Symmetric encryption: why not use private keys? - PGP



Thread: Symmetric encryption: why not use private keys?

  1. Re: Symmetric encryption: why not use private keys?

    "Suzanne Skinner" wrote in message
    news:slrncjnubl.9i.tril@miranda.igs.net...
    > On 2004-09-05, Beretta wrote:
    >
    >> I'm rather curious as to why truncating something to 160 bits would be
    >> worrisome?


    BTW, this means that the key files on your hard drive only have 160-bit
    protection; the mail you send using those keys can have more or less
    strength depending on the cipher chosen (and the entropy used during
    temporary key generation). Realistically, if someone can read your key
    files odds are they can also trap keystrokes, catch temporary files before
    encryption, etc. -- in other words, there will surely be easier ways to get
    your data than going through SHA1 to get your private key.

    > Because I'd like my private files to be just as private 20 years from now
    > :-)


    There's no danger on that front unless a severe defect is found in AES.
    There's several other viable 128-bit (and higher) block ciphers if that
    happens.

    >> 160 bits and 256 bits, etc. are all out of the reach of even the fastest
    >> computers on the planet for decades (maybe centuries) to come.
    >
    > So you say. But within my lifetime, DES went from becoming the official
    > government standard, to being breakable in 24 hours. What's to stop that
    > from happening to AES 128? It's not that I think there's a vast conspiracy
    > out to get me. I just don't want to be susceptible to casual snooping, now
    > or later.


    AES-128 is 2^72 times more difficult to brute-force than DES, meaning it'll
    be a century before Moore's Law puts you in any danger. If you're concerned
    about living that long, switch to AES-256 and even your
    great-great-great-grandchildren shouldn't be able to read your email.

    DES was insufficient because (a) when it was designed, Moore's Law wasn't
    yet evident, and (b) the government didn't replace DES until a decade after
    it was clearly obsolete. IDEA, AES, and other recent ciphers do not suffer
    from the same "failure of imagination".

    S

    --
    Stephen Sprunk        "Those people who think they know everything
    CCIE #3723             are a great annoyance to those of us who do."
    K5SSS                  --Isaac Asimov


  2. Re: Symmetric encryption: why not use private keys?

    Suzanne Skinner writes:
    > I'm curious why GnuPG (and presumably PGP) uses only a passphrase
    > for traditional symmetric encryption. As I understand it, this means
    > that you have to be very careful to choose a passphrase with enough
    > entropy, and then the passphrase has to be hashed to generate a
    > key. Why not do things the same way as PGP does asymmetric
    > encryption? Use /dev/random or another good random source to
    > directly generate a private key of the right length, then protect
    > that key with a passphrase. This would mean rock-solid encryption as
    > long as your private key is not compromised, with a second tier of
    > protection via the passphrase. I can't find any way to tell GnuPG to
    > do this :-(


    Hmm, your message dated 3 September just arrived here.

    Anyway, you'd have to keep the secret key in a key ring similar to the
    secret key ring used for public key crypto. That's another file that
    you have to be sure to not lose. Philip Zimmermann once designed a
    scheme like that for PGP, but it was never implemented because it
    wasn't important enough. The issue back then was that computers were
    slow enough that public key decryption took a long time (over a minute
    on the original 4.77 MHz PC/XT). So the idea was that you'd send
    someone a public-key encrypted message and use it to establish a
    persistent secret key for future traffic. When computers got faster,
    it became more convenient to just use public-key all the time.

    The usual use of symmetric (passphrase-based) crypto in PGP and GnuPG
    is to be able to encrypt a file so that you can decrypt it later
    without needing any additional info like keyring files. For example,
    you can encrypt a file with a passphrase and send or store it
    somewhere, without having to store a keyring along with it.

    > My wish here is to encrypt off-site backups in a way that is
    > lastingly secure. I trust my own machine not to get hacked (all
    > ports closed), others not so much. I could just use public key
    > encryption, but from the research I've been doing on sci.crypt, it
    > sounds like symmetric encryption is generally regarded as faster and
    > tighter.


    There is some sense to the notion that symmetric crypto is less
    vulnerable to unforeseen future theoretical breakthroughs than public
    key. Of course, "less vulnerable" doesn't mean "invulnerable".
    Nobody can predict unforeseen future breakthroughs. That's why
    they're called unforeseen.

    The speed difference really isn't an issue. Remember that GPG's
    public key implementation, as is normal, just uses a public key to
    encrypt a temporary secret key, then uses the secret key to encrypt
    the file. So using public key adds the overhead of just one public
    key operation, a small fraction of a second on today's PCs.
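The two designs argued over in this thread can be put side by side in code: the passphrase-only scheme GnuPG offers (passphrase hashed to a key, so the key is no stronger than the passphrase, and with a single SHA-1 hash no longer than 160 bits), and the scheme Suzanne asked for (a key generated from a good random source, used to encrypt the data, and itself stored in a passphrase-protected key file). The block below is an added illustration written for this page; it is not code from the thread, from GnuPG or from PGP. It uses only the Python standard library, so HMAC-SHA256 in counter mode stands in for AES (a keyed PRF-based stream cipher, not a block cipher), PBKDF2 stands in for OpenPGP's string-to-key function, and all function names, the salt and nonce lengths and the sample inputs are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets

# Lengths chosen for this illustration (assumptions, not OpenPGP's formats).
KEY_BYTES = 32      # 256-bit data key
SALT_BYTES = 16
NONCE_BYTES = 16
MAC_BYTES = 32

def hashed_passphrase_key_sha1(passphrase: str) -> bytes:
    """The derivation the first post describes: one SHA-1 hash of the passphrase
    used as the key, so at most 160 bits of key material whatever the cipher."""
    return hashlib.sha1(passphrase.encode()).digest()

def derive_key(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated derivation of a 256-bit key (PBKDF2-HMAC-SHA256, standing
    in for the string-to-key function); the key is still bounded by the
    passphrase's entropy, only the guessing cost per candidate goes up."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, KEY_BYTES)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for a block cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hashlib.sha256(b"mac" + key).digest()   # separate MAC key from the data key
    tag = hmac.new(mac_key, nonce + body, "sha256").digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-MAC_BYTES], blob[-MAC_BYTES:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, "sha256").digest()):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# Scheme A: passphrase-only, as in "gpg -c". Nothing but the passphrase is
# needed to decrypt, and the data is exactly as strong as the passphrase.
def encrypt_passphrase_only(passphrase: str, plaintext: bytes) -> bytes:
    salt = secrets.token_bytes(SALT_BYTES)
    return salt + encrypt(derive_key(passphrase, salt), plaintext)

def decrypt_passphrase_only(passphrase: str, blob: bytes) -> bytes:
    salt, rest = blob[:SALT_BYTES], blob[SALT_BYTES:]
    return decrypt(derive_key(passphrase, salt), rest)

# Scheme B: the one the original poster asked for. A random data key encrypts
# the files; the key file (which must not be lost) holds that key under the
# passphrase. The data is as strong as the random key; the key file is as
# strong as the passphrase.
def make_keyfile(passphrase: str) -> tuple[bytes, bytes]:
    data_key = secrets.token_bytes(KEY_BYTES)     # from the OS CSPRNG
    salt = secrets.token_bytes(SALT_BYTES)
    keyfile = salt + encrypt(derive_key(passphrase, salt), data_key)
    return data_key, keyfile

def open_keyfile(passphrase: str, keyfile: bytes) -> bytes:
    salt, rest = keyfile[:SALT_BYTES], keyfile[SALT_BYTES:]
    return decrypt(derive_key(passphrase, salt), rest)

# Strength accounting for the argument in the first post.
def passphrase_entropy_bits(passphrase: str, alphabet_size: int = 95) -> float:
    """Upper bound assuming each character is drawn uniformly from the alphabet;
    real passphrases are usually far weaker than this."""
    return len(passphrase) * math.log2(alphabet_size)

def effective_strength_bits(passphrase_bits: float, derived_key_bits: int, cipher_key_bits: int) -> float:
    """A passphrase-derived key is no stronger than the weakest of the three."""
    return min(passphrase_bits, derived_key_bits, cipher_key_bits)

def brute_force_ratio(key_bits_a: int, key_bits_b: int) -> int:
    """How many times harder an exhaustive search of key_bits_a is than key_bits_b."""
    return 2 ** (key_bits_a - key_bits_b)
```

Running `effective_strength_bits(passphrase_entropy_bits("correct horse battery staple"), 160, 256)` gives 160, the cap the first post mentions, while `brute_force_ratio(128, 56)` is 2^72, the AES-128 versus DES factor it quotes. Scheme B separates the two concerns: a weak passphrase still only exposes the key file, and, as the second post notes, that key file becomes one more thing to back up, which is why the passphrase-only mode exists for files that must be decryptable with nothing but the passphrase.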
