Deep packet inspection in the USA?

Started by Cain, July 01, 2009, 11:50:30 PM

Rev. Stanley Baldwin

you never heard of illegal numbers, see, that's the problem...

this is a waste of time
G=T

Bebek Sincap Ratatosk

Actually, since I was tangentially involved with DeCSS, I am aware of illegal numbers. I'm also aware that they are entirely meaningless in the context of this discussion.

Quote from: Rev. Stanley Baldwin on July 09, 2009, 07:45:19 PM
uh, I think you implicitly agreed to all and then qualified by adding "hard to do"

Sure, "hard to do" as in "It would require a period of time from the estimated creation of the Universe until now, to brute force PGP".

Any encryption system can be brute forced... it's simply a matter of trying all the keys. The advantage lies in a key space that is so large, it is infeasible to actually get through enough of the keyspace to have any real chance of finding the key.

In theory any keysystem could be broken immediately, if you had a really really really lucky guess. 1:2^2048 is pretty low odds though... 1:2^256 is pretty low odds as well (AES 256, the current standard for symmetric encryption).

- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Rev. Stanley Baldwin

right, which is why you are happy w/ RSA, good luck
and the key word, IS tangentially
G=T

Rev. Stanley Baldwin

why would one need to brute-force RSA...?
G=T

Rev. Stanley Baldwin

and please do not be bamboozled by thermodynamic arguments
on the heat-death of the universe, those calcs are all based on
brute force...

RSA = USA piglatin...
G=T

LMNO

Well, it took him 60 posts to go from incomprehensible to asshole.

Bebek Sincap Ratatosk

Quote from: Rev. Stanley Baldwin on July 09, 2009, 08:04:20 PM
why would one need to brute-force RSA...?

Because, as long as the proper padding is used.... brute-force is the only form of attack that is feasible. It's faster than trying to solve the RSA problem or factor all of the large primes. All of these attacks are hard (in the crypto sense meaning 'not yet solvable'). Could something change, sure. Could the government have a sooper seekrit solve for the RSA problem? Sure.

Is it likely? Fuck no.


Rev. Stanley Baldwin

really, no one believes that bubble-fish and RSA are compromised?
G=T

Bebek Sincap Ratatosk

Quote from: Rev. Stanley Baldwin on July 09, 2009, 08:11:21 PM
really, no one believes that bubble-fish and RSA are compromised?

Blowfish, I assume you mean?

Well, people believe lots of things. For example, some people believe that YHVH is getting ready to destroy the world and rapture up the Christians. Some people believe the Illuminati controls everything and some people think the NSA has secret crypto technology that can decrypt PGP.

Generally, in conversing with these people I find a number of reasons to consider anything they believe suspect. Like you, for instance...

Rev. Stanley Baldwin

PGP is a shell...

it's the algorithm that counts...

really, are you the ones that repackaged it?
G=T

Rev. Stanley Baldwin

Assigned reading:  Applied Cryptography circa '1997 ed....
G=T

Bebek Sincap Ratatosk

Quote from: Rev. Stanley Baldwin on July 09, 2009, 08:18:11 PM
PGP is a shell...

it's the algorithm that counts...

PGP is an application which uses algorithms. I have, in fact, worked through the code (back when it was easily available). At the time I was doing a lot of work with Bruce Schneier (author of Blowfish, in fact) and Matt Curtin. PGP was my "I'm a n00b, teach me" work while they were busy doing cool new shit that was way over my head.

Now, is the current version I have running in this corporation completely free of backdoors and NSA spooks? I don't know. We have legal agreements in place with PGP Corp. which state that such things don't exist. If the company deemed it necessary we could get the source code and have it analyzed by a professional cryptographer. However, we have decided not to do that since a business that we partner with regularly paid for just such an assessment about a year before we purchased our solution.

In short, IF NSA doors exist they are so well hidden that the company can allow cryptographers and programmers to look through their code without concern. That seems highly unlikely.

The code for GPG is still publicly available and I have a high level of confidence in its current incarnation.

Now, please explain what the fuck illegal numbers or 'quantum' has to do with this conversation, other than buzzwords that you heard through your tinfoil hat?


Quote from: Rev. Stanley Baldwin on July 09, 2009, 08:20:02 PM
Assigned reading:  Applied Cryptography circa '1997 ed....

Read it, own first and second edition... cut my teeth on crypto with its author (see above)

Triple Zero

Quote from: Ratatosk on July 09, 2009, 06:38:48 PM
Yep, I use TrueCrypt almost every day :) Though I haven't used it in combination with Stego, that's an interesting idea. The hidden encrypted disk option is nice and I use it on a thumb drive for transferring encryption keys from one environment to another.

when I browsed the TrueCrypt docs, first thing I noticed was you can hide a TC partition in any file and still mount it.

Quote:
I've used PGP since 1994. I remember people then saying exactly the same thing... "We gotta get everyone to encrypt email"

yeah I know, but times have changed a lot since 1994 and so has usability. we just gotta keep trying, right?

hey, how am I going to be sure this won't take off if i don't even try it myself? :)

Quote:
However, until Outlook Express and GMail do it automatically, I don't think it's gonna happen. People are just too ignorant of the security issues involved or fail to see what value they get out of the extra work. It's not like a Web of Trust is all that easy to explain to the world at large. And at the end of the day, unless we have huge signing parties on a very regular basis, among people we can trust implicitly, there are a lot of potential holes and abuses a malevolent government could implement.

I'm pretty sure there are already enough easy-to-use plugins for most popular software out there.

the Web of Trust and key-signing parties stuff I don't know enough about yet to judge how easy or hard that will be. but carrying a USB stick with my public key and giving it to my friends and family every time I meet one, would be a good start, no? And once I got that, I could securely email those I have IRL shared my public key with any public keys of others I happen to obtain, right?

and

1. I'm pretty sure Rev.Stan is trolling by now.
2. I'm also pretty sure he's trying to hide his lack of knowledge by obtuse language.
3. "Illegal numbers", or "Illegal primes" refer to, afaik, some algorithm that used to be classified and therefore illegal in certain countries such as the USA, encoded as a hex number and then padded with extra digits to yield a prime number. Legally this prime number used to be illegal and that's kinda funny so it got famous.
4. Indeed Quantum Computing is nowhere near factoring or solving any encryptions. A friend of mine used to work on the topic and no, it doesn't do much yet. Only theoretical in machines that cannot be built yet.
5. I've read quite a bit lately about the current state of crypto algorithms, and it led me to believe that even using a slightly tougher variation of the old Playfair cipher would still foil anything except a targeted attack. And therefore it would foil DPI as well if it would be widely used. Now RSA is several orders of magnitude harder to crack, so yeah, widespread use of RSA would definitely prevent DPI Big Brother scenarios.
6. There is no algorithm yet to easily crack RSA. If it had been found, I don't see how the USA gov could keep it to itself. But maybe that's wishful thinking, if someone can argue how they could keep it to themselves, I'd like to hear about it.

etc
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.
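
The "illegal prime" idea described in item 3 of the post above, as an added example that is not part of the thread: a byte string is read as a big integer, and low-order padding is varied until the whole number tests prime, so the original bytes come back by dropping the padding. The payload, the 4-byte padding width and all function names are assumptions made for this sketch, which is a simplified construction rather than the historical one.

```python
# Constructed, harmless payload standing in for the encoded data.
PAYLOAD = b"print('hello, world')\n"
PAD_BYTES = 4  # assumed padding width: low-order bytes that are free to vary

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (a probabilistic test for very large n)."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:  # write n - 1 as d * 2**s with d odd
        d //= 2
        s += 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a is a witness that n is composite
    return True


def payload_to_prime(payload: bytes, pad_bytes: int = PAD_BYTES) -> int:
    """Shift the payload left and try odd paddings until the number is prime."""
    base = int.from_bytes(payload, "big") << (8 * pad_bytes)
    for pad in range(1, 1 << (8 * pad_bytes), 2):
        if is_probable_prime(base + pad):
            return base + pad
    raise ValueError("no prime found within the padding space")


def prime_to_payload(p: int, pad_bytes: int = PAD_BYTES) -> bytes:
    """Drop the padding; leading zero bytes of a payload would not survive."""
    value = p >> (8 * pad_bytes)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    prime = payload_to_prime(PAYLOAD)
    print(prime, prime_to_payload(prime))
```
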

Bebek Sincap Ratatosk

As usual Trip, you are riding the correct motorcycle ;-)


Rococo Modem Basilisk

For what it's worth, there *is* a history of NSA backdooring of production cryptography tech. That said, the last I have heard of that was something in the mid-nineties for *hardware crypto devices*, and there was such a stink about that that I can't see the NSA bothering with it again. Furthermore, it isn't as though the internet is Americans-only; to my knowledge, encryption standards cannot be controlled (I have no idea if that 'crypto is munitions' thing is still around, but I know that it was gotten around back in the day).

That said, I have minimal knowledge and minimal interest in cryptography. Ratatosk and 000 are most likely to be riding the correct motorcycle, and if some of what I am posting is BS, let it be reasonably clear that it's probably because I suck at crypto and am not phrasing this stuff right.


I am not "full of hate" as if I were some passive container. I am a generator of hate, and my rage is a renewable resource, like sunshine.