Us Versus Them: Encryption

Via Cryptome, I stumbled across Dancho Danchev’s post on technical mujahid, issue two – something along the lines of 2600, only for wannabe terrorists, not wannabe hackers.

I normally really couldn’t care less about this stuff, but one item he mentions interests me – rather than advocating PGP for encryption, the new encryption tool of choice is Mujahideen Secrets, which looks like it might be little more than a flashy front-end to PGP or GPG. The reason for the switch has nothing to do with security – there is still no verifiable information that PGP or GPG have been compromised or contain government backdoors; indeed, if anything, there’s evidence to the contrary – rather, it seems to have been done for branding purposes. That’s the story, anyway. I guess young wannabe mujahideen would rather use “Mujahideen Secrets” than “Pretty Good Privacy”, which, of course, was developed by Phil Zimmermann. Oy…

The illustration on Danchev’s page shows a screenshot of “Secrets”, displaying a menu of several 2048-bit RSA keys. He’s curiously silent on what recommendations the secret masters of information jihad make regarding key lengths, but 2048-bit keys are far from unreasonable for these sorts of things, given today’s software and hardware.

Despite the proven strengths and track record of PGP, it isn’t approved for military or government use in this country (except, possibly, the National Security Agency). This has less to do with technical shortcomings, and much more to do with key-management issues. What they generally use, however, is S/MIME, which is limited to anemic 128-bit keys, and in many implementations (not necessarily in government or military use, please note) defaults to a relatively insecure 40-bit key.

There’s much more to cryptography than just key length, of course, but it’s still a bit discouraging to think that the government is securing the contents of email using encryption weaker, by most metrics, than that commonly used by commercial systems to encrypt and secure the exchange of email (TLS with 256-bit keys), let alone what the bad guys are using.
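The key sizes quoted in this post mix RSA modulus lengths with symmetric key lengths, so the following added example (not part of the original post) puts them on one rough work-factor scale. It assumes the textbook GNFS running-time heuristic with the o(1) term dropped for RSA and exhaustive key search for symmetric ciphers; the function names are illustrative.

```python
import math

def rsa_work_bits(modulus_bits: int) -> float:
    """log2 of the estimated cost to factor an RSA modulus with GNFS.

    Uses L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped (an assumption),
    so the result is a rough figure, not a precise security level.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work_ln = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)

def work_bits(kind: str, key_bits: int) -> float:
    """Common scale: log2 of attacker work for either kind of key."""
    if kind == "rsa":
        return rsa_work_bits(key_bits)
    if kind == "sym":
        return float(key_bits)  # exhaustive search over 2^key_bits keys
    raise ValueError(f"unknown key kind: {kind}")

# Key sizes quoted in the post.
KEYS = [
    ("RSA key from the screenshot", "rsa", 2048),
    ("S/MIME symmetric key", "sym", 128),
    ("S/MIME weak default", "sym", 40),
    ("TLS symmetric key", "sym", 256),
]

def compare(keys=KEYS):
    """Return (label, key_bits, work_bits) rows, weakest first."""
    rows = [(label, bits, round(work_bits(kind, bits), 1))
            for label, kind, bits in keys]
    return sorted(rows, key=lambda row: row[2])

def rsa_bits_matching(symmetric_bits: int, step: int = 256) -> int:
    """Smallest modulus size (multiple of step) whose estimate reaches
    the given symmetric strength under this heuristic."""
    n = step
    while rsa_work_bits(n) < symmetric_bits:
        n += step
    return n

if __name__ == "__main__":
    for label, bits, work in compare():
        print(f"{label:30s} {bits:5d}-bit  ~2^{work} operations")
    # NIST SP 800-57 is more conservative than this heuristic: it pairs
    # 2048-bit RSA with 112-bit and 3072-bit RSA with 128-bit strength.
    print("RSA size matching 128-bit symmetric:", rsa_bits_matching(128))
```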

Published in: General, Security | on June 10th, 2007
