CDR: Re: Disposable remailers
It is interesting to note the two sides of the same coin... mix protocols in theory vs the realities of implementation on these devices.
On Sat, 7 Oct 2000, Sean Roach wrote:
If the net is sufficiently large, then the remailers can be considered to be registers, each holding one message for a random length of time, and allow reordering just by that alone. Of course, for this to work, traffic analysis has to be defeated in another way. Probably in ZKS's planned, but last I checked, not implemented, constant activity among nodes.
This scheme is extremely open to attack, especially when you take into account that many of the nodes will be hostile. Even if the underlying mix protocol were robust enough to protect the sender over hostile nodes, traffic analysis, as you mentioned, is a major weakness (for example, messages could be traced through the network). The idea and papers brought forth in David's post might be of use here. Instead of passing one message at a time through nodes, a list of messages could filter through the nodes. But, those damned memory constraints...
Of course, the more traffic, the easier it will be for the intranets where these things are set up to locate them, and take them down.
If the devices' communication piggy-backed on common protocols like http, it would be easier to mask, especially in high traffic areas. But, the communication would need to be permuted in some way that a generic pattern match would not detect it. Otherwise, IDS vendors and the like will add rules to detect such traffic.
The nodes ping each other on a regular basis, if a node fails to respond to a ping, that node is written off. Perhaps the next general cover traffic includes information that such-n-such node appears to be compromised. If a node receives NO pings, then it might also write itself off, and blank memory.
Who do you trust becomes an issue if nodes pass information around.
Or did you mean in addition to disposable remailers, instead of ways to hide, distribute them?
I meant in addition to, but that is an interesting distribution scheme. As the world becomes more and more connected and devices get smaller and more powerful, the opportunity to plant and exploit rogue, networked modules becomes far greater. A person could have a great deal of fun with this stuff. The government already does. -andrew
Reflections on AES and DES.... DES was developed by a team that wanted to call it "Dataseal" at IBM. Some IBM flacks renamed it Demon (for "demonstration cipher"), a name the original developers didn't like. So they agitated against the new name, and eventually someone decided to rename it Lucifer, which the original developers liked even less. One gets the impression that the flacks were just toying with the techies here, twisting the knife as it were. But then it was adopted (in a slightly different form) as the Data Encryption Standard of the US government, and everybody gave up on the "demonic" naming conventions and just started calling it DES. Now, Dataseal/Demon/Lucifer was pretty good. It may not have been the *most* secure algorithm of its time, but neither was it a transparent and useless "cipher" with obvious flaws other than the 56-bit keyspace. However, the important part of building up trust (or lack thereof) in the cipher came after it was chosen as the DES. That choice focused every cryptanalyst in the world on it, for a while, and sparked a fair amount of hard research in mathematics. Eventually someone found an attack better than brute force on it -- but the attack requires a very very large number of plaintext/ciphertext pairs to carry out, and seems unlikely in practice. The important thing though, is that people did the math, did the research, did the hard thinking -- and did it for a long time. When someone uses DES or 3DES today, she knows EXACTLY how much protection her data is getting, and knows that hundreds, possibly thousands, of brilliant people have focused many man-years on proving that that amount of protection *is* exactly how much she's getting. It may be that some other ciphers that were around at that time are more secure -- hell, no doubt about it really. But none of those ciphers have attracted the attention of as many really bright people making *sure* it's secure as being the DES has gotten for this cipher.
Now, the newly minted AES is standing in place to receive the same attention from the worldwide community -- indeed, has already started to. Even if it's not technically as secure as Twofish and Serpent, the coming years of attention are going to reduce the likelihood of an attack that we just didn't know about on AES -- but not as much on Twofish and Serpent. So whatever its respective strength, our *knowledge* of its strength will become stronger and stronger as more and more time goes by with attention focused on it. Anyway, from the POV of confidence in a cipher, it's not really as important which cipher they picked. It's important that they picked one -- and now cryptanalytic attention is focused on it. Every day no flaw is found raises our confidence that there is none, making the security of this cipher more trustworthy. Regardless of its strength relative to the other candidates (which in reality we may never know except by the continued failure to find obvious breaks in anything) the trustworthiness of the cipher, deriving from the amount of effort and testing that have gone into it, will quickly eclipse the trustworthiness of all other candidates. It would have been the same whichever cipher they picked. Bear
Ray Dillinger <bear@sonic.net> wrote:
<snip>
[As the DES,] Dataseal/Demon/Lucifer was pretty good. It may not have been the *most* secure algorithm of its time, but neither was it a transparent and useless "cipher" with obvious flaws other than the 56-bit keyspace. However, the important part of building up trust (or lack thereof) in the cipher came after it was chosen as the DES.
