
Ubuntu to store copies of all users' address books

Here's an interesting note from Canonical's Elliot Murphy, noting that CouchDB 0.10.0 has been loaded into the nearly-ready "Karmic" release. It seems they have big plans for how they plan to use it: "[B]y the time Ubuntu 9.10 is released on October 29th every single Ubuntu user will have an address book stored in CouchDB that replicates with one.ubuntu.com, and Tomboy notes that are replicated via a web API at the application but then stored in CouchDB and carried along in the CouchDB replication that we have set up. Optionally they can also store all their Firefox bookmarks in CouchDB and have those replicated as well. We'll be doing our best to help teach application developers to use CouchDB in order to 'cloud-enable' their apps."

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:13 UTC (Wed) by jengelh (subscriber, #33263) [Link]

No thanks. God knows what they do with the data. (I.e. same critique as GMail initially got.)

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 18:47 UTC (Wed) by sbergman27 (guest, #10767) [Link]

Many (most?) people *radically* overestimate the value of their incredibly boring and useless "personal data". Credit card numbers, sure. SSN's... well... maybe. The rest is wishful thinking on our parts, fantasizing that we are in some way important.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 19:01 UTC (Wed) by alextingle (guest, #20593) [Link]

That's simply untrue. A very simple name/address/telephone number data-set can be sold for tens
of dollars per row.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 19:24 UTC (Wed) by sbergman27 (guest, #10767) [Link]

That's funny. Then the phone book that different entities leave on my doorstep a few times a year must be worth millions, at least.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 20:34 UTC (Wed) by dambacher (subscriber, #1710) [Link]

Yes! That's why some firms have some Indian people tapping everything in again... because that's cheaper

Ubuntu to store copies of all users' address books

Posted Oct 15, 2009 15:00 UTC (Thu) by jengelh (subscriber, #33263) [Link]

They do not even need to tap it in; since it's not handwritten, OCR should do.

Ubuntu to store copies of all users' address books

Posted Oct 16, 2009 19:58 UTC (Fri) by mmahut (guest, #45550) [Link]

Not really, I'm sure many head hunters would love to have my address book which is full of specific targets, mostly of colleagues and friends with the same technical/career orientation.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 21:43 UTC (Wed) by gjost (guest, #60613) [Link]

Would you mind posting your name/address/phone/email and other "useless" information to this comment thread, along with the info for your loved ones, and your friends, and any business associates? Please categorize them according to whatever labeling/grouping system you use in your inbox. Thx!

Ubuntu to store copies of all users' address books

Posted Oct 15, 2009 4:02 UTC (Thu) by rahvin (subscriber, #16953) [Link]

While you are at it, include all your bookmarks so your hobbies and interests can be indexed and categorized and targeted advertising delivered.

Ubuntu to store copies of all users' address books

Posted Oct 15, 2009 5:10 UTC (Thu) by lacostej (guest, #2760) [Link]

To me, targeted advertising is signal out of the random advertising noise...

Ubuntu to store copies of all users' address books

Posted Oct 16, 2009 10:32 UTC (Fri) by cas (subscriber, #52554) [Link]

to me, blocking spam and ignoring/filtering advertising is extracting the tiny signal from all the noise.

if i want to buy something, i'll go looking for it. until then, i DO NOT WANT TO HEAR ABOUT IT. EVEN IF IT'S EXACTLY THE KIND OF THING I MIGHT WANT.

ads have one of two different effects on me:

1. i ignore them, filter them out, just plain don't notice them.

2. if they get past my mental filter, it's invariably because they're excruciatingly annoying or offensive. that product and company gets blacklisted by me, instantly, until i forget the annoyance (usually permanent because i have a good memory).

the creepiness factor of targeted advertising definitely qualifies as offensive for these purposes. that results in not only the product/company being boycotted but also whoever they got my details from - e.g. if it was a company i've bought from in the past, i am instantly and permanently an ex-customer.

from my POV, all advertising is spam (because 1. it drowns out the signal and 2. it's unsolicited - i *never* ask for advertising) and i don't want any of it. email spam, phone spam, tv spam, door-knocking spam, political spam, religious spam, pamphlet and flyer spam, billboard and other street spam - it's all the same, it's all just spam.

Ubuntu to store copies of all users' address books

Posted Oct 15, 2009 4:25 UTC (Thu) by lysse (guest, #3190) [Link]

But nor do I particularly want to give anyone else the opportunity to examine in forensic detail just how sad and featureless my life is...

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:15 UTC (Wed) by rfunk (subscriber, #4054) [Link]

Because that's what every Ubuntu user has always wanted: Canonical having a
copy of their contacts list.

Wow. Someone just didn't think this through.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:56 UTC (Wed) by whacker (guest, #55546) [Link]

Calm down people!

Obviously they will need to get the user to register with the service first!

And if this turns out to be a good idea, then general frameworks will be
created which can support multiple service providers etc.

If this idea succeeds, not only will Canonical have made a revenue stream for
itself, I imagine everybody else will try to copy it. No one will ever accuse
the GNU/Linux desktop of not being innovative again!

Good luck.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 19:49 UTC (Wed) by Kit (guest, #55925) [Link]

>No one will ever accuse the GNU/Linux desktop of not being innovative again!

It doesn't really seem that innovative at all to me. MobileMe from Apple has been doing this and more for quite a long time, and there have been other services to sync various things (many for file storage, address books, etc).

I'll take privacy over innovation

Posted Oct 14, 2009 21:53 UTC (Wed) by coriordan (guest, #7544) [Link]

When I sit down at my computer, I don't think to myself "Oh, I hope the applications I'm using are innovative".

My privacy, on the other hand, is something I do think about.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:26 UTC (Wed) by ccchips (guest, #3222) [Link]

All I wanted was a system I could use to compose music.

I don't get it.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:28 UTC (Wed) by msebast (guest, #57130) [Link]

I sure hope this is disabled on a default install. One of the reasons I use Linux is to avoid this kind of crap... Do I need to plan a transition to Debian?

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 21:54 UTC (Wed) by coriordan (guest, #7544) [Link]

No. You can transition without planning :-)

Ubuntu to store copies of all users' address books

Posted Oct 15, 2009 1:36 UTC (Thu) by sitaram (subscriber, #5959) [Link]

awesome... I hate to decrease SNR on LWN, but this was a fantastic one-liner :)

Ubuntu to store copies of all users' address books

Posted Oct 15, 2009 12:46 UTC (Thu) by sourcejedi (guest, #45153) [Link]

From experience, I don't recommend it though :-). There's another one-liner that goes 'Ubuntu is African for "person who cannot configure Debian"'. You have to plan on spending some time up-front on configuration.

E.g. on Ubuntu, setting automatic updates works out of the box. On Debian, "anacron" isn't part of the default desktop task (only the laptop one). If you turn your computer off to save your electricity bill, it won't pick up the updates at midnight or whenever they are scheduled for. You need "anacron" to catch up on the scheduled task(s) which you "missed" while the computer was turned off.

-
Back on-topic... this sounds really ignorant to me. Mozilla have already shown you can do sync with encryption, (it's a labs project called Weave); there's no need to pass the server my personal data in plaintext.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:40 UTC (Wed) by days_of_ruin (guest, #58404) [Link]

I don't really understand what this means, it sounds like the user's address
book has a copy stored in Ubuntu One. I don't see Canonical having access to
it just like they don't have access to your files stored in U1.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 18:00 UTC (Wed) by rfunk (subscriber, #4054) [Link]

How do you figure that they don't have access to your files in U1? It's
their disk space!

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:40 UTC (Wed) by flewellyn (subscriber, #5047) [Link]

If it's opt-in, and used only as a form of backup, that's fine.

If it's opt-out, or worse, not optional, that's not fine. They need to clarify this.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:52 UTC (Wed) by jhigdon (guest, #16261) [Link]

he did clarify; and even said which part is optional.

We're putting the final touches on the server side of
https://one.ubuntu.com and by the time Ubuntu 9.10 is released on
October 29th every single Ubuntu user will have an address book stored
in CouchDB that replicates with one.ubuntu.com, and Tomboy notes that
are replicated via a web API at the application but then stored in
CouchDB and carried along in the CouchDB replication that we have set
up. Optionally they can also store all their Firefox bookmarks in
CouchDB and have those replicated as well

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 18:01 UTC (Wed) by bboissin (subscriber, #29506) [Link]

Using Ubuntu One is optional (the applet doesn't seem to be launched by
default, and you need to login on launchpad for it to be active, ...).

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:53 UTC (Wed) by raven667 (subscriber, #5198) [Link]

Ubuntu One is a subscription service to allow you to back up files, view them
online and sync them between multiple computers. It really looks like a
similar service to Apple's MobileMe. I'm having trouble logging in at the
moment so I can't check to see if this costs money but it certainly requires
a Launchpad account and is very unlikely to automatically subscribe you.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 17:56 UTC (Wed) by raraavis (guest, #7387) [Link]

Hi! Elliot Murphy here. It seems I was overenthusiastic when sending that email to the couchdb dev list, and left out an important word: 'can' be replicated :)

Ubuntu 9.10 will have an address book in Evolution called "Ubuntu One". Users may choose to store contacts there, and other tools such as Macaco Contacts and Akonadi are integrating with the same data store. I hope this will enable some progress on a cross-desktop unified address book on Linux. Optionally, users may choose to subscribe to the Ubuntu One service, and replicate their files and contacts database to one.ubuntu.com. The service has a free plan with 2GB of storage space, so I consider that as being available to every single Ubuntu user. It's totally optional though. At some point, we'll also be offering over-the-air syncing of the contacts in the cloud with your mobile phone, and I think round-trip syncing of contacts between your phone, your linux desktop, and the web is something that many people will enjoy.

If people don't want to use the cloud, that's totally understandable. I think some portion of the userbase will always want to avoid cloud services, preferring instead to keep all their data under their own direct control. One of the reasons I'm excited about using CouchDB for this system is that at last we don't have to force people to choose between replicated convenience and maintaining total control over their data. It's also easy for a user to set up peer-to-peer replication of their CouchDB to their own machines without going through Canonical servers at all. There is even a little GUI tool to make this easier in the desktopcouch-tools package.

Sorry to have alarmed people, I hope this explains things a bit better. I'm always interested in hearing feedback about how to make the design better, and I'm very passionate about designing cloud services that provide much more user autonomy than the current common practice, while also providing a lot of user convenience that makes so many cloud services appealing. The ubuntuone-users mailing list is a great place to send feedback, and can be found here: https://launchpad.net/~ubuntuone-users

cheers!

Thanks!

Posted Oct 14, 2009 18:10 UTC (Wed) by rfunk (subscriber, #4054) [Link]

Thank you for the clarification!

I know how tough it can be to remember that, as cool and exciting as
something may be, some people may not want it.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 18:19 UTC (Wed) by BeS (subscriber, #43108) [Link]

>I'm always interested in hearing feedback about how to make the design better, and I'm very passionate about designing cloud services that provide much more user autonomy than the current common practice, while also providing a lot of user convenience that makes so many cloud services appealing.

One possibility would be to encrypt the data locally and store them encrypted in the cloud. This would make sure that only the user can read the data. Of course this would add some extra work for the user: Distribute the key on all clients and take care of the key. But I think it would be good to have this possibility at least as an option for people who want real privacy while using the cloud.

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 19:14 UTC (Wed) by zooko (subscriber, #2589) [Link]

Tahoe-LAFS (which also comes with Karmic) automatically encrypts all data stored in it. It has a
novel approach to ease the pain of key-management, which is the critical stumbling block for such
ideas. http://allmydata.org

It's not perfect, but I think it is better than any current alternative.

Regards,

Zooko

Yes, encryption option would solve all problems

Posted Oct 14, 2009 22:04 UTC (Wed) by coriordan (guest, #7544) [Link]

I'm also interested to hear if this has been discussed.

Ubuntu to store copies of all users' address books

Posted Oct 15, 2009 9:51 UTC (Thu) by jamesh (guest, #1159) [Link]

One of the planned offerings is mobile synchronisation (via the SyncML found in most handsets capable of synchronisation). I'm not sure how client side encryption would work with that.

But all the client code is free software, so if you didn't care about the mobile sync feature you could implement something like this.

Ubuntu to store copies of all users' address books

Posted Oct 15, 2009 15:57 UTC (Thu) by zooko (subscriber, #2589) [Link]

Hm, actually Tahoe-LAFS might fit into that use case pretty well... But again I'm pushing my own
idea here when this thread is about Canonical's UbuntuOne. If you are interested in exploring
privacy-compatible storage and sync then maybe join the tahoe-dev mailing list. :-)

Regards,

Zooko

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 19:51 UTC (Wed) by jspaleta (subscriber, #50639) [Link]

Can you explain how the communication between local applications and the local couchdb works?

Is there a daemon running by default that brokers communication between the local applications like evolution and the local couch? Is this communication driven through D-BUS.. or is there a local unix socket or tcp port opened as part of the desktop session?

-jef

Ubuntu to store copies of all users' address books

Posted Oct 14, 2009 20:19 UTC (Wed) by james_w (subscriber, #51167) [Link]

"Can you explain how the communication between local applications and the
local couchdb works?"

https://launchpad.net/desktopcouch

"Is there a daemon running by default that brokers communication between
the local applications like evolution and the local couch? Is this
communication driven through D-BUS.. or is there a local unix socket or tcp
port opened as part of the desktop session?"

desktopcouch runs a couchdb for each user session. It's started by D-Bus
activation, so only running if something uses it.

couchdb is a webservice, so communication is then using HTTP.

Thanks,

James

Howto fix the problem:

Posted Oct 14, 2009 21:49 UTC (Wed) by drag (subscriber, #31333) [Link]

The way you get around this syncing and lingering re and fear about handing
over personal information to a corporation is through encryption.

That is the data is encrypted on the client prior to being sent up into the
"cloud".

Very simple, very effective and should quell people's fear. AES256 should be
plenty. Maybe optional 2-factor encryption for those that are very paranoid.

Howto fix the problem:

Posted Oct 14, 2009 23:42 UTC (Wed) by gdt (subscriber, #6284) [Link]

Even with encryption, traffic analysis can still reveal information you'd rather keep private.

Howto fix the problem:

Posted Oct 15, 2009 0:11 UTC (Thu) by drag (subscriber, #31333) [Link]

Like what? That I use Evolution or not? How much information I feel like
backing up?

I really doubt there is much useful information that anybody could glean from
syncing to an online backup share other than the location of the firewall I
was operating behind at the time I did my last sync.

Traffic analysis can surprise

Posted Oct 15, 2009 2:27 UTC (Thu) by jreiser (subscriber, #11027) [Link]

The date and time of contact with the database are useful to those who might want to track you and those with whom you communicate. A Snoop can learn a lot by correlating that data with all the other data that is available. Many times the result is "only" classification into broad categories, but sometimes a very specific inference can be drawn.

Traffic analysis can surprise

Posted Oct 15, 2009 4:15 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

if someone is after you specifically, _anything_ you do can be significant.

however, if someone is not after you specifically, but is just after things that they can sell, it becomes much easier to have reasonable defenses

"I don't have to outrun the bear, I just have to outrun you"

with "you" being enough other users that the bad guys don't get around to bothering with me.

yes, this is security by obscurity, and if someone decides to go after you it doesn't help much, but the reality is that for the vast majority of people this really is good enough.

Howto fix the problem:

Posted Oct 15, 2009 1:19 UTC (Thu) by msebast (guest, #57130) [Link]

Yes. Encryption should be part of the marketing message. Make it clear that the only thing Canonical knows is that you stored some data and they can't tell what's in there.

I guess Elliot Murphy's email was intended for people who already know what couchDB is.

I've heard about couchDB a few times but never seen any mention of encryption. So I've always assumed this is something I don't want and didn't investigate further.

Howto fix the problem:

Posted Oct 15, 2009 2:18 UTC (Thu) by drag (subscriber, #31333) [Link]

Yeah. I don't think that couchdb does any sort of encryption either.

I am very uninterested in any sort of "cloud" backup scheme that does not
integrate encryption on the client side.

Why? (a person may ask) A few reasons. Whether or not a person should trust
a third party corporation is entirely up to debate... when the encryption
is on the client side then it is not a matter of debate; whether you trust
them or not is irrelevant.

The other thing is that it makes storage side a lot cheaper and a lot
easier to implement. I don't have to worry so much about security... An
attacker could break the system and corrupt my data, but there is no
information leakage possible. So while things like TLS and hashing of the
data is important from an identity management and data integrity point of
view it is entirely unimportant to prevent things like identity theft or
whatever. The worst thing that could possibly happen is a DOS attack.

This makes things cheaper; I only have to keep a database of hashes and
check those periodically and authenticate writes, but reads can be done by
anybody and I wouldn't really care... so data preservation techniques like
"lots of copies all over the place" is easy to implement and can be spread
out over lots of organizations without having to care exactly what those
organizations are doing.

As you can imagine that if I was a third party provider of storage that
this sort of approach would massively reduce the amount of headaches I have
to deal with.
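The provider-side bookkeeping this comment describes (a database of hashes, authenticated writes, periodic checks, untrusted copies in many places) can be sketched as follows. This is an added example, not code from the thread or from Ubuntu One; the `Manifest` class, the shared write key and the replica names are hypothetical, and random bytes stand in for data the client has already encrypted.

```python
import hashlib
import hmac
import os


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_tag(write_key: bytes, blob_id: str, digest: str) -> str:
    """MAC over (blob id, ciphertext hash); proves the writer holds write_key."""
    return hmac.new(write_key, f"{blob_id}:{digest}".encode(), hashlib.sha256).hexdigest()


class Manifest:
    """The only trusted state: blob id -> SHA-256 of the ciphertext."""

    def __init__(self, write_key: bytes):
        self._write_key = write_key
        self.digests = {}

    def accept_write(self, blob_id: str, ciphertext: bytes, tag: str) -> bool:
        """Record a new blob hash only if the write is authenticated."""
        digest = _sha256(ciphertext)
        if not hmac.compare_digest(write_tag(self._write_key, blob_id, digest), tag):
            return False
        self.digests[blob_id] = digest
        return True

    def _verifies(self, store: dict, blob_id: str) -> bool:
        blob = store.get(blob_id)
        return blob is not None and _sha256(blob) == self.digests[blob_id]

    def audit(self, replicas: dict) -> dict:
        """Periodic check: {replica name: [blob ids missing or corrupted]}."""
        report = {}
        for name, store in replicas.items():
            bad = [bid for bid in sorted(self.digests) if not self._verifies(store, bid)]
            if bad:
                report[name] = bad
        return report

    def repair(self, replicas: dict) -> int:
        """Overwrite bad copies from any replica whose copy still verifies."""
        repaired = 0
        for name, bad in self.audit(replicas).items():
            for bid in bad:
                good = next((s[bid] for s in replicas.values() if self._verifies(s, bid)), None)
                if good is not None:
                    replicas[name][bid] = good
                    repaired += 1
        return repaired


def demo():
    key = b"constructed-write-key"          # constructed sample value
    manifest = Manifest(key)
    # Untrusted copies "all over the place"; anybody may read them.
    replicas = {"provider-a": {}, "provider-b": {}, "provider-c": {}}
    blob = os.urandom(64)                   # stands in for client-side ciphertext
    accepted = manifest.accept_write("contacts", blob, write_tag(key, "contacts", _sha256(blob)))
    for store in replicas.values():
        store["contacts"] = blob
    # A write without a valid tag must not change the manifest.
    forged = manifest.accept_write("contacts", b"unauthorised data", "00" * 32)
    # One replica flips a bit, another loses the blob entirely.
    replicas["provider-b"]["contacts"] = blob[:-1] + bytes([blob[-1] ^ 1])
    del replicas["provider-c"]["contacts"]
    before = manifest.audit(replicas)
    repaired = manifest.repair(replicas)
    return accepted, forged, before, repaired, manifest.audit(replicas)


if __name__ == "__main__":
    print(demo())
```

Confidentiality here rests entirely on the client's encryption; the manifest only provides integrity and lets damaged copies be detected and restored.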

Howto fix the problem:

Posted Oct 15, 2009 4:09 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

the only issue with encrypting the data before you send it up to the cloud is where you store your encryption keys.

if you lose those keys you lose your data, so it does no good to store your data in multiple places if your keys only exist on one machine.

for many people who do not have good ways to store the keys, they are actually better off in many ways with the data in the clear so that they can pull it back down to a replacement machine if something happens to the first one.

yes, this is not good from a security point of view, but in this case the security risks need to be balanced against the availability risks. which one is more important will vary from person to person.

Howto fix the problem:

Posted Oct 15, 2009 5:33 UTC (Thu) by drag (subscriber, #31333) [Link]

For important things I write down my passwords and put them in my wallet.
Then I also save another copy somewhere else.

The choice is simple really.

Do you want to keep track of a password..
or depend on the security of every machine in Canonical, every workstation
in the data center that people come into contact with that people use to
access administrative portions of the "cloud"? Do you want to trust the
security of every machine on the cloud? Do you want to trust every
employee, every administrator, every janitor that has access to the machines
that house your data?

All in all it is a massive undertaking trying to keep data safe and
secure for what will be practically forever if you take the approach that
users should take no responsibility for their data!

And it's a hugely expensive undertaking, to boot. It is virtually impossible
to do in a correct manner if you think about it.

Meanwhile if your job is to handle already encrypted data then it is much
simpler. You could post your customer's data to craigslist and not have to
worry about it.

It is not difficult to print out copies of your keys into ascii armor
format and put a hard copy in a secure place. People do that shit all the
time with all sorts of documents. They rent out lock boxes in banks, go and
get fire-proof safes at Walmart for 50 bucks, and all sorts of stuff like
that.

(and, frankly, the notion that you should never write down your passwords
or create hard copies of your keys is one of the worst pieces of security
"common sense" I have had the misfortune to run into over and over again.)

If you value your data and want to be able to use Ubuntu's cloud service
for anything other than a toy or a cheap way to sync address books then
client-side encryption is just the obvious way to go from my perspective.
I could be wrong, but it makes sense to me.

Howto fix the problem:

Posted Oct 15, 2009 7:22 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

do you want to run the risk of losing everything if you lose the password? or are you willing to take the risk that someone will break in through the Canonical security, download your data, dig through it to find something interesting, and take action on it?

I would not use their service personally (I would do the client-side encryption and keep track of the key), but I know a lot of users who I would recommend use something like this so that when they trash their system badly enough that they need to reinstall their systems they will still have their data. Many of these users have trouble remembering one password for their system, let alone taking appropriate actions to protect an encryption key.

Howto fix the problem:

Posted Oct 15, 2009 8:02 UTC (Thu) by ekj (guest, #1524) [Link]

I have a laptop, it does backups to a fileserver in the basement. It also does encrypted backups to a backup-service on the internet. The latter is there for the case that our house is burglarised, or burns down, or some other disaster destroys BOTH laptop AND fileserver at the same time.

And yes, if that happens AND I've forgotten the password for the encryption, it's acceptable for me to suffer data-loss. We're talking minuscule probabilities here. (I'd have to forget the password I use for logging in every day at the precise same time that something catastrophic happens at home. That's a level of risk that is entirely acceptable to me.)

Sending my entire digital world to some random company on the internet, for them and anyone that acquires, breaks into, subpoenas or otherwise gains access to their servers? No thank you, not interested.

Howto fix the problem:

Posted Oct 15, 2009 17:39 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

you are not the common case (neither am I), we can and do take steps like this so that we do not have a single point of failure.

we also don't need a service like this because we can replicate and protect things ourselves.

this service is intended for people who otherwise are not backing things up, let alone replicating an encryption key for the backup.

Howto fix the problem:

Posted Oct 15, 2009 13:19 UTC (Thu) by sourcejedi (guest, #45153) [Link]

Won't help. They still need their launchpad password.

If you can trust someone to hold your launchpad password in escrow, you can surely trust them to do the same with your encryption password.

In practice, I suspect you can just reset your launchpad password by email. So you have to rely on your ISP resetting your email password when you forget _that_. And that they don't go bust or disconnect you for using too much bandwidth making online backups :-)...

Yes, many people are likely to accept this service given the choice. But this is a pretty low bar to pass. We can and should do better.

Howto fix the problem:

Posted Oct 15, 2009 16:23 UTC (Thu) by drag (subscriber, #31333) [Link]

> do you want to run the risk of losing everything if you lose the
> password? or are you willing to take the risk that someone will break in
> through the Canonical security, download your data, dig through it to find
> something interesting, and take action on it?

It is easy to keep a password or key safe. Print it out into a hard copy
and put it in a secure place with the rest of my critical documentation
(automobile title, birth certificate, mortgage information, etc etc)

Then it is win on both sides. As long as you make it absolutely known that
Canonical has no knowledge and cannot ever retrieve the password for you
then I think that is acceptable.

I suppose if customers trust Canonical then they can just send them the
key/password to keep track of. It would be a lot easier to keep that safe
than a "cloud".

Howto fix the problem:

Posted Oct 15, 2009 17:37 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

you would be amazed at the number of people who do not protect their important documents like this.

Howto fix the problem:

Posted Oct 15, 2009 10:14 UTC (Thu) by nix (subscriber, #2304) [Link]

If the encryption key is relatively 'bare' (i.e. it's not made clear in the keyfile what service's data it's encrypting), just keep the encryption key on a USB key. Even if you drop it on a train, nobody who picks it up will have a clue what it's meant to decrypt.

(Now everyone else can tell me how stupid this idea is.)

Howto fix the problem:

Posted Oct 15, 2009 16:33 UTC (Thu) by drag (subscriber, #31333) [Link]

I save my important passwords on a LUKS-encrypted SD card. (it is small and
fits in my wallet and my laptops have SD support)

The LUKS password is relatively simple (plain English phrase), but it
should be enough to protect it if I drop it somewhere.

When you plug it into a Linux Gnome desktop it automatically prompts you for
the password and opens up the folder for you. So it is very convenient.

I can't recommend this approach to normal folks because it only works if
you plug it in rarely. If you leave it plugged in all the time then it is
no better than having it in a folder.

But what is better (in terms of security) would be to print out keys into
ascii armor format or write down passwords to a hard copy. That way they
are impossible to hack! A person would have to physically break into my
house and search through my drawers and filing tower to find it.

Howto fix the problem:

Posted Oct 15, 2009 17:36 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

and a flood or fire would destroy your printout as well as your computer.

Howto fix the problem:

Posted Oct 15, 2009 11:06 UTC (Thu) by endecotp (guest, #36428) [Link]

> I am very uninterested in any sort of "cloud" backup
> scheme that does not integrate encryption on the client
> side.

Does anyone know how to get rsync-like functionality with the data at the other end stored encrypted?

I currently use rsync over ssh for some of my backups, so the data is encrypted on the wire but unencrypted on the remote disk. When I set this up I tried to find a way of storing the remote copy encrypted without losing rsync's efficient incremental transfers, but I didn't find anything satisfactory. Any ideas?

Check out Tarsnap

Posted Oct 15, 2009 12:26 UTC (Thu) by fghorow (subscriber, #5229) [Link]

From Colin Percival, the (Free?)BSD Security officer.

Just a happy user of the service.

(Be aware, it is a *for a fee* service, but the micropayments are truly micro!)

Howto fix the problem:

Posted Oct 15, 2009 13:09 UTC (Thu) by sourcejedi (guest, #45153) [Link]

Try encfs + rsync. Encfs will encrypt both file content and names. (It won't hide filesizes, directory topology, permissions, and the approximate _lengths_ of filenames).

http://ubuntuforums.org/showthread.php?t=148600

Howto fix the problem:

Posted Oct 15, 2009 16:01 UTC (Thu) by zooko (subscriber, #2589) [Link]

Tarsnap seems like a well-engineered system, from reading the author's blog, but as far as I know
the server-side code is proprietary. The Tahoe-LAFS project (I'm a contributor) has excellent
encryption and erasure-coding features and if you like duplicity you can use Tahoe-LAFS as a
backend for duplicity. Also Tahoe-LAFS comes with its own integrated backup system which has
different trade-offs than the duplicity backend. (Duplicity does deltas for you, but you can't view or
download your files without going through duplicity. The Tahoe-LAFS integrated backup doesn't do
deltas, but it stores the files in a time-machine-style layout which you can browse and download
through the web.)

AES security

Posted Oct 15, 2009 8:25 UTC (Thu) by job (guest, #670) [Link]

If you are paranoid you should use AES128 instead of 256 as there are indications that the larger key isn't diffused properly.

AES security

Posted Oct 16, 2009 7:40 UTC (Fri) by brouhaha (subscriber, #1698) [Link]

I'm sufficiently paranoid that I much prefer 3DES to either AES128 or AES256. AES hasn't been subjected to anywhere near the amount of cryptanalysis as DES. If I didn't think 112 bits of key was enough to withstand brute-force attacks, I'd use two rounds of 3DES with different sets of keys (6DES).

AES security

Posted Oct 16, 2009 13:02 UTC (Fri) by pharm (guest, #22305) [Link]

Just using the same encryption algorithm twice with two different keys of size N does not increase
the exhaustive search time from 2^n to 2^2n, thanks to meet-in-the-middle attacks, which reduce
the time to 4^n. IOW in return for doubling your key size you've increased the search time by a
factor of 2: That doesn't seem a good tradeoff.

Leave designing encryption algorithms to the experts: Personally, I know just enough to know that I
don't know anything like enough to start designing my own encryption schemes.

AES security

Posted Oct 16, 2009 19:22 UTC (Fri) by brouhaha (subscriber, #1698) [Link]

The meet in the middle attack reduces the time from 2^(2n) to 2^(n+1). This is why 3DES (even with 168 bits of keying) only effectively gives 112 bits of security. That's why I didn't propose 4DES, which wouldn't have any improvement in security over 3DES. However, my proposed 6DES would give 168 bits of security, or 8DES would give 224, etc. 6DES has the advantage that you can use an existing 3DES implementation twice.

However, that's just the time complexity. The meet in the middle attack also requires storage for 2^n blocks, which is obviously not available for n=112, let alone larger values of n.
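The cost figures in the comment above (about 2^(n+1) cipher operations and 2^n stored blocks to search a doubly encrypted keyspace, instead of 2^(2n) operations) can be checked at toy scale. This is an added example, not part of the original thread; the 16-bit Feistel cipher, the 12-bit key size and the sample keys and plaintexts are all constructed for illustration and have nothing to do with DES or AES internals.

```python
from collections import defaultdict

KEY_BITS = 12                  # n: bits per key, kept tiny so the demo runs instantly
KEYSPACE = 1 << KEY_BITS
ROUNDS = 4


def _subkey(key: int, rnd: int) -> int:
    """Derive an 8-bit round key from the n-bit key (toy key schedule)."""
    return ((key >> (2 * rnd)) ^ (key << rnd) ^ (0x3B * (rnd + 1))) & 0xFF


def _f(half: int, subkey: int) -> int:
    """Feistel round function; it does not need to be invertible."""
    x = ((half ^ subkey) * 0x9D + 0x3B) & 0xFF
    return x ^ (x >> 3)


def encrypt(key: int, block: int) -> int:
    """Toy 16-bit block cipher: 4-round Feistel network on two 8-bit halves."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, _subkey(key, rnd))
    return (left << 8) | right


def decrypt(key: int, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _subkey(key, rnd)), left
    return (left << 8) | right


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """Same cipher applied twice with two independent n-bit keys."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) candidates from known plaintext/ciphertext pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    cipher_ops = 0

    # Forward half: store E_k1(p0) for every k1. This is the 2^n block table.
    table = defaultdict(list)
    for k1 in range(KEYSPACE):
        table[encrypt(k1, p0)].append(k1)
        cipher_ops += 1

    # Backward half: D_k2(c0) for every k2, looked up in the table.
    candidates = []
    for k2 in range(KEYSPACE):
        middle = decrypt(k2, c0)
        cipher_ops += 1
        for k1 in table.get(middle, ()):
            # Chance collisions on a 16-bit block are filtered by the other pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))

    return {
        "candidates": candidates,
        "cipher_ops": cipher_ops,                       # 2^(n+1), excluding filtering
        "stored_blocks": sum(len(v) for v in table.values()),  # 2^n
        "brute_force_ops": KEYSPACE ** 2,               # 2^(2n) for comparison
    }


def demo():
    secret = (0xA5C, 0x3E1)                             # constructed sample keys
    plaintexts = [0x0000, 0x1234, 0xBEEF]               # constructed known plaintexts
    pairs = [(p, double_encrypt(*secret, p)) for p in plaintexts]
    return secret, meet_in_the_middle(pairs)


if __name__ == "__main__":
    secret, result = demo()
    print("secret keys recovered:", secret in result["candidates"])
    print("cipher operations:", result["cipher_ops"], "vs brute force", result["brute_force_ops"])
    print("stored blocks:", result["stored_blocks"])
```

With n = 12 the table holds 4096 blocks; the storage term grows as 2^n, which is the practical limit the comment points out for n = 112.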

AES security

Posted Oct 16, 2009 20:08 UTC (Fri) by ABCD (subscriber, #53650) [Link]

> Just using the same encryption algorithm twice with two different keys of
> size N does not increase the exhaustive search time from 2^n to 2^2n,
> thanks to meet-in-the-middle attacks, which reduce the time to 4^n.

I think there is a mistake somewhere in there, because 2^(2n) = (2^2)^n = 4^n.

AES security

Posted Oct 18, 2009 16:08 UTC (Sun) by pharm (guest, #22305) [Link]

Yes, a thinko on my part.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds