In message <[EMAIL PROTECTED]>, John Denker writes:
>Here's a challenge directly relevant to this group: Can you
>design a comsec system so that pressure against a code clerk
>will not do unbounded damage? What about pressure against a
>comsec system designer?
>
That is, of course, one of the primary goals of perfect forward secrecy -- to ensure that old messages are not readable when an endpoint is compromised. More generally, let me refer people to "Between Silk and Cyanide", the best description I know of the intersection between cryptosecurity and the real world.

To oversimplify, the resistance agents in occupied Europe were originally using a cipher whose key was derived from a poem. The poems were guessable; beyond that, converting the poem into the actual key was a time-consuming, error-prone process. The result was a lot of garbled messages which had to be retransmitted. Apart from the cryptographic significance, the retransmissions gave the Gestapo's direction finders a better shot at finding the radio.

Leo Marks realized the problems. The poems were used so that the agents didn't need to have written keying material -- we'll all agree that that's a good idea. But it was misguided -- the Gestapo could, would, and did torture the key from people. Beyond that, they tortured the "duress signal" -- the variant to the message to show that it was being sent under pressure -- and verified that the recorded traffic did not contain that signal.

Instead, Marks issued so-called "worked-out keys" -- pieces of silk with the actual encryption keys printed on them. After using a key, it would be burned, thus achieving forward secrecy. The duress code went with it, denying that check to the Gestapo, too. And it didn't matter that much that the agent had the keying material -- silk could be sewn into a coat lining or the like, or it would feel like a handkerchief, which protected the possessor against a casual pat-down. If the Gestapo really suspected you, you were probably dead, anyway; the extra incriminating evidence was a minor problem. Besides, Marks' scheme tremendously reduced the garbles, which reduced the need for dangerous retransmissions, thus protecting the agents even more.
Marks was also one of the first to realize that the Germans had rolled up a resistance ring in the Netherlands, and were sending messages that purported to be from the agents. His clue? The messages were too perfect; the Gestapo had plenty of time to get the encryption correct. They weren't doing it furtively, under stress in poor conditions... In other words, he understood the threat model.

(I should point here to Kerckhoffs' 6th principle: in effect, make the system easy to use under the actual circumstances. In this case, it conflicts with his 3rd principle, which says not to use written keys. See http://www.petitcolas.net/fabien/kerckhoffs/index.html for the actual articles.)

--Steve Bellovin, http://www.research.att.com/~smb
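The contrast Bellovin draws between a poem-derived key and Marks' burn-after-use worked-out keys, as an added toy model (not code from the original post; the stand-in KDF, the sample traffic and the poem are constructed assumptions):

```python
import hashlib
import os

# Constructed sample traffic for the demonstration (not from the post).
MESSAGES = [b"ARRIVED SAFELY", b"DROP ZONE IS FIELD SEVEN", b"SEND MONEY"]

def keystream(seed: bytes, length: int) -> bytes:
    # Hypothetical KDF standing in for "converting the poem into the key".
    return hashlib.shake_256(seed).digest(length)

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))

class PoemKeying:
    """Every message key is derived from one memorised, guessable poem."""
    def __init__(self, poem: str):
        self.poem = poem
    def encrypt(self, n: int, msg: bytes) -> bytes:
        return xor(msg, keystream(f"{self.poem}|{n}".encode(), len(msg)))
    def captured_material(self):
        return self.poem            # pressure on the agent yields the poem itself
    @staticmethod
    def decrypt_with(material, n: int, ct: bytes):
        return xor(ct, keystream(f"{material}|{n}".encode(), len(ct)))

class WorkedOutKeying:
    """One random key per message, printed on silk and burned after use."""
    def __init__(self, count: int, max_len: int = 64):
        self.silk = [os.urandom(max_len) for _ in range(count)]
    def encrypt(self, n: int, msg: bytes) -> bytes:
        ct = xor(msg, self.silk[n])
        self.silk[n] = None         # burn the key: it no longer exists anywhere
        return ct
    def captured_material(self):
        return list(self.silk)      # only the unburned keys can be seized
    @staticmethod
    def decrypt_with(material, n: int, ct: bytes):
        return None if material[n] is None else xor(ct, material[n])

def old_traffic_readable(scheme) -> list:
    """Send all messages, then capture the agent: report which previously
    recorded ciphertexts the captor can read from the seized material."""
    traffic = [scheme.encrypt(i, m) for i, m in enumerate(MESSAGES)]
    material = scheme.captured_material()
    return [scheme.decrypt_with(material, i, ct) == MESSAGES[i]
            for i, ct in enumerate(traffic)]
```

With the poem scheme every recorded message falls once the poem is extracted; with worked-out keys the seized silk only exposes messages not yet sent, which is the bounded damage Denker asked about.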
