On Fri, 2006-11-03 at 09:40 -0600, Robert J. Hansen wrote:
> Ryan Malayter wrote:
> > When encrypting to a *.7z file, 7-zip uses AES-256 in CBC mode, with
> > a passphrase-to-key function based on SHA-256. This is actually
> > stronger than most cipher preferences on OpenPGP keys.
>
> This may be just my own personal quirk, but it seems misleading to me to
> describe AES256 as "stronger" than, say, AES128. The threshold just to
> break AES128 is so immense that it may as well be a brick wall;
> describing AES256 as "stronger" just means the brick wall is, well,
> still a brick wall. Once you reach a certain threshold point as far as
> resistance to brute-force attacks, to really make something "stronger"
> requires introducing resistance to other kinds of attacks.
>
> E.g., I'd say that a 3DES hardware token guarded by a fireteam of armed
> Marines is far stronger than an AES256 key stored on a PC running
> unpatched Windows 95 on an always-on unfirewalled Internet connection,
> despite the fact the AES256 key has about 144 bits more keyspace.
>
> Let's just describe 7zip as using strong crypto, and leave it at that. :)

I already told Ryan that WinZip also has both AES128 and AES256. I did a download of it yesterday and found that out for sure. I also asked Ryan to do a test to find if WinZip <-> 7-Zip can share their AES encrypted files.

You are absolutely correct in saying that they are both brick walls. The weakness is not in the algorithm or even the number of bits you use. I primarily use TWOFISH, but it is still that brick wall. It just has different colored bricks.

The weakness is normally in the pass-phrase (password). Trying as hard as I can, I have had nothing but grief in trying to train people in how to create them and have finally understood it is going to be "pencil", no matter what, for some people. That is the limit of their memory and imagination. Well, even the smart ones will resort to using "joshua" (case-insensitive of course). Go look at WarGames if you don't know where the pass-phrases came from.

I gave Ryan the humorous example of a fellow student who locked their terminal at school while they went to the restroom. I told him I could hack through his screen password. I did, and changed it to another one. I had noticed him looking at the pictures of nature on the wall and fixating on a green frog. I hacked in with only about four attempts, then locked it again with a pass-phrase indicating the hack.

The strongest encryption in the world is useless without a GOOD password or pass-phrase. It may be useless even then with a keyboard logger. Kevin Mitnick didn't exploit weaknesses in systems so much as exploiting the weaknesses in people.

This all kind of begs the question though. I can't even get the files to another security researcher (Mike Burgess) because the Symantec AV scanner on Comcast's SMTP server barfs on a PLAIN zipped file right now. It attaches my message (with the ZIP attachment) to a message saying it can't scan the zip file. It will ALWAYS do that if I encrypt the zip file (whether I use the salt-cipher or AES) that I zip. But I can attach a normal zipped file and use GnuPG (OpenPGP) encryption and it sails right on through. I can see my zip attachments that are bounced in both Thunderbird and Evolution, but Mike can't see them in Outlook (any pointers, Outlook people?).

If the message doesn't make it to the other side, and that is what you wanted to do in the first place, the encryption is useless. Systems depend on EACH AND EVERY ELEMENT that goes into their creation.

Passwords and pass-phrases are what I will attack every time, not the brute force of something even as lowly as CAST5 or 3DES. I GUARANTEE that unless people are trained in how to create novel passwords and pass-phrases AND *DO* IT, I WILL probably be successful. And I only have a normal IQ. Don't go up against the geniuses like Mitnick, Schneier and Werner and others. They will beat you every time.

HHH