Re: That 70's Crypto Show (Remailers, science and engineering)
On Fri, 29 Dec 2000, Greg Broiles wrote:

> But - several, if not many times - the security we've achieved has been broken, because of implementation errors on the part of creators, installers, or users.

That's right - that's part of the fact that cryptographic engineering (as opposed to "cryptographic science") is still in its infancy. This is the downside of the current approach, which focuses on getting the protocol right first, and only later considers the "real world."

Bruce Schneier had another way of putting it - something along the lines of "The math is perfect, the hardware is so-so, the software is a mess, and the people are awful!" (not an exact quote, but I remember it from one of his DEF CON speeches).

That being said, there is some benefit to considering the protocols in an ideal, polite model - because in the past we haven't even been able to get security in *that* model. So in some sense this is a case of "publishing what we can prove." It's only comparatively recently that we've had protocols which we can prove secure, even in weak models -- the first real definitions of security from Yao, Goldwasser and Micali, and probably others weren't until the early to mid 1980s. Truly practical cryptosystems which meet these definitions of security didn't arrive until the 1990s. (Some would argue that they still aren't here - Bellare and Rogaway's Optimal Asymmetric Encryption Padding (OAEP) satisfies a strong definition of security, but only if you buy the "random oracle assumption.")

Now on the "science" side we can and should extend the model to deal with more of the real world. You might find the recent paper I posted a link to by Canetti interesting - he sets out to deal with an asynchronous network with active adversaries. I didn't see torture included yet, but maybe next version. Birgit Pfitzmann and Michael Waidner are considering something called "reactive systems" which may also yield results.

http://citeseer.nj.nec.com/297161.html

On the engineering side -- well, there's a long way to go. Ross Anderson has a new book coming out which may help a little bit.

http://www.cl.cam.ac.uk/~rja14/book.html

The fact remains that I don't think we have enough experience implementing protocols beyond encryption and signatures. At least not on a wide scale.

Take digital cash and voting protocols as an example. Digital cash has been implemented and re-implemented several times. It's even had a "live" test or two. But how many people have managed to buy something tangible with it? And how does that compare to the amount cleared by credit cards?

Electronic voting seems to be on the upswing - at least with votehere.com and the recent election debacle hanging over our heads. Still, who has implemented, tested, and deployed a truly large-scale voting system based on cryptographic protocols? The one which comes to mind is the MIT system built on the FOO protocol - and while that *works* (modulo operator error), that's only a few thousand undergrads.

It's at times like this that I wish I knew more about formal verification of protocols...

Consider the computing power assembled for the DES or RC5 cracks, instead applied to dictionary attacks versus a PGP keyring, or SSH keyfile. How long until the average user's passphrase is recovered? If the passphrase is in the dictionary, nearly no time at all. Some take this to mean that now we should write passphrases down, and use the opportunity to pick long random ones unlikely to be in any dictionary...

-David
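The passphrase arithmetic behind the last paragraph above, as an added example that is not part of David's message or of any tool the thread names: it estimates how many bits a word-list passphrase carries, how long exhaustive guessing takes at an assumed attacker rate, and generates a long random passphrase with the OS CSPRNG rather than trusting a user's choice. The 32-word list, the 10^9 guesses-per-second rate, and all function names are assumptions made here.

```python
import math
import secrets

# Constructed stand-in word list with exactly 32 entries, so each uniformly
# chosen word contributes log2(32) = 5 bits. A real list such as Diceware
# (7776 words, about 12.9 bits per word) plugs into the same formulas; only
# the size matters, because the attacker is assumed to have the list too.
WORDLIST = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "cobalt", "meadow", "pebble",
    "tundra", "willow", "acorn", "bridge",
)

# Assumed attacker rate, not a figure from the thread: 10**9 passphrase
# trials per second, standing in for "the computing power assembled for
# the DES or RC5 cracks" pointed at a keyring.
ASSUMED_GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(num_words, wordlist_size):
    """Entropy of num_words independent, uniform picks (with replacement)
    from a list of wordlist_size words. Kerckhoffs applies: the list is
    public, only the choice of words is secret."""
    return num_words * math.log2(wordlist_size)


def expected_seconds(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected time for exhaustive search at the given rate: on average
    half of the 2**bits candidates are tried before the right one."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def words_needed(target_bits, wordlist_size):
    """Smallest number of words from this list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words, wordlist=WORDLIST):
    """Pick words with the OS CSPRNG (secrets); random.choice uses a
    non-cryptographic generator and must not be used for secrets."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def audit(passphrase, wordlist_size=len(WORDLIST),
          guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Strength estimate for a space-separated passphrase drawn from a list
    of wordlist_size words: bits and expected years to recover."""
    num_words = len(passphrase.split())
    bits = passphrase_bits(num_words, wordlist_size)
    years = expected_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR
    return {"words": num_words, "bits": bits, "expected_years": years}


if __name__ == "__main__":
    # A single dictionary word against a 100,000-word dictionary:
    # "nearly no time at all".
    print(audit("anchor", wordlist_size=100_000))
    # A long random passphrase from a Diceware-sized list.
    n = words_needed(80, 7776)
    print(n, "words needed for 80 bits from a 7776-word list")
    print(audit(generate_passphrase(n), wordlist_size=7776))
```

The estimate is a lower bound on the attacker's work only when the words really were chosen uniformly at random; a passphrase the user composed from memorable words does not get the credit the formula gives it, which is the point of generating it rather than choosing it.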
Re: That 70's Crypto Show (Remailers, science and engineering)
On Wed, 27 Dec 2000, Bill Stewart wrote:

> fewer talks on new stuff people are doing and more on some commercial business (maybe or maybe not run by cypherpunks) doing their product or non-technical talks by EFF lawyer types.

I'm in the middle of composing a reply to Tim's message (which is getting bigger every time I sit down to finish it, ominously enough). One of the points that has popped into my mind so far is that while we've had academic crypto research since the 80s, thanks to Rivest, Shamir, Adleman, Diffie, Hellman, and others willing to defy the NSA, we have _not_ had a similar tradition of commercial cryptography - or at least, not a tradition of companies obtaining money for cryptographic *protocols* as opposed to ciphers.

It seems to me that it took a long while for people to even recognize that there was more to cryptography than secrecy. Maybe it happened quickly in academia, but it doesn't seem to have filtered out quickly (and then there's still the chilling effect from export controls). This is one of the reasons why the early Cypherpunk work is so damn important -- it showed the amazing, powerful things you can do given cryptography and a little cleverness, and it did so to a (comparatively) wide audience!

Even after "everyone" knows that you can do, say, cryptographic voting, there's still the question of "who's going to pay for it?" That question seems to have found a partial answer with the Internet/Web/"e-commerce" frenzy. The thing is, that is *new*, only 4 or 5 years old. Before, you could go out and say "I want to go commercialize neat protocol X," and good luck to you...today, you might get funding. Until you get that funding, you can't start the engineering work that's required to take a protocol from the "cool CRYPTO paper" stage to the "real world product."

Before Tim jumps on me, yes, I know there were early electronic markets, and yes, electronic trading was around before the Web. Yes, these could have been viable markets for digital cash, fair exchange protocols, whatever. Even electronic voting could and did get started earlier (though not using cryptographic techniques AFAIK). I do not dispute this! It simply seems to me that the climate today has the possibility of demand for such protocols (and more) on a wider scale than previously.

> of crypto out of math and CS areas and into engineering. Mojo Nation, for example, is partly interesting because it's not just Yet Another Encrypted Music Sharing Product - it's mixing the crypto with economic models in ways that are intellectually complex, even if they're somewhat at the hand-waving level rather than highly precise.

Maybe it will force smart people to move the mix from the hand-waving level to something highly precise. Insh'allah.

> Cool. Are the proceedings on line anywhere? (Or is it only for people who know the secret keys...)

The 2nd and 3rd are, via Springer-Verlag LINK service. Tables of contents are free; you should be able to recover the papers from their authors' home pages (use Google!). If you can't find something, e-mail me.

Page for past proceedings: http://chacs.nrl.navy.mil/IHW2001/past-workshops.html
Page for IHW 2001: http://chacs.nrl.navy.mil/IHW2001/

Unfortunately, the TOC for the first IHW is not online, nor do the papers seem to be available. You can extract the papers from Petitcolas' bibliography at http://www.cl.cam.ac.uk/users/fapp2/steganography/bibliography/index.html and may be able to get some of the papers that way. I note a previous message from Hal Finney which has some links as well http://www.inet-one.com/cypherpunks/dir.1997.05.15-1997.05.21/msg00298.html (I haven't tried them)

I should state up front that the workshops are a little heavy on watermarking papers, which may not be of too much interest to cypherpunks. The papers on breaking watermarks, on the other hand, may be of more interest. :-)

> > On the other hand, we can oppose this to the fact that we have a bunch of remailers, and they seem to work. They may be unreliable, but no one seems to have used padding flaws to break a remailer, as far as we know.
>
> Arrgh! Dave, just because nobody's known to have broken them doesn't mean that nobody's succeeded in breaking them (without us knowing they've succeeded),

[snip a well-deserved beating]

Well, this is what I get for trying to moderate myself. Everything you say is correct - of course. I actually agree with you! I mentioned this because I wanted to avoid playing the part of a "theoretical Cassandra," which is something I do too often. (In fact, if I'm not mistaken, that's part of what Tim's response about different adversary models attempts to speak to - the fact that traditional cryptographic models assume a maximally powerful adversary, while we might want a finer-grained hierarchy of adversaries and their effects...)

-David
Re: That 70's Crypto Show (Remailers, science and engineering)
On Wed, 27 Dec 2000, Bill Stewart wrote:

> > There's some hope. There was a workshop on "Design Issues in Anonymity and Unobservability" this past summer which brought people together to talk about these issues. The Info Hiding Workshops are still going strong. With luck, this year's IHW may have a paper on reputations in it...
>
> Cool. Are the proceedings on line anywhere? (Or is it only for people who know the secret keys...)

Uh, it just occurs to me that I may have misread you. The Design Issues in Anonymity and Unobservability is currently being turned into Springer-Verlag LNCS 2009. So the proceedings aren't online as a whole yet (indeed, we just submitted our final final draft two weeks ago). You can find a list of papers at http://www.icsi.berkeley.edu/~hannes/wsprogram.html

Our paper is at http://www.freehaven.net/doc/berk/freehaven-berk.ps and searching for authors' home pages or e-mail may reveal other papers.

-David
Re: That 70's Crypto Show (Remailers, science and engineering)
On Thu, 28 Dec 2000, Tim May wrote:

> At 3:56 AM -0500 12/28/00, dmolnar wrote:
>
> > I'm in the middle of composing a reply to Tim's message (which is getting bigger every time I sit down to finish it, ominously enough).
>
> Sounds good to me!
>
> > One of the points that has popped into my mind so far is that while we've had academic crypto research since the 80s, thanks to Rivest, Shamir, Adleman, Diffie, Hellman, and others willing to defy the NSA, we have _not_ had a similar tradition of commercial cryptography - or at least, not a tradition of companies obtaining money for cryptographic *protocols* as opposed to ciphers.
>
> Not enough energy by half has been focused on protocols.

I think there's probably a good set of programs to be written here. Basically, I'm thinking in terms of the old unix philosophy -- "A good program does exactly one thing, and does it well." If somebody designs a good set of command-line programs, which produce output usable by each other so that they can be piped together in useful ways on a unix command line, then protocols should be easy to implement as shell scripts.

But a proper building block would have to be scriptable from the word "go." You'd have to fix it so that anything it could do, at all, it could do "in a straight run". A command line, a command file, whatever. And you'd have to do it so your keys didn't wind up in unencrypted batch files. Maybe a reference to keys' locations in an encrypted file system would be what went on the command line.

Such energy as has been focused on protocols has been at the level of applications -- basically fixing them in source code so the users can't as easily pick them apart and stick them back together again different.

Hmmm. More later. Some ideas are percolating through my head but they're not very well developed.

Bear
Re: That 70's Crypto Show (Remailers, science and engineering)
Tim May wrote:

> In other words, it's time to get crypto out of the math and computer science departments and put it in the engineering departments where it belongs.

Tim's complained for a while that the cypherpunks meetings and discussions have declined in quality, partly because we've tended to rehash old material rather than doing new and interesting work, and partly because we've tended to have fewer talks on new stuff people are doing and more on some commercial business (maybe or maybe not run by cypherpunks) doing their product or non-technical talks by EFF lawyer types. While I'm not disagreeing with him here, I think a lot of this is _precisely_ related to the movement of crypto out of math and CS areas and into engineering. Mojo Nation, for example, is partly interesting because it's not just Yet Another Encrypted Music Sharing Product - it's mixing the crypto with economic models in ways that are intellectually complex, even if they're somewhat at the hand-waving level rather than highly precise.

At 02:42 AM 12/26/00 -0500, dmolnar wrote:

> There's some hope. There was a workshop on "Design Issues in Anonymity and Unobservability" this past summer which brought people together to talk about these issues. The Info Hiding Workshops are still going strong. With luck, this year's IHW may have a paper on reputations in it...

Cool. Are the proceedings on line anywhere? (Or is it only for people who know the secret keys...)

> On the other hand, we can oppose this to the fact that we have a bunch of remailers, and they seem to work. They may be unreliable, but no one seems to have used padding flaws to break a remailer, as far as we know.

Arrgh! Dave, just because nobody's known to have broken them doesn't mean that nobody's succeeded in breaking them (without us knowing they've succeeded), or that anybody's put serious effort into an attack.

The basic remailer network is known to be breakable by anybody doing a thorough eavesdropping attack, because you can learn a lot from message sizes. Mixmasters are much safer, because message sizes are constant (though message counts aren't), but it's not clear whether they're good enough, given a good attack. Pipenets are probably secure enough against most attacks, but they're annoying economically - not surprising that Zero Knowledge's initial service didn't fully implement them.

The reason remailers have been Good Enough so far is that as far as we know, nobody's had the motivation to do a proactive eavesdropping attack on them, or a proactive deployment of untrustworthy remailers; the attacks have either been after-the-fact attempts to get information that wasn't logged (they're strong enough for that, if run by trustable people on uncracked machines), or proactive attempts to close the remailers (many of those attacks have been successful.) Small numbers of remailers (there are typically about 20) aren't good enough to resist shutdown-forcing attacks. The cool thing about Zero Knowledge was that they had a business model they thought could get large numbers of service providers to support, which increases the security against loss of individual remailers as well as reducing the likelihood of an individual remailer shutting down.

Thanks!
Bill

Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
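The size property Bill credits to Mixmaster (message sizes constant, message counts not), shown as an added example that is not Mixmaster's code or its packet format: a constructed fixed-size framing that pads and fragments every message into 64-byte packets, so a passive eavesdropper comparing lengths sees one value, together with a reassembler that rejects malformed packets. The packet size, header layout and function names are assumptions made for this example.

```python
import os
import struct

# Constructed toy framing, not Mixmaster's real packet format: every packet
# on the wire is exactly PACKET_SIZE bytes. The real system uses far larger
# fixed-size packets and encrypts each one, so header and padding are not
# visible; here they are left in the clear so the size property itself is
# easy to inspect.
PACKET_SIZE = 64
HEADER = struct.Struct("!BBH")     # fragment index, fragment count, payload length
BODY = PACKET_SIZE - HEADER.size   # 60 bytes of payload capacity per packet


def fragment(message: bytes) -> list:
    """Split a message into fixed-size packets. Every body is filled to BODY
    bytes; whatever the payload does not use is random padding, so a short
    note and a long one look identical packet by packet."""
    chunks = [message[i:i + BODY] for i in range(0, len(message), BODY)] or [b""]
    if len(chunks) > 255:
        raise ValueError("message needs more fragments than an 8-bit count allows")
    packets = []
    for index, chunk in enumerate(chunks):
        padding = os.urandom(BODY - len(chunk))
        packets.append(HEADER.pack(index, len(chunks), len(chunk)) + chunk + padding)
    return packets


def reassemble(packets) -> bytes:
    """Rebuild one message from its packets in any order, rejecting malformed
    input (wrong size, inconsistent counts, out-of-range lengths, gaps)."""
    parts = {}
    total = None
    for packet in packets:
        if len(packet) != PACKET_SIZE:
            raise ValueError("packet is not the fixed size")
        index, count, length = HEADER.unpack_from(packet)
        if count == 0 or index >= count or length > BODY:
            raise ValueError("inconsistent fragment header")
        if total is None:
            total = count
        elif total != count:
            raise ValueError("fragments claim different totals")
        if index in parts:
            raise ValueError("duplicate fragment")
        parts[index] = packet[HEADER.size:HEADER.size + length]
    if total is None or len(parts) != total:
        raise ValueError("missing fragments")
    return b"".join(parts[i] for i in range(total))


def observed_sizes(items) -> set:
    """What a passive eavesdropper learns from lengths alone."""
    return {len(item) for item in items}


if __name__ == "__main__":
    short, long_ = b"yes", b"A" * 150
    # Unpadded: the sizes alone tell the two messages apart.
    print("raw sizes:", observed_sizes([short, long_]))
    # Fixed-size packets: sizes collapse to one value, but the count does not.
    packets = fragment(short) + fragment(long_)
    print("packet sizes:", observed_sizes(packets), "packet count:", len(packets))
```

Running it shows the residual channel Bill points at: the 150-byte message costs three packets where the 3-byte one costs one, so an observer who can count packets per sender still learns something even though every packet is the same size.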