CDR: Re: Rijndael & Hitachi
"Steven M. Bellovin" <smb@research.att.com> writes:
Precisely. What is the *real* threat model?
History does indeed show that believed-secure ciphers may not be, and that we do indeed need a safety margin. But history shows even more strongly that there are many better ways to the plaintext, and that's the real goal.
Why try to pick a Medeco when it's locking a glass door? :-)
-derek
PS: This isn't a hypothetical; I visited a friend's parents a number of years ago, and noticed that their front door, all glass (with nothing behind it) was locked using a Medeco lock. For those who don't know, a Medeco is a top-of-the-line lock, practically impossible to pick, drill out, etc.
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
"Steven M. Bellovin" <smb@research.att.com> writes:
Precisely. What is the *real* threat model?
History does indeed show that believed-secure ciphers may not be, and that we do indeed need a safety margin. But history shows even more strongly that there are many better ways to the plaintext, and that's the real goal.
Ciphers are components of security systems, not complete security systems. How best to improve a component is a legitimate engineering question even if there is reason to believe they will often be misapplied. At present there is no serious threat to 3DES, so why did we bother with the whole AES exercise?
[Look at the benchmarks? --Perry]
Anyway, I think there is an interesting theoretical question here: Design a cipher algorithm P that assumes as primitives 5 ciphers, C1, ..., C5 (or more generally N ciphers for odd N > 1) with the same block size and key length. P is to have the same block size and key length as the Ci and is to be provably secure against chosen plaintext attacks even under the following conditions:
1. One of the Ci is a strong cipher (i.e. there is no attack faster than trying all the keys)
2. An attacker gets to supply the other four Ci, subject to the condition that they be cipher like: i.e. they must be bijections between the input and output domains, the bijection is the same if the key value is the same and there are no extra outputs.
3. The attacker knows the details of the secure algorithm.
P should be as simple as possible and not employ any additional cryptographic primitives (e.g. hashes, S-boxes or special constants).
Derek Atkins adds:
Why try to pick a Medeco when it's locking a glass door? :-)
The fact that some people put Medeco's in glass doors, doesn't mean Medeco should never develop a better lock.
Arnold Reinhold
On Wed, 11 Oct 2000, Arnold G. Reinhold wrote:
The fact that some people put Medeco's in glass doors, doesn't mean Medeco should never develop a better lock.
I don't have a problem with people who manufacture locks. I have a problem with the people who sell them.
A sign of irrational fear is when the thing that is the *symbol* of security -- in this case the lock, or the cipher, is made very strong -- but used in a way that does not afford good *actual* security.
If the fear of being burgled weren't at least partly irrational, meaning if it were based mostly on experience rather than mostly on fear -- we'd be seeing doors with half-inch thick steel plates in them to provide the same level of security as the medeco lock -- and reinforced concrete walls to provide the same level of security as the door.
Ditto ciphers. A strong cipher is like that Medeco lock, or even better - but if the "door" is a dumb key management policy, or the key is easily guessable, then what has been gained?
Because what is a lock, really? It makes it harder to get in *without breaking anything*. But actual burglars could really care less whether they break some of your stuff -- provided it's stuff they can't steal. So if actual burglars were as common as the people who sell these fancy locks tend to make out in their sales pitches, most folks would know, from experience, that burglars who break a window or a door are far more common than burglars who pick a lock -- and would be demanding *actual* security, meaning windows, doors and walls made of unbreakable stuff, rather than just *symbolic* security, of a strong lock or a strong cipher.
If you want to propose a "Paranoid Encryption Standard", IE, a system for people who actually *DO* expect people to spend several million bucks and hundreds of man-years and thousands of CPU-years trying to break it, then it's going to have to encompass a hell of a lot more than ciphers. Start with physical machine security -- put the box in a concrete bunker with armed guards, give it a flat-panel monitor and roll your own drivers and video hardware. Stick a thermite grenade with a photosensitive fuse in the hard drive box. Make a continuous circuit through all the case components, that will detect anybody taking the case off, and blow the HD if the circuit's broken. Do a couple dozen other things along this line, and you'll have the physical security thing covered about as well as your cipher protects the data.
But you're not through yet -- you've got the lock and the door, but burglars can still come in through the windows and the walls. You've got to do some real serious data security as well.
First of all, nothing unencrypted is EVER written to the hard drive except a bootstrap loader that prompts for a cipher key. When it gets the cipher key, it reads and attempts to unencrypt the rest of the boot record.
There is NO swap partition, and no swapping OS is to be used.
The system computes a new cipher key every day using a cryptographically strong random number generator, and notifies you of it in a pencil-and-paper cipher that you can solve. (on high-entropy binary data, pencil-and-paper ciphers are actually quite strong) That's the key you would need to use the following day. If you don't log on for one day, you will not have the key for the following day, period. Thus, if someone seizes your box and you can hold out for *one* day, the data is GONE.
