Encryption techniques play an important role in building security algorithms. In this article, Mr. Luc shares his thoughts on various hashing parameters and encryption techniques that can help you to understand them deeply.
Here is the conversation with Mr. Luc:
- How do you see the growth of the MD6 hash against MD5, given that it is better than the MD5 hash?
Currently the answer is YES. MD6 is more secure than MD5. However, keep in mind that MD6 is not widely used and relatively new (2008); there might be several undiscovered issues.
In addition, because it is not widely deployed it is relatively uninteresting to study and crack.
I would personally not use MD6 in a production system where high security is a requirement, though it is probably fine as the underlying hashing algorithm in password hashing schemes (such as bcrypt, scrypt and PBKDF2).
This is because password hashing has a different set of requirements than cryptographic signatures (which is what hashing algorithms are designed for; they are not for password storage), and even if MD6 turns out to be broken in some way, it is probably still safe for use in password hashing systems. But then again, why use MD6 instead of a known and trusted standard such as SHA-256?
- Currently, if you were asked to compare RC4 and RC6, which would you go with?
Once again, RC6 is newer than RC4, and RC4 is still secure when a) it is used correctly and b) the first few kilobytes of output are discarded. However, it proves to be rather hard to implement this correctly, even for experts, as shown in WEP encryption, which is badly broken.
RC6 is an interesting algorithm because it is a block cipher, which allows an arbitrary key size, configurable block size, and arbitrary number of rounds. It also participated in the competition for AES and made it to the final five, which definitely gives it some credit for being a decent algorithm. That it did not win just means that another algorithm was even better at what the judges were looking for, not that it is less secure. If it was insecure (or not proven resistant to certain attacks), it would not have made it to the second round (like MD6).
I think we might be hearing more about RC6 in the future, though right now I would still rely on the current AES standard for high-security encryption.
- Given evolving cyber attacks, what, according to you, should be the height of public key cryptography in the future?
The height of public key cryptography… Well, if there is one thing that history has shown, it is that the future will change very rapidly in ways we cannot really foresee. However, if I should take a guess, there might be a day where everybody uses public key cryptography instead of plastic identity cards and easy-to-spoof (or copy) ink signatures.
I cannot understand the current system. Anybody able to reproduce public information is legally allowed to, for example, write arbitrary checks under my name? In addition, because it has a signature, they are legally valid. All my identity information is stored on a single piece of plastic in my pocket (my identity card), something which could be stolen at any time. Right now, I do not think thieves really realize what they have and there is relatively little abuse, but there are statistics that show an ever-increasing trend of identity fraud. Some day we may all be using cryptographic signatures instead.
Actually, EMV chips and SIM cards already do this: these incredibly tiny mobile computers (because that is what they are) are capable of running complex algorithms such as RSA and AES and already do cryptographic verifications. This functionality could easily be expanded. Only then we have the issue of support for this kind of identity verification, both online and offline.
- The whole cyber world is murmuring about upcoming ECC cryptography, saying it is better than RSA. Will it be more successful than RSA cryptography?
A rumor has been going on lately about the impending doom of RSA public-key cryptography. ECC, or Elliptic Curve Cryptography, is supposed to replace it. However, there is no evidence that RSA is about to be broken, except what has been going on for decades: computers get faster and keys can eventually be broken. RSA cryptography from the eighties or nineties can probably be broken today, and cryptography from today can be broken in another decade or two. You cannot really encrypt things for a lifetime; you can only encrypt them long enough that the information becomes irrelevant. See also Ron Rivest’s time lock puzzle named LCS35.
However, that RSA is not yet broken does not mean that ECC has no advantages – or disadvantages. There is currently one big issue with ECC: Certicom (owned by BlackBerry) holds most of the patents on it and does not allow others to freely use it. There are some conditions under which you may use it, but I am not entirely sure what the limitations are. Because of this legal issue, most developers like those that I stay away from it. This again shows how important free software (such as GNU/Linux) is for us as users, even if you use a closed-source system like Windows or Mac OS X.
That said, ECC also has advantages. Keys in public key encryption are much longer than keys for symmetric key cryptography. 1024-bit RSA keys have been deprecated since 2010 (according to the US NIST), while AES-128 is still holding up great and AES-256 is even pretty resistant to quantum computers. 2048-bit RSA keys are roughly equivalent to 128-bit AES keys. That is a factor of 16, and all that data has to be transmitted before an HTTPS connection (or another SSL/TLS connection) can be initiated. ECC roughly has a factor of two, meaning that a 256-bit ECC key would be roughly equivalent to 128-bit AES encryption. This makes ECC slightly faster to use.
Finally, another advantage of ECC is the way it is used: instead of having one master private key, it generates session keys, which then get signed. This is important when government agencies start demanding private keys, or when a private key is stolen. Only very recent traffic can be decrypted with a stolen or obtained private key because previously used keys are deleted, which limits the privacy and security impact.
I think ECC is surely something worth looking into, and I think it should be freely available without restrictions.