Talk:Strong cryptography
Russian ban?
Has Russia really banned the use of strong crypto? Where is the source of that info?! — Preceding unsigned comment added by 213.85.50.2 (talk • contribs)
oppose merger w/ cryptographically strong
Strong cryptography is a noun, referring to any of a semi-mythical group of cryptosystems which are especially hard (or even impossible) to break. Cryptographically strong is a related adjective which applies to various cryptographic entities such as algorithms, protocols, and even cryptosystems. These are not the same concepts, though related. Putting them in the same article will induce confusion in the mind of many Average Readers (who are confronting a twisty subject anyway) and this should be avoided. Parsimony is an admirable thing, but not when it increases the opportunity for confusion. ww 21:19, 8 August 2006 (UTC)
Differences wrt Security level
Note that Security level formally defines the cipher strength. The lead of this article should explain the difference (if none, a merge should be discussed) and explicitly point to the Security level article. Based on the sources, this seems to be an article about a legal definition. Comments are hereby solicited, especially from @Maxal, Alexander Davronov, and ArnoldReinhold: Dimawik (talk) 19:14, 23 June 2023 (UTC)
- Tried to improve. Note that the lead still contains a paragraph (starting with "Demonstrating the resistance") that has no cites, and, while technically correct, has little to do with the subject of the article. My proposal is to delete it entirely. Dimawik (talk) 09:21, 24 June 2023 (UTC)
- This article is more about a cybersecurity context of cryptography rather than about its technical definition. Personally I only wrote a part on the Russian law. I didn't edit the rest of the article. AXONOV (talk) ⚑ 10:12, 25 June 2023 (UTC)
- Thank you for a quick reaction. Still, it does not seem that the subject has any connections to, say, social engineering or password cracking, so it is related to hard knowledge. Am I correct? Dimawik (talk) 19:23, 25 June 2023 (UTC)
- Fixed my reply's grammar. What do you mean by the "hard knowledge"? AXONOV (talk) ⚑ 19:27, 25 June 2023 (UTC)
- I coined this by analogy with hard skills / soft skills demarcation. The solution to password cracking, for example, is outside of the algorithmic arena: the education of the users and/or business decision to use alternative means of authentication can help (both do not require any knowledge of cryptography, and are based mostly on common sense, thus the "soft" label). The subject of this article, on the other hand, belongs to the technical/government policy intersection and involves understanding of the laws - and some general ideas of the current and future state of codebreaking. In my opinion, the strong encryption is the encryption that, at a given time, is unbreakable if properly used, is a major impediment to surveillance, and therefore frequently regulated. Dimawik (talk) 19:44, 25 June 2023 (UTC)
My understanding of strong cryptography is security systems that use or attempt to use the best available cryptographic primitives, as opposed to systems whose security is limited by restrictions on key length, built in weaknesses or back doors or other restrictions mandated by laws or regulations. Examples include the Clipper Chip, export controls and recent demands that tech companies allow authorities to inspect messages for child pornography.—agr (talk) 16:17, 27 June 2023 (UTC)
- I almost 100% agree with you (almost, because - being outside the walls of the security agencies - we do not quite know what the state of the art is). I tried to shape the lead in the direction "strong one is impossible for a three-letter agency to mathematically crack if no blunders were made in implementation or use, weak one complicates the life of an aspiring hacker kid, but not too much - and definitely not for long", but the sources I had chosen made me write what I have written. I would very much welcome any sources that point to your definition as I understand it: strong cryptography is not the weak one, with the latter defined as intentionally crippled by the government regulations. Dimawik (talk) 21:15, 27 June 2023 (UTC)
- See the first full paragraph on page 3 of my 1999 Cato Institute report, currently ref 4, where I attempt to define Strong. The rest of the report contrasts that def with attempts to restrict what is available. I agree with you that statements about what TLAs can break are speculative at best. What’s changed since 1999 is the realization that state actors and the like do not need to brute force ciphers; instead they exploit weaknesses in protocols, operating systems and even hardware, some of which they likely plant. So the very term Strong Cryptography is a little quaint at this point.—agr (talk) 15:58, 28 June 2023 (UTC)
- I will try to add your definition (directly attributing to you, unless you object), but I am also looking for a source that clearly states something like "the brute-forcing or using backdoors in the modern popular ciphers is no longer feasible, thus making these ciphers strong and the importance of the divide between the weak and strong cryptography moot"
- state actors and the like do not need to brute force ciphers - I completely agree with you, and wanted to write about this (witness the mention of the social networks), but found no good sources. I will try searching again, but will appreciate any hints.
- Dimawik (talk) 21:15, 28 June 2023 (UTC)
Weak examples
The list is too large and contains no sources. Buggy implementations definitely do not belong in this section. Dimawik (talk) 23:47, 13 July 2023 (UTC)
- With no objections for a month, trimming the list. Dimawik (talk) 09:38, 16 August 2023 (UTC)