But the burglars can still come in, maybe, through the roof.
So just to make sure of it, put a timer in there that blows the HD if it's ever been more than 24 hours since you were last logged on.
*There's* your paranoid encryption standard. Use blowfish for the cipher, and the cipher won't be the weakest point.
Bear
Excellent ideas. And the place to start is with Arnold Reinhold's improvement to the cyphers.
oo--JS.
On Wed, 11 Oct 2000, Ray Dillinger wrote:
On Wed, 11 Oct 2000, Arnold G. Reinhold wrote:
The fact that some people put Medeco's in glass doors, doesn't mean Medeco should never develop a better lock.
I don't have a problem with people who manufacture locks. I have a problem with the people who sell them.
A sign of irrational fear is when the thing that is the *symbol* of security -- in this case the lock, or the cipher, is made very strong -- but used in a way that does not afford good *actual* security.
If the fear of being burgled weren't at least partly irrational, meaning if it were based mostly on experience rather than mostly on fear -- we'd be seeing doors with half-inch thick steel plates in them to provide the same level of security as the medeco lock -- and reinforced concrete walls to provide the same level of security as the door.
Ditto ciphers. A strong cipher is like that Medeco lock, or even better - but if the "door" is a dumb key management policy, or the key is easily guessable, then what has been gained?
Because what is a lock, really? It makes it harder to get in *without breaking anything*. But actual burglars could really care less whether they break some of your stuff -- provided it's stuff they can't steal. So if actual burglars were as common as the people who sell these fancy locks tend to make out in their sales pitches, most folks would know, from experience, that burglars who break a window or a door are far more common than burglars who pick a lock -- and would be demanding *actual* security, meaning windows, doors and walls made of unbreakable stuff, rather than just *symbolic* security, of a strong lock or a strong cipher.
If you want to propose a "Paranoid Encryption Standard", IE, a system for people who actually *DO* expect people to spend several million bucks and hundreds of man-years and thousands of CPU-years trying to break it, then it's going to have to encompass a hell of a lot more than ciphers. Start with physical machine security -- put the box in a concrete bunker with armed guards, give it a flat-panel monitor and roll your own drivers and video hardware. Stick a thermite grenade with a photosensitive fuse in the hard drive box. Make a continuous circuit through all the case components, that will detect anybody taking the case off, and blow the HD if the circuit's broken. Do a couple dozen other things along this line, and you'll have the physical security thing covered about as well as your cipher protects the data.
But you're not through yet -- you've got the lock and the door, but burglars can still come in through the windows and the walls. You've got to do some real serious data security as well.
First of all, nothing unencrypted is EVER written to the hard drive except a bootstrap loader that prompts for a cipher key. When it gets the cipher key, it reads and attempts to unencrypt the rest of the boot record.
There is NO swap partition, and no swapping OS is to be used.
The system computes a new cipher key every day using a cryptographically strong random number generator, and notifies you of it in a pencil-and-paper cipher that you can solve. (on high-entropy binary data, pencil-and-paper ciphers are actually quite strong) That's the key you would need to use the following day. If you don't log on for one day, you will not have the key for the following day, period. Thus, if someone seizes your box and you can hold out for *one* day, the data is GONE.
But the burglars can still come in, maybe, through the roof.
So just to make sure of it, put a timer in there that blows the HD if it's ever been more than 24 hours since you were last logged on.
*There's* your paranoid encryption standard. Use blowfish for the cipher, and the cipher won't be the weakest point.
Bear
Why try to pick a Medeco when it's locking a glass door? :-)
-derek
PS: This isn't a hypothetical; I visited a friend's parents a number of years ago, and noticed that their front door, all glass (with nothing behind it) was locked using a Medeco lock. For those who don't know, a Medeco is a top-of-the-line lock, practically impossible to pick, drill out, etc.
The solution is obvious, to a chemist. Make the glass door double-glazed, sealed at the edges, and filled with hydrogen cyanide (prussic acid). (with a smidgen of phosphoric acid added to prevent long-term polymerization.)
Jim Bell BS Chem MIT '80
On Sat, Oct 14, 2000 at 02:51:32PM -0700, jim bell wrote:
Why try to pick a Medeco when it's locking a glass door? :-)
-derek
PS: This isn't a hypothetical; I visited a friend's parents a number of years ago, and noticed that their front door, all glass (with nothing behind it) was locked using a Medeco lock. For those who don't know, a Medeco is a top-of-the-line lock, practically impossible to pick, drill out, etc.