I suggest that you give insufficient weight to the importance of the NSA imprimatur on the DES. The DES became the standard we know today -- for years, universally accepted in US commerce, banking, and trade -- largely because the US National Security Agency (NSA) issued, upon the designation of the DES by NIST, a statement that the NSA's cryptanalysts knew of no attack on the DES algorithm more effective than a brute force search of all possible 56-bit keys. That -- and perhaps NIST's projections of the work and time required to break a 56-bit key -- provided the "due diligence" groundwork that allowed US bankers and businessmen to label crypto a solved problem. No liability could accrue to a CTO or CEO or product manager who chose to use the DES (and, conversely, no one but a fool would use an alternative cipher -- whatever the key length -- in a commercial environment.) The 1976 designation of the DES -- unlike most traditional standardization efforts -- was not about interoperability. It was not even about relative cryptographic strength (although there must have been some fascinating charts at Fort Meade which projected the life-span of a 56-bit key against the successive five-year certifications built into the DES selection.) The broad acceptance of the DES in US industry and finance was, in large part, simply a function of the way a NSA-blessed cipher contained and limited potential liability. In the real world, the technical review that you celebrate -- among academic mathematicians and the (relatively few) unencumbered cryptographers in academia and private industry -- was all but irrelevant. (Only negative results would make a difference, and those were scant and slow in coming.) I would argue that, at least in the US, that research had virtually no impact on those who made the relevant purchase and policy decisions (who were seldom crypto-savvy, let alone crypto-literate.)
Until well into the 1990s, there was no significant non-governmental crypto community to offer alternative judgements until fairly recently... and it must be said that the widespread trust, among American civilians, in the NSA's judgement in this matter was not misplaced. DES was pretty much what they said it was (even down to that tweak in the S-boxes to block differential analysis, which the academic crypto researchers didn't discover for many years.) The NSA was/is really very good at what they did, and -- particularly in the US computer industry (which until 1960 had been pretty much guided by NSA R&D contracts) -- their cryptanalytic expertise was wholly unchallenged.
That choice focused every cryptanalyst in the world on it, for a while, and sparked a fair amount of hard research in mathematics. Eventually someone found an attack better than brute force on it -- but the attack requires a very very large number of plaintext/ciphertext pairs to carry out, and seems unlikely in practice. The important thing though, is that people did the math, did the research, did the hard thinking -- and did it for a long time. When someone uses DES or 3DES today, she knows EXACTLY how much protection her data is getting, and knows that hundreds, possibly thousands, of brilliant people have focused many man-years on proving that that amount of protection *is* exactly how much she's getting.
It may be that some other ciphers that were around at that time are more secure -- hell, no doubt about it really. But none of those ciphers have attracted the attention of as many really bright people making *sure* it's secure as being the DES has gotten for this cipher.
Now, the newly minted AES is standing in place to receive the same attention from the worldwide community -- indeed, has already started to.
<snip> I presume that the AES selection process was open, to the degree that it was, largely to permit the large contemporary private-sector and the academic crypto community an opportunity to participate in, and endorse, the final AES selection. I suspect, however, that the formal adoption of the AES FIPS -- when Rijndael is designated the approved mechanism for securing sensitive but unclassified government data -- will involve some similar NSA endorsement, implicit or explicit. It will be interesting to see how explicit it is, and what sort of demand for an overt stamp of approval from the NSA still exists in the marketplace.
Vin wrote:
It will be interesting to see how explicit it is, and what sort of demand for an overt stamp of approval from the NSA still exists in the marketplace.
NIST has stated that the maximum endorsement will be to use AES for non-classified government information. So the question will remain of what is better than AES, or to put it another way, what is not good enough about AES for its use on classified information. To be sure it would be too much to expect that the USG would promote a program that it could not penetrate, or to put it another way, to openly disclose a technology it believes to provide maximum data protection. If NSA/NIST went that far the agencies would be shut by DC for national security reasons. Still, one can dream of NIST/NSA slipping through a technology stronger than the ordinary officeholding paranoid, secrecy-loving power mongering goofus can prevent by way of elastic oversight technology. David Alvarez writes of the intel agencies withholding most secret information from the president in the 30s and 40s on the belief that that office could not be trusted to put the nation's interest above its own urgencies to endure. What a wonder it would be to read in say, 25 years, that NIST/NSA raced a fast one past their watchers and advanced the public's interest over the government's. Lots of those folks are looking forward to becoming well-paid ex-govs, having seen what lucrative benefits have come the way of those who jumped ship. Is it conceivable that the USG's need for maximum protection of its information would take second place to the need of the public's protection from government? That depends on what government workers -- especially the defense establishment defined by Eisenhower -- believe their future to be. The burgeoning market for dual use technologies is surely going to change the way globalism gets implemented, now that so many of those who fostered those technologies are coming into the marketplace as hungry players, not merely underwriters and regulators. 
This applies not only to the former Soviet Union and the US best minds who are fed up with their bosses' maximum perk protection. Davidge's exposé of Tennant is instructive of how the unders apply payback to the uppers who cannot believe NDA's and third-class pensions no longer control intellects once with nowhere else to thrive than as national servants.
Participants (4): despot, John Young, Ray Dillinger, Vin McLellan