Cryptography as a component of security

2003-11-13 Thread Russell Nelson 
I listened to yet another talk on computer security, which
incorporated security.  It got me to thinking two things:

  o Pseudo-random implies pseudo security.

If you're re-keying by running the old key through a pseudo-random
function without adding any new entropy, then you're not re-keying at
all.

  o Security is not an absolute value.  It only makes sense as a
relative value.

You cannot say that a system is secure.  You can only say that it is
secure against a certain threat.  It's quite reasonable to say that
GPG using a 2048-bit key is secure against all known attacks today.
You've defined the threat (all known attacks today) and the type of
cryptography.  Any kind of claim of security, without defining what
the expected attacks the system will withstand, are *inherently* snake
oil.

Let me say this again in the strongest possible terms: even if you are
using industry-standard cryptography (e.g. RSA, Triple-DES, AES, etc),
and yet you do not define your threat, then any claims that your
system is secure are claims about snake oil.

Maybe I'm preaching to the converted, but apparently you can get a PhD
and apply for funding without understanding these issues.

-- 
--My blog is at angry-economist.russnelson.com  | Can I recommend python?
Crynwr sells support for free software  | PGPok | Just a thought.
521 Pleasant Valley Rd. | +1 315 268 1925 voice | -Dr. Jamey Hicks
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | 

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Cryptography as a component of security

2003-11-13 Thread Jerrold Leichter 
| I listened to yet another talk on computer security, which
| incorporated security.  It got me to thinking two things:
|
|   o Pseudo-random implies pseudo security.
|
| If you're re-keying by running the old key through a pseudo-random
| function without adding any new entropy, then you're not re-keying at
| all.
That's not true.  Consider a stream cipher:  It stretches your original key
into a much longer stream.  By your argument, as soon as there is sufficient
generated stream to uniquely determine the key, no additional entropy is being
introduced, so all the rest is pseudo-security!  But in fact the unicity point
must be reached very quickly, or the generated stream would be too *indepen-
dent* of the key, and an attacker could guess most of the stream without even
knowing the key.

Or consider the following construct:  Suppose we have two encryption functions
E1 and E2, E1 is very fast, but breakable - there is an attack of concern to
us that becomes viable after an attacker has seen (or been able to partially
specify, if you want to think about chosen plaintext attacks) N plaintext/
ciphertext pairs.  E2 is slow, but we consider it to be secure against the
attacks of concern.  To encrypt the stream of plaintext P_i to ciphertext C_i,
do:

K - Master key
Choose n  N
for i = 0, 1, ...
// Begin new segment
SK_i - E2(K,i)
for j = 0 .. n-1
C_{n*i + j} = E1(SK_i,P_{n*i + j})

Even if an attacker breaks into a number of segments and gets those S_i's
(which, BTW, is an assumption about the form of the attack:  Some attacks
reveal the plaintext without revealing the key), what he's left with is a set
of plaintext/ciphertext pairs with which he now has to attack E2 - which is
assumed to be difficult.  (Even worse for the attacker, even if he could mount
a chosen ciphertext attack against E1, he has no control over the plaintexts
fed into E2.)

Note that we assumed E2 was actually very strong.  But even if we assume E2
has the same effective strength as E1 - it can be broken after seeing N
plaintext/ciphertext pairs - then the security guarantees (such as they are;
one would have to be more precise about the nature of attackable after N
pairs are seen vulnerability) are pretty much the same until about N^2
plaintext/ciphertext pairs have been sent.
-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]