Kerckhoff's Principle; A must-read for would-be cryptographers

Topic Started: Oct 18 2005, 05:55 AM (495 Views)
insecure | Oct 18 2005, 05:55 AM | Post #1
Elite member
It is very tempting, when designing your own cryptographic algorithm, to use it to generate some ciphertext, show people the ciphertext, say "bet ya can't crack this", and - when nobody does - to assume your cryptographic algorithm is unbreakable. It is possible that your assumption is correct. It is, however, not terribly likely.

The most likely reason that nobody cracks your ciphertext is that nobody cares enough. Sorry, but it's true - there are lots of people, even nowadays in this caring, sharing world, who don't give tuppence about you or your algorithm. Here at CryptoForum, of course, we do. Well, we probably won't give you tuppence, but we are quite likely to have a go at your ciphertext if you want us to (and, if you don't, the solution is easy - don't post any). It would, of course, be very unwise to trust to the "unbreakability" of a cipher, simply because nobody you've showed it to has even bothered to look at it.

Another reason people might not crack your ciphertext is that you haven't provided enough of it. It only takes a moment's thought to realise that the more ciphertext the attacker has, the easier it is for him to attack it. Giving would-be attackers just a little ciphertext and then crowing when they can't/don't crack it may be fun, but if you then draw the conclusion that your cipher is attack-proof, you could just end up in trouble if you start to trust it to protect lots of data. Consider, for example, a simple polyalphabetic cipher - give the attacker six bytes of plaintext, and he'll ignore it as a waste of time. Give him sixty bytes, though, and he might just crack it. Give him six hundred, and he'll crack it easily. And even a simple letter to a friend could easily take up a thousand or more bytes.

Yet another reason that some people might not crack your ciphertext is that you haven't explained how the algorithm works. Now, some people have the not unreasonable notion that keeping the algorithm secret improves security. Oddly enough, though, it doesn't. (There is an exception to this rule which I'll come to in a minute, which turns out not to be an exception after all.)

Here's why a secret algorithm damages security: As we have seen, it is sometimes possible to figure out key aspects of the algorithm just by inspecting the ciphertext. For example, a frequency analysis can generally tell us whether a monoalphabetic cipher has been used, or perhaps a transposition cipher. A Kasiski attack can show us whether a simple polyalphabetic cipher is in use. So, just because you don't tell people what the algorithm is, that doesn't necessarily mean they can't figure it out anyway.

If your cipher is more complex, though, it may not be possible to decrypt your ciphertext without knowing the algorithm in advance; but consider this: if it's that complicated, you've almost certainly written a computer program to do the encryption and decryption. So anyone who cares enough about your ciphertext can get at the algorithm, even if it means breaking into your home and ghosting your hard disk whilst you're out shopping or at work or at school or something. If that sounds like overkill, it just means you can't think of any reason why anyone would care enough to do it - which, for most if not all of us, is probably fair enough. Nevertheless, if you have BIG secrets to hide, your level of "justifiable paranoia" ought to increase in proportion.

If it matters enough, people will find out. The British, for example, managed to get hold of the design of the military version of the Enigma machine because the French found a guy in the Chiffrierstelle in 1931 (when Germany was not at war) who was prepared to sell them some vital documents which made this design clear; the French didn't care enough to do anything about it, so they gave it to the Poles, who made lots of progress against Enigma before they ran out of time and handed all they had to the British.

So trying to keep your algorithm secret doesn't actually work. Indeed, the Germans realised this. In their security assessments of Enigma, they rightly started with the basic assumption that the enemy (the British) would find a way to get hold of an Enigma machine. This assumption has become known as "Kerckhoff's Principle" (Kerckhoff was a 19th century Dutchman, by the way - the Germans didn't invent the assumption!).

To quote Bruce Schneier, author of "Applied Cryptography": 'if the strength of your new cryptosystem relies on the fact that the attacker does not know the algorithm's inner workings, you're sunk. If you believe that keeping the algorithm's insides secret improves the security of your cryptosystem more than letting the academic community analyze it, you're wrong. And if you think that someone won't disassemble your code and reverse-engineer your algorithm, you're naive.'

And here's the important point - letting other people see your algorithm allows them to analyse it and point out weaknesses in it that you didn't spot. It's like show and tell - if you don't show them, they can't tell you. And once they've told you, you have the opportunity to fix that flaw, and thus make your algorithm stronger - and then go round again for the next weakness.

The exception I mentioned is that of governments. They generally don't let the workings of their cryptographic algorithms become public knowledge if they can avoid it. That doesn't mean those algorithms don't get peer review. If you're a red-hot cryptanalyst, the chances are good that you'll end up working for your government, providing that peer review yourself - inside a large, but closed, cryptographic community. In other words, the peer review - by top-ranking experts, no less - still happens, but not in the full glare of public discussion. That doesn't mean that the governments concerned are ignoring Kerckhoff's Principle; they still use algorithms that could withstand public knowledge - but they are in the happy position that they can hire a huge number of experts who can be relied on to keep their mouths shut, so they get the best of both worlds. So it's not really an exception after all, because the government does make its algorithm known - to its own pool of internal crypto experts! If an enemy finds out the algorithm, though, it shouldn't matter - and generally doesn't matter. Finding out the algorithm is just an extra obstacle the enemy must tackle. It's like putting a fence around your outpost. It won't stop a tank, but it might slow the tank down a little. And it keeps the riff-raff out.

"But I have to keep my XYZ algorithm secret, or I won't be able to make a profit out of it." Yeah, right. We already have Rijndael (which was adopted as the Advanced Encryption Standard, the successor to DES), and TwoFish - both are highly-acclaimed cryptographic algorithms. Both are public knowledge. Both are freely available for anyone to use without charge. Both have been exhaustively analysed. Nobody has found any significant weaknesses in either of them.

Now let's think about a corporate security guy, looking to upgrade his crypto. He has whittled his algorithm choice down to three:

1) Rijndael. Adopted as the latest crypto standard. Algorithm is publicly available for me to inspect. Lots of hostile (that is, independent) expert peer review, but no attacks have emerged. Free.

2) TwoFish. AES candidate. Written by Bruce Schneier, David Wagner, and several other top names in crypto. Algorithm is publicly available for me to inspect. Lots of hostile peer review, but no attacks have emerged. Free.

3) XYZ. Written by Joe No-name. Algorithm not available for public inspection. No peer review whatsoever. Costs money.

Well, it's not an easy choice, but I think we can all see which one would place third.

None of the above means you can't post ciphertext-only challenges here on CryptoForum. You can - and people do. But if you do, and nobody cracks your challenge, don't make the mistake of thinking you can now trust that cipher algorithm to protect your sensitive data, simply because a few guys on a Web forum never got around to cracking your stuff.
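Two of the post's claims can be checked directly: that the ciphertext alone betrays the class of cipher, and that six, sixty and six hundred bytes of a simple polyalphabetic cipher are very different propositions. The example below is added here and is not from the post or the forum: it encrypts a constructed English passage with a Vigenère cipher under a constructed key, then applies the index-of-coincidence (Friedman) test, the statistical form of the Kasiski examination the post mentions, to recover the key length from ciphertext only; the threshold and minimum column size are assumptions, not from the post.

```python
import string

ALPHA = string.ascii_uppercase
THRESHOLD = 0.055   # assumed cut-off between uniform text (IC about 0.038) and English (about 0.066)
MIN_COLUMN = 10     # assumed: with fewer letters than this per column the statistic is noise

def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Simple polyalphabetic (Vigenere) cipher: letter i is shifted by key[i mod len(key)]."""
    letters = [c for c in plaintext.upper() if c in ALPHA]
    return "".join(ALPHA[(ALPHA.index(p) + ALPHA.index(key.upper()[i % len(key)])) % 26]
                   for i, p in enumerate(letters))

def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from text are equal; a fixed shift leaves it unchanged."""
    n = len(text)
    if n < 2:
        return 0.0
    counts = [text.count(c) for c in ALPHA]
    return sum(f * (f - 1) for f in counts) / (n * (n - 1))

def guess_period(ciphertext: str, max_period: int = 15):
    """Smallest period whose columns all look like singly shifted English, else None.
    If p is the true key length every column is a Caesar shift of English (IC near 0.066);
    a wrong p mixes shifts and the IC sinks towards 0.038 (Friedman's form of the Kasiski test)."""
    for period in range(1, max_period + 1):
        columns = [ciphertext[i::period] for i in range(period)]
        if min(len(c) for c in columns) < MIN_COLUMN:
            return None  # too little ciphertext to judge this period or any longer one
        mean_ic = sum(index_of_coincidence(c) for c in columns) / period
        if mean_ic > THRESHOLD:
            return period
    return None

# Constructed sample: about six hundred letters of English under a constructed five-letter key.
PLAINTEXT = (
    "It is very tempting when designing your own cipher to show people some ciphertext and "
    "declare it unbreakable when nobody cracks it. The more likely explanation is that nobody "
    "cared enough to try or that you did not give them enough material to work with. The more "
    "ciphertext an attacker has the easier the attack becomes and even a short letter to a friend "
    "runs to a thousand characters. Keeping the algorithm secret does not help either because the "
    "algorithm can usually be inferred from the ciphertext or obtained from the program that "
    "implements it. Publishing the design lets other people find the weaknesses you missed and fix "
    "them before an enemy does. The only thing that should need to stay secret is the key."
)
KEY = "CRYPT"
CIPHERTEXT = vigenere_encrypt(PLAINTEXT, KEY)

if __name__ == "__main__":
    # Six letters: nothing to say. Sixty: a coin toss. Six hundred: the key length is exposed.
    for n in (6, 60, len(CIPHERTEXT)):
        print(f"{n:3d} letters -> period guess: {guess_period(CIPHERTEXT[:n])}")
```

With sixty letters the columns hold only a dozen letters each, so the test may or may not land on the right period on any given passage; with the full passage it does, which is the post's point about volume.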
cows | Oct 18 2005, 02:38 PM | Post #2
Advanced Member
Very good points raised here, umm, I guess you explained it all... If the government works by itself, and passes their new ciphers to the crypto team to find flaws in, how did Twofish become publicly available, as you said that
Surely all of these people would have been working for the government - or were they hired by the government afterwards?
Everything is possible, the impossible just takes longer. If we do not know what a particle is doing then it is allowed to do everything possible simultaneously. "Anyone who can contemplate Quantum Mechanics without getting dizzy, didn't understand it."
insecure | Oct 18 2005, 06:34 PM | Post #3
Elite member
Twofish was not developed by the US Government. It was a collaborative effort between a number of people, none of whom (as far as I know) works for the NSA. The people I mentioned (Schneier, Wagner and so on - was Roger Schlafly one? I don't recall) are indeed among the "top names in crypto"; these are (some of) the best cryptographers in the world that we know about. I don't actually know the names of many cryptographers at the NSA. In fact, I can only think of one, and as far as I can tell he's a cryptanalyst rather than a cipher designer. He would certainly count as a "top name"; in fact, some people here will have a book with his name in it, although they probably don't realise the fact, since it's buried in the acknowledgements. (I even have a book with his name on the cover!)
Revelation | Oct 18 2005, 06:46 PM | Post #4
Administrator
This is a nice intro.
Thank you for spending - and I absolutely don't mean wasting - your time on this!
Donald | Oct 19 2005, 04:43 AM | Post #5
Elite member
They had a big competition and asked experts to send in algorithms. You see, the problem was, they wanted a seriously good crypto algorithm that would be adopted by BUSINESS as well as government. They wanted it to become a standard (hence the S in AES). If the NSA had come up with its own algorithm and suggested it, a lot of people would have avoided it, assuming the NSA had built in a back door. Heck, the really paranoid people STILL think that. But by having the algorithm come from non-government sources they managed to convince MOST people to start using AES as the standard. I use AES and TwoFish both. And when I'm feeling like being overly paranoid, I use pgp to encrypt using twofish, then zip the result using AES encryption (using a different strong passphrase). Total and complete overkill. But I CAN do it, so why not.

Donald