Re: Security of Secret Algorithm encryption
sci.crypt archive

From: Andrew Swallow <am.swallow@btopenworld.com>
Date: Sun Sep 18 2005 - 01:08:15 CEST

William L. Bahn wrote:
> "Andrew Swallow" <am.swallow@btopenworld.com> wrote in message
> news:dghh12$4fi$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
>
>>William L. Bahn wrote:
>>
>>>"Andrew Swallow" <am.swallow@btopenworld.com> wrote in message
>>>news:dgh60k$i7b$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com...
>>>
>>>>John E. Hadstate wrote:
>>>>
>>>>>"William L. Bahn" <william@toomuchspam.net> wrote in message
>>>>>news:-aGdnfWD9dFsVbbeRVn-3g@pcisys.net...
>>>>>
>>>>>>What I'm trying to get a feel for is how much harder
>>>>>>performing a cryptanalysis is when the algorithms aren't
>>>>>>known - or at least until they are known.
>>>>>
>>>>>Laying aside the technique of simply guessing a solution,
>>>>>the cryptanalyst must discover an algorithm that decrypts
>>>>>the ciphertext.
>>>>>
>>>>>I'm going to go out on a limb here and speculate that the
>>>>>minimum number of bits required to express this algorithm
>>>>>(which implicitly includes the "secret key") minus the
>>>>>amount of entropy in the "secret key" itself is the amount
>>>>>of entropy contributed by keeping the algorithm secret.
>>>>
>>>>The people making the code are probably beginners. All the
>>>>beginner's mistakes have known attacks. Simply go down the
>>>>list of attacks until one of them works.
>>>>
>>>
>>>In practice, I would certainly agree. But what if they didn't
>>>make all of the beginner's mistakes? Asked another way, perhaps,
>>>is how complicated does the "simplest" algorithm need to be while
>>>avoiding all of the "beginner's mistakes"?
>>
>>Simplest with no mistakes = AES or 3DES.
>>
>>The government does not pay extra for unnecessary complexity.
>
> And which we can also pretty safely assume that the attacker
> knows the algorithms for. The whole point of the thread is to get
> a feel for the degree of difficulty imposed by having to attack
> an algorithm when the algorithm is not known.

If you think about it I answered your question.
You need something the same complexity as AES.

Andrew Swallow
Received on Thu Sep 29 21:55:21 2005