 |
This article or section is missing citations or needs footnotes. Using inline citations helps guard against copyright violations and factual inaccuracies. (December 2007) |
Strong cryptography or cryptographically strong are general terms applied cryptographic systems or components that are considered highly resistant to cryptanalysis. Demonstrating the resistance of any cryptographic scheme to attack is a complex matter, requiring extensive testing and reviews, preferably in a public forum. Good algorithms and protocols are required, and good system design and implementation is needed as well. For instance, the operating system on which the crypto software runs should be as carefully secured as possible. Users may handle passwords insecurely, or trust 'service' personnel overtly much, or simply misuse the software. (See social engineering.) "Strong' thus is an imprecise term and may not apply in particular situations.
Contents |
Legal issues
Since use of strong cryptography makes the job of intelligence agencies more difficult, many countries have enacted law or regulation restricting or simply banning the non-official use of strong crypto. For instance, the United States has defined cryptographic products as munitions since World War II and has prohibited export of cryptography beyond a certain 'strength' (measured in part by key size), and Russia banned its use by private individuals in 1995 [1]. It is not clear if the Russian ban is still in effect. France had quite strict regulations in this field, but has relaxed them in recent years.
Examples
- PGP is generally considered an example of strong cryptography, with versions running under most popular operating systems and on various processor platforms. The open source standard for PGP operations is OpenPGP, and Gnupg is an implementation of that standard from the FSF.
- The Advanced Encryption Standard (AES) encryption algorithm is considered strong after being selected in a lengthy selection process that was open and involved numerous tests.
Examples that are not considered cryptographically strong include:
- The Data Encryption Standard, whose 56-bit keys allow attacks via exhaustive search.
- Wired Equivalent Privacy which is subject to a number of attacks due to flaws in its design
- The Clipper Chip, a failed initiative of the U.S. Government that included key escrow provisions, allowing the government to gain access to the keys.
- Almost all classical ciphers
The Secure Sockets Layer protocol, used to secure Internet transactions, is generally considered strong, but an early "international" version, with a 40-bit effective key to allow export under pre-1996 U.S. regulations, was not.
References
- Strong Cryptography - The Global Tide of Change, Cato Institute Briefing Paper no. 51
