I'm writing something where part of the advice is "don't buy snake
oil crypto, get the good stuff".  By "good" I mean well-accepted
algorithms (not "proprietary for extra security!"), and protocols
that have received serious analysis.  I also want to exclude
too-short keys.

But -- honesty requires that I define the threat model.  We *know*
why NSA wanted short keys in the 1990s, but most folks are not being
targeted by <pick your favorite SIGINT agency>, and hence don't have
a major worry.

But where's the evidence of that claim?

For which claim?  That most folks aren't being targeted by major SIGINT
agencies?  I suspect that it's the converse that needs proving.

Is there a distinction being made here? How fine is it?

"Targeted" may imply that someone has your name on a finite sized list somewhere.

On the other hand, some percentage of your traffic (or metadata about it) is likely being intercepted, archived, and indexed for later searching. We know Google, Facebook, and every sleazy ad server network on the internet does this. We know Syria does this, their BlueCoat logs were uploaded the other day. We know the US government believes in warrantless wiretapping and has at least one wiring closet in US telcos.

We could call this "non-targeted surveillance". But given the searching and retrieval capabilities today (e.g., Palantir's glowing review in the WSJ the other day), is this still a useful distinction?

Just asking questions out loud here.

If you are a tech, aerospace, or military company in
the West, you should expect state-sponsored adversaries to rattle
your doorknobs on a regular basis.

Right.  And if you manufacture paper clips or sell real estate, you're
not in that category.

One would certainly think so.

But surely the Malaysian Agricultural Research and Development Institute did not realize it was painting a target on itself when some IT staffer requested the code signing flag be set on their cert request for anjungnet.mardi.gov.my.
( http://www.f-secure.com/weblog/archives/00002269.html )

I do note that none of the news stories about cyberattacks from China have
mentioned crypto.  Either it's not part of the attack -- my guess -- or
Someone doesn't want attention called to weak crypto.

With all the vulnerable Adobe client software out there they probably have more hack targets than they can possibly handle.

Funny, that one sounds to me like a failed model. This idea of keeping
secrets locked in a plastic box while simultaneously selling it to
millions of consumers has failed every time it has been tried.

I don't follow.  TI put a public key into their devices, and used the
private key to sign updates.

Yes that makes more sense then.

That's a perfectly valid way to use
digital signatures, even if I think their threat model was preposterous.
If they had used 1024-bit keys it wouldn't have been an issue.

Right, it likely would have fallen to some other issue.

If we can't get clarification, perhaps we can obtain some samples of the
malware and confirm it ourselves.

How?  Private keys are private keys; the fact that they exist somewhere
says nothing about how they were obtained.

The question remaining in my mind was: was this batch of signed malware found in the wild by F-Secure really signed with a set of exclusively 512 bit keys?

- Marsh
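A defender's check for the short-key question raised above (is a signing certificate's RSA modulus shorter than the size you'd accept, and is the cert trusted for code signing, as in the MARDI case?), written as an added example that is not from any of the posters. It uses only Go's standard library and builds a constructed self-signed certificate so it runs offline; the sample uses a 1024-bit key because current Go refuses to generate anything shorter, and the 2048-bit policy minimum is an assumed value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"slices"
	"time"
)

// Finding summarises one certificate's RSA key against a minimum modulus size.
type Finding struct {
	Bits        int  // RSA modulus length; 0 if the key is not RSA
	Weak        bool // Bits < minBits
	CodeSigning bool // the cert carries the code-signing EKU, as in the MARDI case
}

// CheckRSACert parses a DER certificate and reports whether its RSA key is
// shorter than minBits and whether it is trusted for code signing.
func CheckRSACert(der []byte, minBits int) (Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{CodeSigning: slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageCodeSigning)}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		f.Bits = pub.N.BitLen()
		f.Weak = f.Bits < minBits
	}
	return f, nil
}

// sampleCert builds a constructed (not real) self-signed code-signing
// certificate with an RSA key of the requested size, so the check runs offline.
func sampleCert(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits) // Go rejects bits < 1024
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

Run the check over each certificate in a signed binary's chain; a Weak finding together with CodeSigning is the case this thread is worried about.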
