On Sep 5, 2013, at 10:19 PM, Jon Callas wrote:
> I don't disagree by any means, but I've been through brittleness with both 
> discrete log and RSA, and it seems like only a month ago that people were 
> screeching to get off RSA over to ECC to avert the "cryptocalypse." And that 
> the ostensible reason was that there are new discrete log attacks -- which 
> was just from Mars and I thought that that proved the people didn't know what 
> they were talking about. Oh, wait, it *was* only a month ago! Silly me.
> "Crypto experts issue a call to arms to avert the cryptopocalypse"
> http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/
> Discrete log has brittleness. RSA has brittleness. ECC is discrete log over a 
> finite field that's hard to understand. It all sucks.
Perhaps it's time to move away from public-key entirely!  We have a classic 
paper - Needham and Schroeder, maybe? - showing that private key can do 
anything public key can; it's just more complicated and less efficient.

Not only are the techniques brittle and increasingly under suspicion, but in
practice almost all of our public key crypto inherently relies on CAs - a 
structure that's just *full* of well-known problems and vulnerabilities.  
Public key *seems to* distribute the risk - you "just get the other guy's 
public key" and you can then communicate with him safely.  But in practice it 
*centralizes* risks:  in CAs, in single magic numbers that, if revealed, allow 
complete compromise of all connections to a host (and we now suspect they 
*are* being revealed).

We need to re-think everything about how we do cryptography.  Many decisions 
were made based on hardware limitations of 20 and more years ago.  "More 
efficient" claims from the 1980's often mean nothing today.  Many decisions 
assumed trust models (like CAs) that we know are completely unrealistic.  
Mobile is very different from the server-to-server and dumb-client-to-server 
models that were all anyone thought about at the time.  (Just look at SSL:  It has 
the inherent assumption that the server *must* be authenticated, but the client 
... well, that's optional and rarely done.)  None of the work then anticipated 
the kinds of attacks that are practical today.

I pointed out in another message that today, mobile endpoints potentially have 
access to excellent sources of randomness, while servers have great difficulty 
getting good random numbers.  This is the kind of fundamental change that needs 
to inform new designs.
                                                        -- Jerry
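The "private key can do anything public key can" point above refers to a key-distribution model in which every party shares a long-term secret only with a trusted server, and session keys are handed out through it. The classic worked instance of that model is the Needham-Schroeder symmetric-key protocol; the following is an added example written for this page, not code from the thread or from the paper it mentions, and it assumes that protocol is the one the author had in mind. The authenticated encryption inside it is a stdlib-only construction (HMAC-SHA256 keystream plus an HMAC tag) standing in for a real AEAD, and the party names and keys are constructed.

```python
"""Constructed demo of a KDC-mediated symmetric key exchange
(Needham-Schroeder symmetric-key protocol). Stdlib only."""
import hashlib
import hmac
import json
import os


def _derive(key: bytes, label: bytes) -> bytes:
    """Split one shared key into separate encryption and MAC keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demo stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _pack(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def _unpack(data: bytes):
    return json.loads(data.decode())


def kdc_issue(long_term: dict, a: str, b: str, na: int) -> bytes:
    """Msg 1/2: A -> S: (A, B, Na);  S -> A: E_Ka(Na, B, Kab, E_Kb(Kab, A)).
    The KDC never sends Kab in the clear; B's copy rides inside a ticket only B can open."""
    kab = os.urandom(32)
    ticket = encrypt(long_term[b], _pack({"kab": kab.hex(), "from": a}))
    return encrypt(long_term[a], _pack({"na": na, "peer": b, "kab": kab.hex(), "ticket": ticket.hex()}))


def initiator_accept(ka: bytes, na: int, b: str, reply: bytes):
    """A checks that the reply echoes its nonce (freshness) and names the intended peer."""
    m = _unpack(decrypt(ka, reply))
    if m["na"] != na or m["peer"] != b:
        raise ValueError("freshness or peer check failed")
    return bytes.fromhex(m["kab"]), bytes.fromhex(m["ticket"])


def responder_accept(kb: bytes, ticket: bytes):
    """Msg 3: A -> B: ticket. B learns Kab and who the KDC says it is talking to."""
    m = _unpack(decrypt(kb, ticket))
    return bytes.fromhex(m["kab"]), m["from"]


def run_protocol(long_term: dict, a: str = "alice", b: str = "bob") -> dict:
    """Drive all five messages and report what each side concluded."""
    na = int.from_bytes(os.urandom(8), "big")
    reply = kdc_issue(long_term, a, b, na)
    kab_a, ticket = initiator_accept(long_term[a], na, b, reply)
    kab_b, claimed = responder_accept(long_term[b], ticket)
    # Msg 4/5: B challenges with Nb under Kab; A proves possession by returning Nb - 1.
    nb = int.from_bytes(os.urandom(8), "big")
    challenge = encrypt(kab_b, _pack({"nb": nb}))
    answer = encrypt(kab_a, _pack({"nb": _unpack(decrypt(kab_a, challenge))["nb"] - 1}))
    ok = _unpack(decrypt(kab_b, answer))["nb"] == nb - 1
    return {"initiator_key": kab_a, "responder_key": kab_b,
            "claimed_initiator": claimed, "handshake_ok": ok}


def demo_long_term_keys() -> dict:
    """Constructed long-term keys, one per party, shared only with the KDC."""
    return {"alice": os.urandom(32), "bob": os.urandom(32)}


def rejects(fn, *args) -> bool:
    """True if the call is refused with ValueError (used to show tampering is caught)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run_protocol(demo_long_term_keys()))
```

Note what the exchange does and does not buy relative to the thread's complaint about CAs: no public keys and no certificate chain, but the KDC now holds every party's long-term key, so the risk the email calls "centralized" has moved rather than vanished, and the original protocol's ticket carries no timestamp, so an old session key that leaks can be replayed in message 3 (the weakness Denning and Sacco pointed out, which Kerberos later fixed with timestamps).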

The cryptography mailing list