[149083] in cryptography@c2.net mail archive
Re: [Cryptography] Boing Boing pushing an RSA Conference boycott
daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Thu Jan 16 09:18:37 2014
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <E1W3ly4-0000F1-A5@login01.fos.auckland.ac.nz>
Date: Thu, 16 Jan 2014 07:58:15 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
Jonathan Hunt <j@me.net.nz>, "Salz, Rich" <rsalz@akamai.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============2124329280905236673==
Content-Type: multipart/alternative; boundary=089e01419b0690868d04f015faf7
--089e01419b0690868d04f015faf7
Content-Type: text/plain; charset=ISO-8859-1
On Thu, Jan 16, 2014 at 7:22 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>wrote:
> Jonathan Hunt <j@me.net.nz> writes:
> >On Wed, Jan 15, 2014 at 12:48 PM, Phillip Hallam-Baker <hallam@gmail.com>
> wrote:
> >> What then should we do about all the folk clinging to 3DES? How about
> the
> >> people who stuck with MD5? How about the people who have not junked
> SHA-1?
> >
> >I don't think anyone recommends using these broken constructs in new
> projects
> >(i.e. sets them as default in a cryptography library).
>
> Since when was 3DES a broken construct? In fact in the early-mid 2000's
> there
> were several papers published that made AES look a bit shaky (none of the
> attacks were developed much further, but we didn't know that at the time),
> so
> sticking to 3DES, with its extra quarter century of provenance, was a
> perfectly sensible move. Even now, it's unlikely that any algorithm has
> received as much attention and analysis as 3DES.
>
The problem is the same problem as usual with DES: Adi Shamir. Remember
when he got bounced from that NSA conference? He gave a talk at MIT
instead. And what he showed generalizes the meet in the middle approach.
It isn't a break of 3DES but the approach does show how the construction
approach is weak.
The reason I point it out is that what we had in 2007 was very similar.
There was no proof that the algorithm is backdoored. I am not aware that we
have an actual smoking gun in the Snowden docs even today. No 'Time for
some backdoor in DUAL_EC_DRNG'.
But what there is today on 3DES is certainly enough for those of us who
went to the right talks to be able to say in 5 or 6 years, 'told you 3DES
was vulnerable'. It wouldn't really be fair, it would be using a huge slice
of hindsight. But so are the people complaining about RSA.
--
Website: http://hallambaker.com/
--089e01419b0690868d04f015faf7
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Thu, Jan 16, 2014 at 7:22 AM, Peter Gutmann <span dir=3D"ltr">&l=
t;<a href=3D"mailto:pgut001@cs.auckland.ac.nz" target=3D"_blank">pgut001@cs=
.auckland.ac.nz</a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex"><div class=3D"im">Jonathan Hunt <<a href=3D"mailto:j@me=
.net.nz">j@me.net.nz</a>> writes:<br>
>On Wed, Jan 15, 2014 at 12:48 PM, Phillip Hallam-Baker <<a href=3D"m=
ailto:hallam@gmail.com">hallam@gmail.com</a>> wrote:<br>
>> What then should we do about all the folk clinging to 3DES? How ab=
out the<br>
>> people who stuck with MD5? How about the people who have not junke=
d SHA-1?<br>
><br>
>I don't think anyone recommends using these broken constructs in ne=
w projects<br>
>(i.e. sets them as default in a cryptography library).<br>
<br>
</div>Since when was 3DES a broken construct? =A0In fact in the early-mid 2=
000's there<br>
were several papers published that made AES look a bit shaky (none of the<b=
r>
attacks were developed much further, but we didn't know that at the tim=
e), so<br>
sticking to 3DES, with its extra quarter century of provenance, was a<br>
perfectly sensible move. =A0Even now, it's unlikely that any algorithm =
has<br>
received as much attention and analysis as 3DES.<br></blockquote><div><br><=
/div><div>The problem is the same problem as usual with DES: Adi Shamir. Re=
member when he got bounced from that NSA conference? He gave a talk at MIT =
instead. And what he showed generalizes the meet in the middle approach.</d=
iv>
<div><br></div><div>It isn't a break of 3DES but the approach does show=
how the construction approach is weak.=A0</div><div><br></div><div>The rea=
son I point it out is that what we had in 2007 was very similar. There was =
no proof that the algorithm is backdoored. I am not aware that we have an a=
ctual smoking gun in the Snowden docs even today. No 'Time for some bac=
kdoor in DUAL_EC_DRNG'.</div>
<div><br></div><div>But what there is today on 3DES is certainly enough for=
those of us who went to the right talks to be able to say in 5 or 6 years,=
'told you 3DES was vulnerable'. It wouldn't really be fair, it=
would be using a huge slice of hindsight. But so are the people complainin=
g about RSA.</div>
<div>=A0</div></div><div><br></div>-- <br>Website: <a href=3D"http://hallam=
baker.com/">http://hallambaker.com/</a><br>
</div></div>
--089e01419b0690868d04f015faf7--
--===============2124329280905236673==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============2124329280905236673==--
