up it to 5. Best Q so far, w/o a doubt.
  • If you are referring to symmetric ciphers with a shorter key than message, then a provably unbreakable cipher would imply that P != NP.

    Symmetric ciphers are in NP, as you can verify the correctness of a guess in P time, once you have guessed it. So by proving it unbreakable (ie not in P), then you prove them different.

    Mind you this says nothing about the converse; ie if we hypothesise that indeed P !=NP, this does not imply that your cipher isn't in P.

    Johan
  • Recently, a question was asked of /. about the effects of the RSA algorithm's patent expiring next year. The point was made (and I'm expanding upon this and paraphrasing the actual question that was asked) that most companies issue whole rafts of strategically-timed patents to extend their legal monopolies beyond the 17 years.

    Also, as it happens, I was investigating the interoperability of GnuPG with PGP and, therefore, had the occasion to download the latest free PGP (6.5.1, it appears) and that software does indeed recommend an algorithm other than RSA. This is one that, presumably, was patented well after RSA was or is patent pending now.

    I have an interest, I've been waiting for The Patent to expire so that I can run certain pieces of software, and I was unsatisfied with the answers I saw on /., so I ask you: What will be the effect of the expiration of the RSA patent. In particular, are the people who currently license PGP going to be successful in moving people to a new algorithm? They seemed bound to try.

  • Have you tried decoding the CIA's sculpture, and have you made any further progress than the rest of the world on it?
  • Your book E-mail Security offers an analysis of some of the more popular commercial e-mail systems at the date of publication. What, in your eyes, are the most dangerous potential problems with current non-commercial e-mail systems and their likely direction of development?
  • The AES process to provide a new cipher has been ongoing for a while now...

    How is this process going?

    What ciphers have been eliminated due to successful, critical attacks? (Successfully attacking a couple rounds worth of a Feistel-like cipher obviously being less critical than providing cryptanalysis for "all 16"...)

  • A few years back, an Israili mathematician claimed that it was possible to break any encryption algorithm, regardless of key length, in a usefully short timespan. Apparently, he provided a method by which this could be done, but it would never have been practical to use for real. It was argued at the time that this did not mean that there was a general, useful attack on encryption. However, I never saw any satisfactory proof of either claim.

    What's your gut feeling on this -- is cryptography as a field in danger of wiping itself out, or do you feel encryption has a secure long-term future?

  • Does the possibility exist for an unbreakable code or is this a 'Holy Grail' of sorts?

    ----------------

    "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
  • First, I note that quantum computers haven't factored jack (yet, anyhow) :)

    All cryptography that's not one-time pad depends on some one-way function to produce its results -- the idea being that the attacker has to go back the other way, which is hard.

    Factoring is certainly an excellent example of such a "trapdoor" function. But not that much in cryptography depends on factoring. The only symmetric cypher I know of that depends exactly on factoring is Blum squaring -- though there are certainly others that are equally un-well known.

    RSA really depends on the Euler Phi function, which has yet to be proved equivalent to factoring.

    Standard DES and the AES candidates are less secure than that, even, since they trade off speed for a measure of security.

    I can't remember how closely Diffie-Helman depends on factoring, but I think it's pretty close. Someone correct me if I'm wrong.

    Someone want to add some other cipher types?

    We're implementing an Enigma machine on our FPGAs in Fundamentals of CE (18-240)...that's definitely not as secure as factoring :)
  • Unfortunately, they won't be practical for widespread use for another 10-20 years, when the patents encumbering them expire.
    Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]
  • What do you think of the upcoming Freedom package by Zero Knowledge Systems?

  • by ruud ( 7631 )
    Do you think that the many existing (and future) patents on cryptographic protocols and algorithms will stand in the way of widespread adoption of cryptography?
    --
  • With IPSec starting to gain some momentum as well as the current VPN craze (which seems to ignore the traditional encryption boundary issue completely), do you see a role in the testing and certification of vendor implementations to include checksumming of binary-only closed-source products and services?

    Given that we'll soon see more Voice over IP, and we're currently seeing IPSec in routers, is there any other way the international community can be sure that a particular implementation hasn't been (legally or illegally) trojaned by a manufacturer or that they can gain a high level of trust in their vendors' implementation?

    So long, and thanks for all the fish!

    Paul
  • Bruce,

    I would like to hear your thoughts on the expiration of the RSA patent next September. Do you think that RSA will finally be free, or will RSADSI tangle it up in some type of legal mess?
  • I have heard that quantum cryptanalysis will only help crack certain forms of crypto, such as RSA. What makes a cryptographic system resistant to quantum cryptanalysis, and is twofish such a system?
  • Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.

