Encryption Security

What Encryption Do People In The Know Use?

A reader writes "What do cypherpunks in the know recommend for the paranoid types? I'm wondering because of the rising amount of protests. I look, and most of these people seem clueless when using the net. Paranoia runs rampant (try taping a protest), yet they use stuff like Real, which has been known to violate privacy. So my question is, what would Slashdot readers recommend for people who have privacy they actually wish to protect? Are there any good layman-level papers on this?"
  • Too Many Secrets...

    After all, you have to assume that with the equipment/manpower/intelligence the government has, it is capable of breaking most popular encryption methods. So obscurity would be a benefit when researching a method to encrypt. But obscurity doesn't always mean security, as unless you have in-depth knowledge of the encryption method you can't be sure it's safe.

    But it would certainly be cool to have that box from sneakers....
  • Two suggestions: (Score:1, Insightful)

    by duffbeer703 ( 177751 )
    "What do cypherpunks in the know recommend for the paranoid types? I'm wondering because of the rising amount of protests. I look, and most of these people seem clueless when using the net. Paranoia runs rampant (try taping a protest), yet they use stuff like Real, which has been known to violate privacy. So my question is, what would Slashdot readers recommend for people who have privacy they actually wish to protect? Are there any good layman-level papers on this?"

    What in God's green earth does this dribble mean??

    Two suggestions for you:

    1. Turn your computer off

    2. Learn to read and write. Pay particular attention to things like complete sentences and paragraphs.
  • Blowfish (Score:2, Informative)

    by PhilBrut ( 87389 )
    I don't know about other people, but I try to use Blowfish wherever possible.

    Why?
    1. Approx. 3x faster than 3DES while
    2. being just as strong as an algorithm
  • my views, so don't confuse with others' opinions

    why Serpent? because it stands up nicer to hardware implementation (-;

    hardware implementations of RSA are common, but remember that you are safe until someone finds a crack

    nothing is given, so using an obscure one that seems to be secure is often better than one that, say, the NSA has had a long hard look at (millions of man hours rather than thousands)

    what they do not publish is whether they have found ways to attack it; after all, this is between them and their US lawyers, not even the Senate has access to this (-;

    remember security is an illusion

    regards john jones

  • by agdv ( 457752 ) on Thursday August 09, 2001 @08:18AM (#2140488)
    ROT-13. As seen on Slashdot!
    For high privacy, national security, etc, use ROT-14...that ought to confuse the (few) experts that are able to crack ROT-13.
    Pig Latin may also work for text-only data.

    Oh? What? The people who want to crack it are not under the age of 5? My bad.
    • Or, if you're really paranoid and your entire business model might go down the drain if someone cracked your encryption, you should probably use base-64 encoding and xor with some key byte, say "C".

      Oh wait, DC filed for bankruptcy, my bad.

    • > For high privacy, national security, etc, use ROT-14

      If you are SERIOUS, then you should only ever use ROT-26. It is TWICE as secure as ROT-13!

  • by davidu ( 18 ) on Wednesday August 08, 2001 @12:28PM (#2148330) Homepage Journal

    ...but then we'd have to kill you.

    sorry,
    davidu
  • by offby1 ( 157382 ) on Wednesday August 08, 2001 @11:14AM (#2149157)
    Last I checked, Bruce Schneier [counterpane.com] (in his book Applied Cryptography [counterpane.com]) recommended PGP [pgpi.org].
    • For those who like to look at the source, there is GPG [gnupg.org].
    • Which is a program, not an algorithm.
    • While 95% of Applied Cryptography is still dead on the money--it's still the first book I recommend to people who want to make a serious study--some of its recommendations now look painfully naive. For instance, Schneier recommends IDEA almost without reservation in Applied Cryptography; but today we know that better-than-brute-force attacks exist for 4.5 round IDEA (a miss-in-the-middle attack, if I recall correctly).

      While these attacks don't extend to the full IDEA algorithm, cryptanalytic attacks only get better with time--never worse.

      Short version: Schneier recommends against IDEA today. Last I heard, he was wholeheartedly endorsing RIJNDAEL, Twofish and TripleDES.
      • Bruce is one of the best known experts, however he is not regarded in the field as being of the very front rank. One of the reasons for this being his habit of issuing 'Schneier-grams' which tend to make half-assed critiques of other people's work in scathing tones only to be dropped quietly sometime later when his argument is shot down. His IPSEC critique was not exactly his best move.

        It is always easier to state algorithms to steer clear of than ones to rely on. At this point IDEA is somewhat suspect, but when Applied Crypto 1 came out it was actually the best 128 bit cipher then available.

        At this point most people are recommending AES (nee RIJNDAEL). The only reason to use 3DES is if you are forced to; there are still many banking applications that mandate DES. But 3DES is not a good cipher: it is slow and is subject to a meet-in-the-middle attack that means that you do 3 times 56 bits of work to get 112 bits of security.

        As far as software goes, practically all mail agents have S/MIME support built in. As far as security goes there are no serious attacks known against either S/MIME or PGP, beyond the fact that the chuckleheads in both IETF working groups flubbed the encryption of the subject line in both cases.

        One problem with PGP is that it only really works well for confidentiality. It does not handle non-repudiation too well. Alice may know the message comes from Bob but proving it in court would be rather hard. Trusted Third Parties do have their uses.

        The other technical problem with PGP is that it depends on the users being technically competent which most people are not.

        The non-technical problem with PGP is the somewhat combustible nature of Phil Zimmerman. He is somewhat high maintenance. There is no reason why S/MIME and PGP use entirely different packaging formats except Phil's NIH policy, somewhat sad. The result being that Microsoft, Netscape, Lotus etc. implemented S/MIME and not PGP.

        More recently the stale PKI/PGP debate has been rendered obsolete by technology such as XKMS which allows a client to use any PKI back end at all and not have to worry about how it works or how to configure it.

        • however he is not regarded in the field as being of the very front rank

          On the contrary. I'm in the field, and I regard him as part of the very front rank. I wouldn't say he's another Coppersmith, but he is undoubtedly top-drawer. I'd rank him above Rabin, in fact--unlike Rabin, Schneier knows his limits. (See Rabin's brain-damaged "unbreakable encryption scheme" if you want to see what I mean.)

          The only reason to use 3DES is if you are forced to

          ... Or if you absolutely must have the most well-regarded, most-trusted cipher in history. Remember that the best attack against DES has complexity 2**37, and that's with 2**47 chosen plaintexts. This is a lot... one thousand terabytes of chosen plaintext.

          That's a minimum of a complexity 2**74 attack against 3DES, requiring 2**97 bytes of chosen plaintext. If you want to call that a practical attack, you can... but I'm not that bold.

          But 3DES is not a good cipher

          Please tell your doctor that your antipsychotic dosage needs to be upped. You're hallucinating madly again.

          it is slow and is subject to a meet in the middle attack

          Slow, yes. Susceptible to a meet-in-the-middle, no. Schneier, 12.3: "[If DES were a group], DES would be vulnerable to a meet-in-the-middle known-plaintext attack that runs in only 2**28 steps".

          DES is, however, not a group.

          One problem with PGP is that it only really works well for confidentiality. It does not handle non-repudiation too well.

          Please point me in the direction of an implementable protocol which does provide perfect repudiability.

          The non-technical problem with PGP is the somewhat combustible nature of Phil Zimmerman. He is somewhat high maintenance.

          I know Phil. He's one of the lowest-maintenance people I've ever met. Friendly as all get out, and patient with newbies. Would you care to enlighten me as to his "combustible" nature?

          except Phil's NIH policy

          Strange. Bass-o-Matic was IH, and Phil ditched it like a hot potato for IDEA (NIH) when it turned out Bass-o-Matic was trivially weak.

          If you're going to slander a man, you could at least be bothered to make sure your accusations are accurate.
          • On the contrary. I'm in the field, and I regard him as part of the very front rank. I wouldn't say he's another Coppersmith

            In other words, you would not put Bruce on the same level as Coppersmith, Shamir, Rivest, Rogaway and so on, or as I put it, not of the very front rank. Bruce is the Issac Azimov of cryptography, not its Einstein or Newton.

            It is somewhat rich for Bruce to imply in 'Secrets and Lies' that he has suddenly discovered that security is about risk control not risk elimination. If he has only just realised that then he should probably give me credit for putting him straight since I pointed out precisely that point to him when we talked at RSA some years back. Not that I was the first to think of it by a long way.

            Slow, yes. Susceptible to a meet-in-the-middle, no. Schneier, 12.3: "[If DES were a group], DES would be vulnerable to a meet-in-the-middle known-plaintext attack that runs in only 2**28 steps".

            DES is not vulnerable to a meet in the middle attack but 3DES is in such a way that the complexity of breaking 3DES is only twice that of breaking DES, despite having three times the key length. That is what makes it a bad cipher, the fastest known attack is well short of brute forcing the keyspace.

            The details of the attack are discussed in AP with respect to 2DES. To break 2DES you simply construct an in-memory table of encrypting forwards from the known plaintext (cost = O(2^56)), construct another backward from the known ciphertext (cost = O(2^56)) and look for a match (cost = O(2^56)), total cost = O(2^56). The attack can be extended to 3DES at the cost of performing two steps together, giving overall complexity O(2^112). It is a very well known result in the field and one of the reasons why those in the know are deprecating 3DES; it is not a good cipher, it is merely an extension of a previously broken cipher.

            Please point me in the direction of an implementable protocol which does provide perfect repudiability.

            None gives perfect non-repudiation; however, PGP is designed to give pretty good PRIVACY even when the participants are pseudo-anonymous. It does not attempt to support a legal infrastructure, or allow parties to place legally enforceable constraints on the liabilities they incur in authenticating a keyholder. As a result PGP is widely used amongst geeks but has a very limited enterprise use. The vast majority of RFPs issued stipulate a PKIX conformant PKI.

            I know Phil. He's one of the lowest-maintenance people I've ever met. Friendly as all get out, and patient with newbies. Would you care to enlighten me as to his "combustible" nature?

            He has mellowed considerably since the FBI got off his case. However when the PEM vs. PGP war broke out, which is the time in question Phil was definitely of combustible nature. The FBI certainly did not help, but were certainly not the original cause.

            Unfortunately rather than simply fix the parts of PEM that were monumentally broken (the hierarchical CA system) Phil introduced competing formats all the way along the line.

            There are 100 million email clients that ship with high quality crypto built in. However rather than leverage that deployed base you and the rest of the OpenPGP community spend your time explaining to people why they shouldn't use it.
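As an added illustration of the meet-in-the-middle argument in the exchange above (this is not code from any poster), the 2DES-style attack is run against a constructed 16-bit toy cipher rather than DES: double encryption under two 16-bit keys is recovered from three known plaintext/ciphertext pairs in roughly 2^17 cipher operations instead of the 2^32 that brute force over the 32-bit key pair would cost. The toy cipher, its key schedule and the sample keys are all constructed for the demo.

```python
"""Meet-in-the-middle against double encryption, shown on a constructed
16-bit toy cipher (no relation to DES; the shape of the attack is the point)."""

MASK = 0xFFFF      # 16-bit block
KEY_BITS = 16      # 16-bit key, so a double-encryption key pair is 32 bits
ROUNDS = 4


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK


def _subkey(key: int, r: int) -> int:
    # Per-round key schedule of the toy cipher (constructed; no security claim).
    return (key * (2 * r + 1) + 0x9E37 * r) & MASK


def toy_encrypt(block: int, key: int) -> int:
    """Toy block cipher: xor a subkey, rotate, add a subkey, four times."""
    x = block & MASK
    for r in range(ROUNDS):
        x ^= _subkey(key, r)
        x = _rotl(x, 3 + r)
        x = (x + _subkey(key, ROUNDS - r)) & MASK
    return x


def toy_decrypt(block: int, key: int) -> int:
    """Exact inverse of toy_encrypt: undo each round in reverse order."""
    x = block & MASK
    for r in reversed(range(ROUNDS)):
        x = (x - _subkey(key, ROUNDS - r)) & MASK
        x = _rotr(x, 3 + r)
        x ^= _subkey(key, r)
    return x


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """The '2DES' construction: encrypt under k1, then again under k2."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from a few known (plaintext, ciphertext) pairs.

    Cost: 2^16 forward encryptions to build the table, 2^16 backward
    decryptions to probe it, plus verification of the survivors: about
    2^17 cipher operations instead of 2^32 for brute force over the key pair.
    Applied to triple encryption the same idea gives 2^(2n) work for 3n key
    bits, which is the thread's O(2^112) figure for 3DES.
    """
    p0, c0 = pairs[0]
    # Forward table: middle value -> every k1 that produces it from p0.
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    # Backward pass: decrypt c0 under every k2 and look for a collision.
    survivors = []
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(toy_decrypt(c0, k2), ()):
            # One pair leaves about 2^(32-16) false matches with a 16-bit
            # block, so the remaining pairs are used to weed them out.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                survivors.append((k1, k2))
    return survivors


def known_pairs(k1: int, k2: int, plaintexts=(0x0001, 0x1234, 0xABCD)):
    """Constructed known-plaintext material for a demo run."""
    return [(p, double_encrypt(p, k1, k2)) for p in plaintexts]


if __name__ == "__main__":
    secret_k1, secret_k2 = 0x1234, 0xBEEF   # constructed secret keys
    found = meet_in_the_middle(known_pairs(secret_k1, secret_k2))
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in found])
```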

            • Bruce is the Issac Azimov [sic] of cryptography, not its Einstein or Newton.

              Asimov had a PhD in biochemistry and taught at Harvard. In addition, he's one of a (very) few authors who ever published in every single categorization of the Dewey Decimal System. Asimov was one of the world's true Renaissance men, the last of a dying breed.

              I would suggest you examine Asimov's curriculum vitae if you really wish to claim that Asimov was not among the top rank of scientists.

              3DES is in such a way that the complexity of breaking 3DES is only twice that of breaking DES, despite having three times the key length. That is what makes it a bad cipher, the fastest known attack is well short of brute forcing the keyspace.

              As I said, have your doctor up your antipsychotic medication. 3DES is not a bad cipher. It has its share of warts and foibles, but those warts and foibles are extremely well-known and no-one, absolutely no-one in the published world of cryptanalysis has ever come up with even a marginally feasible attack against it.

              Regarding it needing 196 bits of key (3 64-bit keys) to get 112 bits of entropy, who cares? Really? Use a cryptographically secure PRNG and you can generate 196 bits trivially. If you've got a really sensitive secret, then invest in a true RNG and generate 196 bits that way. It's not a limitation in any sense of the word.

              Regarding it being slow, fine, I'll grant you that. It's slow. That means it's unsuitable for certain applications which operate in extremely narrow time constraints. But for the rest of them, 3DES is a champ.

              it is merely an extension of a previously broken cipher

              DES has never been broken.

              Its keyspace has been exhausted by brute force. That doesn't mean DES has weaknesses which have been exploited via cryptanalysis. That's what the word "break" means in the cryptanalytic field.

              None gives perfect non-repudiation

              Thank you for conceding the point.

              He has mellowed considerably since the FBI got off his case

              Well, gee. If I was facing a Federal investigation and multiple felony counts, I'd be prickly, too. But, as you say, he has "mellowed considerably". Which means he is no longer "combustible". Thank you for conceding this point.

              However rather than leverage that deployed base you and the rest of the OpenPGP community spend your time explaining to people why they shouldn't use it.

              Please find me a single post I've made, either on USENET or on Slashdot, where I've come down opposed to any reasonable email encryption standard.

              As I said before, if you're going to slander a man, you should at least check the facts first.
              • DES has never been broken.

                You are wrong, DES has been broken repeatedly. The world record for breaking DES is held by John Gilmore and Paul Kocher, who built custom hardware to break it in less than two days. You can buy the book from Amazon. Or you can read the EFF press release [eff.org].

                People might take you a bit more seriously as a 'Senior Security Specialist' if you bothered to read some of the basic literature in the field before advising people with rather more knowledge, experience and standing in the field than yourself to "have your doctor up your antipsychotic medication".

                3DES has not been broken to date. However it is 2^16 times less secure than other ciphers that have been equally intensively studied, execute considerably faster and require less keying material. That makes it a bad cipher according to most of the generally accepted definitions in the field - which by the way you will find in Bruce's book as well.

                • Following this thread, it is quite evident that rjh knows what he is talking about, and that you are just trolling.
                  • Following this thread, it is quite evident that rjh knows what he is talking about, and that you are just trolling.

                    Nah, rjh is just a crypto-groupie who read Applied Cryptography and thinks he knows it all.

                    If you talk to cryptographers you will find that Shamir, Rivest and Diffie are considered the Newtons and Einsteins of the field. Bruce has not yet made it into that rank, nor for that matter has 'Zeinfeld'.

                • You are wrong, DES has been broken repeatedly

                  DES has been cracked by brute force. Never cracked via cryptanalytic means.

                  I suggest you start paying attention to detail.
                  • DES has been cracked by brute force. Never cracked via cryptanalytic means. I suggest you start paying attention to detail.

                    I suggest that you take your own advice and pay attention to detail yourself. I said that 3DES is simply an extension of a broken cipher. Brute force is a perfectly respectable attack.

                    Or was your attempt to frame the argument that way simple dishonesty?

                    There have in fact been several attacks against DES that have lower complexity than brute force, however in practice the trivial parallelism and lower complexity of brute force tends to win. The fact that nobody has built a machine to implement Adi's attacks is irrelevant. The fact that the AES contenders were designed with the knowledge of Adi's recent techniques and DES was not is significant.

                    The key size of DES was reduced to 56 bits for a good reason, to ensure that the apparent strength of the cipher matched the actual strength. That may not be a big thing to you, in the cryptography community it is.

                    It is pretty easy to 'win' an argument like this on slashdot where most of the posters are like yourself journeymen at best and do not have the internal knowledge of the field. However you are going to find it much harder in the group you aspire to call your peers.

                    Oh, and if you think this is flaming, I suggest you get on the wrong end of an argument with Phil Z. or Bruce S.

  • My Opinion: (Score:3, Informative)

    by Kalrand ( 177637 ) on Wednesday August 08, 2001 @12:31PM (#2149253)
    Well I have been reading a few webpages and I follow BUGTRAQ and a pgp newsgroup, so I feel I qualify as a Slashdot Expert(tm).

    I'm going to go out on a limb here and assume that you are talking about Email security. If you use Windows, you want to use one of the PGPckt builds found at http://www.ipgpp.com [ipgpp.com]. These are pretty much the standard in the Windows PGP world, as commercial PGP has gone closed-source and GPG isn't perfect on Windows. *nix/*BSD users should use GPG.

    What you want to avoid with the recent PGPs and GPG is an interoperability problem. GPG doesn't ship with IDEA encryption, and that was the standard in PGP for years. It can be added easily, and I suggest you do that. If you do use GPG, please enable all of the PGP compatibility options, or it will come back to bite you later. As for choice of algorithm, there is no reason not to use the RSA/IDEA combo that has been used with PGP for years, just boost up the length of your public key to 2048 or so. Oh, and don't bother going past 3000 or so, as that key would be harder to break than the 100(?) byte IDEA key that is actually used to encrypt the message.

    As for computer security, there isn't much you can do aside from patching regularly, reading BUGTRAQ, choosing secure passwords, and never allowing unsecured logins. It also helps if you get to know your system and check up on anything that starts acting different from what you are used to.

    Disk encryption under Windows is best done by ScramDisk (found at http://www.scramdisk.clara.net [clara.net]), which is a disk encrypter whose source code is available online. OpenBSD people should enable encrypted swap partitions, though that may be done by default, I don't know. Linux has several encrypted filesystems. Use one.
    • Well I have been reading a few webpages and I follow BUGTRAQ and a pgp newsgroup, so I feel I qualify as a Slashdot Expert(tm).

      (Score: 5, Funny)
  • by fava ( 513118 )
    Remember it is not possible to prove that a method is secure; it's only by showing it to be insecure that we learn something. So to a certain extent the security of an algorithm is based in part on trust in the methods and the designers. As it is analysed we become more (or less) confident in that trust.

    DES is by far the most analysed algorithm around and it has withstood everything that has been thrown at it. The key size is much too small but there is no known method of attack that is faster than key exhaustion. When it is extended to 3DES we have an equivalent key length of 112 bits (minimum, some research says 128+). It is not feasible to brute force 112+ bits of key.

    In time the other algorithms may be analysed enough to match the trust that 3DES has, but until then I will stick with tried and true.

    • Remember it is not possible to prove that a method is secure; it's only by showing it to be insecure that we learn something. So to a certain extent the security of an algorithm is based in part on trust in the methods and the designers. As it is analysed we become more (or less) confident in that trust.

      Actually, that's untrue. Most of the modern work in cryptography has focused on methods that have some well-defined notion of security that can be proven under a simple assumption. Now we don't know for sure (say) that factoring can't be done in polynomial time, but if the security of our cryptosystem is equivalent to the difficulty of factoring, we have a good reason to assume its security.

      DES is by far the most analysed algorithm around and it has withstood everything that has been thrown at it. The key size is much too small but there is no known method of attack that is faster than key exhaustion. When it is extended to 3DES we have an equivalent key length of 112 bits (minimum, some research says 128+). It is not feasible to brute force 112+ bits of key.

      Again, untrue. Key Exhaustion may be in fact the most practical attack, but there are other attacks which involve gathering a lot of data but then analyzing the data in far less time than an exhaustive key search attack.

      In time the other algorithms may be analysed enough to match the trust that 3DES has, but until then I will stick with tried and true.

      There is certainly something to tried and true, but myself, I'd rather sacrifice some efficiency and use provably secure techniques. But I think the original question is a little odd, since anyone who hacks systems will tell you the way to go is NOT through the cryptography. It's important to have good encryption, but even single DES is too much of a pain to break as a cryptosystem: a cracker would try to find some other way to compromise the security.

      • by fava ( 513118 )
        Again, untrue. Key Exhaustion may be in fact the most practical attack, but there are other attacks which involve gathering a lot of data but then analyzing the data in far less time than an exhaustive key search attack.

        I would say that needing a lot of data is an understatement. The best Differential Cryptanalysis Attack would require 2^47 chosen plaintexts. That's one million gigabytes of chosen data run through the private key. In theory that is a much easier attack than brute force, but it's so impractical as to be impossible outside of an academic context.

        But I think the original question is a little odd, since anyone who hacks systems will tell you the way to go is NOT through the cryptography. It's important to have good encryption, but even single DES is too much of a pain to break as a cryptosystem: a cracker would try to find some other way to compromise the security.

        Agreed, although someone with a few hundred thousand to spend can build a cracker for single DES, you are much better off trying to find other weaknesses in the system or the people. If all else fails you can turn to rubber hose cryptography.

  • Use your own... (Score:2, Interesting)

    by Anonymous Coward
    Generate 650MB of pseudo-random bytes in some non-standard way, put them on a CD, and add each byte in order to the file. Do the reverse to decrypt. Start each file at a different point on the CD. If -insert agency you are afraid of- shows up at your door, put the CD in the microwave on high. Simple, fast, & as secure as your pseudo-random algorithm is good.
    • why is this modded down - this is actually probably the only 100% unbreakable encryption (i.e. the key length is the same as the data length, all about entropy and stuff, way over my head).

      Of course you don't really want to use the same bit of CD twice, and you really want to XOR the data with the key rather than add. And again, you need to give a copy of the CD to the recipient if you're transmitting the data.

      On a practical note, why not do this? two CDs, ZIP the data first, prepend an offset into the CD at the beginning of each message.

      100% uncrackable encryption (albeit a pain in the ass)
      • One note--there isn't a lot of point to zipping the file, as a set of random bits _better_ not have any patterns that will allow the file size to be reduced.

        And yes, one-time keys are absolutely unbreakable when used correctly. That means never using the same bits more than once, and ensuring that no one else can access the keys.

        However, as Neal Stephenson pointed out at the CFP 2000 conference, encryption is like a fence that's a mile high and a foot wide--it's powerful, sure, but it's still pretty easy to just sneak a key logger onto most computers.

        ~=Keelor

        • i meant zipping the plaintext before being encrypted - partly to reduce the key length required, and partly for the reason you mentioned; better that the plaintext contains as little redundancy as possible (or does that matter with an OTP?)
          • Really doesn't matter. If the key is extracted from a truly random source, it doesn't matter even if the plaintext is something very repetitive.

            BTW, what you guys are talking about is called a Vernam cipher, and was demonstrated unbreakable by Shannon in the '40s IIRC

      • It's not modded down - ACs start at 0, logged in users start at 1.
      • by rjh ( 40933 ) <rjh@sixdemonbag.org> on Wednesday August 08, 2001 @09:26PM (#2169065)
        This is no different from running a cipher in OFB8 mode. Which also happens to generate a long stream of pseudorandom values. Which also happens to be susceptible to cryptanalysis.

        The reason why? Collisions. If the numbers were totally random, you'd expect any given group to repeat itself after a random interval. You don't see that with the output of pseudorandom number generators, or ciphers running in OFB8.

        That tells a cryptanalyst that you're not using random numbers, which means the data wasn't encrypted with a one-time pad.

        And that, my friend, means it's 100% breakable encryption.

        Using a good pseudorandom number generator like YARROW-160 will provide you with 160 bits of entropy. Using a bad pseudorandom number generator, like, say, a cipher in OFB8 mode, is tempting but wrong.

        The reason why is that people naively believe that "well, if I seed my Blowfish key with 448 bits of entropy--its maximum--then my output will have 448 bits of entropy." Which is true, as far as it goes... but it goes periodic after only 2^32 bits. Or about 512 Mb.

        That means if you fill a CD-ROM with the random-seeming output of Blowfish in OFB8 mode, you'll wind up repeating your output for the last 140Mb or so. And at that point, it's trivial cryptanalysis to recover the original plaintext.

        Short version: if you want to use a one-time pad, you ABSOLUTELY MUST USE REAL RANDOM VALUES, NOT GENERATED PSEUDORANDOM VALUES. If you don't do this, then it's not a one-time pad and it doesn't enjoy the unbreakable nature of a one-time pad.
        • Your assumption is correct only if the plain text is greater in length than the repetition frequency of the "pseudo" random sequence. There are plenty of ways to generate truly random numbers..the lava lamp method being one of my personal favorites. The trick is conveying this sequence to the intended receiver in a secure fashion.

          The premise of a one-time pad (OTP) being unbreakable is sound provided the key is used once and only once and then positively destroyed.

          With the OTP, as in any encryption scheme, there are at least two points of failure when exchanging messages....the sender and the intended receiver. Failure to complete the key destruction process at either end or key compromise (intercept) will render even the most powerful encryption scheme moot.
          • Your assumption is correct only if the plain text is greater in length than the repetition frequency of the "pseudo" random sequence.

            You're wrong, too. Let's say that the last 140Mb of the PRNG output is the same as the first 140Mb, since after 512Mb it went periodic. Now let's say you've got the Gettysburg Address stored at location 0 on the CD-ROM.

            Well, gee, great. You can't read what's at position 0, because you don't have the corresponding part of the pseudo-OTP... wait, yes you do, because 513Mb-rest-of-disk is exactly the same as the pseudorandom output used to encrypt the plaintext in the first place.

            XOR it with itself and you recover the Gettysburg Address.

            Thus, even if the plaintext is vastly smaller than the repetition rate, you're still in jeopardy.

            Moral of the story: don't use a scheme this naive.

            The trick is conveying this sequence to the intended receiver in a secure fashion.

            The trick is creating the random numbers in the first place. There are some PRNGs which have outputs suitable for Monte Carlo simulations; others which are suitable for quick randomish values; others which are good for this, that and the other. Cryptographically secure PRNGs are extremely difficult to come by, and unless someone has done formal cryptanalysis on a PRNG, I won't use that PRNG.

            The premise of a one-time pad (OTP) being unbreakable is sound provided the key is used once and only once and then positively destroyed.

            The pads don't have to be destroyed; they just have to never, ever fall into the hands of the enemy. Destruction is not a necessary condition. A necessary condition that you did not mention is that the key material must be absolutely, totally entropic. Not pseudorandom, not random-seeming... absolutely, totally entropic.
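To make the one-time-pad points of this subthread concrete (XOR rather than add, never reuse pad bytes, and the periodic-PRNG scenario where a message stored one period later sits under the same key bytes as the one at position 0), here is an added example that is not from any poster. A constructed 64-byte period and two constructed messages stand in for the CD and the Gettysburg Address; `pad_period` is an added defender-side check, and the OS CSPRNG is used only as a stand-in for the physically random source a real pad needs.

```python
"""One-time pad with XOR, and the failure the thread describes: a 'pad' that is
really a periodic PRNG stream puts two messages under the same key bytes."""
import hashlib
import secrets

# Constructed 64-byte period for the bad-pad demo (two distinct digests).
DEMO_PERIOD = (hashlib.sha256(b"constructed period, part 1").digest()
               + hashlib.sha256(b"constructed period, part 2").digest())
PT_A = b"Four score and seven years ago our fathers brought forth"  # crib
PT_B = b"meet at the usual place at dawn, bring the documents"      # secret


def otp_xor(data: bytes, pad: bytes, offset: int) -> bytes:
    """XOR data with pad[offset:offset+len(data)]. XOR is its own inverse, so
    the same call encrypts and decrypts. A pad range must never be reused."""
    if offset < 0 or offset + len(data) > len(pad):
        raise ValueError("pad segment out of range")
    segment = pad[offset:offset + len(data)]
    return bytes(d ^ k for d, k in zip(data, segment))


def fresh_pad(length: int) -> bytes:
    """Pad drawn from the OS CSPRNG. A stand-in for the physically random
    source a true one-time pad needs; CSPRNG output carries no such proof."""
    return secrets.token_bytes(length)


def periodic_pad(period: bytes, total_len: int) -> bytes:
    """Model of a pad filled from a generator that repeats after len(period)
    bytes, which is what the thread says a cipher in OFB mode eventually does."""
    reps = total_len // len(period) + 1
    return (period * reps)[:total_len]


def pad_period(pad: bytes):
    """Check before trusting pad material: the smallest shift at which the pad
    repeats itself over at least half its length, or None if it never does."""
    for p in range(1, len(pad) // 2 + 1):
        if pad[p:] == pad[:-p]:
            return p
    return None


def recover_from_reuse(ct_a: bytes, ct_b: bytes, known_pt_a: bytes) -> bytes:
    """If both ciphertexts used the same key bytes, ct_a ^ ct_b == pt_a ^ pt_b:
    the key cancels, and a known pt_a (a crib) yields pt_b directly."""
    n = min(len(ct_a), len(ct_b), len(known_pt_a))
    return bytes(ct_a[i] ^ ct_b[i] ^ known_pt_a[i] for i in range(n))


def demo_periodic_pad() -> bytes:
    """PT_A at position 0 and PT_B one period later share key bytes, so anyone
    holding both ciphertexts and the crib reads PT_B without the pad."""
    pad = periodic_pad(DEMO_PERIOD, 4096)
    ct_a = otp_xor(PT_A, pad, 0)
    ct_b = otp_xor(PT_B, pad, len(DEMO_PERIOD))
    return recover_from_reuse(ct_a, ct_b, PT_A)


def demo_fresh_pad() -> tuple:
    """Same messages on disjoint slices of a random pad: decryption still
    round-trips, but the crib attack returns only noise."""
    pad = fresh_pad(4096)
    ct_a = otp_xor(PT_A, pad, 0)
    ct_b = otp_xor(PT_B, pad, len(PT_A))        # disjoint, never-reused segment
    round_trip = otp_xor(ct_b, pad, len(PT_A))
    return round_trip, recover_from_reuse(ct_a, ct_b, PT_A)


if __name__ == "__main__":
    print("periodic pad leaks:", demo_periodic_pad())
    rt, noise = demo_fresh_pad()
    print("fresh pad round trip ok:", rt == PT_B, "| crib attack yields:", noise[:16])
```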
  • If your're smart (Score:5, Insightful)

    by randombit ( 87792 ) on Wednesday August 08, 2001 @06:36PM (#2150534) Homepage
    you won't take the algorithms specified in other posts and toss them into a program, because it would almost certainly be insecure. Algorithms are fine, but strong block ciphers, public key encryption algorithms, and hash functions have been around for 10 years or more. OTOH, getting the key managemnet, random number generation, etc right is hard and takes a lot of experience and knowledge.

    My call would be to use GnuPG [gnupg.org]. It uses strong algorithms, uses a well known and fairly intensively studied format, is open source, and the people who did it seem to know what they're doing pretty well. If you're feeling paranoid, use the TripleDES or Rijndael-256 options to encrypt, though personally I feel perfectly safe encrypting even very personal things with CAST5.

    If you're actually interested in papers, etc, I would start it out with more practical-oriented things (for example, the specifications of Blowfish, MD5, SHA-1, and RSA - not what you find in Applied Cryptography or whatever, but the original academic papers - with fairly minimal experience in programming you should be able to understand things like this fairly easily). From there, you can start to read the more involved papers, with complex algorithms and protocols, weird mathematical systems, etc.

    Basically "in the know" people know that it's not encryption that breaks a secure system. It's the fact that your OS has a remote root hole (or equivalent), or the FBI put a keylogger in your keyboard, or there is a microphone planted in your room. It's much, much simpler to do any of those things than actually break modern encryption algorithms (consider that the FBI actually carried out my keylogging point in order to grab a PGP passphrase that some mob guy was using to encrypt his books). So unless you're sure that the FBI (or anyone else) can't do something like that, there is no point in using anything that might theoretically be more secure cryptographically speaking.
  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Wednesday August 08, 2001 @12:11PM (#2150841) Homepage Journal
    Rijndael, Blowfish and Twofish are pretty good, all-round algorithms, if you want to secure something you're storing, or sending between one trusted machine and another, over an untrusted connection. They -do- require that you can transfer the key securely, though.

    RSA and Pegwit are excellent public key systems, where it is impossible to safely convey a secret key from one machine to another, or where a secret key could be stolen from a machine.

    For ultra-solid security for archive material, 3DES and Serpent are probably the best. They're slow, but they're very very solid. Nobody is going to be breaking them in a hurry.

    If you're ultra-paranoid, though, you can always take the Square algorithm out of Pegwit and replace it with Serpent, making other changes as needed. Elliptic Curve encryption is faster than classic Public Key encryption, but (so far) it's about as secure.

    • by Anonymous Coward on Wednesday August 08, 2001 @04:33PM (#2113241)
      Pegwit is a program. RSA is an algorithm. There IS a difference-- PGP implements RSA (among other algorithms). Pegwit implements ECC algorithms; it is not an algorithm by itself.

      As for symmetric algorithms: take your pick.

      A lot of programmers and cryptographers are familiar with Blowfish, and it's very popular. It's easy to understand and implement (the F-function is dirt simple, and the key schedule is only a little more complicated), so there are a lot of products using the algorithm. So far, there haven't been any successful attacks against the full, 16-round algorithm, and lots of cryptologists have tried.

      Triple-DES is, of course, based on DES. DES has been analyzed thoroughly over the years, and has held up relatively well-- none of the attacks found were within practical ranges. Triple-DES hasn't been broken-- and likely won't be.

      Rijndael is, of course, the AES. It's based on some very innovative concepts, and I'm comfortable with it. It's a little unconventional (most ciphers nowadays seem to be Feistel ciphers, or variants thereof-- Rijndael is a step in a different direction), but it's been analyzed extensively. Nothing too damning has been found. It's probably good enough to use right now without worry, but the ultra-paranoid will wait a few years to watch for new analysis.

      Serpent was an AES candidate algorithm. It was based on VERY conservative design principles; this has led to a rock-solid cipher. Serpent doesn't do anything truly unconventional-- everything in the cipher spec is based on sound reasoning and is backed up by YEARS of analysis. A little slower than other algorithms, Serpent still has a lot going for it, and I'd recommend it as soon as any other algorithm.

      As for public-key algorithms:

      RSA and ElGamal. Old, trusted, and well-understood. RSA has been analyzed since the early 1980's, and has held up VERY well. ElGamal has received a boatload of analysis, as well-- it's not likely to crack soon.

      ECC is a very open field, currently, and it holds a LOT of potential. But the comfort level isn't quite there, for me. I'd give it another year or two-- there's a lot of research because of the advantages ECC can bring to public-key cryptography.

      Programs:

      PGP/GPG. Take your pick. I like GPG, partially for the more intensive peer review, partially for the licensing. PGP has been around longer, however, so it may be more comfortable.

    • Speaking of Rijndael, where can you download a good implementation that is free and licensed for commercial use? I recently had to choose an encryption package for a program my group was writing and our client (government affiliated) wanted to go with Rijndael since it was the new AES standard. The NIST implementation [nist.gov] is not licensed for commercial use and other implementations [kuleuven.ac.be] don't seem to come from trustworthy enough sources. I couldn't find anything that I felt comfortable recommending so we ended up going with Blowfish.

  • by rjh ( 40933 ) <rjh@sixdemonbag.org> on Wednesday August 08, 2001 @09:09PM (#2169022)
    For public-key algorithms, I'm actually really fond of Rabin. RSA (and ElGamal) is built on three totally unproven conjectures:
    • P != NP
    • Factoring very large composites is an NP problem (El Gamal: calculating discrete logarithms is an NP problem)
    • There is no other way to break RSA than by factoring large numbers (El Gamal: no other way to break it than by calculating discrete logarithms)

    Rabin, on the other hand, is based on two totally unproven conjectures:
    • P != NP
    • Factoring very large composites is an NP problem

    ... Yes, Rabin has some problems--the ciphertext tends to be much larger than with RSA--but on the whole, it's on a much stronger mathematical foundation. There have been some interesting hints, throughout the years, that the third of RSA's assumptions is not valid--nothing to make any but the most out-there mathematicians drool, but hints nonetheless.

    By dodging the third issue, Rabin manages to be (theoretically) safer than RSA for a given modulus size. The word `theoretical' is extremely important, though; putting algorithms into practice is a far different thing than analyzing them in theory!

    For this reason, although I prefer Rabin in theory, in practice I really don't care much which algorithm you use--RSA, El Gamal or Rabin are all just fine.

    For symmetric algorithms, there is one and only one option for the hardcore and paranoid cryptogeek. That option is TripleDES--either two or three subkeys doesn't matter all that much, but three is definitely preferred. No other symmetric algorithm in history has been cryptanalyzed as heavily as DES. No other symmetric algorithm in history has established as much trust as DES. While at 56 bits of key DES is too weak for anything serious, TripleDES (at somewhere between 112 and 168 bits of key, depending on who you believe) is solid as a rock.

    Of course, it's slower than hell and rekeying takes forever. But hey. If you want only the best, most secure, most-trusted, nothing else even comes close.
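An added illustration of the reduction the comment above leans on (example code, not from the thread): textbook Rabin over constructed toy primes, showing the four candidate plaintexts a decrypter gets back for one ciphertext, and that any two square roots that are not negatives of each other split the modulus with a single gcd, which is why recovering Rabin plaintexts is provably no easier than factoring n. The primes and message are constructed, and no padding or redundancy is applied.

```python
from math import gcd

def sqrt_mod_prime(a: int, p: int) -> int:
    """Square root of a quadratic residue a modulo a prime p with p % 4 == 3."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p, "a is not a quadratic residue mod p"
    return r

def rabin_encrypt(m: int, n: int) -> int:
    return pow(m, 2, n)          # c = m^2 mod n; only the public modulus is needed

def rabin_decrypt_all(c: int, p: int, q: int) -> list:
    """All four square roots of c mod n = p*q, recombined with the CRT. The real
    message is one of them; a deployed scheme adds redundancy to m to tell which."""
    n = p * q
    rp, rq = sqrt_mod_prime(c % p, p), sqrt_mod_prime(c % q, q)
    q_inv_p, p_inv_q = pow(q, -1, p), pow(p, -1, q)    # CRT coefficients
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            roots.add((sp * q * q_inv_p + sq * p * p_inv_q) % n)
    return sorted(roots)

def factor_from_roots(n: int, r1: int, r2: int):
    """If r1^2 == r2^2 (mod n) but r1 != +-r2, then gcd(r1 - r2, n) splits n.
    This is the reduction: anything that returns square roots mod n factors n,
    so breaking Rabin is at least as hard as factoring the modulus."""
    g = gcd(r1 - r2, n)
    return g if 1 < g < n else None

if __name__ == "__main__":
    p, q = 7, 11                 # constructed toy primes, both 3 mod 4
    n = p * q
    m = 20                       # constructed message, must be < n
    c = rabin_encrypt(m, n)
    roots = rabin_decrypt_all(c, p, q)
    print(c, roots)              # 15 [13, 20, 57, 64]
    other = next(r for r in roots if r not in (m, n - m))
    print(factor_from_roots(n, m, other))   # 7: the modulus is split
```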
  • is its limited use. Most every web page I've run across uses encryption for only sensitive things, which is like a red flag saying "here is the good stuff worth the effort".

    I'd like to setup my own web server, and encrypt everything, making it that much harder on any potential adversary.

    It would be nice to make the feds decrypt a weeks worth of spam, before getting to the juicy emails.
    • Proliferate IPsec. Once every datagram is encrypted I'd say the ace is up /our/ sleeve...
    • Web sites only use SSL for 'sensitive' information because the calculations required to set up the SSL session and communicate with the browser has a definite cost in system load and delay in the browser receiving, decoding, and displaying the page.

      A site that used HTTPS urls for every page, every graphic, every click, would 'feel' slower to the end user, and the server would not be able to handle as many concurrent users as a site which makes
