[plug] Encyption algorithms

Beau Kuiper ekuiperba at cc.curtin.edu.au
Sat Nov 13 17:29:52 WST 1999 

On Sat, 13 Nov 1999, you wrote:
> Beau Kuiper wrote:
> > 
> > Hi all,
> > 
> > I am playing with encryption/decryption stuff. I am wondering does anyone know
> > about this and can anyone tell me how good the CAST-128 algorithm is (there is
> > an RFC that describes it saying it is quite good).
> 
> I'm no expert on cryptography and I don't really know very much about
> CAST-128 but I'll toss in my 2c anyway. :)  Basically, depending on
> exactly what you want to do with it there are probably better choices. 
> I don't think CAST-128 would have been cryptanalysed as much as
> something like IDEA or Blowfish and certainly nowhere near as much as
> DES.  As I said, depending on exactly what you want to do with it, the
> following would probably be my choice:

Well, DES is as good as useless unfortunately. There probably are better
choices. You are probably right about CAST-128 not being as well cryptanalysed
as other algorithms. But I think I will stick with CAST-128 since it is well
described, there are no weak keys, it is fast, has 128-bit protection, and it
hasn't got any patent problems. If any major problems are found with CAST-128
in the future, then it would be pretty simple to replace it with blowfish or
triple DES.

> 1. 3DES:  The major weakness with DES being the short keylength mandated 
> (56 bits).  If you use 3DES (Triple DES) the effective keylength
> supposedly goes up to around 112-bits which should certainly be enough
> for now.  The major advantage of this algorithm is that DES has probably
> been examined by more cryptanalysts than any other algorithm so the
> probability that a weakness will be discovered is unlikely.
> 
> 2. Blowfish:  Pretty popular algorithm due to it's free nature and the
> fame of it's inventor (Bruce Schneier).  The advantages of it are this,
> the fact that it has been cryptanalysed a fair bit and also the variable
> key length (32 to 448 bits).  It's also pretty fast.  There have been
> some weaknesses found in Blowfish but they're generally fairly minor I
> think.  You could also possibly try Twofish which is Schneier's
> candidate for the new AES (Advanced Encryption Standard) to replace DES.
> 
> 3. IDEA:  Generally regarded as quite a good algorithm but has patent
> problems.  Bear in mind that if you use this then it limits the "free"
> nature of your program.  I think the most recent "license" for using
> their patent is that its free for non-commercial use.  So this means if
> you were to GPL or BSD license your program, it would have this
> unfortunately constraint on it.

Yeah, it is GPL.

> Of course, it really depends on the purpose you need the encryption
> for...

It is intended to encrypt both control and data connections on an ftp
communication link.
 
> > I plan to be adding security commands/features to an ftp server I have 
> > programmed.
> 
> Really?  That sounds interesting... how do these new (non-standard
> *cough*) security features work?  Let me know how it goes...

You should have a read of RFC 2228, It describes security extensions for the
FTP protocol. Of course, I will have to modify a client to actually use these
security extensions too.

Beau Kuiper
ekuiperba at cc.curtin.edu.au

> Regards,
> 
> Christian.
> 
> -- 
> Portability is for people who cannot write new programs.
> 				- Linus Torvalds, jokingly, on Linux's
> 				  perceived non-portable design in 1992

More information about the plug mailing list