    Currently almost all ink signatures (and by extension legal documents in general) are based on the fact that signatures are currently difficult to duplicate.

    I would trust a digital signature FAR more than a "real" signature. I can train a plotter to duplicate your "real" signature in under an hour.
  • If/when using cryptography becomes widespread and everyone's mother uses it, I see the main problem as keeping the secret keys secret, while not losing them/forgetting the passphrase etc. What do you see as viable solutions to this problem?

    Possibilities I can think of right now are:
    1. Keys stored on the person (eg jewelry, implants, whatever)
    2. Keys are encrypted/hidden behind some kind of biometric "lock"
    3. People adapt, and find it just as natural to deal with their cryptographic keys as their car and house keys


    Any thoughts?
  • What's your opinion on the current state-of-the-art in cryptography? Do you think the public sector has caught up to the NSA and the governments of the world yet or do you think they still hold a commanding lead?

    DES and papers by Don Coppersmith show that the NSA and at least a few private researchers have known about some techniques, like differential cryptanalysis for over a decade before the general public learned of them. With the current boom in interest in cryptography and judging by the designs of current ciphers like Coppersmith's SEAL and skipjack, it seems plausible to assume that the gap has been closed substantially. How big do you think the gap is between the NSA and the public and what hurdles to you see in closing it if you believe that the NSA still knows vastly more than the public about cryptography?

    (I mean the cryptographer public when I say "public," not the masses.)

    Thanks again for your wonderful books. Any plans for AC 3rd edition? Maybe with AES covered?

  • How do you feel about your ongoing association with internationally famous super-hackers, cDc? Judging by our last meeting, I would suggest that you are perfectly content, but we like to keep our friends happy, so let us know.
  • What are the emerging technologies from the last few years which most affect cryptography? How important are:

    • The internet as a tool for distributed computing?
    • Quantum computing?
    • (semi-seriously) B30wulf Clust3rs
  • The IP Security (IPSEC) standard has been around for several years, yet it hasn't taken off as expected. What do you see as the future of IPSEC?
  • Zero-Knowledge proofs were discovered/invented over 15 years ago and are now usually covered in most studies of this science (Although I, unfortunately, haven't had time to go through your book).

    Considering that now a days we implicitely trust ATMs or resellers not to tinker with credit card readers or not remember our PIN numbers, since this relatively new field offers incomparable advantages for identification protocols (such as the inability to replicate a session) that could be used in these situations and that the litterature is, by now, relatively well developped (with work from Jacques Stern for example),

    a) Would you tend to agree that this would be an interesting addition to the privacy protection of customers ?

    b) Do you know of any real world implementation for the general customer ?

    c) What do you believe it would take for large banks and Credit Card compagnies to decide to implement these schemes ?
  • There are a great many cryptographic libraries available, but many of them suffer from poor documentation, cluttered APIs, bad interfaces, or unwise addition of platform-specific code (Counterpane, Inc., isn't immune, either -- your Yarrow code is strictly MSVC++ and hence, Win32 only).

    Would the cause of secure algorithms be furthered by the construction of a cross-platform crypto toolkit, open sourced, peer reviewed, clean and well-documented, which could be reused across different platforms and projects? Or would this create hindrances, since each project may need ever-so-slightly different features from its cryptographic infrastructure?

    (And if anyone's got a clean, standalone El Gamal library, *please* EMail me at the above address. The El Gamal code in GPG is just plain frightening.)
  • What do you predict will be happening to cryptography techniques over the next year? 5 years? 10 years?
    ---
  • Hrm. I'd be more interested in what you hope (for the good of all concerned... yadda blah) doesn't happen. For example, if an efficient factoring algorithm were discovered tommorow,this would be a disaster for the RSA folks, and everyone who uses it.

    Are there any similar pitfalls that apply to the multi-round Fiestel w/ s-boxes that are the current state of the art for symmetric ciphers?

