Talk:Kerckhoffs' principle
From Wikipedia, the free encyclopedia
A nit, but a philosophically important one. In his law, K noted something, which happens to be true about crypto use and about what its users should assume about the threat environment and how they can / should best respond. It is only because this is true that 'the majority of civilian crypto...'. It is not because of his statement of it. One might equally say the same thing about Shannon's Maxim, and be equally skew to the actual situation.
It is this, among many related points, that I'm struggling with at crypt engineering and crypto system. That's why they've been under construction for so long. ww 16:09, 17 Apr 2004 (UTC)
- OK, I've gone with "In accordance with", not "because of". Note that here (and presumably cryptoengineering and cryptosystem), we cannot assert that Kerckhoffs' law is true because of NPOV, even if we think it is. — Matt 16:39, 17 Apr 2004 (UTC)
I've never heard of this principle referred to as a "law", except in Wikipedia (and I just checked three different independently-authored crypto books). I've heard of the circuit-theoretic "Kirchhoff's laws", but I've never heard the term used in cryptology. I think the author of the article was confused, and I think this article should probably be renamed as "Kerckhoff's principle" (or, alternatively, "Kerckhoff's assumption"). -- Wonderstruck 05:26, 17 May 2006 (UTC)
- I think you might be right. — Matt Crypto 20:41, 18 May 2006 (UTC)
- Ok, I've moved the article to "Kerckhoffs' principle". I chose "principle" over "assumption" to be consistent with the corresponding non-English articles. Wonderstruck 07:28, 12 June 2006 (UTC)
Secret cryptosystems
I removed the following text from the article, which was added by 85.178.217.26 on 7 July 2006:
It's possible to have a secret cryptosystem while still reaping the benefits of public cryptography research: make a non-weakening change to a public algorithm, like changing the Nothing up my sleeve numbers, or, in the case of Symmetric-key algorithms, chaining the public cipher with an unrelated secret cipher.
I have a few problems with this paragraph:
- The paragraph's wording is confusing:
- "chaining" is easily confused with cipher block chaining (the technique this paragraph refers to is called "cascading");
- "public algorithm/cipher" is easily confused with public-key cryptography; and
- "secret cipher" is easily confused with secret-key cryptography.
- The claim that making "non-weakening" private modifications to published algorithms allows one to "[reap] the benefits of public cryptography research" is controversial if not factually incorrect:
- Schneier's Law makes this form of security through obscurity likely to be ineffective, since the people making the modifications are unlikely to know what modifications are "non-weakening".
- It is well-established that small changes to an algorithm can have a large impact on its security. For example:
- SHA-1:
"SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function; this was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security."
- The resistance of DES to differential cryptanalysis:
"It was noted by Bamford in Puzzle Palace that DES is surprisingly resilient to differential cryptanalysis, in the sense that even small modifications to the algorithm would make it much more susceptible"
- The paragraph advocates cascading published and unpublished ciphers:
- Dealing with multiple encryption algorithms is error prone. In this example, if you use identical or related keys for both the published and unpublished ciphers, you risk having one of the ciphers (or the interaction of both ciphers) leak information about the key. A similar problem occurred with GSM. Quoting the article on A5/1:
"In 2003, Barkan et al published several attacks on GSM encryption. The first is an active attack. GSM phones can be convinced to use the much weaker A5/2 cipher briefly. A5/2 can be broken easily, and the phone uses the same key as for the stronger A5/1 algorithm."
- Cascades do not necessarily add security, and can reduce it. Furthermore, if the security of the published algorithms isn't enough for you (the U.S. government has certified AES for protecting TOP SECRET information, for example), then adding more cryptography probably isn't the solution to your problem. [1]
- Cascades add complexity, and complexity is the worst enemy of security.
For at least those reasons, I think the paragraph I removed should stay removed.
-- Wonderstruck 11:52, 13 February 2007 (UTC)
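The key-reuse hazard described in the post above (a published cipher cascaded with a private one under identical or related keys) can be shown in a few lines. The example below is added here and is not code from the article or from any of the commenters; both "ciphers" are constructed toy stream ciphers (HMAC-SHA256 run in counter mode), and the private cipher is deliberately built on the same keystream construction as the public one, which is the worst case the post warns about. With one shared key the two layers cancel and the cascade outputs the plaintext; deriving domain-separated subkeys for each layer (an HKDF-style step, assumed here) removes that interaction.

```python
"""Cascading two ciphers under one key: the interaction can cancel both layers.

Everything here is constructed for illustration. keystream() is a toy
PRF-based stream cipher, not a real algorithm from the discussion.
"""
import hashlib
import hmac


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over a 32-bit counter, truncated to n bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same op."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# The "published" cipher and the in-house "secret" cipher. In this constructed
# worst case the private cipher reuses the same keystream construction, which
# is exactly the kind of hidden relationship a home-grown design can carry.
published_cipher = xor_stream
secret_cipher = xor_stream


def naive_cascade(key: bytes, data: bytes) -> bytes:
    """Cascade both layers under ONE shared key (the mistake under discussion)."""
    return secret_cipher(key, published_cipher(key, data))


def cascade_leaks_plaintext(key: bytes, data: bytes) -> bool:
    """True when the two layers cancel and the 'ciphertext' equals the plaintext."""
    return naive_cascade(key, data) == data


def derive_subkey(master: bytes, label: bytes) -> bytes:
    """Domain-separated subkey (simplified HKDF-style expand; assumed construction)."""
    return hmac.new(master, b"subkey:" + label, hashlib.sha256).digest()


def separated_cascade(master: bytes, data: bytes) -> bytes:
    """Same two layers, but each gets its own independent subkey."""
    k_pub = derive_subkey(master, b"published")
    k_sec = derive_subkey(master, b"secret")
    return secret_cipher(k_sec, published_cipher(k_pub, data))


def separated_decrypt(master: bytes, ciphertext: bytes) -> bytes:
    """Undo separated_cascade by applying the layers in reverse order."""
    k_pub = derive_subkey(master, b"published")
    k_sec = derive_subkey(master, b"secret")
    return published_cipher(k_pub, secret_cipher(k_sec, ciphertext))


if __name__ == "__main__":
    # Constructed sample key and message.
    key = bytes(range(32))
    msg = b"attack at dawn"
    print("naive cascade leaks plaintext:", cascade_leaks_plaintext(key, msg))
    ct = separated_cascade(key, msg)
    print("separated cascade differs from plaintext:", ct != msg)
    print("separated cascade round-trips:", separated_decrypt(key, ct) == msg)
```

The separated version only fixes the key-reuse interaction; it does not make the cascade stronger than its individual layers, which is the other point the post makes about cascades.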
New Research?
I saw this tidbit on the article that I think should be removed or at least completely reworked because it compromises new research.
It is worth expanding on what Schneier means by brittleness: after all, any security system depends crucially on keeping some things secret. What Schneier means is that the things which are kept secret ought to be those which are least costly to change if inadvertently disclosed. A cryptographic algorithm may be implemented by hardware and software which is widely distributed among its users; if security depended on keeping that secret, then disclosure would lead to major logistic headaches in developing, testing and distributing implementations of a new algorithm. Whereas if the secrecy of the algorithm were not important, but only that of the keys used with the algorithm, then disclosure of the keys would require the much less arduous process of generating and distributing new keys.