[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Introducing TGP...
- To: "stuart@xxxxxxxxxxxxxx" <stuart@xxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Introducing TGP...
- From: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
- Date: Mon, 14 Jun 2010 19:41:32 +0000
You keep talking about DES being cracked as if you had something to do with
it... everyone here knows that encryption is math, and that as computers get
faster, it will be easier and faster to break encryption algorithms. Yet you
say things like "you've archived your data and people will be able to come back
to it" as if it is some sort of epiphany. I KNOW I've archived it. That's the
POINT. See if you can understand this: "By the time it gets cracked, it won't
matter anymore. The value of the data will not survive the time it takes to
crack it."
It took decades for DES to be practically cracked, and it was simply 56-bit
block encryption. Yet it still took 22 hours for supercomputers specifically
designed to crack a less-than-20-character cypher, at which point they were
only 22% through the keyspace. You don't seem to get that both the AES256 key
*and* the AESIV are BOTH RSA2048 bit encrypted. But actually, it doesn't
matter that you don't get it: you've already illustrated that you can't do the
math, so I'm not too concerned about your claiming that AES256 and RSA2048 will
be, quote, "ancient" in 5 tiny little years.
All you've been able to do is say, "it's insecure because it will be decrypted
at some point in the future." Well thank God YOU'RE here to point out the
obvious!!
At this point, I'd like to change my request to the FD list: Rather than "if
you have any comments," what I am asking now is, "if you have any intelligent
comments that will help forward the security of TGP in a meaningful way, please
feel free to chime in."
You know, like Jeffery's question about SHA256 - that was meaningful and
helpful. I mean, saying "surely it is better to keep the cypher text
inaccessible" really shows that you are ignoring the fact that if the cypher
text were inaccessible, then it wouldn't have to be cypher text in the first
place. If it were inaccessible there would be no reason to protect it.
Stu, what you don't seem to get is that the very point of encryption is for
data to be secured when completely exposed. That's the POINT. It's not a
"would be nice if" or a "man, it would be super keen if"... It is *why* we
have encryption. There is NO REASON why I should not be able to post a scan
of my passport and expect it to be secure for longer than the expected life of
the value of the data. If it can't be, then we need better algo, not FUD.
t
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of lsi
Sent: Monday, June 14, 2010 12:08 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Introducing TGP...
On 14 Jun 2010 at 9:52, Thor (Hammer Of God) wrote:
> You don't think I considered it? Really? You think that I would go
> through the trouble of designing and implenting a standards based
> encrytion application without considering that it could be cracked?
The USG put a lot more into DES, but that didn't save it.
> You are incorrect. I certainly considered it. I just know that when
> brute forcing AES256 becomes feasible, a scan of mynpssport will be
> the last thing on anyone mind.
As the data is archived, an attacker can come back anytime, once they have
finished with the interesting stuff... ;)
> How does this differ from SSL, and why do you think I would have to be
> "live on the wire" to crack it?
It doesn't differ from SSL, which also could be captured and eventually cracked.
> If your entire argument is "it can be cracked at some point" then you
> argue against *any* type of encrytion.
I'm saying security is an onion, and by posting your ciphertext you are
irreversibly removing several layers of it. Surely it's better to keep the
ciphertext inaccessible, this way an attacker has to get access to it, in
addition to cracking it.
Stu
---
Stuart Udall
stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/