    Johan
  • Do you think that "bio" technologies for authentication -- fingerprints, retinal scans and the like -- are really feasible for widespread use?
  • Don't worry about consolidation of the CA structure into one or two "elite" trees. If you are running Internet Exploder, you can see quite easily that there is no such threat. Tools|Internet Options|Content|Certificates Click on the tab that says Trusted Root Certification Authorities. You'll see that there are about four other CA's in the root store that ships with Windows. Since everyone under Windows has those root certs, there is nothing to prevent those CA's from becoming just as powerful as Verisign or Thawte save capitalistic competition. Now, you could legitimately disparage Verisign for distributing certs in such a promiscuous fashion (their "30 day trial" keys), but hopefully as consumers become savvier, they will not reward such behavior.
    -konstant
  • Do you think PGP has been compromised, and is there any way to really know?
  • I think what many people are wondering including mysef is:

    1) Is there any ongoing effort to build another encryption algorithm as we speak?

    2) The plausibility of a security breach on the Blowfish Algorithm, tho is not very likely at this time, are you planning on strengthening it any way in nearby future? thats mostly question of those self-called... paranoid...like myslef ;)

    Thanks,

    ..............
  • Do you believe that an effective Client/Server encryption model can exist, at the current stage of progress, without a trusted 3rd party? If no, what is your opinion on what this 3rd party should be? What other alternatives do you see?

    Peter Pawlowski
  • Given that the administration and congress appear unable to refrain from placing absurd restrictions on how we do math, how optimistic are you that the courts will consistently act sensibly in this matter? Much like CDA could only be defeated through legal challenge, should free crypto activists be turning their attention to the Judicial branch? What do you feel our chances are in this arena and who shall carry the torch?
  • The way I understand this, Euler Phi is not the limiting factor either. The limiting factor is the ability to perform DRoot (descreat root).

    In order to perform DRoot, you need Euler's Phi, and in order to get that, you need to factor the public key. This is, of course, unless someone finds a better way.

    The point is, that someone may find a way to do DRoot, and bypass the factoring, as well as Euler's Phi, problem.

    I think we can conclude that factoring complexity >= finding Phi >= finding DRoot.

    As for Diffie-Helman, it is based on the difficulty of DLog. The base modulo for DH is a prime number itself. Factoring, therefor, does not enter into it at all.

  • In the field of cryptology, i think there have been many major advances like

    + fiestel networks
    + combining operators (like in IDEA)
    + data dependent rotations (like in RC)

    Do you believe that quantum cyrptography is the next foreseable step.

    What do you believe the effect quantum computers will have on cryptanalysis, and the development of cryptology.

    If you can generate a one time pad through quantum cryptology, you only need xor, as that is secure as its otp.

    I understand, that quantum compuetrs would be able to solve "very hard" problems, like solving discreet logarithms in a fine field.

    What major algorithms would be deemed insecure, when quantum computers came about.

    Many entries to the AES are essentially fiestel networks, do you foresee this system ever being broken (I know you think that giving dates is stupid)

    Also, what AES submission did you least expect to be dropped for round 2. And apart from your submission, what do you think has the most chance of becoming the aes.

    Many people are finding ways around the key escrow policies, and the export policies. Like the private doorbell system. Do you think that these embargos on freedom will ever be lifted, or will the us government remain as privicy envading, and paranoid as ever.

    Do you see people using stenography instead of encryption. Especially for file systems ?

    Do you think deniable encryption would stand up in court ? (E.g using rivest's chaffing and winnowing system)

    Is it possible to have a deniable and probablicstic crypto system ?

    And what do you feel is the most secure algorithm, and hash function now, as before in your book it was idea, but now wiht the aes systems ? which is the most secure?
  • I have recently started to question the wisdom of using multiple encryption algorithms over a communications channel.

    SSH and HTTPS (for example) have become staples for secure administration and E-commerce. With expanding use of IPSEC for company access from home, what are the dangers behind using SSH over a VPN?

    I understand there is a potential for compromise when layering two 3DES channels, one each for SSH and IPSEC; has any analysis been done of the security of a Blowfish (TwoFish/CAST/etc...) and 3DES combination?

  • by substrate ( 2628 ) on Monday October 25, 1999 @06:41AM (#1589377)
    Bruce, what is your view of what many have said is the governments relaxation of export controls on commercial cryptography? In particular are there any actual dangers to the requirement that the algorithms and code be submitted for review? My personal feeling is that rather than protecting the consumer the review process is more likely to be to ensure that any cryptography is sufficiently weak to please the government. So maybe crypto for credit card transactions is somewhat safe since the businesses involved can be subpoenaed, but crypto for obsfucating personal communications is less secure since there may be more chance of evidence being withheld.
  • by Signal 11 ( 7608 ) on Monday October 25, 1999 @06:44AM (#1589378)
    The latest on digital signatures appears to be legislation being passed in several states (and some stuff moving through congress now on the federal level) to make "digital signatures" as valid as your john hancock RealWorld signature.

    Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.

    Based on these two facts, do you think legally binding digital signatures are secure; why?

    --

  • by Seth Scali ( 18018 ) on Monday October 25, 1999 @07:17AM (#1589379)
    You have stated, time and again, that while picking a good cryptographic algorithm with an adequate key length is important to security, it is only one link in the chain. There are numerous examples of this, including the attacks on Netscape's PRNG's and attacks against smart cards that measure power consumption, timing, etc. to determine the key. Any one of these methods can effectively render the rest of the system useless.

    Now for the question: what do you think is the most overlooked aspect of designing a secure system? For example, PRNGs, ineffective key management, mismanaged trust, bad authentication, etc... What can people writing software do (aside from peer review, which is a *must*) to reduce the risks of common problems?

    Thanks!
  • by YoJ ( 20860 ) on Monday October 25, 1999 @01:15PM (#1589380) Journal

    Back in the "good old days" of cryptography, the algorithms used were understandable by non-mathematicians. Most modern cryptographic systems in use are still mathematically "simple". By this I mean that once you understand the complexities of the algorithm, the mathematical basis is understandable to someone who has, say, a college degree in mathematics or physics.

    The cryptographic systems being developed today are often based on much more sophisticated mathematical ideas. Elliptic and hyper-elliptic curves spring to mind. The algorithms may be understandable, but the mathematical basis may be complicated enough that it takes a PhD in mathematics to understand.

    These systems are the future generation of cryptography. Some have suggested that their security is based more on mathematical obscurity than anything else (i.e. the number of people able to even understand what the algorithm is doing is very small). Do you think this is accurate? Do you see cryptography moving exclusively into the domain of mathematicians, so that it is totally inaccessible to motivated non-mathematicians (such as yourself)?

  • by FascDot Killed My Pr ( 24021 ) on Monday October 25, 1999 @06:49AM (#1589381)
    I am in the midst of reading Applied Cryptography (1st edition). Amazing book so far, thanks for all the hard work you obviously put into it.

    Here's my question: Your short timeline at the beginning of AC notes that public research in cryptography didn't really get under way until 1976 but that the NSA (and it's predecessors) started during WWII. What far ahead do you think the NSA (or whoever) is? In particular, do you have any reason to believe they have cracking algorigthms for some of today's hardest problems (NP-completeness, etc)?
    ---
  • by lelitsch ( 31136 ) on Monday October 25, 1999 @07:45AM (#1589382)
    Most of the discussions I hear and work I see is towards makeing algorithms safer. On the other hand a lot of security gets compromised by a large number of protocol violations, human errors (like dictionary passwords, pet names etc) and other means like reading electromagnetic emissions, bugging or bribing. Where do you see the optimal division of effort?
  • by _ghent_ ( 47634 ) on Monday October 25, 1999 @01:06PM (#1589383)


    I have read your papers on Yarrow and was impressed both with the algorithm and your discussions of the importance/vulnerablities of Pseudorandom Number Generators. It seems to me that PRNGs can be just as important a component of a protocol as the algorithm or keys themselves. How important do feel they are? Do you see this role increasing/decreasing in the future with new technologies and developments (Quantum Computing/Encryption)? What do you see as their future?

    thanks
  • by Get Behind the Mule ( 61986 ) on Monday October 25, 1999 @06:45AM (#1589384)
    When Applied Cryptography was published, CAST was looking very promising but was still very new. How IYO has CAST held up since then?
  • by asad ( 65703 ) on Monday October 25, 1999 @06:33AM (#1589385)
    What did you think of Neal Stephenson's Cryptomonicom ?
  • by DeadSea ( 69598 ) on Monday October 25, 1999 @07:20AM (#1589386) Homepage Journal
    Encryption only works if A) the encrytion is secure, and B) People use it.

    I know that you have done a lot of work in the area of A. But what about B? Specifically, what do you think it will take, to get people to use cryptography with their email on a regular basis? Most of us here agree that it should be as standard as putting your letter in an envelope instead of using a postcard.

    However, even I don't regularly use encryption. I have tried encryption packages and they are easy to use, but I can't seem to be able to convince my friends an family to go through the trouble. Because the people that I communicate with, don't use encryption, it seems that I can't either.

    Because of its inclusion with web browsers, some level of encryption is now used for much of e-commerce. Most people just know that their transaction is somehow secured and know nothing of the details. But the same hasn't happened for other mediums.

