On 25/09/13 17:17, ianG wrote:
On 24/09/13 19:23 PM, Kelly John Rose wrote:

I have always approached that no encryption is better than bad
encryption, otherwise the end user will feel more secure than they
should and is more likely to share information or data they should not
be on that line.

The trap of a false sense of security is far outweighed by the benefit
of a "good enough" security delivered to more people.

We're talking multiple orders of magnitude here.  The math that counts is:

    Security = Users * Protection.

No. No. No. Please, no? No. Nonononononono.

It's Summa (over i) P_i.I_i where P_i is the protection provided to information i, and I_i is the importance of keeping information i protected.

Actually it's more complex than that, as the importance isn't a linear variable, and information isn't either - but there's a start.

Increasing i by increasing users may have little effect on the overall security, if the protecting the information they transmit isn't particularly valuable.

And saying that something is secure - which is what people who are not cryptographers think you are doing when you recommend that something - tends to increase I_i, the importance of the information to be protected.

And if the new system isn't secure against expensive attacks, then overall security may be lessened by it's introduction. Even if Users are increased.

I have about 30 internet passwords, only three of which are in any way important to me - those are the banking ones. I use a simple password for all the rest, because I don't much care if they are compromised.

But I use the same TLS for all these sites.

Now if that TLS is broken as far as likely attacks against the banks go, I care. I don't much care if it's secure against attacks against the other sites like my electricity and gas bills.

I might use TLS a lot more for non-banking sites, but I don't really require it to be secure for those. I do require it to be secure for banking.

And I'm sure that some people would like TLS to be secure against the NSA for, oh, let's say 10 years. Which 1024-bit DHE will not provide.

If you really want to recommend 1024-bit DHE, then call a spade a spade - for a start, it's EKS, ephemeral key setup. It doesn't offer much in the way of forward secrecy, and it offers nothing at all in the way of perfect forward secrecy.

It's a political stunt to perhaps make trawling attacks by NSA more expensive (in cases where the website has given NSA the master keys [*]) - but it may make targeted attacks by NSA cheaper and easier.

And in ten years NSA *will* be able to read all your 1024-bit DHE traffic, which it is storing right now against the day.

[*] does anyone else think it odd that the benefit of introducing 1024-bit DHE, as opposed to 2048-bit RSA, is only active when the webserver has given or will give NSA the keys? Just why is this being considered for recommendation?

Yes, stunt.

-- Peter Fairbrother


The cryptography mailing list

The cryptography mailing list

Reply via email to