Other Directory Sites: SeekWonder | Directory Owners Forum
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:29 ADT
Michael Paul Johnson (mpj@csn.net)
Thu, 16 Jul 1998 15:52:12 -0600
At 02:35 PM 7/16/98 -0500, Bruce Schneier wrote:
>>Twofish is a well-designed, conservative cipher, but it's young enough
>>that a break is still a big risk. Therefore, I'd reccomend using a
>>more-analyzed cipher like CAST-128 for now, or at least something which
>>can't be less secure than it (i.e., use CAST-OFB on zeroes to generate
>>from the XORed-together keys a CAST key and a Twofish key, then use
>>Twofish-over-CAST for encryption).
>
>While I agree that Twofish is new, I give a big yuk to CAST-128. Blowfish
>is basically the same, but with key dependent S-boxes. If you want to be
>conservative, use Triple-DES.
Actually, newness is a cryptographic advantage (as well as disadvantage).
Older cryptographic algorithms:
+ Have been well analyzed and it is likely that the most significant
weaknesses, if any, have been published.
+ Are well supported in hardware and software toolkits.
+ Are accepted as standards for secure information interchange.
+ Are easily endorsed by conservative cryptographic experts.
+ May have patents expired.
- Have been well analyzed by adversaries who would not publish weaknesses
found.
- Are much more likely to have custom cracking solutions actually secretly
in use.
- Often give a false sense of security due to pure age, without actual
determined effort to crack the algorithm being applied by knowledgeable
publishing adversaries.
- Frequently are targeted to a world with less computing horsepower than
today or the next 20-30 years.
- Often are difficult to extend to longer key lengths or wider block sizes
without exposing weaknesses or creating significant inefficiencies.
- May or may not have been designed by someone who qualified to do such
things.
Newer cryptographic algorithms:
+ Have not had much public scrutiny UNLESS they are an "interesting" target
(like SKIPJACK).
+ Usually come with at least a reference implementation in software.
+ Have not been seriously analyzed by adversaries.
+ Are generally not supported by specialized cracking machines.
+ Are often in the Public Domain or freely usable anyway.
+ Are more likely to be targeted to contemporary computing horsepower.
- May or may not be seriously looked at, depending on the source, where
published (if at all).
- Are not generally accepted as standards, but may end up in practical
applications, anyway.
- May or may not have a serious flaw in the design.
- May or may not have been designed by someone who qualified to do such
things.
What is the line between an "old" and a "new" cryptographic algorithm? That
is a fuzzy line, indeed. I tend to think more in terms of amount of review
than pure time. For example, SKIPJACK has been extensively internally
reviewed at the NSA by people paid to do so, and now by many people who
were naturally curious about this unique cipher. Blowfish has been
published widely and discussed heavily. The Diamond 2 Block Cipher is
"older" than both of them, and probably stronger (AES-sized blocks and keys
give it a head start), but it hasn't been published as widely. Being too
lazy to submit it for AES evaluation probably contributed to that. Anyway,
I think that I'd be comfortable with any of the AES submissions that
survive the selection process scrutiny without weaknesses being found as
far as security goes. Then again, I still like Diamond 2...
Where interoperability is not a major concern, there is some value in
trying to use something that isn't widely used, but that has been
reasonably well scrutinized for problems. You be the judge of what
"reasonably well" means.
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:29 ADT