    What do you think it will take? An personal electronic Pearl Harbor in which many people have their secrets spread throughout the world? Inclusion of crypto with the most popular free email clients? Or maybe people just don't care and they will never encrypt their email?

  • by scotpurl ( 28825 ) on Monday October 25, 1999 @07:02AM (#1589387)
    Many government officials are opposed to encryption on the grounds that it will somehow impede investigation and prevent prosecution.

    I beleive this is the same feint magicians use to misdirect the audience from the real action. Currently, prosecutors must only provide phone records as evidence, and not a tape of the actual phone call. The evidence that something transpired, and not the actual "what" is all that's required. Records of wire transfers are acceptable, even if you can't seize the actual money. The classic tenets of motive and opportunity suffice, without someone having to provide a videotape of the crime. In other words, I think you can prosecute, and convict, even if you can't decrypt.

    So, first, any idea what the Feds are really worried about? (It's got to be more than just Eschelon.) And second, how do we present the privacy issues to the public so that the average citizen understands what's at stake? (e.g. encryption = privacy = good thing)
  • by ryanr ( 30917 ) <ryan@thievco.com> on Monday October 25, 1999 @06:23AM (#1589388) Homepage Journal
    I've heard you say many times that unless a particular crypto alg. has undergone lots of public review, it should not be considered safe. Unless possibly it's from the NSA. (Excluding, of course, the NSA stuff that is INTENTIONALLY backdoored.)

    The implication there is that the NSA has applied some many resources to the crypto problems,that they are as good as the rest of the cryptographers put together.

    My question is: Do you really think that a private process, no matter how many resources applied, can equal the public process?
  • by Hobbex ( 41473 ) on Monday October 25, 1999 @07:16AM (#1589389)

    One would think that cryptographers, who study the mathematical means for controling information (not just secrecy, but also signatures, zero knowledge proofs etc) would be the least inclined to support the articial limits to information set up by our legal system, and yet the field is littered with patents (probably more so than any other field of mathematics).

    You, on the other hand, have been very generous with your algorithms and cryptos. Is there a political, ideological, or practical reason behind this?

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.
  • by jovlinger ( 55075 ) on Monday October 25, 1999 @09:06AM (#1589390) Homepage
    Bruce,

    in a recent cryptogram, you write that most symmetric ciphers need more entropy than people can remember and hence supply. Even with bio-metrics adding more bits, it is not really worth the effort to construct ciphers with more than 128 bits of entropy in the key, because people won't give them more than that much entropy in the pass phrase.

    However, social and technological pressures make longer and longer keys a necessity. What promising approaches do you see for making remembering and entering -- even though I have long passages of text memorised, I don't want to type them in for each email I want to send -- usefully long passphrases?

    Ie, to paraphrase, would you discuss the state of the art of cipher/human interaction, as it pertains to key management.

    Johan
  • by Enoch Root ( 57473 ) on Monday October 25, 1999 @07:14AM (#1589391)
    It was noted in your biography that you hold a degree in Physics in addition to your M.S. in Computer Science. This seems to be a developping trend in IT, as many Physics graduates turn to CS. Neal Stephenson undertook studies in Physics before becoming a writer. I am myself a physics graduate turned computer geek.

    What impact do you think your science studies have on your current career? I suspect the high mathematical background of physics prepared you for cryptology, but what other aspects of a science degree come into play in your line of work? Would you call your B.S. in Physics an advantage or a disadvantage?
    "Knowledge = Power = Energy = Mass"

  • by Get Behind the Mule ( 61986 ) on Monday October 25, 1999 @06:37AM (#1589392)
    Bruce, thanks very much for making cryptography so much more accessible to us all.

    You wrote in Applied Cryptography that IDEA was your "favorite" symmetric cipher at the time. Is that still true today?
  • by Sajma ( 78337 ) on Monday October 25, 1999 @06:27AM (#1589393) Homepage
    Your book describes a slew of interesting applications for crypto protocols, including electronic money orders, digital time-stamping, and secure multi-party computation. What are the remaining crypto problems of interest to the general public which have not been solved? (secure distribution of digital media comes to mind -- can you sell someone a music file, allow them to use the file anywhere, but make sure no one else can use it?)
  • by randombit ( 87792 ) on Monday October 25, 1999 @06:30AM (#1589394) Homepage
    OK, hypothetical question. You rub a magic lamp, and a genie comes out. Specifically, a cryptographic protocol genie. He can come up with an effecient, secure protocol for any activity you want (assuming a protocol is possible, of course). What would you pick, and more importantly, why?
  • by Christopher B. Brown ( 1267 ) <cbbrowne@gmail.com> on Monday October 25, 1999 @08:01AM (#1589395) Homepage
    Several announcements have been made lately about ciphers being assortedly vulnerable/invulnerable against Quantum cryptography.

