Re: Non-Repudiation in the Digital Environment (was Re: First Monday August 2000)
Let's put this problem in perspective, and try to avoid the "chicken little, the sky is falling" syndrome. It's quite unlikely that someone would come up with a "Eureka!" type of solution to factoring large numbers that would end up completely breaking RSA, or that some way would be found to completely break the integrity of SHA-1. Instead, we would be much more likely to see a nibbling around the edges, and a gradually decreasing confidence in existing algorithms, with more than enough time to replace them. In fact, we have already seen that. MD2 is now deprecated, and MD5 is being pretty widely supplanted by SHA-1. Likewise, DES has been broken and people are recommending that triple-DES be used, and soon AES. And OAEP is recommended to get around some hypothetical million-question attacks. But the sky hasn't fallen, and the sun still comes up in the morning. Even if some catastrophic weakness were somehow revealed that any high school kid could take advantage of with a single PC, there are still checks and balances. The kid still has to have money in the bank to pay for the item, and all of the usual velocity checks, etc. that are used to combat fraud would still be in place and would work. And good old-fashioned detective investigations and forensics would still be applicable. Any good security system has defenses in depth, and is not subject to the balloon-popping problem. That doesn't mean that we shouldn't try to make systems be as perfect as possible. But if they aren't (and they never are), that shouldn't be the end of the world as we know it. Let's not invent a hypothetical Y2K problem.

Bob

Robert R. Jueneman
Security Architect
Novell, Inc. -- the leading provider of Net services software.
Tony Bartoletti <azb@llnl.gov> 10/19/00 04:09PM >>> At 04:58 PM 10/19/00 -0400, Arnold G. Reinhold wrote:
Yes, that is why Tony's remark was somewhat tongue-in-cheek and used "solid mathematical foundations" within quotes.
Eye twinkle doesn't come across in e-mail, I'm afraid. My apologies to Tony. This is obviously one of my hot buttons.
No problem. I often employ a quoted "x" to convey "so-called x", a shortcut that can lead to misunderstandings.
It is all hypothesis and empirical argument. A lone mathematician working in his attic could come up with an algorithm that would blow some or all of the existing systems out of the water. Who gets to cover that financial risk?
The buyer. CAs (read Verisign's CPS or any CA's CPS, or bank contracts and -- above all -- see the US UCC) are not responsible for producing correct results but just for using correct methods. Where "correct methods" are what others consider correct -- even if they are proved wrong later on by one mathematician working in his attic.
I'm not sure those contracts would stand up in court if there were massive public losses due to a collapse of the PKI. (Anyway, CA CPSs stretch the notion of a "mutual agreement" pretty far. I purchase a $10 cert and am bound by over 100 pages of gobbledygook that only a handful of people on the planet can be expected to fully understand?)
But I am less concerned with CA legal liability than with who is left holding the bag when a massive subversion of the banking system is perpetrated, and how big that could be.
I'll wager the taxpayer/consumer will foot the bill, one way or another. Derivative to the Second Law of Thermodynamics, it is easier to destroy wealth than it is to create it. So, on average, work/energy is required to create or recreate wealth. The collapse of a future global PKI, or of the integrity of banking transactions, would represent a huge shift from order into chaos, a decoherence of identities and orderliness amounting to a huge destruction of wealth. Recovery thus will require the recreation of wealth, in one form or another. This will require a correspondingly huge input of work. So, who does most of the work, in general? You know the answer ;)

___tony___

Tony Bartoletti 925-422-3881 <azb@llnl.gov>
Information Operations, Warfare and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900
At 11:50 AM -0600 10/20/2000, Bob Jueneman wrote:
> Let's put this problem in perspective, and try to avoid the "chicken little, the sky is falling" syndrome.
> It's quite unlikely that someone would come up with a "Eureka!" type of solution to factoring large numbers that would end up completely breaking RSA,

I don't know of any solid basis for this claim. There have been unexpected mathematical breakthroughs of that magnitude in the recent past: the Schönhage-Strassen algorithm for multiplication, the Fast Fourier Transform, formulas that compute outer digits of 1/pi without computing the earlier ones, etc.

> or that some way would be found to completely break the integrity of SHA-1.
> Instead, we would be much more likely to see a nibbling around the edges, and a gradually decreasing confidence in existing algorithms, with more than enough time to replace them.

That is already happening.

> In fact, we have already seen that. MD2 is now deprecated, and MD5 is being pretty widely supplanted by SHA-1. Likewise, DES has been broken and people are recommending that triple-DES be used, and soon AES. And OAEP is recommended to get around some hypothetical million-question attacks.
> But the sky hasn't fallen, and the sun still comes up in the morning.
> Even if some catastrophic weakness were somehow revealed that any high school kid could take advantage of with a single PC, there are still checks and balances. The kid still has to have money in the bank to pay for the item, and all of the usual velocity checks, etc. that are used to combat fraud would still be in place and would work. And good old-fashioned detective investigations and forensics would still be applicable.
> Any good security system has defenses in depth, and is not subject to the balloon-popping problem.

Well, that is the big question mark as I see it. There are many choices in designing financial systems based on public key technology. If people use conservative approaches then you may well be right, but if they buy the PKI party line we could face some very serious problems. In particular, systems that depend on the security of one or a few master keys should be treated with suspicion. For example, a bank could keep its own customers' public key fingerprints on file or rely on the fact that all customers' certs are all signed.

> That doesn't mean that we shouldn't try to make systems be as perfect as possible. But if they aren't (and they never are), that shouldn't be the end of the world as we know it.

If we throw out existing systems and base our entire financial system on public key crypto without enough independent backups, an algorithmic breakthrough could lead to the end of the world as we know it. Algorithm compromise should be treated as an explicit risk.

> Let's not invent a hypothetical Y2K problem.

Let's not forget 2038.

Arnold Reinhold