× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2016

Re: Encryption algorithm used for the IBMi OS passwords.

On Thu, Apr 7, 2016 at 11:17 AM, Nathan Andelin <nandelin@xxxxxxxxx> wrote:
Regarding my concern about those who have vested financial interests in
promoting publicly disclosed algorithms - I hope you're not taking my
comments too personally. You and others have been raising points in this
discussion which I've heard for years, which shows that their marketing has
been effective.

I'm not taking anything personally. I think you're misrepresenting the
"call" for public algorithms.

The problem with your argument is that it consists of "well, what
they/you are saying is just marketing". Or in other words, "that's
just they want you to think". Which simply is not an argument.
Everyone can just as easily say the same thing about the military
practice of secrecy. The military certainly wants us to think that
they should keep their algorithms secret. That's just the Kool-Aid
that the military has been feeding you. Which of the opposing
viewpoints is right? There isn't a way to determine that.

But I do subscribe to the philosophy behind the scientific method. You
may not. That's certainly your prerogative. But if you accept the
scientific method, then you start from a position of skepticism, and
demand verification and proof for everything.

Maybe you also believe that mathematics is a sham, perpetrated by
self-interested mathematicians. Fine. You are welcome to believe that,
but it leaves no path for meaningful, rational discussion.

Regarding lost keys, an extreme example would be having all ones data
encrypted with a key-based algorithm, then say losing the key to the
repository which holds the encryption keys. You're stuck without having any
way to decipher your data. You've effectively lost all your data. I raise
the point for the sake of discussion - not that I advocate for back doors.

There wouldn't be a "repository of encryption keys". The cryptosystems
under discussion would use randomized keys. (And yes, a key can be
stolen, and even the randomizer can be stolen. But the point of
Kerckhoffs's is actually that the keys and randomizer are *supposed*
to be the weakest links in the chain. The algorithm itself should
ideally be unassailable without the key.)

Your example doesn't really affect my argument. Mathematically
speaking, the algorithm's sole purpose is to prevent *anyone* without
the key from accessing the data it's protecting. Yes, if I don't have
the key, then I don't have the data. That's the algorithm doing its
job. That's the whole definition of "secure algorithm".

Regarding algorithms, whether publicly disclosed or not, their
implementations could include say spyware without the public knowing about
it. So other factors should be employed to assure trust in the source.

It's true that implementations can include spyware. That is precisely
the backdoor concept I was talking about, and it is precisely the
reason a lot of folks are more comfortable with *open source*
implementations.

You mentioned in an earlier post that open source software isn't
necessarily higher quality than closed source. Mathematically
speaking, that is absolutely, irrefutably true. I would certainly
expect closed source written by Scott Klement to be higher quality
than open source written by me. But when faced with closed source
written by an unknown author, a lot of folks would be more comfortable
with an implementation that is subject to public scrutiny.

Given the era and the context of Kerckhoff's 2nd tenet, it's pretty clear
that he was advocating for key based encryption.

No one is disputing that.

Cryptography devices at
the time were crudely mechanical and prone to fall into enemy hands. There
was no point in hiding how they worked. But that's a far cry from "calling"
for public disclosure of algorithms.

The fact that you keep bringing this up shows you either haven't read
or haven't understood what I wrote. Let me say it again:

"The desire of some people to have and rely on public algorithms isn't
logical fallacy. It isn't misunderstanding or twisting of Kerckoffs.
It's just the same skepticism that is the driving force behind
science, pure and simple."

Let me put it another way. The following assertion is NOT my argument:

"The call for public algorithms is a direct, logical consequence of
Kerckhoffs's principle."

Some people may make that argument. I am not making it here. What I am
saying is:

"The call for public algorithms is a manifestation of rational
people's natural desire for verification and proof."

John Y.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.