McEliece encryption system cracked

Researcher Tanja Lange at TU/e in the Netherlands is reported to have succeeded in cracking the McEliece cryptosystem.

The software that was used can crack the McEliece encryption system within fourteen days, with the help of the computing power of one hundred computers. This feat was carried out recently by means of several dozen computers, scattered throughout the world, according to Lange.

Authentication – Part I, the Achilles’ heel.

Most practitioners will agree that state-of-the-art encryption systems (including quantum encryption) provide an adequate level of protection for the information entrusted to them. In fact, other than exploiting programming errors in the encryption functions, the only hope an attacker has of gaining access to encrypted information is to fool the authentication measures and impersonate a legitimate user.
The fact that there is no bulletproof authentication system (still an open problem) is indeed the Achilles’ heel of modern data security systems.
In a broad sense, authentication has been associated with identification; however, a more stringent criterion can be applied if we define it as:

Authentication: the process of verifying that the user has the credentials that authorize him/her to access a certain service.

The difference between Identification and Authorization is important and has been analyzed at length by Jim Harper in his book Identity Crisis.

Traditionally, user authentication is based on one or more of the following:

  • Something you know, for example a password or PIN number
  • Something you have, for example, a smart card or an ATM card
  • Something that is physically connected to the user such as biometrics, voice, handwriting, etc.

A fourth factor to be considered is Somebody you know, which has been recently added to the list of factors for electronic authentication, although it has always been a very common form of identification within social networks.


You can hear about this subject on Steve Gibson’s podcast.

Block Ciphers

In contrast to stream ciphers, in which the message, represented as a stream of binary digits (bits), is encrypted bit by bit, a block cipher is a symmetric-key cipher that encrypts fixed-length groups of bits into fixed-length groups of bits. The message is broken up into substrings (called blocks) of a fixed length n>1 and encrypted block by block. The integer n is called the block-length.
A block cipher consists of a reversible algorithm that takes two inputs, a block of length n and a key of length n_k, and outputs a block of length n. For example, in the case of (the superseded) DES, n=64, i.e. the block-length is 64 bits, and the key-length is 56 bits. Thus, for each block, the input is 64 bits, the output is 64 bits and the key-length is 56 bits, so there are 2^{56} possible transformations.

Currently NIST approves only 3 types of block ciphers: AES, Triple-DES and Skipjack.

At a basic level, block ciphers are a combination of the two fundamental techniques for construction of ciphers advocated by Shannon in 1949, namely, confusion and diffusion.

Confusion tends to block the cryptanalyst from obtaining statistical patterns and redundancies in the cipher text arising from the plain text. Thus, the statistical dependency of the cipher text on the plain text is obfuscated. The easiest way to cause confusion is through the use of substitutions. In the case of a binary string, we substitute various ones and zeros by zeros and ones respectively, according to a pre-determined formula.

Diffusion dissipates the redundancy of the plain text by spreading it over the cipher text. For the moment, we can think of this redundancy informally as statistical patterns. Diffusion implies that, if we change just one letter or character in the plain text, we cause a big change in the cipher text. Thus, we will need a large amount of cipher text to capture redundancy in the plain text.
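To make confusion and diffusion concrete, the following added example (not code from the original page) builds a toy 16-bit substitution-permutation cipher and measures how far a one-bit plaintext change spreads with and without the permutation layer. The 4-bit S-box is the first row of DES S-box S1; the bit transposition, the three-round structure, the key schedule and the sample values are assumptions constructed for the illustration, and the cipher is not secure.

```python
# Toy 16-bit substitution-permutation network: illustration only, not secure.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # first row of DES S1
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUNDS = 3

def substitute(block, box):
    """Confusion: replace each 4-bit nibble through a lookup table."""
    return sum(box[(block >> s) & 0xF] << s for s in (0, 4, 8, 12))

def permute(block):
    """Diffusion: move bit i of nibble j to bit j of nibble i (self-inverse)."""
    out = 0
    for j in range(4):
        for i in range(4):
            out |= ((block >> (4 * j + i)) & 1) << (4 * i + j)
    return out

def round_keys(key):
    """Constructed key schedule: rotate the 16-bit key left by 4 bits per round."""
    return [((key << 4 * r) | (key >> (16 - 4 * r))) & 0xFFFF
            for r in range(ROUNDS + 1)]

def encrypt(block, key, diffuse=True):
    ks = round_keys(key)
    for r in range(ROUNDS):
        block = substitute(block ^ ks[r], SBOX)
        if diffuse and r < ROUNDS - 1:      # no permutation after the last round
            block = permute(block)
    return block ^ ks[ROUNDS]

def decrypt(block, key):
    """Run the rounds backwards: the algorithm is reversible for any key."""
    ks = round_keys(key)
    block ^= ks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r < ROUNDS - 1:
            block = permute(block)
        block = substitute(block, INV_SBOX) ^ ks[r]
    return block

def avalanche(plain, key, bit, diffuse):
    """Flip one plaintext bit; return (changed bits, changed nibbles) in the output."""
    d = encrypt(plain, key, diffuse) ^ encrypt(plain ^ (1 << bit), key, diffuse)
    return bin(d).count("1"), sum(1 for s in (0, 4, 8, 12) if (d >> s) & 0xF)

if __name__ == "__main__":
    for diffuse in (False, True):           # constructed sample plaintext and key
        print("with permutation" if diffuse else "substitution only",
              [avalanche(0x26B7, 0x3A94, b, diffuse) for b in range(16)])
```

With substitution alone the change never leaves the nibble it started in, so each 4-bit group can be analysed independently of the others; once the permutation is enabled the change spreads to other nibbles.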