[ISN] REVIEW: "Brute Force", Matt Curtin

InfoSec News isn at c4i.org
Fri Jun 24 01:25:34 EDT 2005

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade at sprint.ca>

BKBRTFRC.RVW   20050531

"Brute Force", Matt Curtin, 2005, 0-387-20109-2, U$25.00/C$33.50
%A   Matt Curtin http://ergo-sum.us/brute-force/
%C   233 Spring St., New York, NY   10013
%D   2005
%G   0-387-20109-2
%I   Copernicus/Springer-Verlag
%O   U$25.00/C$33.50 800-842-3636, 212-460-1500, fax: +1-212-254-9499
%O  http://www.amazon.com/exec/obidos/ASIN/0387201092/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/0387201092/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   291 p.
%T   "Brute Force: Cracking the Data Encryption Standard"

As the subtitle states, this is the story of the assessment of the
strength (and weakness) of the Data Encryption Standard, particularly
as computer power increased over time.  Specifically, it is the tale
of the formation and development of the DESCHALL operation, one of the
forerunners of distributed.net.  It is not just a story, though:
Curtin tells the tale from a specific social and political
perspective.  An indication of this position is given in the forward,
where John Gilmore reiterates the somewhat questionable assertion that
DES was "deliberately ... flawed."  Although this work does not
address more technical aspects of cryptography, using hyperbolic
arguments such as this may weaken the overall case of the book in
regard to cryptographic censorship.

There are forty-one very short chapters to the book, the first
describing the particular machine that found the key for the first
DESCHALL distributed cracking attempt.  A brief history and background
for cryptography is given in chapter two.

Chapter three outlines the process of transforming Lucifer into DES. 
However, there are numerous errors in the account.  Some are minor. 
(The Data Encryption Standard and the Data Encryption Algorithm are
not equivalent: the algorithm is the engine, while the standard
includes additonal functions for real world operations.)  Other
problems include issues such as the fact that the modification of
S-boxes (the substitution function, which the book refers to as
permutation) is mentioned, while that of the P-boxes (permutation) is
not.  Most references state that the Lucifer version finally submitted
for DES was 70 bit, rather than 112 bit.  It is quite misleading to
say that a 112 bit key is "fifty-six times" as strong as a 56 bit key. 
The Diffie-Hellman objections to the 56 bit key length are not given
in detail, which makes the arguments hard to assess.  Not all the
dates are given, which sometimes creates difficulty in following the
thread.  (In response to a first draft of this review, Curtin has
noted that he has collected a fairly extensive errata for the book,
and hopes to correct the issues in a second edition.)

Chapter four is a rather mixed bag: despite the "Key Length" title, it
touches on various algorithms, cryptanalytic concepts, and other
topics.  (There is a seeming confusion of the Vernam cipher with a
one-time pad, and triple DES is generally considered to have an
effective 112 or 113 bit key, rather than 168, due to the meet-in-the-
middle attack.)  The author's personal involvement with cryptology,
and analysis of the feasibility of cracking cryptosystems, is outlined
in chapters five through eight, culminating in a review of the
possibilities of distributed computing.  The technical, social, and
political factors involved in creating and operating the DESCHALL team
are discussed in chapters nine to thirty-eight.  (It is odd that
explanations of IP addresses almost always use the non-routable
192.168.x.x range.  Specific IP addresses have a depressing tendency
to changeand so non-routable addresses are often used in explanations,
but it seems particularly inappropriate when the subject deals with
identification and location of machines.)  The material is
fascinating, instructive, and even exciting at times.  Interspersed
are mentions of legislative debates and hearings into cryptographic
policy during that time.  Two chapters cover events subsequent to DES
Challenge I, while analysis and lessons learned are reviewed in forty-

The density of errors in the early chapters is unfortunate, since it
is not representative of the work as a whole, and yet it may lead
readers to distrust the facts in the book.  In reality, there are
significant points to be made, not only in terms of cryptography and
public policy, but also in regard to distributed computing itself. 
The book is certainly useful for those interested in the issue of
brute force attacks against cryptographic systems, and is an engaging
read for anyone into technology.

copyright Robert M. Slade, 2005   BKBRTFRC.RVW   20050531

======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca      slade at victoria.tc.ca      rslade at sun.soci.niu.edu
           Keep your perspective: it's all only ones and zeros
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

More information about the ISN mailing list