Tracy R Reed wrote: > John H. Robinson, IV wrote: > >Ya know - people used to think this. Then they learned that having > >encrypted (well, hashed) data out in the open was A Bad Thing. Now we > >have /etc/shadow. > > But that was not encrypted. It was only trivially hashed.
It was not trivial, when it was first done. *NOW* it is trivially hashed, unless you are using md5. We should be using SHA1 or something now. > I can understand why you would repeat this mantra as a security > professional and a purist which I am all in favor of but we have to be > realistic and start saying things like "For all practical purposes..." > at some point. For today's practical purposes. Cryptopgraphy is a moving target. > No but it is far more likely to be stolen by clueless hoods than by the > feds or the Illuminati or some such group. I agree. This is why you have time to cancel credit cards, and change bank account numbers. It takes time to break the crypto. It takes time to find someone that can break the crypto. Or are you going to say that under all conditions that when your data is outside of your control, that no one at any time is ever going to break it? I am not saying be paranoid. I am saying practice due dilligence. When it is out of your control, consider it compromised. > In the highly unlikely event that a cryptographer ever looks at > something I have encrypted I use passphrases with high entropy and > choose algorithms which are less vulnerable to that sort of thing. RC4 was considered pretty solid. We know now that it is vulnerable to some vulnerabilities whn certain types of keys were chosen. Can we say that todays algorithms are immune? Again, not paranoia: due dilligence. > >Today's toughest encryption is tomorrow's quiant algorithm. CPU power > >growse, and grows fast. Brute force attacks get easier. Attacks against > >algorithms get more sophisticated. > > This is true to a point. But there has to come a point where we say > "This crypto is the best I can do for now and it's better than nothing." I agree. Absolutely. Be ready to take corrective action when the time is right. For financial data, that includes things like cancelling cards, changing account numbers. For stored passwords (do you let firefox cache passwords? Lots of people do), you have to change them. With crypto, you have time to do this. Without crypto, you need to do it the day before your data gets stolen. Cryptography is a good thing, but it is not a 100% solution. Nothing is. -john -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
