A cryptographic algorithm E is strong if:
Note that each of those features implies the others. For strong asymmetric cryptography, an additional feature is:
What if someone says that they just invented a new and very secure cipher algorithm?
That means that they must be either a mathematical genius or a fool. Which is the far more likely explanation?
What if someone says that a cipher algorithm must be kept secret for security?
We have known that "security through obscurity" is ineffective for well over a century. Auguste Kerckhoffs (1835-1903) mathematically proved that the security of a cryptosystem must not depend on keeping its algorithm secret, as discussed on a previous page. See his article "La cryptographie militaire", from Journal des sciences militaries, vol IX, pp 5-38, Jan 1883.
19th century computing pioneer Charles Babbage wrote the following in his autobiography, Passages from the Life of a Philosopher:
One of the most singular characteristics of the art
of deciphering is the strong conviction possessed by every
person, even moderately acquainted with it, that he is able
to construct a cipher which nobody else can decipher.
I have also observed that the cleverer the person,
the more intimate is his conviction.
In my earliest study of the subject, I shared in this
belief, and maintained it for many years.
In a conversation on that subject which I had with the
late Mr. Davies Gilbert, President of the Royal Society,
each maintained the he possessed a cipher which was
absolutely inscrutable.
On comparison, it appeared that we had both imagined
the same law.
Both men had re-invented the flawed autokey system of Cardano and Vigenère.
When a cryptanalyst says than a cipher or hash algorithm is flawed or weak, or that it can be successfully attacked, they do not necessarily mean that it can be trivially broken. They mean that it was not quite as strong as we thought it was. The attack very likely remained theoretical rather than practical.
But keep in mind that a defined algorithm stays exactly the same for all time, while attacks only get better. The mathematical understanding and computer speed used in attacks will improve over time. A theoretical weakness now may turn into something very serious in the future.
The key needs to be hard to guess — for example, something better than the binary representation of the string secret — and so they need to look fairly random.
English text has little randomness. The entropy, or unpredictability, of typical English text is between 1.0 and 1.5 bits per character, as low as 0.6 to 1.3 bits per character for some samples. [Shannon, Claude E.: Prediction and entropy of printed English, The Bell System Technical Journal, 30:50-64, January 1951]
What's more, some algorithms have some specific key patterns that are called weak. These weak keys inadequately obscure the cleartext information, the ciphertext leaks information about the cleartext or about the key itself. These weak keys are typically those with large blocks of all zeros or all ones, or large blocks of alternating 01010101...
Keys should appear to be highly random binary patterns.
For example, a randomly generated 64-bit key
in hexadecimal (base 16):
79baed51c147dc5d
And the binary equivalent:
111100110111010111011010101000111000001010001111101110001011101
Oh, it's even worse than that....
Encrypting twice in a row, using the same algorithm and two keys, does produce ciphertext:
plaintext --> encrypt --> encrypt --> ciphertext
^ ^
| |
K1 K2
However, if the encryption algorithm is what is called a cryptographic group, then there exists some third key K3 where a single encryption with K3 alone produces the same ciphertext. Consider this from the attacker's point of view — all you need to decrypt is K3, so double encryption as above uses twice the work and provides no more security than one encryption step!
Even if the cipher is not a cryptographic group (and DES is not), there is something called a meet in the middle attack that makes the sequence of encryption operations no more secure against a brute-force attack than just encrypting it once.
OK, so chaining multiple encryption steps is not useful...
Triple-DES works by encrypting with one key, then decrypting with a second key, and then encrypting with a third key:
plaintext --> encrypt --> decrypt --> encrypt --> ciphertext
^ ^ ^
| | |
K1 K2 K3
Yes, that should be 168 bits. However, due to that pesky meet in the middle attack mentioned above, the complexity (meaning the computational work required) for an attacker is no greater than it would be for encrypting with one key, decrypting with the second, and then encrypting again with the first key:
plaintext --> encrypt --> decrypt --> encrypt --> ciphertext
^ ^ ^
| | |
K1 K2 K1
Since you get no better security against determined cryptanalysis, the effective strength is no better than that of a 112-bit symmetric key no matter if you use (K1,K2,K3) or just (K1,K2,K1) as above. [see ref 1 below]
Now, in 1990 a known-plaintext attack on two-key 3DES was found, and US NIST rates two-key (K1,K2,K1) 3DES at 80 bits equivalent strength, and three-key (K1,K2,K3) 3DES at 112 bits equivalent strength. [see ref 2 below, and note the vast amounts of plaintext-ciphertext data required!] I find it very interesting that the NSA's formerly classified Skipjack cipher has an 80 bit key. The coincidence of 80 bit key length is a bit striking....
