Strong cryptography: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 22:50, 25 June 2023 edit Dimawik (talk \| contribs) Extended confirmed users 2,450 edits m →USA: style ← Previous edit		Latest revision as of 19:45, 6 February 2025 edit undo 47.191.2.254 (talk) →Cryptographically strong algorithms: Fixed typo Tags: Mobile edit Mobile web edit
(34 intermediate revisions by 9 users not shown)
Line 3: {{OriginalResearch\|date=November 2021}} '''Strong cryptography''' or '''cryptographically strong''' are general terms used to designate the [[cryptographic algorithm]]s that, when used correctly, provide a very high (usually ~~unsurmountable~~insurmountable) level of protection against any [[eavesdropper]], including the government agencies.{{sfn\|Vagle\|2015\|p=121}} There is no precise definition of the boundary line between the strong cryptography and ([[broken cipher\|breakable]]) '''weak cryptography''', as this border constantly shifts due to improvements in hardware and [[cryptanalysis]] techniques.{{sfn\|Vagle\|2015\|p=113}} These improvements eventually place the capabilities once available only to the [[NSA]] within the reach of a skilled individual,<ref name=nytm19940712> {{cncite news \|last=Levy\|first=Steven \|title=Battle of the Clipper Chip \|newspaper=[[New York Times Magazine]] \|date=~~June~~12 July 1994 \|pages=44–51 ~~2023~~}}</ref> so in practice there are only two levels of cryptographic security, "cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files" ([[Bruce Schneier]]).{{sfn\|Vagle\|2015\|p=113}} The strong cryptography algorithms have high [[security strength]], for practical purposes usually defined as a number of bits in the [[Key (cryptography)\|key]]. For example, the United States government, when dealing with [[Export of cryptography from the United States\|export control of encryption]], ~~considers~~considered {{asof\|1999\|lc=y}} any implementation of the [[symmetric encryption]] algorithm with the [[key length]] above 56 bits or its [[public key]] equivalent<ref>{{cite web \|title=Encryption and Export Administration Regulations (EAR) \|url=https://www.bis.doc.gov/index.php/policy-guidance/encryption \|website=bis.doc.gov \|publisher=[[Bureau of Industry and Security]] \|access-date=24 June 2023}}</ref> to be strong and thus potentially a subject to the [[Export control\|export licensing]].{{sfn\|Reinhold\|1999\|p=3}} To be strong, an algorithm needs to have a sufficiently long key and be free of known mathematical weaknesses, as exploitation of these effectively reduces the key size. At the beginning of the 21st century, the typical security strength of the strong symmetrical encryption algorithms is 128 bits (slightly lower values still can be strong, but usually there is little technical gain in using smaller key sizes).{{sfn\|Reinhold\|1999\|p=3}}{{update after\|2015}} Demonstrating the resistance of any cryptographic scheme to attack is a complex matter, requiring extensive testing and reviews, preferably in a public forum. Good [[algorithm]]s and protocols are required (similarly, ~~and~~good materials are required to construct a strong building), but good system design and implementation is needed as well.: ~~For~~"it ~~instance,~~is ~~the~~possible ~~operating~~to build a cryptographically weak system onusing strong algorithms and protocols" (just ~~which~~like the ~~cryptographic~~use ~~software~~of ~~runs~~good ~~should~~materials bein asconstruction ~~carefully~~does ~~secured~~not asguarantee ~~possible~~a solid structure). ~~Users~~Many ~~may~~real-life ~~handle~~systems ~~passwords~~turn ~~insecurely,~~out orto ~~trust~~be ~~'service'~~weak ~~personnel~~when ~~overly~~the ~~much,~~strong orcryptography ~~simply~~is ~~misuse~~not ~~the~~used properly, for example, random [[~~software~~Cryptographic nonce\|nonces]]. ~~(See~~are ~~[[social~~reused{{sfn\|Schneier\|1998\|p=2}} ~~engineering~~A ~~(security)~~successful attack might not even involve algorithm at all, for example, if the key is generated from a password, guessing a weak password is easy and does not depend on the strength of the cryptographic primitives.{{sfn\|~~social~~Schneier\|1998\|p=3}} ~~engineering]]~~A user can become the weakest link in the overall picture, for example, by sharing passwords and hardware tokens with the colleagues.){{sfn\|Schneier\|1998\|p=4}} ==Background== Line 20 ⟶ 21: An encryption algorithm is intended to be unbreakable (in which case it is as strong as it can ever be), but might be breakable (in which case it is as weak as it can ever be) so there is not, in principle, a continuum of strength as the [[idiom]] would seem to imply: Algorithm A is stronger than Algorithm B which is stronger than Algorithm C, and so on. The situation is made more complex, and less subsumable into a single strength metric, by the fact that there are many types of [[Cryptanalysis\|cryptanalytic]] attack and that any given algorithm is likely to force the attacker to do more work to break it when using one attack than another. There is only one known unbreakable cryptographic system, the [[one-time pad]], which is not generally possible to use because of the difficulties involved in