The solution is obvious, to a chemist. Make the glass door double-glazed, sealed at the edges, and filled with hydrogen cyanide (prussic acid). (with a smidgen of phosphoric acid added to prevent long-term polymerization.)
First kid with a bee-bee gun and you're on the evening news. I've lost a couple of similar doors in the past to kids, both my own and neighbors...
Jim Bell BS Chem MIT '80
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
At 07:19 PM 10/14/00 -0400, Michael H. Warfield wrote:
On Sat, Oct 14, 2000 at 02:51:32PM -0700, jim bell wrote:
The solution is obvious, to a chemist. Make the glass door double-glazed, sealed at the edges, and filled with hydrogen cyanide (prussic acid). (with a smidgen of phosphoric acid added to prevent long-term polymerization.)
First kid with a bee-bee gun and you're on the evening news. I've lost a couple of similar doors in the past to kids, both my own and neighbors...
Or a snowball, or a baseball. When I was in college, you could tell which dorms had lacrosse players in them by the number of broken windows.
Someone else
clear high explosives.
Deploy that widely enough and you'll increase BB-gun sales radically. Poisoning a whole household by cracking the cyanide window is bad, but blowing up the whole window with one little pellet could be fun, if you're into that sort of thing.
and a clearer head
bullet-proof glass.
Burglar alarms are another good approach - if the glass gets broken, make sure everybody knows about it real fast. One of my neighbors in college had somebody break into her apartment by breaking the back picture window. They stole her TV and one of her two pot plants; she had to hide the other one in the car while the cops were there. We presumed they couldn't carry both pot plants on top of the TV.
Thanks! Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
At 02:51 PM 10/14/00 -0700, jim bell wrote:
The solution is obvious, to a chemist. Make the glass door double-glazed, sealed at the edges, and filled with hydrogen cyanide (prussic acid). (with a smidgen of phosphoric acid added to prevent long-term polymerization.)
Jim Bell BS Chem MIT '80
Well you're back in full form :-) Mr. B but the counter is not even a full chem suit, merely a fireman's or diver's oxygen system.
DH BS EECS-CS, Cog Sci MIT '86
I wouldn't recommend boobytrapping the glass in that manner. I'd go with a ballistic laminate on the glass. That way I can avoid wearing an NBCW suit and body armour on around the house if some joker threw a brick (or worse) through the window. ie: Ding-Dong + brick = Big mess + ouch all over YOU! Getting whacked with your own trap sucks big time, no? Let your own level of paranoia decide on the thickness of laminate to go with (tire irons, etc -> .50cal BMG API)
Regards,
Ed
----- Original Message -----
From: "David Honig" <honig@sprynet.com>
To: "jim bell" <jimdbell@home.com>; "Derek Atkins" <warlord@MIT.EDU>; "Steven M. Bellovin" <smb@research.att.com>
Cc: <coderpunks@toad.com>; <cryptography@c2.net>; <cypherpunks@cyberpass.net>
Sent: Saturday, October 14, 2000 5:51 PM
Subject: Re: Rijndael & Hitachi
At 02:51 PM 10/14/00 -0700, jim bell wrote:
The solution is obvious, to a chemist. Make the glass door double-glazed, sealed at the edges, and filled with hydrogen cyanide (prussic acid). (with a smidgen of phosphoric acid added to prevent long-term polymerization.)
Jim Bell BS Chem MIT '80
Well you're back in full form :-) Mr. B but the counter is not even a full chem suit, merely a fireman's or diver's oxygen system.
DH BS EECS-CS, Cog Sci MIT '86
jim bell writes:
The solution is obvious, to a chemist. Make the glass door double-glazed, sealed at the edges, and filled with hydrogen cyanide (prussic acid). (with a smidgen of phosphoric acid added to prevent long-term polymerization.)
The solution is obvious, to a chemist. Laminate the glass door with a sheet of clear (impact or air sensitive) high explosive. Extra points for using detonating HE, since turning glass into powder and not littering up the sidewalk with glass shards.
Wouldn't an errant BB, baseball, etc. blow your house to matchsticks with this scenario? Or just all the glass, assuming you didn't do that yourself "Tim Allen-ing" this thing into place? I guess if you used just enough explosive to blow the glass into dust, you basically accomplish the bad guys task for him. How many dead chemists does it take to qualify for a Darwin award anyways?
The solution is obvious, to a chemist. Laminate the glass door with a sheet of clear (impact or air sensitive) high explosive. Extra points for using detonating HE, since turning glass into powder and not littering up the sidewalk with glass shards.
participants (11)
- ..
- Arnold G. Reinhold
- Bill Stewart
- David Honig
- Derek Atkins
- Eugene Leitl
- Jay Sulzberger
- jim bell
- Michael H. Warfield
- Ray Dillinger
- sustae＠intergate.ca