CDR: Re: Lions and Tigers and Backdoors, oh, my...
Ray said: -- begin quote -- I do not buy the story that what happened to PGP was an accident; on the contrary, it was just NAI doing what they had to do to get approval to put it up for international downloads, the same as Lotus just did what it had to do. -- end quote -- I have to agree. The very existance of unhashed packets in the key structure is insecure. Given that unhashed packets were a design decision for V4 keys, and given that the PGP/NAI guys are arguably not bone-stupid, some coercion must have been brought to bear. BTW, Wells Fargo is happy with Netscape 4.08, but not 4.07. I had wondered why a 4.08 release was built so long after 4.5x was available. I guess now I know.
At 6:24 PM -0400 9/27/00, brflgnk@cotse.com wrote:
Ray said: -- begin quote -- I do not buy the story that what happened to PGP was an accident; on the contrary, it was just NAI doing what they had to do to get approval to put it up for international downloads, the same as Lotus just did what it had to do. -- end quote --
I have to agree. The very existance of unhashed packets in the key structure is insecure. Given that unhashed packets were a design decision for V4 keys, and given that the PGP/NAI guys are arguably not bone-stupid, some coercion must have been brought to bear.
BTW, Wells Fargo is happy with Netscape 4.08, but not 4.07. I had wondered why a 4.08 release was built so long after 4.5x was available. I guess now I know.
I can't speak to the truth or falsity or plausibility of some of the claims here, but there is a general point: modularization. There is no real reason for crypto to be built into complex products, at least not when those products are well-suited for handling text (and even files). If speech is in the form of ASCII (or even MIME) text, then end-to-end crypto can be done using fairly basic (and hence more easily verfied, audited, and tested by time) modules which are NOT PART OF THE MORE COMPLEX PRODUCT. To wit, who really cares whether Netscape 4.08 or 4.07 has crypto built in so long as a robust, non-trapdoored crypto program is available/ We lose a lot of the advantages of orthogonality (independent programs, modules) when we seek "all in one" solutions. And we make the job of the NSA and SDECE and GCHQ spooks a lot easier when we adopt all-in-one solutions. --Tim May -- ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, "Cyphernomicon" | black markets, collapse of governments.
At 06:48 PM 9/27/00 -0400, Tim May wrote:
There is no real reason for crypto to be built into complex products, at least not when those products are well-suited for handling text (and even files).
...
To wit, who really cares whether Netscape 4.08 or 4.07 has crypto built in so long as a robust, non-trapdoored crypto program is available/
We lose a lot of the advantages of orthogonality (independent programs, modules) when we seek "all in one" solutions. And we make the job of the NSA and SDECE and GCHQ spooks a lot easier when we adopt all-in-one solutions.
Yes but many potential users of crypto will not put up with too many extra actions, e.g., going to a command prompt, running pgp, opening the ciphered file, cutting and pasting. You can argue that, e.g., they should all be shot :-), but isn't the goal to get more traffic (even uninteresting traffic) encrypted? Modularity *is* useful for keeping things simple enough to analyze, but isn't a library with a well-defined API sufficient? [If your OS supports it, there might be slightly more decoupled ways (vs. linking) to talk to the crypto process, e.g., pipes, clipboards, rpc. Is this more in line with what you're thinking?] How would you modularize SSL? Distribute a proxylike program that an app talks to when it wants to go secure? How do you modularize PGPfone? PGPdisk? Even in a bloated integrated app, clean modular design can keep the analysis tractable. If the app talks to the crypto module, you'll likely have to trust the app whether the crypto is linked-in or whether it is an secure isolated process (after all, the app is capturing/rendering the plaintext..) It does create a single-point-of-failure if everyone uses the same library (or other independent 'module'), but on the other hand, everyone rolling their own is likely to introduce more fatal flaws. Curious what the alternatives are, dh
At 7:33 PM -0400 9/27/00, David Honig wrote:
It does create a single-point-of-failure if everyone uses the same library (or other independent 'module'), but on the other hand, everyone rolling their own is likely to introduce more fatal flaws.
Curious what the alternatives are,
I said nothing about "everyone rolling their own." --Tim May -- ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, "Cyphernomicon" | black markets, collapse of governments.