exchanging one-time pads without ~~their~~them being compromised. So any encryption algorithm can be compared to the perfect algorithm, the one-time pad. The usual sense in which this term is (loosely) used, is in reference to a particular attack, [[Brute force attack\|brute force]] key search — especially in explanations for newcomers to the field. Indeed, with this attack (always assuming keys to have been randomly chosen), there is a continuum of resistance depending on the length of the key used. But even so there are two major problems: many algorithms allow use of different length keys at different times, and any algorithm can forgo use of the full key length possible. Thus, [[Blowfish (cipher)\|Blowfish]] and [[RC5]] are [[block cipher]] algorithms whose design specifically allowed for several [[Key size\|key lengths]], and who cannot therefore be said to have any particular strength with respect to brute force key search. Furthermore, US export regulations restrict key length for exportable cryptographic products and in several cases in the 1980s and 1990s (e.g., famously in the case of [[Lotus Notes]]' export approval) only partial keys were used, decreasing 'strength' against brute force attack for those (export) versions. More or less the same thing happened outside the [[United States\|US]] as well, as for example in the case of more than one of the cryptographic algorithms in the [[Global System for Mobile Communications\|GSM]] cellular telephone standard. Line 38 ⟶ 39: ==Legal issues== {{see also\|Cryptography#Forced disclosure of encryption keys}} Widespread use of encryption increases the costs of [[surveillance]], so the government policies aim to regulate the use of the strong cryptography.{{sfn \| Riebe \| Kühn \| Imperatori \| Reuter \| 2022 \| p=42}} In the 2000s, the effect of encryption on the surveillance capabilities was limited by the ever-increasing share of communications going through the global social media platforms, that did not use the strong encryption and provided governments with the requested data.{{sfn \| Riebe \| Kühn \| Imperatori \| Reuter \| 2022 \| p=58}} Murphy talks about a legislative balance that needs to be struck between the power of the government that are broad enough to be able to follow the quickly-evolving technology, yet sufficiently narrow for the public and overseeing agencies to understand the future use of the legislation.{{sfn\|Murphy\|2020}} Since use of strong cryptography makes the job of intelligence agencies more difficult, many countries have [[Key disclosure law\|enacted laws or regulations]] restricting or simply banning the non-official use of strong cryptography.{{cn}} === USA === Line 46 ⟶ 47: The export control in the US historically uses two tracks:{{sfn\|Diffie\|Landau\|2007\|p=727}} * military items (designated as "munitions", although in practice the items on the [[United States Munitions List]] do not match the common meaning of this word). The export of munitions is controlled ty the [[Department of State]]. The restrictions for the munitions are very tight, with individual export licenses specifying the product and the actual customer; * [[dual-use]] items ("commodities") need to be commercially available without excessive paperwork, so, depending on the destination, broad permissions can be granted for sales to civilian customers. The licensing for the dual-use items is provided by the [[Department of Commerce]]. The process of moving an item ~~form~~from the munition list to commodity status is handled by the Department of State. Since the original applications of cryptography were almost exclusively military, it was placed on the munitions list. With the growth of the civilian uses, the dual-use cryptography was defined by [[cryptographic strength]], with the strong encryption remaining a munition in a similar way to the guns ([[small arms]] are dual-use while artillery is of purely military value).{{sfn\|Diffie\|Landau\|2007\|p=728}} This classification had its obvious drawbacks: a major bank is arguably just as systemically important as a military installation,{{sfn\|Diffie\|Landau\|2007\|p=728}}, and restriction on publishing the strong cryptography code run against the [[First Amendment]], so after experimenting in 1993 with the [[Clipper ~~(cipher)\|Clipper~~chip]]~~, a security algorithm~~ (where the US government kept special decryption keys in [[escrow]]), in 1996 almost all cryptographic items were transferred to the Department of Commerce.{{sfn\|Diffie\|Landau\|2007\|p=730}} === EU === The position of the EU, in comparison to the US, had always been tilting more towards privacy. In particular, EU had rejected the [[key escrow]] idea as early as 1997. [[European Union Agency for Cybersecurity]] (ENISA) holds the opinion that the [[backdoor (cryptography)\|backdoors]] are not efficient for the legitimate surveillance, yet pose great danger to the general digital security.