How secure is Kong?

Kong uses widely used and widely known algorithms that have long withstood attack from the world's greatest cryptographers, and it uses them with key lengths long enough to withstand any brute force attack, even a brute force attack by a major superpower on an issue vital to national security.

Of course none of that will help you if the adversary gets to your computer and finds the clear text, or gets to your computer, finds your secret file, and guesses your passphrase.

If you use a reasonably lengthy passphrase, even someone who steals your computer should not be able to decrypt messages sent to you. However, you may well have copies of those messages stored on your disk in the clear, in which case Kong is no help to you whatever should someone seize your computer. Should you receive anything that you really do not want others to discover, do not store it in the clear.

If you use a secret file with a short passphrase, or no passphrase at all, then anyone who steals your computer, or has access to your computer, can decrypt your messages and forge your signature, but no one can forge your signature or decrypt your messages without access to your computer.

If you fear your adversary may have access to your computer, you will need a passphrase capable of resisting a dictionary attack. To resist a dictionary attack, a passphrase needs to be quite long. If it is an ordinary English sentence, it should be at least sixty characters long.


How strong are Kong's keys and cryptography algorithms?

I have everywhere employed widely used, widely known, and widely studied codes, and given them longer key length than is usual.

The standard symmetric encryption algorithm used almost everywhere by just about everyone is RC4, the same algorithm that is called Arc4 in some situations in order to avoid lawsuits.

Most people use 128-bit Arc4. I use 160 bits, though it hardly makes any difference, for no one can break 128 bits by brute force. Indeed, 128 bits is already overkill. Governments can break forty-bit Arc4, but forty bits are enough to stop most private individuals, though not a wealthy and determined one.
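The passphrase advice above and the key lengths in this answer can be put on one scale. The following is an added example, not part of Kong or of the original page; the function names, the entropy rate for English (Shannon's estimate of 0.6 to 1.3 bits per character) and the guess rate of one billion per second are assumptions.

```python
# Added example: passphrase strength versus the key sizes named on this page.
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumption: Shannon's 1951 estimate of 0.6 to 1.3 bits of entropy per
# character for ordinary English text. Real sentences vary.
ENGLISH_BITS_PER_CHAR = (0.6, 1.3)

# Assumption: a constructed attacker speed, not a figure from the page.
GUESSES_PER_SECOND = 1e9


def sentence_entropy_bits(passphrase):
    """(low, high) entropy estimate if the passphrase is an English sentence."""
    low, high = ENGLISH_BITS_PER_CHAR
    return len(passphrase) * low, len(passphrase) * high


def years_to_search(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Average years to find a secret with `bits` of entropy (half the space)."""
    return 2.0 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def assess(passphrase, key_bits=160, min_chars=60):
    """Report whether the passphrase or the key is the easier target."""
    low, high = sentence_entropy_bits(passphrase)
    return {
        "chars": len(passphrase),
        "bits": (low, high),
        "years": (years_to_search(low), years_to_search(high)),
        "meets_sixty_chars": len(passphrase) >= min_chars,
        # Even the optimistic estimate below the key size means an attacker
        # holding the secret file attacks the passphrase, not the cipher.
        "weakest_link": "passphrase" if high < key_bits else "key",
    }


if __name__ == "__main__":
    for bits in (40, 128, 160):  # key sizes discussed on this page
        print(f"{bits:>3}-bit key: {years_to_search(bits):.3g} years on average")
    samples = [  # constructed passphrases, for illustration only
        "",
        "kong",
        "my grandmother keeps seven grey cats in the old boathouse by the lake",
    ]
    for p in samples:
        r = assess(p)
        print(f"{r['chars']:>3} chars, {r['bits'][0]:.0f}-{r['bits'][1]:.0f} bits, "
              f"weakest link: {r['weakest_link']}, 60+ chars: {r['meets_sixty_chars']}")
```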

For the asymmetric encryption, I use an elliptic curve with an order slightly higher than 2^240. These are the one-way operations that make it possible for Kong to tell that two documents were signed using the same secret when it does not know that secret, and to encrypt a document so that only the possessor of a certain secret can decrypt it, again when it does not know that secret. This is again the same algorithm as is commonly used and widely studied, plus a bit more overkill than the overkill that everyone else is already using.

In the terminology used in Certicom's discussion of public key strength, the field size for Crypto Kong is 255 bits, and n is 240 bits, which is about four thousand times as hard to crack as a 2048-bit PGP public key. This technology provides compact signatures and encrypted messages, though we lose a little in signing speed.

The asymmetric encryption is described in greater detail in "How Kong works".


by jamesd@echeque.com
