ietf

Re: IESG meeting thoughts

2016-05-20 11:06:04
On Fri, May 20, 2016 at 12:14 AM, Nico Williams <nico(_at_)cryptonector(_dot_)com> wrote:

On Tue, May 17, 2016 at 08:04:17PM -0400, Phillip Hallam-Baker wrote:
Crypto doesn't actually solve any of your security problems. Not one,
zilch, zero.

What cryptography does is to reduce the size of your information security
problem. It can reduce it in size from megabytes or even terabytes to a
128 bit key or deciding whether or not to trust one of millions of Web
sites to whether or not to trust the 50 WebPKI CAs (or ICANN if you are
feeling really brave). But that is all cryptography does for you. It
reduces the size of your security problem.

You still have to work out how to keep that key secure or make sure you
have the right trust anchor. Reducing problems in size is good but you
still have to solve them.

Yes, indeed.  However, you can make HW that protects a small secret like
that really well, and that's what the dust up between the FBI and Apple
was about.  It turns out that Apple can make that HW even better, and
they even might.  The better that piece of hardware, the more expensive
to defeat it, the less likely it is that it will be defeated by
criminals -- and tyrants, but also legitimate state actors; HW and SW
don't know the difference.


The point I am driving at is that security is a property of the system and
the role of cryptography is to reduce the system to manageable size so that
the problem becomes solvable.

I think that during the cryptowars a lot of us, myself included, got way too
invested in crypto and failed to see the broader picture. We also got
rather too invested in public key over symmetric. Yes, public key is cool
but it doesn't reduce the role of symmetric to being a mere support
infrastructure like we suggested in the 90s.



Now, of course *convenience* is the Achilles heel of any plan to secure
even a small secret.  Thus we see courts demanding that people unlock
their mobile devices (and why should this surprise anyone?  there's
nothing special about crypto in this regard).


And I think Apple's approach is broken because they failed to put the
device beyond their power in the first place.

I am not going to pledge to go to jail rather than release the keys that
unlock the Mathematical Mesh. Nor am I going to pledge not to release the
keys if someone puts a gun to my head or my children's head.

Therefore to make the Mesh secure, I have to put it beyond my capability to
compromise it. That is the approach Apple should have taken.


What that leaves of course is the possibility of a backdoor built into the
hardware or the algorithms. A choice of DH modulus that has been cracked,
an RNG that is broken. But those types of backdoor would greatly compromise
everyone's national security, including the US. 99% of the civil service
would end up using the compromised devices which are made in China anyhow,

That said, see the techniques I demonstrated for hardening key generation.



But dead people don't care about convenience, which is how one murderous
terrorist bastard managed to single-handedly greatly increase the tempo
of the current crypto war.  One wonders whether that was their plan!


I doubt it. They physically destroyed all the phones that they might have
used in their attack.

The 1990s cryptowar was led by the NSA. I have recently spoken to people
who are in the very top ranks of that organization and I really do not
think they are leading the effort this time. What worries them today is
that they are losing the defensive side of cyber-engagement. Whatever
happens, US cyber command is never going to disable or destroy an ISIS
nuclear power plant because they haven't got any. We have hundreds and they
are all connected to the net in multiple ways in spite of all the airgap
requirements.



The important thing is to provide a clear and correct understanding of
the issues to the bureaucrats and politicians, and also of the
trade-offs implied by any proposed policy.  And the public too (but
that's much harder).


Well my contribution there is that I will shortly be giving a course
'Cryptography for Everyone'. It looks like the live course is
oversubscribed but the material will be on the Web as a series of free
podcasts.

First thing is to set the baseline for what cryptography is about. Yes we
all learn C.I.A. stands for Confidentiality, Integrity and something
starting with A.

But currently it takes us a decade of experience in the field to understand
that security is really all about integrity, not confidentiality and then
another decade to realize that it is availability.