Dan Kaminsky wrote:
> I am saying operating systems are not like passwords. I don't think
> this exactly controversial.
Who was talking about operating systems? That smells like an attempt to
redefine the argument. We were talking about secret URLs, keys, passwords
and the like. I think that makes a much better playing field for the
moment.
> I can quantify this with the rate of change of complexity of a system.
> If you add one kilobyte of complexity to Windows (consuming literally
> 8192 bits extra space on the DVD), you have not done much to the
> difficulty of breaking Windows. If you add one kilobyte of complexity
> to an RSA key (literally, adding another 4096 bits to p and q
> respectively), you most assuredly have done much to the difficulty
> of breaking this particular RSA key.
So is it the relative change then? How about change over time?
>
> I will grant that we could use better words than "obscure" and
> "secret" to represent the difference. But I consider "obscure"
> fundamentally different than "utterly unknown". An obscure band is
> not a secret band. An obscure illness is not a secret illness.
Mixing in real-world analogies has never been terribly helpful when
dealing with purely digital security.
Let me attempt some examples:
-Is XOR'd with a 4096-bit key obscure or secure?
-Is RSA-encrypted with a 40696-bit key obscure or secure?
-Is a crypt(3) password obscure or secure? Has that changed over time?
-Is a URL with a random 4096-bit component obscure or secure?
BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
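An added worked example for the thread above (my own code, not anything posted by BB or Dan Kaminsky): it quantifies the "obscure or secure" question for the random secrets in BB's list as brute-force work in bits, and shows why "XOR'd with a 4096-bit key" is only secure when the key is used once. Assumptions, all mine: crypt(3) is modeled as the classic DES-based scheme with at most 8 significant characters drawn from the 95 printable ASCII characters; the 1e9 guesses-per-second rate is a hypothetical figure for illustration; RSA is left out of the table because factoring cost grows sub-exponentially in the modulus size, so key bits are not work bits there; the two plaintexts in the key-reuse demo are constructed samples.

```python
import math
import secrets

# ---- Work factor of a random secret: log2 of the keyspace -----------------

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string of `length` symbols
    from an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def work_factor_table() -> dict:
    """Brute-force work, in bits, for the secrets in BB's list when modeled
    as uniformly random strings.  crypt(3) assumed (my assumption) to be the
    classic DES-based scheme: at most 8 significant characters, 95 printable
    ASCII symbols.  RSA is deliberately omitted: its work factor is not 2**bits."""
    return {
        "xor_4096bit_key_used_once": entropy_bits(2, 4096),
        "url_4096bit_random_component": entropy_bits(2, 4096),
        "crypt3_8char_printable_password": entropy_bits(95, 8),
    }


def years_to_exhaust_half(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time for a random secret of `bits` bits at a given
    guess rate: on average half the keyspace must be searched.  Each extra bit
    doubles the result, which is the "rate of change" a key has and a code
    base does not."""
    return (2.0 ** bits / 2.0) / guesses_per_second / (365.25 * 24 * 3600)


# ---- XOR with a long key: secure used once, obscure at best when reused -----

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """One-time-pad encryption: message XOR key.  Information-theoretically
    secure only if the key is uniformly random, at least as long as the
    message, and never used for a second message."""
    if len(key) < len(message):
        raise ValueError("key must be at least as long as the message")
    return xor_bytes(message, key[: len(message)])


def recover_from_key_reuse(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """If one key produced both c1 and c2, then c1 XOR c2 == m1 XOR m2.  An
    attacker who knows (or guesses) m1 obtains m2 without ever learning the
    4096-bit key: the key is still unknown, but it no longer protects anything."""
    return xor_bytes(xor_bytes(c1, c2), known_m1)


def demo_key_reuse() -> bytes:
    """Constructed scenario: one 4096-bit key reused for two 15-byte messages.
    Returns the second plaintext as recovered by an attacker who knows the first."""
    key = secrets.token_bytes(512)            # 4096 random bits
    m1 = b"attack at dawn!"                   # constructed sample plaintext
    m2 = b"retreat at dusk"                   # constructed sample plaintext
    c1 = otp_encrypt(m1, key)
    c2 = otp_encrypt(m2, key)
    return recover_from_key_reuse(c1, c2, m1)


if __name__ == "__main__":
    rate = 1e9  # hypothetical guess rate, guesses per second
    for name, bits in work_factor_table().items():
        print(f"{name}: {bits:.1f} bits, "
              f"{years_to_exhaust_half(bits, rate):.3g} years at {rate:g} guesses/s")
    print("recovered m2 from key reuse:", demo_key_reuse())
```

The table is where BB's "has that changed over time?" question bites: a 4096-bit random secret stays at 4096 bits of work whatever the guess rate, while an 8-character crypt(3) password caps out near 52 bits, so its safety is entirely a function of how fast attackers can run crypt(3) today. The reuse demo is the other half of the distinction: the XOR key is every bit as unknown after the attack as before, yet the second message is recovered, which is what separates a construction that is secure from one that merely depends on something the attacker has not seen yet.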