>>>>> "Bernd" == Bernd Eckenfels <lists @
lina .
inka .
de> writes:
>> People smarter than me tell me that 3des and IDEA are both very
>> good. RSA with key sizes greater than 1024 bits are probably good
>> for a while longer. Both 3des and IDEA will take longer than you
>> have left here to brute force search, assuming no clever short cuts
>> are found.
Bernd> RSA is not suited to encrypt large amounts of data (like all
Bernd> the Public Key systems). Usually rc4, idea, 3des, blowfish and
Bernd> all those cryptographic block-chifres are secure against
Bernd> brute-force attacks as long as the key is long enough. (128bits
Bernd> are save quite some time i guess).
True. This is precisely why software based on public key cryptosystems
typically use the public key system (such as RSA) for the session key
exchange mechanism *only*, and then using that session key for actual
encryption or decryption of the data itself via a symmetric cipher
(like IDEA or 3DES.)
Good suggestions have alredy been made. The best, in my opinion, would
depend on what level of security you require, to arrive at some
combination of what's already been suggested. The most paranoid of
organizations might wish to combine all of the following, and maybe
other things as well):
* have their people on this network protected behind a firewall
that keeps them separate from the rest of the corporation's
nets.
* keep sensetive information on a shared disk (a la NFS, AFS, or
something) exported to the appropriate workstations, and
physically stored in a controlled-access location.)
* use something like CFS (Crypto File System, by Matt Blaze) to
keep the data encrypted on the disk. This way, backups will not
contain the sensitive info in the clear
* make sure their people aren't boneheads. Anyone who has
legitimate access to the data could copy the stuff to a disk,
tape, or email it off to a buddy in Iraq. (Maybe for reasons of
good intention, like working from home, or something, but the
danger is still there every time a copy is made.)
For info on CFS, see
ftp://ftp.research.att.com/dist/mab/cfs.announce
ftp://ftp.research.att.com/dist/mab/cfs.ps
ftp://ftp.research.att.com/dist/mab/cfs.notes.ms
ftp://ftp.research.att.com/dist/mab/cfskey.ps
--
C Matthew Curtin MEGASOFT, LLC Director, Security Architecture
I speak only for myself. Don't whine to anyone but me about anything I say.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
cmcurtin @
research .
megasoft .
com http://research.megasoft.com/people/cmcurtin/
References:
|
|
