[IP] more on on crypto systems from CTO PGP

To: ip@xxxxxxxxxxxxxx
Subject: [IP] more on on crypto systems from CTO PGP
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 10 Jul 2006 12:39:17 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <a06210203c0d7e5eb2882@[128.240.148.85]>
Reply-to: dave@xxxxxxxxxx



Begin forwarded message:

From: Brian Randell <Brian.Randell@xxxxxxxxx>
Date: July 10, 2006 7:31:12 AM EDT
To: Jon Callas <jon@xxxxxxx>
Cc: dave@xxxxxxxxxx
Subject: Re: [IP] on crypto systems from CTO PGP

Hi Jon:

I'm pleased  you responded to my humour so informatively - many thanks.

I have no expertise in cryptology - which probably aided my gettingpartial permission from the UK Government to investigate and (in avery limited way) document the Colossus project back in the 1970s.However, my comment was I'm sure prompted by the fact that I've justfinished reading the two recently published books that at lastprovide what seems likely to be almost the whole story of theColossus. Amongst many other things these reveal in detail howBletchley Park's initial breaking of the Lorenz teleprinter (Fish)cipher was due to just one mistake by one German cipher clerk!

(Incidentally, I recall how years ago when the late Donald Daviesgave a lecture here on the DES chip I brought the ensuing discussionover its likely strength to a screeching halt by saying: "I hope sometime in the future to obtain a DES chip to sit alongside my Enigma,since I fear that both by then will have become famous because of theimportance of the messages that they failed to protect!" :-)

But none of the above is intended as in any way to challenge yourcomments, for which again my thanks.


Cheers

Brian

Begin forwarded message:

From:
Date: July 9, 2006 5:56:15 PM EDT
To: dave@xxxxxxxxxx
Cc: Jon Callas <jon@xxxxxxx>
Subject: Re: [IP] more on FBI plans new Net-tapping push

Brian Randell said:
Just because the government *claims* it can't break a givencode ... :-)
I realize that there was a smiley face at the end of this, and Imight be showing humorlessness about this, but this concerns myprofession in general, and my software in particular. Consequently,I have no choice but to comment on this remark.
Modern cryptographic systems are essentially unbreakable,particularly if an adversary is restricted to intercepts. We haveargued for, designed, and built systems with 128 bits of securityprecisely because they are essentially unbreakable. It is very easyto underestimate the power of exponentials. 2^128 is a very bignumber. Burt Kaliski first came up with this characterization, andif he had a nickel for every time I tell it, he could buy a latteor three.
Imagine a computer that is the size of a grain of sand that cantest keys against some encrypted data. Also imagine that it cantest a key in the amount of time it takes light to cross it. Thenconsider a cluster of these computers, so many that if you coveredthe earth with them, they would cover the whole planet to theheight of 1 meter. The cluster of computers would crack a 128-bitkey on average in 1,000 years.
If you want to brute-force a key, it literally takes a planet-fulof computers. And of course, there are always 256-bit keys, if youworry about the possibility that government has a spare planet thatthey want to devote to key-cracking.
Now of course, there are other ways to break the system.
They could know something we don't. They could know somefundamental truth about mathematics (like how to factor reallyfast), some effective form of symmetric cryptanalysis, or somethingelse. They could know about quantum computers, DNA computers,systems based upon non-Einsteinian physics, and so on. Yes, it'spossible. But this quickly gets into true paranoid thought. Thereisn't a lot of difference between the *presumption* that they havesuch things and the presumption that they have aliens in a vault inNevada. It isn't falsifiable. It gets irrational quickly. Theevidence that we have about this suggests quite the opposite, butmore on that later.
They could have something we don't. For example, they could knowabout software flaws in my or other people's computer systems. Yes,that's possible, too. At PGP Corporation, we guard against this bymaking our software available to people for their examination.Approximately 2,000 people per month do that. If you want to be oneof them, go to <http://www.pgp.com/downloads/> and look at ityourself. While you're at it, take a look at our quality assuranceletter at <http://www.pgp.com/company/pgpassurance.html>.
They could be hacking people's systems. This is a much morereasonable worry. If I were going to be doing this, it's what Iwould do. The state of computer operational security is such thatit makes much more sense to invest time, money, and effort intorootkits than into cryptanalysis.
However, there are things that we know that they *are* doing. Oneof them is relevant to this particular case. That is work oncracking the passphrases that people use to protect their keys. Thecryptography we're using is itself uncrackable, but about 2/3 ofthe people in the world use a password (not even a passphrase) thatdirectly relates to a pet or loved one. The order of frequencyseems to be pets (living or dead), then children, then ex-loves. Weknow that at least one government has a password cracker that isbased upon building a psychometric model of person who owns the keyand constructing passphrases on that model. If you're a Hollywoodprivate eye and they seize your computer and find on it that you'rea basketball fan from your browser cache, then "Lak3rz 4 Teh w1n!"is actually a very bad passphrase. Don't blame me when they find itin about two minutes.
It isn't just government that does this, either. Companies such asAccess Data and Elcomsoft have distributed password crackers. Thesethings aren't hacking the crypto, they're hacking the mind usingthe crypto. My old friend and colleague, Drew Gross, who is aforensics expert, has said, "I love crypto; it tells me what partof the system not to bother attacking."
The last bit of evidence we have that suggests that they can'tbreak the crypto is that they are apparently devoting a lot ofeffort to traffic analysis. Look at what we've learned in the lastfew months. Listening for keywords is so twentieth century. They'relooking at call patterns, message flow, and so on. I could go onabout this for a long time, but it's a tangent from this. If you'reinterested in more, I am going to be leading a panel at Defcon thisAugust on traffic analysis. Come liven up the discussion.
        Jon

--
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d


--
School of Computing Science, Newcastle University, Newcastle upon Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell@xxxxxxxxx   PHONE = +44 191 222 7923
FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/~brian.randell/


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on on crypto systems from CTO PGP
Next by Date: [IP] Judge Orders Review of Telecom Mergers
Previous by thread: [IP] more on on crypto systems from CTO PGP
Next by thread: [IP] Judge Orders Review of Telecom Mergers
Index(es):
- Date
- Thread