John Kelsey wrote:
>
> At 10:29 AM 5/30/03 -0400, Anton Stiglic wrote:
>
> >So what happened to passphrase guessing? That's got to be
> >one of the weakest links. Unless their private key wasn't
> >stored on the device?
>
> One thought: How hard would it be to write a Palm app to use the
> interaction between several devices to derive a key or password, using the
> IR ports? The whole thing could easily be encrypted under a common
> key. Require the attacker to get a device from each member of the cell (or
> 3/5 or some such)

Certainly, if all the cell members had a PDA, with IR, then that would allow a much more robust multi-factor system. But...

> before recovering the actual encrypted secrets. I wouldn't be surprised if
> technologically sophisticated terrorists and spies were doing stuff like
> that. (You could easily do this with pen and paper, too, for simple
> control structures. Each member of the cell holds some parts of the
> password written down, and 4/5 of them have to get together to reconstruct
> the full password.)

This sounds workable in theory, but in practice, one has to work with the skills base of the users and the stress of the work.

Terrorists are generally not adept at technical work. They are not really chosen for their skills; more their loyalty, their anger, and often their simplistic belief in "some other bad guy" stories. Terrorists are like soldiers, mostly drawn from the lower echelons of society, with a small smattering of bright sparks who rise to the top (if they survive at all). If they could master technically challenging tools like crypto then they'd not be terrorists, they'd be out there making a living.

Giving them a complex technical tool means an awful lot of training. Which means: they may be able to master this, as they are not totally dumb, but this means they are not training in some other thing.

There is a reason that the AK47 is the weapon of choice: it is an extraordinarily simple weapon. Training is probably about half the requirements of, say, the M16. That makes a difference, much more so than, say, the increased accuracy of the M16! There is a huge premium in a simple tool.

In practice, I'd suspect that a single-factor crypto system would win out in the end, as anything more complex would bog down under fire. (In fact, I am surprised they are using crypto *at* *all*; I'd be very nervous about the amount of data that could end up being compromised by a lost PDA and a tortured terrorist!)

There is this pervasive image that terrorists are technologically adept. I don't think I've ever seen much real evidence of that. I think there are two factors in this unrealistic belief.

1. The media love to portray terrorists as a wily enemy. I can only put that down to a need to explain how they managed to do this terrible thing to us: mentally, we feel better if the enemy is really smart, a challenge to us, as it's ok for him to win once or twice. (As long as we are smarter, and can rise and win in the end...) Recall, we all love and admire the Germans because they were a smart, adept enemy in the first half of the 20th century. We have almost as much admiration for the Japanese, but pretty much no admiration for the Chinese and the Koreans, who resort too quickly to human wave tactics. (The Vietnamese, and Russians, we feel quixotic about...) Psychologically, it makes us unhappy to realise that the 911 attackers were actually quite simple, so we don't. We build up Osama bin Laden to be a mastermind, a sort of James Bond-qualified evil guy who constructs plans of insidious cunning.

2. Also, the counter-terrorist forces have a vested interest in presenting the terrorists as more capable than they really are (hence, that article, as many have observed). This is a simple and pervasive technique to get more support for their activities. For example, it's now pretty much clear that a lot of the threat assessments of the Soviet Union were routinely exaggerated dramatically by money-seeking companies and generals. Also, you can't really be "wrong" and embarrassed if you over-exaggerate the threat.

All this is a long-winded way of saying your average terrorist is much more like your grandma when it comes to tech. Highly competent in the kitchen, but can't send an email to save herself.

--
iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
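The quoted thread describes a k-of-n rule ("4/5 of them have to get together to reconstruct the full password") without naming a construction. As an added example, not code from the thread or from any of its participants, the block below implements that rule with Shamir's threshold secret sharing over a prime field: the passphrase is encoded as an integer, hidden as the constant term of a random polynomial, and each holder receives one point on the curve. Any k points recover the constant term by Lagrange interpolation at zero; fewer than k points interpolate an unrelated polynomial and yield a value unrelated to the secret, which is the property that makes a lost single device (or a single coerced holder) insufficient on its own. The prime modulus, the function names and the sample passphrase are this example's own choices, not anything from the post.

```python
import secrets

# Prime field modulus. 2**521 - 1 is a Mersenne prime; chosen here (an assumption of
# this example) so that passphrases of up to 65 bytes fit as a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):          # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """Split an integer secret into n shares such that any k shares reconstruct it.

    Share i is the point (i, f(i)) on a random polynomial f of degree k-1 with f(0) = secret.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    # Random higher-order coefficients make k-1 shares reveal nothing about f(0).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Recover f(0) from shares by Lagrange interpolation at x = 0.

    Returns the correct secret only when the shares are distinct points of the same
    polynomial and there are at least k of them; with fewer, the result is garbage.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME       # product of (0 - x_j)
                den = (den * (xi - xj)) % PRIME   # product of (x_i - x_j)
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_password(password, k, n):
    """Encode a passphrase as an integer and split it into n shares with threshold k."""
    data = password.encode("utf-8")
    value = int.from_bytes(data, "big")
    if value >= PRIME:
        raise ValueError("passphrase too long for the field (max 65 bytes here)")
    return split_secret(value, k, n)


def recover_password(shares):
    """Inverse of split_password: interpolate, then decode the integer back to text."""
    value = recover_secret(shares)
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big").decode("utf-8")


if __name__ == "__main__":
    # Constructed sample passphrase; a 4-of-5 split as in the quoted message.
    shares = split_password("correct horse battery staple", 4, 5)
    print("any 4 of 5:", recover_password(shares[1:]))
    print("only 3 of 5 decodes to something unrelated:",
          recover_secret(shares[:3]) == recover_secret(shares))
```

Each share is as long as the field element, so the holders are carrying a random-looking number, not a fragment of the passphrase; this is the difference between Shamir sharing and simply cutting the password into pieces, where three of five pieces would leave only a short remainder to guess. Share indices must stay attached to their values, and the shares should be generated once, in one place, since whoever runs the split sees the whole secret.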