BKBRTFRC.RVW 20050531

"Brute Force", Matt Curtin, 2005, 0-387-20109-2, U$25.00/C$33.50
%A Matt Curtin http://ergo-sum.us/brute-force/
%C 233 Spring St., New York, NY 10013
%D 2005
%G 0-387-20109-2
%I Copernicus/Springer-Verlag
%O U$25.00/C$33.50 800-842-3636, 212-460-1500, fax: +1-212-254-9499
%O http://www.amazon.com/exec/obidos/ASIN/0387201092/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0387201092/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0387201092/robsladesin03-20
%O Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P 291 p.
%T "Brute Force: Cracking the Data Encryption Standard"

As the subtitle states, this is the story of the assessment of the strength (and weakness) of the Data Encryption Standard, particularly as computer power increased over time. Specifically, it is the tale of the formation and development of the DESCHALL operation, one of the forerunners of distributed.net.

It is not just a story, though: Curtin tells the tale from a specific social and political perspective. An indication of this position is given in the foreword, where John Gilmore reiterates the somewhat questionable assertion that DES was "deliberately ... flawed." Although this work does not address more technical aspects of cryptography, using hyperbolic arguments such as this may weaken the overall case of the book in regard to cryptographic censorship.

There are forty-one very short chapters to the book, the first describing the particular machine that found the key for the first DESCHALL distributed cracking attempt. A brief history and background for cryptography is given in chapter two. Chapter three outlines the process of transforming Lucifer into DES. However, there are numerous errors in the account. Some are minor. (The Data Encryption Standard and the Data Encryption Algorithm are not equivalent: the algorithm is the engine, while the standard includes additional functions for real world operations.)
Other problems include issues such as the fact that the modification of S-boxes (the substitution function, which the book refers to as permutation) is mentioned, while that of the P-boxes (permutation) is not. Most references state that the Lucifer version finally submitted for DES was 70 bit, rather than 112 bit. It is quite misleading to say that a 112 bit key is "fifty-six times" as strong as a 56 bit key. The Diffie-Hellman objections to the 56 bit key length are not given in detail, which makes the arguments hard to assess. Not all the dates are given, which sometimes creates difficulty in following the thread. (In response to a first draft of this review, Curtin has noted that he has collected a fairly extensive errata for the book, and hopes to correct the issues in a second edition.)

Chapter four is a rather mixed bag: despite the "Key Length" title, it touches on various algorithms, cryptanalytic concepts, and other topics. (There is a seeming confusion of the Vernam cipher with a one-time pad, and triple DES is generally considered to have an effective 112 or 113 bit key, rather than 168, due to the meet-in-the-middle attack.)

The author's personal involvement with cryptology, and analysis of the feasibility of cracking cryptosystems, is outlined in chapters five through eight, culminating in a review of the possibilities of distributed computing.

The technical, social, and political factors involved in creating and operating the DESCHALL team are discussed in chapters nine to thirty-eight. (It is odd that explanations of IP addresses almost always use the non-routable 192.168.x.x range. Specific IP addresses have a depressing tendency to change, and so non-routable addresses are often used in explanations, but it seems particularly inappropriate when the subject deals with identification and location of machines.) The material is fascinating, instructive, and even exciting at times.
Interspersed are mentions of legislative debates and hearings into cryptographic policy during that time.

Two chapters cover events subsequent to DES Challenge I, while analysis and lessons learned are reviewed in forty-one.

The density of errors in the early chapters is unfortunate, since it is not representative of the work as a whole, and yet it may lead readers to distrust the facts in the book. In reality, there are significant points to be made, not only in terms of cryptography and public policy, but also in regard to distributed computing itself. The book is certainly useful for those interested in the issue of brute force attacks against cryptographic systems, and is an engaging read for anyone into technology.

copyright Robert M. Slade, 2005