"The State of Crypto" and simple use protocols
From: RDJ (r_at_d.j)
Date: 12/18/03
- Next message: DJohn37050: "Re: RSA vs DH"
- Previous message: David Wagner: "Re: CryptoPhone source and CryptoPhone for Windows released"
- Next in thread: Tim Smith: "Re: "The State of Crypto" and simple use protocols"
- Reply: Tim Smith: "Re: "The State of Crypto" and simple use protocols"
- Reply: John Savard: "Re: "The State of Crypto" and simple use protocols"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Dec 2003 12:34:00 -0500 (EST)
I recently saw Adi Shamir give a 50,000 ft. view of "The State of Crypto" today. His assessment was that the crypto community is doing pretty well: we have solid mathematical foundations for much of the field, with stream ciphers being the only area where he thinks the intelligence community is far ahead. This seems accurate; 3DES and DH PKC have more-or-less withstood three decades of cryptanalysis in the open literature, and even quantum computing won't radically alter the status quo, as Chaitin pointed out recently while giving his opinion that P!=NP.
This in mind, the main problem is safely using the crypto. The infinite variety of ways to subvert everything outside the cryptosystem means that we should find a simple method of transferring files that requires only reasonable assumptions, minimally that you can find two tamper-free commodity computers with ethernet and CD-ROM & floppy drives, and that the most widely analyzed software implementations we need (OpenSSH and PGP) are crypto-safe with their default settings. Given that, how does this sound:
first use protocol:
1. insert config floppy, boot from CD-ROM, unplugged from ethernet.
2. configure IP info, generate server host keys.
3. save configuration to config floppy1, remove.
4. insert local user key floppy, generate local user crypto keys, save to floppy2, remove.
second use protocol:
1. insert config floppy, boot from CD-ROM, unplugged from ethernet.
--server boots, configures IP info & host keys from floppy1
2. remove config floppy
3. take incoming connection, receive remote user public key, save to floppy3, remove floppy.
reuse protocol:
1. insert config floppy, boot from CD-ROM, unplugged from ethernet.
--server boots, configures IP info & host keys from floppy1
2. remove config floppy, insert remote user public key floppy3, install key, remove floppy.
3. plug into ethernet, take incoming connection, authenticate with remote user public key, receive encrypted files.
4. unplug from ethernet, copy received files to floppy4.
5. insert local key floppy2, install key, remove floppy.
6. decrypt, etc.
The reason for all of these separate floppies is that software seems much less trustworthy than crypto right now. Set floppies 1, 2 and 3 read-only after first write, combine with a CD-ROM boot, be careful about when you're plugged into ethernet, and it seems to me that you've greatly minimized your risk, excepting a tampered BIOS/floppy drive/hardware keystroke logger/other exotica. I think these protocols minimize the risk that anyone will steal or damage your key material or decrypted material using this system, with a few caveats.
For instance, at reuse step 4, if your copy utility were vulnerable (not so far-fetched if you remember past problems with e.g. tar & cpio) and you were using the same disk to store all of your received files, it could put you at risk of losing previously received files.
Beyond that, I don't see any other obvious problems, except possibly an over-reliance on PKC. It might be useful to assume the ability to pre-share keys (incidentally, in the above protocols I'm assuming that you've taken the necessary step of confirming the host and remote public keys out-of-band) and then use those keys to encrypt the transferred files. Additionally, there is the possibility of losing your host keys if someone utilizes the window of time open while you're transferring files to break in. This would make only the encrypted material available, so it shouldn't be a serious problem.
I'd appreciate any comments or objections.
RDJ
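The post relies on the remote user's public key being confirmed out-of-band before it is installed from floppy3 (reuse protocol, step 2). The following is an added example, not code from the post or from OpenSSH, of the check the receiving side would run on the key line before installing it: it assumes the key arrives in OpenSSH authorized_keys format (`<type> <base64 blob> [comment]`), verifies the blob is well-formed and consistent with its declared type, refuses lines that carry options, and compares the SHA256 fingerprint to the value confirmed out-of-band. The sample key and the ALLOWED_TYPES set are constructed for the example.

```python
import base64
import hashlib
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa"}  # types we are willing to install (assumption)

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end

def parse_public_key_line(line):
    """Return (key_type, blob, comment) for a '<type> <base64> [comment]' line.
    A leading options field (command="..." etc.) shows up as an unknown type and
    is rejected: a key received from the remote side must not carry options."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unexpected key type %r" % key_type)
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    inner_type, _ = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("declared type does not match the encoded type")
    return key_type, blob, comment

def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def safe_to_install(line, expected_fingerprint):
    """True only if the line parses cleanly and matches the fingerprint confirmed out-of-band."""
    try:
        _, blob, _ = parse_public_key_line(line)
    except ValueError:
        return False
    return fingerprint_sha256(blob) == expected_fingerprint

# Constructed sample: 32 arbitrary bytes standing in for an ed25519 point, wrapped in
# SSH wire format. Test data only, not a real key.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
_b64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LINE = "ssh-ed25519 " + _b64 + " remote-user"
MISMATCH_LINE = "ssh-rsa " + _b64 + " remote-user"  # declared type lies about the blob
OPTIONS_LINE = 'command="/bin/sh" ' + SAMPLE_LINE   # options smuggled ahead of the key
```

Only a line for which `safe_to_install` returns True should be appended to authorized_keys at reuse step 2; the fingerprint argument is the value read back over the out-of-band channel.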