On Fri, May 20, 2016 at 12:14 AM, Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote:
> On Tue, May 17, 2016 at 08:04:17PM -0400, Phillip Hallam-Baker wrote:
> > Crypto doesn't actually solve any of your security problems. Not one,
> > zilch, zero.
> >
> > What cryptography does is to reduce the size of your information security
> > problem. It can reduce it in size from megabytes or even terabytes to a
> > 128 bit key or deciding whether or not to trust one of millions of Web
> > sites to whether or not to trust the 50 WebPKI CAs (or ICANN if you are
> > feeling really brave). But that is all cryptography does for you. It
> > reduces the size of your security problem.
> >
> > You still have to work out how to keep that key secure or make sure you
> > have the right trust anchor. Reducing problems in size is good but you
> > still have to solve them.
> Yes, indeed. However, you can make HW that protects a small secret like
> that really well, and that's what the dust-up between the FBI and Apple
> was about. It turns out that Apple can make that HW even better, and
> they even might. The better that piece of hardware, the more expensive
> to defeat it, the less likely it is that it will be defeated by
> criminals -- and tyrants, but also legitimate state actors; HW and SW
> doesn't know the difference.
The point I am driving at is that security is a property of the system and the role of cryptography is to reduce the system to manageable size so that the problem becomes solvable.
I think that during the cryptowars a lot of us, myself included, got way too invested in crypto and failed to see the broader picture. We also got rather too invested in public key over symmetric. Yes, public key is cool but it doesn't reduce the role of symmetric to being a mere support infrastructure like we suggested in the 90s.
> Now, of course *convenience* is the Achilles heel of any plan to secure
> even a small secret. Thus we see courts demanding that people unlock
> their mobile devices (and why should this surprise anyone? there's
> nothing special about crypto in this regard).
And I think Apple's approach is broken because they failed to put the device beyond their power in the first place.
I am not going to pledge to go to jail rather than release the keys that unlock the Mathematical Mesh. Nor am I going to pledge not to release the keys if someone puts a gun to my head or my children's head.
Therefore to make the Mesh secure, I have to put it beyond my capability to compromise it. That is the approach Apple should have taken.
What that leaves of course is the possibility of a backdoor built into the hardware or the algorithms. A choice of DH modulus that has been cracked, an RNG that is broken. But those types of backdoor would greatly compromise everyone's national security, including the US. 99% of the civil service would end up using the compromised devices which are made in China anyhow,
That said, see the techniques I demonstrated for hardening key generation.
> But dead people don't care about convenience, which is how one murderous
> terrorist bastard managed to single-handedly greatly increase the tempo
> of the current crypto war. One wonders whether that was their plan!
I doubt it. They physically destroyed all the phones that they might have used in their attack.
The 1990s cryptowar was led by the NSA. I have recently spoken to people who are in the very top ranks of that organization and I really do not think they are leading the effort this time. What worries them today is that they are losing the defensive side of cyber-engagement. Whatever happens, US cyber command is never going to disable or destroy an ISIS nuclear power plant because they haven't got any. We have hundreds and they are all connected to the net in multiple ways in spite of all the airgap requirements.
> The important thing is to provide a clear and correct understanding of
> the issues to the bureaucrats and politicians, and also of the
> trade-offs implied by any proposed policy. And the public too (but
> that's much harder).
Well, my contribution there is that I will shortly be giving a course 'Cryptography for Everyone'. It looks like the live course is oversubscribed but the material will be on the Web as a series of free podcasts.
First thing is to set the baseline for what cryptography is about. Yes we all learn C.I.A. stands for Confidentiality, Integrity and something starting with A.
But currently it takes us a decade of experience in the field to understand that security is really all about integrity, not confidentiality and then another decade to realize that it is availability.