Also see the well-written Wikipedia article on Triple DES, which points to further papers.
References:
[1] R. C. Merkle and M. Hellman,
"On the Security of Multiple Encryption",
Communications of the ACM,
vol 24, no 7, 1981, pp 465-467.
This is summarized as
"Triple encryption, with three independent keys, is as secure
as one might naively expect double encryption to be"
in Bruce Schneier,
Applied Cryptography,
John Wiley, 1996,
ISBN 0-471-12845-7,
sections 11.3 and 15.1-15.3.
[2] "A known-plaintext attack on two-key triple
encryption",
van Oorschot, et al., EuroCrypt '90,
and
NIST Special Publication 800-57,
"Recommendation for Key Management",
August 2005, p 63,
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
and
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf
The algorithms work differently, so you cannot simply compare key lengths to decide which is more secure against a brute-force search.
Very generally speaking, to get the same strength as an N-key symmetric cipher, an elliptic curve algorithm or a cryptographic hash needs to have a key 2N times as long, and an asymmetric cipher needs to have a key roughly 10N times as long or longer. Sorry, that's just the way the math goes. This is why asymmetric encryption is nice for key management, but symmetric algorithms are then used for bulk data encryption. [See section 1.8.4 of Handbook of Applied Cryptography, Menezes, van Oorschot, and Vanstone, 1997, available as a free PDF download]
One analysis of this is found in Applied Cryptography, Bruce Schneier, ISBN 0-471-12845-7. Thanks to Naftali Fasten for a really nice summary of parts of its chapter 7. A table based on that is:
| Symmetric Encryption | 56 | 64 | 80 | 112 | 128 | 256 | 448 | 1024 |
| Cryptographic Hash | 112 | 128 | 160 | 224 | 256 | 512 | 896 | 2048 |
| Asymmetric Encryption | 384 | 494 | 768 | 1792 | 2304 | 10753 | 39031 | 234205 |
And, from NIST and NSA:
| Symmetric Encryption | 80 | 112 | 128 | 192 | 256 |
| Elliptic Curve encryption | 160 | 224 | 256 | 384 | 521 |
| RSA (asymmetric encryption) | 1024 | 2048 | 3072 | 7680 | 15380 |
And now, some specific examples of cipher algorithms:
| Algorithm | Key Length | Notes |
| DES | 56 | No longer considered secure enough against brute-force attacks, because 256 = 72,057,594,037,927,936 is not a big enough search space given today's hardware. See the EFF project to build dedicated DES-cracking hardware. |
| FEAL | 64 | |
| LOKI | 64 | LOKI89 is insecure, LOKI91 is secure |
| RC2 | 64 | Patented, proprietary algorithm, requires license |
| Skipjack | 80 | |
| 3DES | 112 | |
| CAST-128 or CAST5 | 128 | Available royalty-free worldwide for commercial and non-commercial applications, despite earlier CAST work being patented. |
| IDEA | 128 | Patented, requires license |
| REDOC | 160 | Patented, requires license |
| CAST-256 or CAST6 | 256 | Available royalty-free worldwide for commercial and non-commercial applications, despite earlier CAST work being patented. |
| RC6 | 256 | Variable length key, up to 2040 bits |
| AES | 256 | Advanced Encryption Standard, replaces DES. Algorithm was originally known as "Rijndahl" |
| GOST | 256 | Gosudarstvennyy Standart Soyuza SSR, Государственный Станарт Союза ССР, Russian for "Government Standard of the Union of Soviet Socialist Republics", which dates it |
| Blowfish | 448 | See: http://bt.counterpane.com/blowfish.html |
| Khufu | 512 | |
| Khafre | 512 | |
| RC4 | 1024 | Optionally usable in SSL and WEP, but recommended against as weaknesses are well known. Variable length key, typical applications used 40-1024 bits. |
| RC5 | 2040 | Variable length key, up to 2040 bits |
| CA-1.1 | 1088 | Patented, free for non-commercial use. Requires parallel hardware for practicality on large data sets. |
| Algorithm | Key Length | Notes |
| DSA | 1024 | U.S. government standard for a component of digital signatures |
| El Gamal | 1024-4096 | Used in GNU Privacy Guard. Key size is variable, 1024-4096 bit keys are used in GnuPG. |
| RSA | typically 1024-4096 | At least 2048 bits are recommended today. Your computer should be fast enough to comfortably handle that key size or larger, while your attacker's computer might be getting close to being able to discover 1024-bit keys |
|
|
|
|
|
|||||||||
|
|||||||||
|
| © Bob Cromwell Feb 2012. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache. Root password available here, privacy policy here. |