    Quantum physics seems to be the "magical" form of physics, and its application to cryptography even more magical. I don't think I properly understand "quantum cryptography," and I don't think that most of the people that have made public comment on it understand it terribly well either.

    Could you comment on the present state of Quantum cryptography, and its probable relevance in public matters short term (which appears nonexistent), medium term (where the research of today may be in 5-10 years), and longer term?

  • by Tet ( 2721 ) <slashdot@nOsPam.astradyne.co.uk> on Monday October 25, 1999 @06:45AM (#1589396) Homepage Journal
    Scott McNealy claims we've already fought and lost the war for personal privacy. Do you agree with him or not, and why?
  • Given that most cryptographic algorithms are well known and understood worldwide, can governments control their use effectively by legal means? Do you think legal restrictions on cryptography are likely to become more or less strict over the coming years?
  • by aheitner ( 3273 ) on Monday October 25, 1999 @07:19AM (#1589398)
    Bruce --

    As many know, your twofish algorithm is one of the (many) submissions to become the AES standard. The goal for these algorithms is to be able to implement them extremely cheaply in hardware -- say on a 6800 with 256 bytes of RAM. In other words, cheaply enough to put on a smart card.

    But IBM's team alleges that any algorithm that simple can be fairly easily cracked by doing a power usage analysis on the chip (by watching fluctuations in the electrical contacts with the reader) and that the necessary equipment to protect against power analysis would be equivalent to a much more complex processor -- so much so you might as well just implement a different and more complex (and hopefully power-random) algorithm. Of course IBM suggests their own implementation.

    What do you think? Is there a way to build a simple smart card so that power analysis isn't a problem? Perhaps the whole question will become irrelevant since we'll be carrying around so much processing power in our PDAs that we'll just use them?
  • I bought your first edition of Applied Cryptography, and you say two things that bother me, with respect to your submission of Twofish as a Federal standard for encryption.

    In the forward, you describe how you got interested in cryptography, and that you had no background or training in the field, but you thought it was interesting. Also, several times throughout the book you caution people not to trust cryptosystems from amateurs.

    Clearly you have become well versed in the history and application of cryptography, your book makes all other descriptions of the state of the art invisible by comparison. Still, it appears to me that cryptosystem design and analysis requires fairly extreme mathematical proficiency, which I do not believe that you have.

    Now, of course, Twofish is published in detail, and the best people in the world have attempted to crack it (and I think that the competitive process that the US Gov't has promoted is a spectacular way to get the best people to attack each other's ciphers). But, I remain somewhat worried that at the foundations of Twofish...is there something missing that a PhD in mathematics and number theory would have seen?

    The winner of this competition will likely be the next DES, and will provide security for a fairly large percentage of the planet. The stakes are high. I'm sure that you have an answer to this criticism, and I'm eager to hear it.

    thad

  • by nano-second ( 54714 ) on Monday October 25, 1999 @06:36AM (#1589400)
    What are your thoughts on the recent reports of quantum computing and its effects on encryption?


    ---
  • by Neville ( 88610 ) on Monday October 25, 1999 @08:13AM (#1589401)
    What's your response to the notion that the web's reliance on centralized Certificate Authorities for secure commerce is ultimately flawed? There are those, like the Meta Certificate Group [slashdot.org], who feel that a hierarchical chain of certificates leading back to only a couple of elite organizations won't hold up in the distributed envirionment of the Internet. The entire framework of e-commerce seems to stand on the private keys of Verisign and Thawte. Do you feel this is a danger, and will there be viable alternatives.

    Thanks again,
    PS Neville

  • by rise ( 101383 ) on Monday October 25, 1999 @06:56AM (#1589402) Homepage
    As one of the stronger voices behind the proposition that only peer reviewed, open, and thoroughly tested algorithms can be trusted you've widely disseminated several algorithms, Solitaire [counterpane.com] and Yarrow [counterpane.com] among them. What attacks or interesting analyses have surfaced since their release?

It is now pitch dark. If you proceed, you will likely fall into a pit.

Working...