The following appears to be a bone fide case of a threat model in action against the PGP program.
Leaving aside commentary on the pros and cons within this example, there is a desparate lack of real experience in how crypto systems are attacked. IMHO, this leads to some rather poorly chosen engineering decisions that have shown themselves to stymie or halt the success of otherwise good crypto systems.
Does anyone know of a repository for real life attacks on crypto systems? Or are we stuck with theoretical and academic threats when building new systems?
iang
There is a lot of material from the World War II era (e.g Silk and Cyanide by Leo Marks) and the early cold war (e.g. http://www.nsa.gov/docs/venona/).
Government cryptographic successes are usually highly classified and kept that way for decades. There was one recent story about the FBI's apparent use of a keyboard logger to get a accused organized criminal's password. The latest U.S. Government wiretap report http://www.uscourts.gov/wiretap02/contents.html (they are now required to report on encryption incidents) says: "Encryption was reported to have been encountered in 16 wiretaps terminated in 2002 and in 18 wiretaps terminated in calendar year 2001 or earlier but reported for the first time in 2002; however in none of these case was encryption reported to have prevented law enforcement officials from obtaining the plain text of the communications intercepted." By comparison they reported 1358 intercepts authorized in 2002.
Arnold Reinhold
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
