
Comment Re:What should happen and what will happen (Score 1) 139

If you are a large organization, you can afford more.

Yes, but the point is the way it scales; if you are tiny you can reasonably assume that almost no occasions will occur when you need to do multiple hashes in a small amount of time. If you are larger then you end up with a lot of extra RAM that you aren't going to use regularly but will need to use during peak log-in times. I agree that you can probably afford more, but getting corporations to do so is difficult; at the end of the day, everyone cares about their bottom lines.

RSA is old, broken crypto which should be migrated away from.

This suggests that you have some very opinionated and somewhat unique views.

I hate to resort to appeal to authority, but the actual analysis required to prove it is way more effort than I have time for this morning. Take a look at keylength.com, it has a host of authoritative references.

I'm familiar with many of the references there, so if there are specific ones you'd like to point to (given the large number there) it might be helpful. But I will note that what they say there agrees to a large extent with what I wrote earlier, in that they explicitly say that they are trying to provide key sizes for a desired level of protection.

It's a valid counterexample because RSA key generation, and, to a much lesser extent, RSA private key operations, are computationally expensive enough to stress low-end devices (an issue I often have to deal with... I'm responsible for some of the core crypto subsystems in Android). But it's a weak counterexample because RSA is not modern crypto. It's ancient, outmoded, we have some reasons to suspect that factoring may not be NP hard, using it correctly is fraught with pitfalls, and it's ridiculously expensive computationally. And even still, the common standard of 2048-bit keys is secure for quite some time to come. As that stackoverflow article you linked mentions, the tendency has been to choose much larger-than-required keys (not barely large enough) rather than tracking Moore's law.

As discussed in the same stackexchange link, the key choice is due to infrastructural reasons (and in fact I specifically mentioned that in the part of my above comment you apparently decided not to quote). What actually happens is that we use keys that are larger than required and then use them for a *long time* before jumping to larger key sizes when we really need to. Again, the failure to perfectly track Moore's law (or even improvements in algorithms) is infrastructural, and similar issues will apply to many other crypto systems.

Frankly, I'm concerned that you claim to be someone who has done serious crypto work when you say that "we have some reasons to suspect that factoring may not be NP hard, using it correctly is fraught with pitfalls" because this indicates some serious misconceptions; first, it isn't a suspicion that factoring may not be NP-hard. We're very certain of this. If factoring were NP-hard then a whole host of current conjectures that are only slightly stronger than P != NP would have to be false. Since factoring is in NP intersect co-NP, if factoring were NP-hard then we'd have NP = co-NP, and we'd have the polynomial hierarchy collapse. Moreover, since factoring is in BQP by Shor's algorithm, we'd also have NP in BQP, which we're pretty confident doesn't happen.

But there's a more serious failure here, which is that pretty much no major cryptographic system today relies on an NP-hard problem, and reliance on such is not by itself a guarantee of success. For example, Merkle–Hellman knapsack was based on a problem known to be NP-hard and it was broken. Similarly, NTRU has a closely related NP-hard problem but it isn't actually known to be equivalent.

There's also another serious failure here; being reliant on an NP-hard problem isn't nearly as important as being reliant on a problem that is hard *for a random instance*. It isn't at all hard to make an NP-complete problem where the vast majority of instances are trivial. In fact, most standard NP-complete problems are easy for random instances under most reasonable distributions. 3-SAT is a good example of this; while there are distributions which seem to give many hard instances with high probability, naive or simple distributions don't do that.

I do agree that RSA is not ideal in terms of some aspects, especially concerns about computational efficiency. But the idea that RSA is "broken" is simply not accurate. And criticizing it as old misses that that is one of its major selling points; the older an encryption system is, the more eyes have looked at it. In contrast, far fewer people have looked at elliptic curve cryptographic systems. Moreover, the one unambiguous way that RSA is actually broken (in the sense of being vulnerable to quantum attacks) applies just as well to ECC.

I suspect that some of our disagreement may stem from the fact that many of the terms we have been using have not been well-quantified, so the degree of actual disagreement may be smaller than we are estimating.

Comment Re:What should happen and what will happen (Score 1) 139

But this is exactly why good password hashing algorithms are moving to RAM consumption as the primary barrier. It's pretty trivial for a server with many GiB of RAM to allocate 256 MiB to hashing a password, for a few milliseconds, but it gets very costly, very fast, for the attacker. And if you can't afford 256 MiB, how about 64?

Using memory dependent hashes works better if one is a small server since one will rarely have a lot of people sending in their passwords at the same time, so the RAM space you need isn't that large. If you are a large organization then this doesn't work as well because you then need room to be able to do many such calculations functionally simultaneously.

Nope. The leverage factor in the password hashing case is linear, since the entropy of passwords is constant (on average). The leverage factor for cryptographic keys is exponential. The reason we don't use much longer keys for public key encryption, etc., is because there's no point in doing so, not because we can't afford it. The key sizes we use are already invulnerable to any practical attack in the near future. For data that must be secret for a long time, we do use larger key sizes, as a hedge against the unknown.

I agree that there's a linear v. exponential difference there (although for many of these it is more like linear and subexponential due to algorithms like the number field sieve), but the rest of your comment is essentially wrong. We keep keys just long enough that we consider it to be highly unlikely that they are going to be vulnerable, but not much more than that. That's why, for example, we've been steadily increasing the size of keys used in RSA, DH and other systems. Note by the way that part of the concern also is that many of these algorithms require a fair bit of computation not just on the server side but on the client side as well, which may be a small device like a tablet or phone. In fact, it would be a lot safer if we increased key sizes more than we do, but there are infrastructural problems with that. See e.g. discussion at http://crypto.stackexchange.com/questions/19655/what-is-the-history-of-recommended-rsa-key-sizes The only way that the linear v. exponential (or almost exponential) comes into play is how much we need to increase the underlying key size or how long we need to make the next hash system if we want it to be secure. Keys only need to be increased a tiny bit, whereas hashes need to grow a lot more. But in both cases we're still not making them any longer than we can plausibly get away with for most applications.

Comment Re:Practical? (Score 1) 139

There's one context in which their concern isn't unreasonable: the default assumption is that if any crypto system (key exchange, public key encryption, hashing system, etc.) becomes common then people are going to think about it pretty hard. That's going to lead to a lot of insight into how to do better than brute force. The classic example of this is RSA, where Rivest estimated that RSA-129 would take on the order of quadrillions of years to factor even assuming the same improvement rate in computational power. But now RSA-129 is factorable in a few hours with a standard implementation of the number field sieve. This isn't as much about improvement in hardware as it is improvement in algorithms (modern sieves were inspired in large part by RSA). So if you aim for your key to be large enough that any brute force method will be physically impossible, you can be more confident that even with algorithmic improvements, cracking will still take very long.

The real problem with their idea is that given current hardware, demanding long keys is computationally intensive for all involved (and as you pointed out for the vast majority of these what they want to hide just isn't worth that).
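The gap between "brute force" and the number field sieve that the two comments above keep returning to can be put in numbers. This is an added example for this page, not code from any commenter: it evaluates only the leading term of the GNFS heuristic cost L_n[1/3, (64/9)^(1/3)], with the o(1) in the exponent dropped, so its figures run a few bits above calibrated tables such as NIST SP 800-57, and the `modulus_bits_for_security` search in 64-bit steps is an assumption of the example rather than any standard's procedure. What it does show is why doubling an RSA modulus adds only a few tens of bits of work against NFS while adding hundreds against trial division.

```python
import math

# Leading constant of the general number field sieve: (64/9)^(1/3) ~ 1.923.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_work_bits(modulus_bits, c=GNFS_C):
    """log2 of the heuristic GNFS cost L_n[1/3, c] for an n of modulus_bits bits.
    Only the leading term is kept (no o(1) calibration), so this is an
    uncalibrated estimate a few bits above published security-strength tables."""
    ln_n = modulus_bits * math.log(2)
    exponent = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)


def trial_division_bits(modulus_bits):
    """Brute force: try every divisor up to sqrt(n), i.e. 2^(bits/2) operations."""
    return modulus_bits / 2


def modulus_bits_for_security(target_bits, step=64, start=512):
    """Smallest modulus size (searched in multiples of `step`) whose estimated
    GNFS cost reaches `target_bits` of work. The step size is this example's
    choice, not a standard's."""
    bits = start
    while gnfs_work_bits(bits) < target_bits:
        bits += step
    return bits


if __name__ == "__main__":
    for k in (512, 1024, 2048, 3072, 4096):
        print(f"{k:5d}-bit modulus: trial division ~2^{trial_division_bits(k):.0f}, "
              f"GNFS ~2^{gnfs_work_bits(k):.1f}")
    for target in (80, 112, 128):
        print(f"{target} bits of GNFS work needs a modulus of about "
              f"{modulus_bits_for_security(target)} bits")
```

Compare the two columns the script prints: going from a 1024-bit to a 2048-bit modulus moves trial division from 2^512 to 2^1024, but moves the sieve only from roughly 2^87 to roughly 2^117. That subexponential curve is what the "keys only need to be increased a tiny bit" remark is about, and why the published estimates for RSA-129 were wrong once algorithms, not just hardware, improved.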

Comment Re:What should happen and what will happen (Score 1) 139

The problem with that is on the other practical end: if you massively increase the resources needed, you will also increase the server-side resources; it won't be as bad as it will be on the cracking end, but server resources are expensive. There's a point beyond which you aren't going to get people to agree to do it, and a certain point where that insistence really does become reasonable. This is similar to why we don't use much longer keys for public key encryption and use really large primes for DH key exchange.

Comment What should happen and what will happen (Score 4, Interesting) 139

If one looks at the history of what happened the last time a major hash was broken, there was a large gap between when MD5 had its first collisions and when it became practical to detect collisions. There was a little under a decade between when the first collisions were found and when it became easy to find collisions. The general expectation is that hash systems will fail gracefully in a similar way, so we have a large amount of warning to switch over. Unfortunately, we've also seen that in practice people don't adopt new hash algorithms nearly as fast as they should. The second to last Yahoo security breach was so bad in part because the passwords were hashed with a completely unsalted MD5 https://nakedsecurity.sophos.com/2016/12/15/yahoo-breach-ive-closed-my-account-because-it-uses-md5-to-hash-my-password/. The lack of salting would have been by itself a problem even when MD5 was still considered insecure. That in 2015, a decade after MD5 was broken for almost all purposes, Yahoo was still using it, is appalling. Unfortunately, they likely aren't the only one. And I fully expect that if Slashdot is around in a decade we'll read about someone who has foolishly stored passwords using SHA-1.
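Why an unsalted fast hash is a separate problem from the choice of MD5 itself, as an added example for this page (not code from the commenter, from Yahoo, or from the linked article): the wordlist and the four accounts below are constructed for the example, and the hash-count bookkeeping is the example's own way of showing the attacker's cost, not a measurement from any real breach.

```python
import hashlib
import os

# Constructed data for this example: a tiny wordlist and four accounts, two of
# which share a password and one of which uses a password outside the list.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]
USERS = {
    "alice": "password",
    "bob": "hunter2",
    "carol": "password",
    "dave": "Tr0ub4dor&3",
}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def store_unsalted(users):
    """An unsalted MD5 password table: nothing but hash(password)."""
    return {name: md5_hex(pw.encode()) for name, pw in users.items()}


def store_salted(users, salt_len=16):
    """A per-user random salt stored beside hash(salt || password)."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(salt_len)
        table[name] = (salt, md5_hex(salt + pw.encode()))
    return table


def duplicate_hashes(unsalted_table):
    """Accounts sharing a hash share a password; visible before any cracking."""
    seen = {}
    for name, h in unsalted_table.items():
        seen.setdefault(h, []).append(name)
    return [names for names in seen.values() if len(names) > 1]


def crack_unsalted(table, wordlist):
    """One precomputed lookup table serves every account, so the number of
    hashes computed does not grow with the number of users."""
    lookup = {md5_hex(w.encode()): w for w in wordlist}
    hashes_computed = len(wordlist)
    cracked = {name: lookup[h] for name, h in table.items() if h in lookup}
    return cracked, hashes_computed


def crack_salted(table, wordlist):
    """A salt forces a fresh pass over the wordlist for each account; the
    attacker stops early on a hit but pays the full list for every miss."""
    cracked = {}
    hashes_computed = 0
    for name, (salt, h) in table.items():
        for w in wordlist:
            hashes_computed += 1
            if md5_hex(salt + w.encode()) == h:
                cracked[name] = w
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("same-password accounts visible in the unsalted table:", duplicate_hashes(unsalted))
    print("unsalted: cracked, hashes computed =", crack_unsalted(unsalted, WORDLIST))
    print("salted:   cracked, hashes computed =", crack_salted(salted, WORDLIST))
```

With four accounts the salted table already costs the attacker more than twice as many hash evaluations, and the ratio grows with the user count; the unsalted table also leaks, with no work at all, that two accounts share a password. Salting fixes the reuse of work across accounts, but MD5 is still fast enough that each account can be attacked cheaply, which is why a slow or memory-hard construction is needed on top of it.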

Comment Re:EU Governments need to ban Windows 10. (Score -1) 161

Well I don't think MSFT or any corp is gonna have to worry about the EU for much longer as it looks like France along with several other countries are getting ready to bail and leave Mama Merkel and her Syrian migrants to it. Can't say as I blame 'em, ever since Merkel opened the floodgates it's been a disaster, rape has risen several thousand percent, countries like Sweden having to tell their women not to go out alone at night in their own country for fear of rape gangs, and a bill of 50 billion and counting just for Germany to keep all these uneducated men on the dole.

So MSFT frankly ought to just ignore them, the EU will be nothing but a memory soon enough.

Comment Re:And, I might start buying more from them again. (Score 1) 183

That is the same reason the wife and I have been using Walmart for our online shopping, as it often has prices the same or less than Amazon, cheaper shipping and as a nice bonus a full 2/3rds of the items we purchased last holiday had a "free ship to store" option with many having same day or next day pickup.

Maybe now that Amazon have lowered the shipping we might do more shopping there...then again Walmart recently lowered their free shipping minimum to $25 and most small items we can get free shipping to our local Walmart so I don't have to come up with a bunch of stuff to put in the cart when I just need a flash stick or MicroSD card.

Comment Can you say "move the goalposts" boys and girls? (Score 5, Insightful) 224

Because if Google's proprietary OSes that are more locked down than Windows ever was (say what you want about Windows but I can grab a windows laptop and inside of 10 minutes be booting into anything from BSD to Zorin OS, just try that on a Chromebook) now counts as "Linux" because it uses the kernel, which even the community acknowledges that "the kernel is not Linux"? Well sheeit, by that metric you could claim Linux "won" half a decade ago since all those cheapo locked down routers used by millions are using the Linux kernel as part of the embedded OS.

It certainly doesn't come anywhere close to being open or supporting the four freedoms, so if this is what it takes to "win" I'd say "well what exactly did you 'win' other than replacing one corporate master for another?"

Comment Re: As opposed to a great American . . . (Score 0) 56

Because Obama was such a great peace loving man...oh wait a tick, he bombed the countries that Trump banned, killing thousands in the process, but of course the press didn't say shit about that. I guess murdering them is okay, it's only banning them that is racist...maybe Trump should follow Obama's example then and start letting loose the drones?

Hey maybe if he racks up as big a body count as Obama he can get a peace prize too!

Comment Re:Too bad Mozilla needs to be forked again (Score 0) 47

Except they are getting rid of the only reason anybody uses their product, so tell me again how it's all about security? If you are arguing the web will be more secure when Mozilla is gone? Alright then argue that, but this move is completely pants on head retarded and considering how many users they've lost since the Australis debacle this could not have come at a worse time.

To use a /. car analogy it would be like the only car your company has enough sales of to keep you afloat is the convertible line so the CEO goes "Ya know what? Convertibles are unsafe, we're getting rid of them! The customers will love our attention to keeping them...hey where did everybody go?"

Meanwhile I'd love to see the figures from the Pale Moon guys about how many downloads they've been getting the past few months as I bet it's through the roof, I know every article with another Mozilla stupid move in it has a comment section with users advising to bail on FF and go for Pale Moon instead. Ya know what? Can't say as I blame 'em, I switched to PM myself when I finally got tired of FF screwing with the UI and it's actually a really nice browser, all my extensions work (and for the few that don't they have a handy list with links to the previous version of said extension that works with the latest PM), my theme worked, and for the couple of websites that put up a fit? One quick change of the UA string and it was all golden. It's like FF used to be before they went down the road to suckage, which just FYI I'm betting by Xmas they will be just another rebranded Chrome like Opera and a year or so after that they'll close up shop. After all what is the point of using FF now if it looks and acts like Chrome and only uses Chrome extensions? If I wanted Chrome I'd bloody well use Chrome!

Comment Re:Pale Moon is very nice (Score 2) 225

Most of the FF extensions work OOTB but they have a list of known incompatible extensions and in nearly every case they have a link to a previous version that works with Pale Moon.

I've been using it for a couple of years now, since it was obvious Mozilla was gonna commit suicide by turning FF into a badly supported Chrome-Lite, and I have to say Pale Moon is a really solid browser. All of my extensions work, my theme works, and the few sites that didn't like Pale Moon were placated easily enough by changing the UserAgent. All in all I think it's a great browser and hope my fellow /. readers do as I do and ask your favorite extension devs that are being left in the cold by Moz to switch to Pale Moon, which with extension dev support could be the solid replacement to FF we've been wanting since Moz shit the bed with Australis.