{{sfn \| Riebe \| Kühn \| Imperatori \| Reuter \| 2022 \| p=42}} === Five Eyes === The [[Five Eyes]] (post-[[Brexit]]) represent a group of states with similar views one the issues of security and privacy. The group might have enough heft to drive the global agenda on the [[lawful interception]]. The efforts of this group are not entirely coordinated: for example, the 2019 demand for Facebook not to implement [[end-to-end encryption]] was not supported by either Canada or New Zealand, and did not result in a regulation.{{sfn\|Murphy\|2020}} === Russia === Line 61 ⟶ 68: ===Weak=== {{sources\|section\|date=July 2023}} Examples that are not considered cryptographically strong include: * The [[Data Encryption Standard\|DES]], whose 56-bit keys allow attacks via exhaustive search. * Triple-DES (3DES / EDE3-DES) can be subject of the "SWEET32 Birthday attack"<ref>[https://www.ibm.com/support/pages/security-bulletin-sweet32-vulnerability-impacts-triple-des-cipher-affects-communications-server-data-center-deployment-communications-server-aix-linux-linux-system-z-and-windows-cve-2016-2183 Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher]. IBM Security Bulletin, 2016.</ref> * Triple-DES (3DES / EDE3-DES). see DES - this also suffers a meanwhile known phenomenon, called the "sweet32" or "birthday oracle" * [[Wired Equivalent Privacy]] which is subject to a number of attacks due to flaws in its design. * [[Transport Layer Security\|SSL]] v2 and v3. TLS 1.0 and TLS 1.1 are also deprecated now [see RFC7525] because of irreversible flaws which are still present by design and because they do not provide elliptical handshake (EC) for ciphers, no modern cryptography, no CCM/GCM ciphermodes. TLS1.x are also announced off by the PCIDSS 3.2 for commercial business/banking implementations on web frontends. Only TLS1.2 and TLS 1.3 are allowed and recommended, modern ciphers, handshakes and ciphermodes must be used exclusively. * The [[MD5]] and [[SHA-1]] hash functions, no longer immune to collision attacks. * The [[RC4]] stream cipher. * The [[Clipper Chip]], a failed initiative of the U.S. government that included key escrow provisions, allowing the government to gain access to the keys. * The 40-bit [[Content Scramble System]] used to encrypt most [[DVD-Video]] discs. * Almost all [[classical cipher]]s. * Most rotary ciphers, such as the [[Enigma machine]]. * Some flawed RSA implementations{{which\|date=January 2022}} exist, leading to weak, biased keys and other vulnerabilities ("[[Bleichenbacher’s attack\|Bleichenbacher Oracle]]", "ROBOT" attack). * RSA keys weaker than 2048 bits. * DH keys weaker than 2048 bits. * ECDHE keys weaker than 192 bits; also, not all known older named curves still in use for this are vetted "safe". * DHE/EDHE is guessable/weak when using/re-using known default prime values on the server * The [[Cipher block chaining\|CBC]] block cipher mode of operation is considered weak for TLS (the CCM/GCM modes are now recommended). ==Notes== Line 88 ⟶ 90: * {{cite journal \|last1=Vagle \|first1=Jeffrey L. \|title=Furtive Encryption: Power, Trusts, and the Constitutional Cost of Collective Surveillance \|journal=[[Indiana Law Journal]] \|date=2015 \|volume=90 \|issue=1 \|url=https://www.repository.law.indiana.edu/cgi/viewcontent.cgi?article=11134&context=ilj}} * {{cite book \|last1=Reinhold \|first1=Arnold G. \|title=Strong Cryptography The Global Tide of Change \|date=September 17, 1999 \|publisher=[[Cato Institute]] \|url=https://www.cato.org/briefing-paper/strong-cryptography-global-tide-change \| series=Cato Institute Briefing Papers No. 51}} * {{cite book \| ~~last~~last1=Diffie \| ~~first~~first1=Whitfield \| last2=Landau \| first2=Susan \| title=The History of Information Security \| chapter=The export of cryptography in the 20th and the 21st centuries \| publisher=Elsevier \| pages = 725–736 \| year=2007 \| doi=10.1016/b978-044451608-4/50027-4\| isbn=978-0-444-51608-4 }} * {{cite journal \| last=Murphy \| first=Cian C \| title=The Crypto-Wars myth: The reality of state access to encrypted communications \| journal=Common Law World Review \| publisher=SAGE Publications \| volume=49 \| issue=3–4 \| year=2020 \| issn=1473-7795 \| doi=10.1177/1473779520980556 \| pages=245–261 \| url = https://journals.sagepub.com/doi/10.1177/1473779520980556 \| hdl=1983/3c40a9b4-4a96-4073-b204-2030170b2e63 \| hdl-access=free }} * {{cite journal \| last1=Riebe \| first1=Thea \| last2=Kühn \| first2=Philipp \| last3=Imperatori \| first3=Philipp \| last4=Reuter \| first4=Christian \| title=U.S. Security Policy: The Dual-Use Regulation of Cryptography and its Effects on Surveillance \| journal=European Journal for Security Research \| publisher=Springer Science and Business Media LLC \| volume=7 \| issue=1 \| date=2022-02-26 \| issn=2365-0931 \| doi=10.1007/s41125-022-00080-0 \| pages=39–65 \| url = https://link.springer.com/content/pdf/10.1007/s41125-022-00080-0.pdf?pdf=button}} * {{cite journal \| last=Feigenbaum \| first=Joan \| title=Encryption and surveillance \| journal=Communications of the ACM \| publisher=Association for Computing Machinery (ACM) \| volume=62 \| issue=5 \| date=2019-04-24 \| issn=0001-0782 \| doi=10.1145/3319079 \| pages=27–29 \| doi-access=free }} * {{cite web \|last1=Schneier \|first1=Bruce \|title=Security pitfalls in cryptography \|url=http://www.madchat.fr/crypto/papers/pitfalls.pdf \|access-date=27 March 2024 \|date=1998}} ==See also==