Re: A proposal for secure videoconferencing and videomessaging over the Internet

2000-07-28 Thread R. Hirschfeld

> Date: Fri, 28 Jul 2000 07:35:42 -0700
> From: "James A. Donald" <[EMAIL PROTECTED]>

> "Provably secure" is a word applicable to cyphers, not protocols.  To use 
> it in reference to a protocol is nonsense gibberish.

No, it is just more difficult to establish for protocols than for
primitives because there are more possible attacks to consider.

> When we discuss a protocol, we normally take for granted that the cyphers 
> are strong, irrespective of whether they are provably secure or not.

In fact the ciphers most commonly used in practice have not been
proved secure.  (A widespread misconception is that breaking RSA is as
hard as factoring, which may be true but has not been proved.)

> One can prove that cracking a cypher is as hard as cracking some well known 
> mathematical problem.
> 
> What, however, does it mean to say that a protocol is provably secure?  A 
> protocol is not a cypher, though it uses well known cyphers.

It usually means essentially the same thing, namely that one can prove
that a successful attack on the protocol yields a solution to an
assumed-hard problem.  (Such a proof must establish that all possible
protocol attacks have been taken into account.)  It can also refer to
a complexity-theoretic or information-theoretic analysis of the
protocol relative to an appropriate adversarial model.

There are also formal methods that address the security of protocols,
e.g. BAN logic.  I don't know too much about that stuff except that it
is usually possible to find insecure protocols that pass the tests, so
the techniques are more useful for finding weaknesses in protocols
than for providing convincing proofs of security.
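Added note, not part of the message above: the reduction-style meaning of
"provably secure" for a protocol P relative to an assumed-hard problem Pi,
written in the concrete-security form, is

$$
\mathrm{Adv}^{P}(A) \;\le\; c \cdot \mathrm{Adv}^{\Pi}(B_A),
\qquad
\mathrm{time}(B_A) \;\le\; \mathrm{time}(A) + \mathrm{poly}(q)
$$

where $A$ is any adversary allowed by the stated model (which is what pins
down "all possible protocol attacks": how many sessions $q$ it may open,
which messages it may intercept, inject or replay), $B_A$ is the reduction
that turns $A$'s success into a solution of $\Pi$, and $c$ is a loss factor
the proof must make explicit. The guarantee is only as wide as the model:
an attack the model does not express (an unmodelled message type, parallel
sessions the model excludes, reuse of a key across roles) is simply not
covered, which is the gap that lets an insecure protocol pass an analysis
of the kind criticized above.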





Re: A proposal for secure videoconferencing and videomessaging over the Internet

2000-07-28 Thread Derek Atkins

Actually, no, you can apply "provably secure" to a protocol as well.
Granted, it is usually applied to cryptographic protocols, but that
is still a protocol, not a cryptosystem.  Indeed, one could attempt
to apply "provably secure" techniques to protocols such as Kerberos,
or, in the case of the original post, secure multicast.

I'd still like to see the proof of security, but it's a perfectly
reasonable goal.

-derek

"James A. Donald" <[EMAIL PROTECTED]> writes:

>  --
> James A. Donald:
>  > > I do not understand what is meant by "provably secure"
> 
> At 09:57 AM 7/28/2000 -0400, Rich Salz wrote
>  > An unfortunate admission for a would-be cryptographer.
> 
> It should have been obvious from the context that you deleted that I was 
> criticizing the use of the word to refer to protocol.
> 
> Multicast is a protocol, not a cypher.  It may well use provably secure 
> cyphers, but that does not make multicast provably secure.
> 
> "Provably secure" is a word applicable to cyphers, not protocols.  To use 
> it in reference to a protocol is nonsense gibberish.
> 
> "Provably secure" means that breaking a cypher is as hard as cracking the 
> underlying one way transformation", which is usually true, and not very 
> interesting, since cypher weakness is separate from protocol 
> weakness.  Cyphers are almost always stronger than protocols, and protocols 
> seldom attacked through their cyphers.
> 
> When we discuss a protocol, we normally take for granted that the cyphers 
> are strong, irrespective of whether they are provably secure or not.
> 
> One can prove that cracking a cypher is as hard as cracking some well known 
> mathematical problem.
> 
> What, however, does it mean to say that a protocol is provably secure?  A 
> protocol is not a cypher, though it uses well known cyphers.
> 
> For example the problem with Verisign is not any weakness in the cyphers, 
> but a weakness in determining true names.
> 
>  --digsig
>   James A. Donald
>   6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>   f/wePiA4NUqV4TnDEAk3SMnTITqtbXlOE+0v1m/3
>   4r58BUE6S1/oWtoWDbs9VJxhGz07D0ZA1WMhIvFuB
> 
> 

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/  PP-ASEL  N1NWH
   [EMAIL PROTECTED]    PGP key available




Re: A proposal for secure videoconferencing and videomessaging over the Internet

2000-07-28 Thread James A. Donald

 --
James A. Donald:
 > > I do not understand what is meant by "provably secure"

At 09:57 AM 7/28/2000 -0400, Rich Salz wrote
 > An unfortunate admission for a would-be cryptographer.

It should have been obvious from the context that you deleted that I was 
criticizing the use of the word to refer to protocol.

Multicast is a protocol, not a cypher.  It may well use provably secure 
cyphers, but that does not make multicast provably secure.

"Provably secure" is a word applicable to cyphers, not protocols.  To use 
it in reference to a protocol is nonsense gibberish.

"Provably secure" means that breaking a cypher is as hard as cracking the 
underlying one way transformation", which is usually true, and not very 
interesting, since cypher weakness is separate from protocol 
weakness.  Cyphers are almost always stronger than protocols, and protocols 
seldom attacked through their cyphers.

When we discuss a protocol, we normally take for granted that the cyphers 
are strong, irrespective of whether they are provably secure or not.

One can prove that cracking a cypher is as hard as cracking some well known 
mathematical problem.

What, however, does it mean to say that a protocol is provably secure?  A 
protocol is not a cypher, though it uses well known cyphers.

For example the problem with Verisign is not any weakness in the cyphers, 
but a weakness in determining true names.

 --digsig
  James A. Donald
  6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
  f/wePiA4NUqV4TnDEAk3SMnTITqtbXlOE+0v1m/3
  4r58BUE6S1/oWtoWDbs9VJxhGz07D0ZA1WMhIvFuB
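Added example, written for this page and not taken from any message in the
thread: a concrete case of the point made in the message above (protocols are
seldom attacked through their cyphers) and in R. Hirschfeld's reply (an
analysis can pass a protocol that is still insecure). The primitive,
HMAC-SHA256, is never attacked. The weak protocol below answers a challenge
with MAC(K, nonce) and is broken by a reflection attack; the fixed variant
binds the responder's and initiator's names into the MAC. The party names,
the shared key, the message layout and the attacker's moves are all
constructed for illustration.

```python
"""Reflection attack on a challenge-response protocol whose MAC is unbroken.

Added illustration; names, key and message format are constructed."""
import hashlib
import hmac
import os

# Constructed symmetric key that Alice and Bob share (the attacker, Mallory,
# never learns it and never needs to).
KEY = b"shared-secret-between-Alice-and-Bob"


def mac(key: bytes, msg: bytes) -> bytes:
    """The primitive. Assumed strong; nothing below exploits it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class Party:
    """Honest participant that can both issue and answer challenges.

    bind_roles=False: answer is MAC(K, nonce), the same bytes whichever side
                      computes them (weak protocol).
    bind_roles=True:  answer is MAC(K, "resp:" responder "|" initiator "|" nonce),
                      so Bob's answer as responder can never pass as an answer
                      sent *to* Bob (fixed protocol).
    """

    def __init__(self, name: str, key: bytes, bind_roles: bool = False):
        self.name = name
        self.key = key
        self.bind_roles = bind_roles
        self.pending: dict[bytes, str] = {}  # nonce -> claimed name of the peer

    def challenge(self, peer: str) -> bytes:
        """Initiator side: issue a fresh nonce to the peer who wants to authenticate."""
        nonce = os.urandom(16)
        self.pending[nonce] = peer
        return nonce

    def _message(self, responder: str, initiator: str, nonce: bytes) -> bytes:
        if self.bind_roles:
            return b"resp:" + responder.encode() + b"|" + initiator.encode() + b"|" + nonce
        return nonce

    def respond(self, peer: str, nonce: bytes) -> bytes:
        """Responder side: prove knowledge of K for a challenge sent by peer."""
        return mac(self.key, self._message(self.name, peer, nonce))

    def verify(self, peer: str, nonce: bytes, tag: bytes) -> bool:
        """Initiator side: accept the peer only for a nonce we issued to that peer."""
        if self.pending.pop(nonce, None) != peer:
            return False
        expected = mac(self.key, self._message(peer, self.name, nonce))
        return hmac.compare_digest(expected, tag)


def honest_run(bind_roles: bool) -> bool:
    """Alice authenticates to Bob; both variants should accept."""
    alice = Party("Alice", KEY, bind_roles)
    bob = Party("Bob", KEY, bind_roles)
    nonce = bob.challenge("Alice")
    tag = alice.respond("Bob", nonce)
    return bob.verify("Alice", nonce, tag)


def reflection_attack(bind_roles: bool) -> bool:
    """Mallory, holding no key, tries to authenticate to Bob as Alice.

    Returns True when Bob wrongly accepts. The only MAC computed is Bob's own,
    produced honestly with the real key; the cipher is not touched.
    """
    bob = Party("Bob", KEY, bind_roles)
    # Session 1: Mallory claims to be Alice; Bob issues a nonce.
    nonce = bob.challenge("Alice")
    # Session 2: Mallory, again as "Alice", challenges Bob with that same nonce.
    # Bob, acting as responder, answers it with the real key.
    reflected = bob.respond("Alice", nonce)
    # Session 1: Mallory sends Bob's own answer back as hers.
    return bob.verify("Alice", nonce, reflected)


if __name__ == "__main__":
    print("honest run, weak protocol: ", honest_run(False))        # True
    print("honest run, fixed protocol:", honest_run(True))         # True
    print("reflection, weak protocol: ", reflection_attack(False))  # True  (Bob fooled)
    print("reflection, fixed protocol:", reflection_attack(True))   # False (rejected)
```

The weak variant would satisfy a check of the form "the responder proves
possession of K for a fresh nonce", since the tag Bob receives really was
computed with K over a nonce Bob freshly issued; what the check does not
express is who computed it and in which role. Binding the roles into the MAC
closes this particular hole; a deployment would also use separate keys per
direction and a transcript rather than a bare nonce, which the example omits
to keep the comparison sharp.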





Re: A proposal for secure videoconferencing and videomessaging over the Internet

2000-07-28 Thread Rich Salz

> I do not understand what is meant by "provably secure".

An unfortunate admission for a would-be cryptographer.  For what it's
worth, this is a mark against your credibility and might mean that fewer
real crypto types will look at your work.  (And no, I don't qualify as a
crypto type.)
/r$