Re: Introducing TGP...

["Thor (Hammer of God)" <Thor () hammerofgod com>]

You keep talking about DES being cracked as if you had something to do with it...  everyone here knows that encryption 
is math, and that as computers get faster, it will be easier and faster to break encryption algorithms.  Yet you say 
things like "you've archived your data and people will be able to come back to it" as if it is some sort of epiphany.  
I KNOW I've archived it.  That's the POINT.  See if you can understand this:  "By the time it gets cracked, it won't 
matter anymore.  The value of the data will not survive the time it takes to crack it."  

It took decades for DES to be practically cracked, and it was simply 56-bit block encryption.  Yet it still took 22 
hours for supercomputers  specifically designed to crack a less-than-20-character cypher, at which point they were only 
22% through the keyspace.   You don't seem to get that both the AES256 key *and* the AESIV are BOTH RSA2048 bit 
encrypted.   But actually, it doesn't matter that you don't get it: you've already illustrated that you can't do the 
math, so I'm not too concerned about your claiming that AES256 and RSA2048 will be, quote, "ancient" in 5 tiny little 
years.  

All you've been able to do is say, "it's insecure because it will be decrypted at some point in the future."  Well 
thank God YOU'RE here to point out the obvious!!  

At this point, I'd like to change my request to the FD list:  Rather than "if you have any comments," what I am asking 
now is, "if you have any intelligent comments that will help forward the security of TGP in a meaningful way, please 
feel free to chime in."  

You know, like Jeffery's question about SHA256 - that was meaningful and helpful.    I mean, saying "surely it is 
better to keep the cypher text inaccessible" really shows that you are ignoring the fact that if the cypher text were 
inaccessible, then it wouldn't have to be cypher text in the first place.  If it were inaccessible there would be no 
reason to protect it. 

Stu, what you don't seem to get is that the very point of encryption is for data to be secured when completely exposed. 
 That's the POINT.  It's not a "would be nice if" or a "man, it would be super keen if"...  It is *why* we have 
encryption.   There is NO REASON why I should not be able to post a scan of my passport and expect it to be secure for 
longer than the expected life of the value of the data.  If it can't be, then we need better algo, not FUD.

t



-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
lsi
Sent: Monday, June 14, 2010 12:08 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Introducing TGP...

On 14 Jun 2010 at 9:52, Thor (Hammer Of God) wrote:

> You don't think I considered it?  Really?  You think that I would go 
> through the trouble of designing and implenting a standards based 
> encrytion application without considering that it could be cracked?

The USG put a lot more into DES, but that didn't save it.

> You are incorrect. I certainly considered it. I just know that when 
> brute forcing AES256 becomes feasible, a scan of mynpssport will be 
> the last thing on anyone mind.

As the data is archived, an attacker can come back anytime, once they have finished with the interesting stuff... ;)

> How does this differ from SSL, and why do you think I would have to be 
> "live on the wire" to crack it?

It doesn't differ from SSL, which also could be captured and eventually cracked.

> If your entire argument is "it can be cracked at some point" then you 
> argue against *any* type of encrytion.

I'm saying security is an onion, and by posting your ciphertext you are irreversibly removing several layers of it.  
Surely it's better to keep the ciphertext inaccessible, this way an attacker has to get access to it, in addition to 
cracking it.

Stu

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/