Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 30 Jul 2019 03:51:52 -0700
From: Eric Oyen <eric.oyen@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Question for experienced cryptographers

The fact of the matter is, AES with bit sizes greater than 256 is still the best encryption standard there is.

As for the criminal enterprise involved:
Well, they may have made it rather difficult, but there is no such thing as impossible.
Rule 1: there is no such thing as absolute security
Rule 2: if the same key and encryption gets used more than once, it’s chances of being cracked go up a lot. (One time pads are still the most secure methods)
Rule 3: some types of encryption can be broken with the use of large cluster farms. Believe me, the NSA has one such up in Utah. Also, if there is any kind of access to the program sources, There might be a solution gained from that. 

Given the above, AES and 3DES are still the best methods to use.


Unfortunately, those two methods have one glaring security hole, you have to share the key with your intended party and if you don’t have a way to securely share it and someone else gets hold of it, well, there goes your security.

Now, RSA can use those two and because it uses a shared key system where there are two keys (public and private), you can share the public key with whomever you want. Only the intended recipient will be able to decrypt it, and they have to use their own local passphrase to do it. I know, I use it here myself and I have run JTR on one sample I created using 4096 bits encryption with a 2048 bit key-space. So far, after more than a year of steady cracking, JTR has yet to get it.


Now, one rule of encryption is this: depending on the value of information over time, the longer it takes to crack, the lower the value of the information becomes. Information in todays world has a shelf life, and it’s an even shorter one where criminals are concerned.

So, if the police in the countries mentioned can’t crack it, they can always come to the NSA for help, or they can try the FSB in Russia. Either way, they will have to admit they are way outside their ability on this one.

-Eric


> On Jul 30, 2019, at 2:59 AM, Johny Krekan <krekan@...nykrekan.com> wrote:
> 
> Hello, I would like to ask whether someone of you (for example 
> Solardesigner as a John author) could estimate what is the real security of 
> an applications like Threema. The webpage states that encryption mechanism 
> used by this software should be secure enough and there is no chance for 
> people to break and decrypt communication between persons which are using 
> this software. What do you think what method could  be used by agencyes to 
> decrypt communication between criminals in Slovakia which are now bein 
> judged in most watched process in this time? The news stated that the 
> threema was used to encode their communication and then the news stated 
> that the communication was succesfully decrypted.
> I am looking to see your opinions about the security of such softwares.
> Nice day
> Johny Krekan

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.