At 07:51 PM 9/27/00 -0400, Tim May wrote:
At 7:33 PM -0400 9/27/00, David Honig wrote:
It does create a single-point-of-failure if everyone uses the same library (or other independent 'module'), but on the other hand, everyone rolling their own is likely to introduce more fatal flaws.
Curious what the alternatives are,
I said nothing about "everyone rolling their own."
Yes, that was the most extreme contrast I could think of. A straw man. Obviously bad practice. What kind of modularity (not including linking a source-inspectable library) were you thinking of?
At 10:41 PM -0400 9/27/00, David Honig wrote:
At 07:51 PM 9/27/00 -0400, Tim May wrote:
At 7:33 PM -0400 9/27/00, David Honig wrote:
It does create a single-point-of-failure if everyone uses the same library (or other independent 'module'), but on the other hand, everyone rolling their own is likely to introduce more fatal flaws.
Curious what the alternatives are,
I said nothing about "everyone rolling their own."
Yes, that was the most extreme contrast I could think of. A straw man. Obviously bad practice.
What kind of modularity (not including linking a source-inspectable library) were you thinking of?
For example, receiving or sending text with PGP (of an early-enough vintage, or one which has been vetted extensively). Using clipboards, for example. This works for text, sending and receiving, and has the advantage that the crypto program is orthogonal to the browser, mail client, whatever. It works best for text, not so well for browsing, temporary connections, etc. (Though the basic idea is still valid, just much more complex to make work.) Most important "encrypted messages" fit this model of a browser/mailer transmitting _generalized text_, with a crypto program then turning this generalized text into something else. Regrettably, and as I predicted at several Cypherpunks meetings in '93 or so, the effect of "integrating crypto into apps" is to make analysis of the algorithms and possible trapdoors much more problematic. (I argued in '93-94 that the then-mania for "integrating crypto into PINE and Eudora" was misdirected, for reasons related to the above points.) This has nothing whatsoever to do with "everyone rolling their own." Quite the opposite, in fact. --Tim May -- ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, "Cyphernomicon" | black markets, collapse of governments.
Tim May wrote:
For example, receiving or sending text with PGP (of an early-enough vintage, or one which has been vetted extensively). Using clipboards, for example.
This works for text, sending and receiving, and has the advantage that the crypto program is orthogonal to the browser, mail client, whatever.
It works best for text, not so well for browsing, temporary connections, etc. (Though the basic idea is still valid, just much more complex to make work.)
Most important "encrypted messages" fit this model of a browser/mailer transmitting _generalized text_, with a crypto program then turning this generalized text into something else.
Regrettably, and as I predicted at several Cypherpunks meetings in '93 or so, the effect of "integrating crypto into apps" is to make analysis of the algorithms and possible trapdoors much more problematic.
(I argued in '93-94 that the then-mania for "integrating crypto into PINE and Eudora" was misdirected, for reasons related to the above points.)
Both Eudora, and (IIRC) pine *DO* use external applications for encryption/decryption/verification--or at least use "plugins" (in the case of Eudora) where the cryto functions are isolated.
This has nothing whatsoever to do with "everyone rolling their own." Quite the opposite, in fact.
-- A quote from Petro's Archives: ********************************************** Sometimes it is said that man can not be trusted with the government of himself. Can he, then, be trusted with the government of others? Or have we found angels in the forms of kings to govern him? Let history answer this question. -- Thomas Jefferson, 1st Inaugural
On Wed, 27 Sep 2000, David Honig wrote:
Modularity *is* useful for keeping things simple enough to analyze, but isn't a library with a well-defined API sufficient?
This sort of highlights how the current models of shared code fail. A good deal of modularity and independence of cryptography implementations (what Tim probably drives at with his comment of making life too easy for Three Letter Agencies) could be achieved with proper shared libraries with well thought out APIs. Only DLLs and alike aren't quite stable enough to be used for such heavy inter-vendor use. If they were, the massive single function apps could be implemented as lighter wrappers around them and modularity would be maintained, all without compromising ease of use. There would be security considerations in using someone else's library, yes, but a proper authentication architecture and/or open source development could be used to alleviate those. Too bad M$ does not place a lot of weight on such design considerations, instead pushing its own centralized model. Sampo Syreeni <decoy@iki.fi>, aka decoy, student/math/Helsinki university
participants (5)
-
brflgnk@cotse.com -
David Honig -
petro -
Sampo A Syreeni -
Tim May