At 10:15 AM -0700 5/30/08, Nelson B Bolyard wrote:
>Paul Hoffman wrote, On 2008-05-30 07:17:
>
>>  Adding strong locks to the front doors while the back doors still have
>>  weak locks is useless from a security standpoint.
>
>You seem to be arguing that no-one should bother to put locks on their
>doors while there remain some people who have no locks on their doors.

Sorry, that was not meant to be my argument. I was arguing that 
people who have weak locks on their doors should not bother 
upgrading some of the weak locks until they upgrade all of them.

>If we all lived in one house, and all our valuables were available to
>anyone who penetrated any door, that analogy would be apt.  But the
>information that Mallory actually gets from successfully attacking a
>connection (opening a door) is not the same for all connections.
>The information going over various connections is compartmentalized,
>analogous to separate items of value in separate houses with separate
>doors with separate locks of various strengths.

Mallory doesn't attack the public key of a CA to get access to a 
connection: he does it to be able to create certs as if he were the 
CA. You are arguing about the weakness of the key exchange in TLS, 
which does not rely on the length of the key of the CA.

>  > Mallory will always attack the weakest part of the system.
>
>There will always be people who refuse to take adequate security measures.
>They will always be fair game for Mallory.  The success of locks on doors
>is measured by how well they protect those who wish to use them and who do
>deploy them.

Quite right.

>Off hand, I can't think of a good physical analogy to the strange world
>of crypto-based security, in which our "locks" get weaker over time.
>Because physical locks do not tend to get weaker with time, people are
>not accustomed to upgrading their locks with time.  They tend to install
>one lock and forget it.

I think the analogy with "locks on houses" works if you think that 
crooks always get better at what they do. That is, the locks don't 
get inherently weaker, they get relatively weaker as the crooks get 
better.

>Here in this thread we hear Mozilla community members vocalizing their
>desire to make the world aware of the need to strengthen their locks,
>and to help prod the lock makers in that direction.

It is not "the world" who needs to strengthen their locks: it is the 
CA vendors. That is, Mallory is attacking the good name of Verisign 
by being able to create bogus certs that look like they are signed by 
Verisign because Mallory got Verisign's private key. Such an attack 
would also make Mozilla look bad because we approved the strength of 
Verisign's lock as sufficient for getting into our root pile, when we 
"should have known" that only stronger locks were good.

Again, I strongly strongly doubt that Mallory will try to break a 
1024-bit key for this attack, at least for 20 years or more. Instead, 
if an attack is ever mounted, he will simply make himself a trusted 
CA and use that ability to generate certs that people trust for 
identification in SSL. To date, the value of being able to create 
bogus certs is not worth the hassle of getting by Mozilla's and 
Microsoft's root pile entry barriers; maybe doing so will be worth more 
in the future. But it will essentially never be worth the effort to 
break a public key of 1024 bits (much less anything longer).
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
