Hacker News new | ask | show | jobs
by tialaramex 144 days ago
It's true that 64 bits was known not to be enough when DES shipped decades ago, but there is some difference between "We know that's a bad idea" and a demo showing why, and so I think I'm OK with the word "broken" in that context.

There's a reason POCs matter right? Why you feel comfortable (even though I don't agree) saying multi-threaded Go doesn't have a memory safety problem and yet you wouldn't feel comfortable making the same claim for C++.
2 comments
fc417fc802 144 days ago
I'm not a cryptographer but to me "broken" seems to imply that the core algorithm itself can be attacked. If merely applying it in certain ways as part of some larger system can fail then aren't most (possibly all) ciphers broken? It's entirely possible to do all sorts of stupid things.

Granted, a 2^32 block limit is pretty severe by modern standards.

link
upofadown 144 days ago
Si (2^32)*8 works out to 34GB for TDES. How many applications involve encrypting that much data in one go?
link
fc417fc802 144 days ago
Sorry, calling that a block limit was an error by omission on my part. 2^32 yields a 50% chance of reuse. If we pick a sane security margin it's a lot smaller. Assuming I did the math correctly just now, 2^-32 only gives you ~2^17 blocks; dropping that to 2^-24 yields ~2^21 blocks.
link
upofadown 144 days ago
Off the top of my head, NIST was suggesting something like 8GB as the working limit. It would depend on your risk tolerance and the application in practice I guess. For something like video you might not really care about exposing a few 8 byte blocks here and there where the exposure is one block XORed with the other.
link
fc417fc802 144 days ago
An aside, personally I quite like TDES for the purpose of generating secure handles and the like. The larger block sizes of pretty much every other common algorithm yield URLs and integers that are more difficult to work with. 64 bits is a manageable enough length and you don't have to implement the algorithm yourself (at which point you'd have rolled your own crypto).
link
tptacek 142 days ago
Further aside, note that there are constructions designed specifically for that problem and its relatives:

https://www.cs.ucdavis.edu/~rogaway/papers/subset.pdf

link
tptacek 144 days ago
This semantic argument was more plausible before the original commenter claimed 3DES can be "broken with little effort".
link
tialaramex 144 days ago
That's fair, I won't defend "broken with little effort".
link