
At 08:40 AM 06/03/2003 -0400, Ian Grigg wrote:
Eric Rescorla wrote:
Ian Grigg <iang@systemics.com> writes:
....
I don't think this is likely to be true. In my experience, people who learn enough to design their own thing also learn enough to be able to do SSL properly.
True, although that begs the question as to how they learn. Only by doing, I'd say. I think one learns a lot more from making mistakes and building one's own attempt than from following the words of the wise.
The catch, of course, is that most cryptosystems are only useful if they're widely deployed. Learning from mistakes is good, but endangering large numbers of users in the process is bad. By contrast, learning cryptanalysis doesn't have this weakness - if you can't crack somebody else's code, no problem (with obvious exceptions for people who need to learn cryptanalysis quickly in wartime or whatever, or undertrained cryptanalysts who are hired by people who are learning cryptography by making mistakes...).
WEP for example is perfectly fine, unless you are attacked by a guy with a WEP cracking kit! Then it's a perfectly lousy cryptosubsystem.
Even ROT-13's not too bad unless somebody tries to crack it, though some people who've spent way too much time with it can just read the stuff by recognizing it as an alternate font :-)

Somebody else followed up by mentioning that, while GSM's privacy encryption is cracked, their authentication encryption isn't, and they aren't getting massively attacked. I thought the state of the art at this point was that the authentication is also crackable, but it's currently enough work that nobody's or almost nobody's bothering, because governments can get what they want by telling phone companies to give them the information, and regular criminals can get the equivalent of cracking GSM authentication by stealing mobile phones more easily than by hiring cryptanalysts, and, unlike satellite TV smartcard cracking, nobody's figured out any potential market opportunities for widespread cracked GSM.