[Discuss] Good and Bad Crypto

Jerry Feldman gaf at blu.org
Wed Apr 23 15:05:27 EDT 2014


On 04/23/2014 10:37 AM, Edward Ned Harvey (blu) wrote:
>> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
>> bounces+blu=nedharvey.com at blu.org] On Behalf Of Jerry Feldman
>>
>> that nearly any primate could break it.  We could have used DES because
>> we did use DES for part of the project. But, anyone who knows what they
>> are doing certainly would use a standard library implementation.
> Even DES isn't secure these days.  56 bit key, even if DES had no weaknesses, would be crackable by brute force with a laptop in a reasonable amount of time (hours? days? weeks?).  But DES also has some weaknesses that make its cryptographic strength closer to 37 bits.  If you know how to attack DES intelligently, this is extremely doable.
>
> 3DES is literally just 3 rounds of DES, with 3 different keys, bringing the total key material up to 168 bits and cryptographic strength around 112.  Which is generally still considered to be strong enough for nearly all purposes.
>
> How many years ago did you see the lower life form rolling his/her own crypto like an idiot?  I will actually be shocked if it's anytime within the last decade.  Unless it was just an archaic system put in place over a decade ago and still in operation today.
>
>
That was a while ago, I hope he joined the human race :-)
But, it was at a time when DES 56-bit was available and we could copy
the source code.

But even the code used for that product had some really stupid things.
For instance they had a large struct. They computed the size of the
array by taking the address of an int following the array and the start
of the array. (I guess they never heard of the sizeof operator.) That
worked well on the current compiler, but if they used a newer compiler
it crashed because the new compiler moved things around. So:
struct foo;
int bar;
The int bar did not immediately follow foo. Compilers are free to move
variables anywhere unless they are grouped. I think some of that code
was written by interns who were just learning about C.

-- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90 
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66  C0AF 7CEA 30FC 3BC1 EB90
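The array-size bug described in the post, as an added C example that is not code from the post or the product it describes. The struct and its field names (`record`, `buf`, `next`) are constructed to show the point in a form the C standard defines: the distance between an array and the field placed after it includes whatever padding the compiler inserts, so it is not the array's size, while `sizeof` is independent of layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 5-byte array followed by an int. The compiler aligns
 * the int, so padding sits between buf and next. */
struct record {
    char buf[5];   /* the array whose size the original code wanted */
    int  next;     /* the field whose address the original code used */
};

/* The fragile idiom from the post: "address of the next field minus address
 * of the array". offsetof keeps this well-defined, but the answer is wrong. */
size_t fragile_size(void)
{
    return offsetof(struct record, next) - offsetof(struct record, buf);
}

/* The correct idiom: sizeof reports the array's real size on every compiler. */
size_t correct_size(void)
{
    struct record r;
    return sizeof r.buf;
}

/* Bounded copy into buf using the correct size; returns bytes copied.
 * Using fragile_size() as the bound here would write past buf into next. */
size_t fill_buf(struct record *r, const char *src, size_t len)
{
    size_t n = len < sizeof r->buf ? len : sizeof r->buf;
    memcpy(r->buf, src, n);
    return n;
}

int main(void)
{
    struct record r = {0};
    printf("fragile size: %zu, sizeof size: %zu\n", fragile_size(), correct_size());
    printf("copied %zu bytes\n", fill_buf(&r, "constructed input", 17));
    return 0;
}
```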