Friday, January 29, 2010

Feed rss to twitter with this app - testing now I will let you know how I get on with it http://twitterfeed.com

Encryption is not the answer

By itself !

This story here is a very good reason why companies stating "we use AES 256" etc. are on the right track, but it's only half the story. They have chosen a good symmetric encryption standard (Advanced Encryption Standard) in this case. This ONLY states that a solid algorithm has been chosen. There is a lot more to do yet, such as selecting appropriate initialisation vectors, selecting the internal block mode (ECB, CFB etc.) and implementing all this properly (NIST certification may help show this part has been done, as in the above cases).

This is only the first part of the answer to the problem of protecting something with encryption, sort of like stating you have created a really strong padlock for data. So, great, "what's the problem?" Well, the problem is that after all this work some vendors of USB keys, for instance, have taped the key to this lock on its underside and hoped nobody would notice. Now the strong padlock is no more than a small delay; it's not protection any more. Worse still, some vendors may even use the SAME KEY for all devices.

Although this seems incredible, it is what happens. These same vendors then issue "we use AES 256, the industry's strongest encryption" statements and we all fall for it, assuming they would not be so silly as to do anything as crazy as I have mentioned. But they do!

In maidsafe we use AES 256 and RSA 4096, but we take immense precautions, first to ensure uniqueness of all keys and secondly to ensure all keys are very strong (for the 'techies', we use a PBKDF version 2 algorithm). We also make sure the initial access to all this information is created by the user and used to access the system. It seems quite easy and actually it is (although we hold a patent for the access system we have created).

Not only is this a 'nice thing', it's pretty much a requirement if you want to secure information, especially in a peer-to-peer network with no central repository of usernames or passwords or any ability to censor or monitor people's communications and data.
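The contrast drawn above, between one key shipped in every device and a unique key derived from a secret the user creates, as an added example that is not maidsafe's code. The iteration count, salt size, HMAC check value and `FIRMWARE_KEY` are assumptions made for the illustration; only the Python standard library is used.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for this example, not a value from the post
SALT_LEN = 16         # assumed salt size in bytes
KEY_LEN = 32          # 32 bytes = 256 bits, the AES-256 key size

# Constructed stand-in for a key baked into every unit's firmware (the "taped key").
FIRMWARE_KEY = bytes(range(KEY_LEN))


def derive_key(passphrase, salt, iterations=ITERATIONS):
    """Stretch a user-chosen passphrase into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    if len(salt) < SALT_LEN:
        raise ValueError("each device needs its own random salt")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, KEY_LEN)


def provision(passphrase, iterations=ITERATIONS):
    """Return (record, key). The record is what the device stores: no key in it."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(passphrase, salt, iterations)
    check = hmac.new(key, b"unlock-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check, "iterations": iterations}, key


def unlock(record, passphrase):
    """Re-derive the key from the passphrase; return it, or None if it is wrong."""
    key = derive_key(passphrase, record["salt"], record["iterations"])
    check = hmac.new(key, b"unlock-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, record["check"]) else None


def find_shared_keys(keys_by_device):
    """Audit helper: group device ids by key and report any key used more than once."""
    groups = defaultdict(list)
    for device_id, key in keys_by_device.items():
        groups[hashlib.sha256(key).hexdigest()[:16]].append(device_id)
    return {fp: sorted(ids) for fp, ids in groups.items() if len(ids) > 1}
```

Two devices provisioned with the same passphrase still end up with different keys because each gets its own salt, while any fleet built on `FIRMWARE_KEY` is reported by `find_shared_keys`.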

I hope this helps clear up the idea that AES is broken or has massive problems, as it does not (there is a related-key attack on AES 256, which can reduce the security substantially, but this does not affect maidsafe either; this requires a much longer and very mathematical explanation, you will find it here).

Bottom line: stating you use a strong algorithm does not preclude you from implementing it in a manner that negates all the benefits that algorithm brings you. http://bit.ly/aGFoP5

Engineering Release

http://bit.ly/bv3lQm
Revision 336: Removed files for TCP implementation of Transport as not implemented yet:
Changed Paths:
    D.. http://bit.ly/a3SWa8
just listened to @kylemcrea about social networks. very good

Wednesday, January 27, 2010

library madness thank God for cmake though.

Saturday, January 16, 2010

what?
what?
maidsafe-dht getting some attention now. got to love open source

Wednesday, January 13, 2010

test from android

Sunday, January 10, 2010

maidsafe has a new blog on line now http://bit.ly/6lpPkY just some idea suggestions and industry comments

Friday, January 08, 2010

Working on the vault logic again, it's pretty solid now. There should be no ability for data loss and no servers are involved - great !