64位RC2有多安全? [英] How secure is 64-bit RC2?
问题描述
使用安全(或不安全)一个64位RC2算法?
我可以期待多久才能进行暴力攻击来破解这种加密?
使用此算法可以保护什么样的数据? (例如,我猜测信用卡信息不可能用这个算法加密,因为算法不够安全)。
一般来说,等效的密钥大小并不意味着等效的安全性,原因有很多:
首先,一些算法是已知的攻击,别人没有。密钥的大小只是打破密码所需的努力的上限;在最糟糕的情况下,您可以随时尝试所有可能的密钥,并在检查一半密钥空间后成功(平均)。这并不意味着这是最好的攻击。这里有一个例子:具有128位密钥的AES使用10轮。如果您使用带有128位密钥的AES,但只能使用一个循环,即使该密钥的大小相同,也是简单易行的。对于许多算法,已知的攻击可以在搜索整个密钥空间时快速地破解算法。
在块密码的情况下,还有其他考虑。这是因为块密码以块的形式处理数据。开始加密大量数据后,有各种组合属性可以发挥作用。例如使用通用的CBC模式,在加密大约2 ^(n / 2)个块之后开始遇到问题(这个问题是CBC固有的)。对于像RC2这样的64位密码,这意味着2 ^ 32 64位的块,或者32Gb,尽管很大,但是很容易想象(例如,用它来加密磁盘映像)。而对于像AES这样的128位密码,问题仅在大约2 ^ 64个128位块之后才开始出现,或大致为295埃字节。在这样的情况下,具有64位密钥的AES实际上比使用64位密钥的RC2更安全。
这里我们来到认识论部分答案:即使没有已知的攻击,也不意味着没有可能的攻击。 RC2很旧,很少使用;即使它是一个相当现在的密码,对它的分析也比DES更少。在过去5年中,很可能没有人会回头看看如何用最新的攻击手段来破解RC2,只是因为在现代公共密码学研究运作的相对学术的发布或者灭亡模式中,少收益;如果您正在寻求任期(或希望加强您的声誉以获得更多的咨询工作),发布甚至攻击AES的边际改进比完全拆除RC2要好得多,因为没有人再使用它了。 / p>
使用64位密钥,您已经立即限制了自己的上限,而2 ^ 64的努力确实相当低;可能不仅仅适用于情报机构,甚至是适当规模的公司(或僵尸网络牧民)。
最后,我将指出,RC2旨在在286 / 386时代的处理器。在现代机器上,它比AES或类似密码在过去10年中大大减少(约4-6倍)。
我真的看不到使用RC2的任何东西,唯一的用途,我可以想象,这将是有意义的是兼容一些古代(在计算机时间)系统。使用AES(或其他4个AES入围者之一,如果您必须)。
In encryption, would two symmetric algorithms be considered to be equal in terms of security if their key sizes are equivalent? (i.e. does a 64-bit RC2 algorithm provide the same exact security that a 64-bit AES algorithm would?)
How secure (or insecure) would it be to use a 64-bit RC2 algorithm?
How long could I expect it to take for a brute force attack to crack this kind of encryption?
What kind of data would it be okay to secure with this algorithm? (e.g. I'm guessing that credit card info would not be okay to encrypt with this algorithm since the algorithm is not secure enough).
In general, equivalent key sizes does not imply equivalent security, for a variety of reasons:
First, it's simply the case that some algorithms are have known attacks where others do not. The size of the key is just the upper bound of the effort it would take to break the cipher; in the worst case, you can always try every possible key and succeed (on average) after checking half the key space. That doesn't mean this is the best possible attack. Here's an example: AES with 128 bit keys uses 10 rounds. If you used AES with a 128 bit key, but only one round, it would be trivially breakable even though the key is the same size. For many algorithms, there are known attacks which can break the algorithm much faster the searching the entire key space.
In the case of block ciphers, there are other considerations as well. That is because block ciphers process data in chunks of bits. There are various combinatorial properties which come into play after you've started encrypting large amounts of data. For instance using the common CBC mode, you start running into problems after encrypting about 2^(n/2) blocks (this problem is intrinsic to CBC). For a 64 bit cipher like RC2, that means 2^32 64 bit blocks, or 32 GiB, which while large is quite easy to imagine (eg you encrypt a disk image with it). Whereas for a 128 bit cipher like AES, the problem only starts to crop up after about 2^64 128 bit blocks, or roughly 295 exabytes. In a scenario like this, AES with a 64 bit key would in fact be much more secure than RC2 with a 64 bit key.
Here we get to the epistemology portion of the answer: even if there are no known attacks, it doesn't mean that there are no attacks possible. RC2 is quite old and is rarely used; even when it was a fairly current cipher there was rather less analysis of it than, say, DES. It's quite likely that nobody in the last 5 years has bothered to go back and look at how to break RC2 using the latest attack techniques, simply because in the relatively academic publish-or-perish model that modern public cryptography research operates under, there is less gain to be had; it's much much better if you're seeking tenure (or looking to beef up your reputation to get more consulting work) to publish even a very marginal improvement on attacking AES than it would be to utterly demolish RC2, because nobody uses it anymore.
And with a 64 bit key, you've immediately constrained yourself to that upper bound, and 2^64 effort is really quite low; possibly within reach not just for intelligence agencies but even reasonably sized corporations (or botnet herders).
Finally, I'll point out that RC2 was designed to be fast on 286/386-era processors. On modern machines it is substantially (roughly 4-6x) slower than AES or similar ciphers designed in the last 10 years.
I really can't see any upside to using RC2 for anything, the only use I can imagine that would make sense would be for compatibility with some ancient (in computer time) system. Use AES (or one of the 4 other AES finalists if you must).
这篇关于64位RC2有多安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
