On Tue, 11 Aug 1998, Vladimir Z. Nuri wrote:
> you will find most people here will disagree with you. cyberspace is very, very weak without crypto. when you think about it, 98% of cyberspace is the "stuff between the wires". the other 2% are the people on each end. now, crypto protects the 98%, but agreed, the 2% is still vulnerable.
I never said that the internet would be great without crypto. Crypto is needed. As long as we are quoting percentages, "87% of statistics is made up on the fly." Seriously, protecting the internet entails more than securing data transmission, as you imply. Explain to me the difference between having a broken web browser that is vulnerable to a buffer overflow attack, and a broken browser that implements snake-oil crypto? In both cases we need better programs on the user's end. The ends of the communication link define the communication itself. You can't protect the middle without modifying the ends.
Certainly, good crypto would plug up some holes but general internet technology is full of cracks. All the crypto in the universe won't stop a buffer overflow in your mail program, or 1000's of nested tags from crashing your browser in a DoS.
> this is nothing anyone cares about in the cyberspatial world.
You're right about that.. and that is _exactly_ the problem. As I see it, the primary function of the internet is to communicate, to exchange information. As such, any security we talk about is going to be information security. A secure information system not only keeps unauthorized users out, but it must insure that authorized users can get to the information when they need it. This means that DoS attacks are part of our security concerns, just as much as crypto is in keeping the transmission secret, and authorization is to keep unwanted people out of the loop.
> these are things that happen outside of cyberspace.
I'm not exactly sure what 'cyberspace' is, anyhow.. so I'm just going to ignore this. It sounds like you mean to tell me that the internet is just a bunch of wires.. that the only security issues the internet faces are in the area of data transmission. This is false. Encryption prevents eavesdropping, yes. This is the only area that NSA regulates. In reality, the internet faces other, more fundamental problems as well. The idea of using crypto to fix a problem such as TCP/IP hijacking is bizarre to me. This is not the optimal solution, and everyone knows it. It _is_ however, the best practical solution. Pure encryption (ie, confidentiality) is not needed for this. A MAC will suffice. Internet security runs far deeper than confidentiality.
> the bigtime issue is internet commerce, security of your mail. how about if someone reads your mail to steal your money?
In my opinion commerce over the internet is insane. Period. Let me say it again: commerce over the internet is insane. Even if Uncle Sam let us use any crypto we like with any key size, it is still insane. There are too many problems with the fundamental network structure. Confidentiality doesn't help us here. Let's be factual: NSA doesn't regulate authentication technology and most of what we need to fix these problems is secure authentication, not confidentiality. You brought up email. We have secure email: PGP. So does the rest of the world. Confidential email is available. Does NSA like it? They certainly don't like the theory. They probably don't like us using the algorithms. If, by "strong crypto" you mean any cryptographic technology used for authentication, confidentiality, or otherwise then I must agree with you. But no one regulates this.. they only regulate a subset of this. It happens to be a subset that I like, but it is not _the_ most vital thing needed for securing the internet. It is not necessarily even the most important thing for e-commerce.
> p.s.-- can you quote to me how many billions go to the nsa every year? and would you care to calculate how much of your own salary from your paycheck is sent to them? and you think you are getting your money's worth? rather than paying someone to hold you down?
This is irrelevant for me: I don't pay income tax. Even if I did, I can't say whether or not I am getting my money's worth, because I do not know what NSA is capable of. If NSA can factor 2048 bit numbers easily or other such things, then yes.. I would say I am getting my money's worth.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"..subordination of one sex to the other is wrong in itself, and now one of the chief hindrances to human improvement.."
John Stuart Mill "The Subjection of Women"