Vlad "SATtva" Miller wrote:
Allen wrote on 31.01.2007 01:02:
I'll skip the rest of your excellent, and thought provoking post as it
is future and I'm looking at now.
From what you've written and other material I've read, it is clear that
even if the horizon isn't as short as five years, it is certainly
shorter than 70. Given that it appears what has to be done is the same
as the audio industry has had to do with 30 year old master tapes when
they discovered that the binder that held the oxide to the backing was
becoming gummy and shedding the music as the tape was playing -
reconstruct the data and re-encode it using more up to date technology.
I guess we will have grunt jobs for a long time to come. :)
I think you underestimate what Travis said about ensurance on a
long-term encrypted data. If an attacker can (and it is very likely) now
obtain your ciphertext encrypted with a scheme that isn't strong in
70-years perspective, he will be able to break the scheme in the future
when technology and science allows it, effectively compromising [part
of] your clients private data, despite your efforts to re-encrypt it
later with improved scheme.
The point is that encryption scheme for long-term secrets must be strong
from the beginning to the end of the data needed to stay secret.
Imagine this, if you will. You have a disk with encrypted data
and the key to decrypt it. You can take two paths that I can see:
1. Encrypt the old data and its key with the new, more robust,
encryption algorithm and key as you migrate it from the now aged
HD which is nearing the end of its lifespan. Then use the then
current disk wiping technology of choice to destroy the old data.
I think a blast furnace might be a great choice for a long time
to come.
2. Decrypt the data using the key and re-encrypt it with the new
algorithm using a new key, then migrate it to a new HD. Afterward
destroy the old drive/data by your favorite method at the time. I
still like the blast furnace as tool of choice.
Both approaches suffer from one defect in common - there is the
assumption that the old disk you have the data on is the only
copy in existence, clearly a *bad* idea if you should have a
catastrophic failure of the HD or other storage device, so then
it boils down to finding all known and unknown copies of the
encrypted data and securely destroying them as well. Not a safe
assumption as we know from looking at the history of papers dug
up hundreds of years after the original appears to be lost forever.
Approach 1 also suffers from the problem that we may not have the
software readily available waaay down the road to decrypt the
many layers of the onion. And that will surely bring tears to our
eyes.
Since we know that we can not protect against future developments
in cryptanalysis - just look at both linear and differential
analysis versus earlier tools - how do we create an algorithm
that is proof against the future? Frankly I don't think it is
possible and storing all those one-time pads is too much of a
headache, as well as risky, to bother with. So what do we do?
This is where I think we need to set our sights on "...good
enough given what we know now...." This does not mean sloppy
thinking, just that at some point you have done the best humanly
possible to assess and mitigate risks.
Anyone got better ideas?
Best,
Allen
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
