ip4w...@gmail.com (J.P.) writes:
> Would just like to add what I've heard from several sources:
> Crypto is mostly solid, but implementations are weak.

re:
http://www.garlic.com/~lynn/2013l.html#55 "NSA foils much internet encryption"
http://www.garlic.com/~lynn/2013l.html#56 "NSA foils much internet encryption"

How a Crypto "Backdoor" Pitted the Tech World Against the NSA
http://www.wired.com/threatlevel/?p=85661

other recent refs
http://www.garlic.com/~lynn/2013m.html#0 UK NHS £10bn project failure
http://www.garlic.com/~lynn/2013m.html#2 UK NHS £10bn project failure

recent posts about long ago and far away realizing that there were 3 kinds of crypto 1) the kind they don't care about, 2) the kind you can't do and 3) the kind you can only do for them.
http://www.garlic.com/~lynn/2013d.html#1 IBM Mainframe (1980's) on You tube
http://www.garlic.com/~lynn/2013g.html#31 The Vindication of Barb
http://www.garlic.com/~lynn/2013i.html#69 The failure of cyber defence - the mindset is against it
http://www.garlic.com/~lynn/2013k.html#77 German infosec agency warns against Trusted Computing in Windows 8
http://www.garlic.com/~lynn/2013k.html#88 NSA and crytanalysis

we had been brought in to small client/server startup as consultants because they wanted to do payment transactions on their server; the startup had also invented this technology called "SSL" they wanted to use, the result is now frequently called electronic commerce.

somewhat as a result of having worked on electronic commerce, in the mid-90s we were invited to participate in the x9a10 financial standards working group which had been given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments. the result was the x9.59 financial transaction standard.

other experience from the 80s was the internal network (larger than arpanet/internet from just about the beginning until sometime late '85 or early '86)
http://www.garlic.com/~lynn/subnetwork.html#internalnet

which required all links to be encrypted ... in the mid-80s comment was that the internal network had more than half of all link encryptors in the world.

there were usually lots of problems with national govs. over encryption ... especially when links cross national boundaries (and argument that helped was that the link went solely from one corporate location to another). old reference to internal network passing 1000 nodes 30yrs ago ... and a list of all corporate locations that had one or more new nodes added during 1983.
http://www.garlic.com/~lynn/2006k.html#8

in any case, the experiences help motivate the direction of x9.59 to be purely authentication and didn't require encryption to hide information.

I've periodically commented that the current payment paradigm has problem that account information is effectively used for authentication ... which requires that it be kept confidential and never be divulged ... while at the same time, the same information is required in dozens of business processes at millions of locations around the globe. As a result, I've periodically commented that even if the globe was buried under miles of information hiding encryption, that it would stop information leakage.

In any case, one of the things x9.59 standard did was slightly tweak the current paradigm and separate authentication information from business processes information ... eliminating the requirement for information hiding encryption in order to achieve the retail payment integrity (which would then also eliminate the major use for "SSL" in the world today ... aka hiding account information in electronic transactions).

In some of the old key escrow meetings ... I would stress that exposing authentication keys was a fundamental security violation ... however there were some quarters that would complain that people might cheat and use authentication keys for encryption purposes.

--
virtualization experience starting Jan1968, online at home since Mar1970