lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: fw at deneb.enyo.de (Florian Weimer)
Subject: Time Expiry Alogorithm??

* Andrew Farmer:

> On 23 Nov 2004, at 15:02, Florian Weimer wrote:
>> * Andrew Farmer:
>>> Especially considering that there aren't enough atoms in the
>>> universe to store all that precalculated data, nor enough energy
>>> to do all the calculations.
>>
>> Typically, such estimates ignore the possibilities of quantum
>> superpositions.
>
> On the other hand, we have yet to create a practical quantum computer.

But you can't rule it out, either.  If you are after a theoretic upper
bound on computation, you have to take such possibilities into
account.  I don't claim that some particular algorithm or key size is
insecure.  I just want to point out that entropy-based arguments for
the security of some algorithm against brute-force attacks are
incorrect.  (This still doesn't make the attacks feasible, of course.)

> If quantum computing comes through (and I doubt it will), we'll all
> start using quantum encryption.

Quantum encryption doesn't help much because it does not protect
against reencryption of the quantum channel by the attacker, only
passive eavesdropping is impossible.  From a practical point of view,
the quantum key distribution algorithms we know today are as safe as
Diffie-Hellman.  The only thing QKD offers are some provable security
properties.  Current systems have a major drawback, too: You can't run
the QKD protocols with someone who doesn't share some physical
communication channel with you.  This means that if some of the
current quantum encryption protocols are deployed, it's likely that
network operators can eavesdrop traffic at relay stations (which have
to perform reencryption).

Relying on well-designed symmetric ciphers with fairly large keys is
probably the best choice indeed.


Powered by blists - more mailing lists