Good hard critique, Eric! Now if I might try to salvage my position...

"One time pads are very (much more) expensive on a per-link basis than public key systems..." Yes, of course. However I don't envision OTPs as a standard for bulk encryption on large networks. Rather, for person-to-person communication in small networks. Examples: a group of civil rights attorneys suing the Federal govt., an international environmental organisation's main offices in the capital cities of a small number of countries, etc. Cases where the adversary is one or more powerful governments, and the number of links required is relatively small. Given the nature of the relationships between these kinds of networks and their adversaries, the expense would seem to be justified; in any case, the **incremental** cost of for instance a set of 30MB cartridges as compared to a few floppy discs, is an minor fraction of the cost of the airline tickets and other expenses for trusted couriers. (oops: "a minor fraction...")

Your discussion of bandwidth can be met with a similar counter-argument. First of all, I would reject the use of UPS or (God help us) the *Post Office* as a courier, particularly where one or more governments may be the adversaries against whom protection is needed. So your reference to those carriers is not relevant to the main point of my case. I'm assuming that key materials are transported by trusted courier and are guarded by same until they reach their intended recipient. Okay, that *really* drives up the cost, doesn't it...? Not if the key materials "hitch hike" on an existing travel plan: attorney A flies out to city B to visit attorney B... and happens to carry key material onboard in his/her shoulder bag. No added cost except for the storage devices, and that is not significant.

Re mathematical breakthroughs in factoring etc, you say, "we don't know when that will happen, and we don't know which will happen." Exactly my point. *We* don't know. But the NSA and so on, most certainly do know, and they won't be telling. If the breakthrough comes, then the period between that point and the point when it is publicised, will be one of false security. Was it Kahn who said nothing is more dangerous than a bad cipher? My point here comes down to nothing more or less than the principle of caution in the face of an unknown.

(Discussion of relative cost of brute force solutions, and the question of hard problems and scale.) I agree that my intuition about these things may be highly flawed. However this doesn't invalidate my point about the possibility of basic breakthroughs happening behind closed doors. Now in a way I'll admit that my argument here sort of comes down to a black box. However, again I would assert that there are cases where the almost irrational caution is worthwhile.

You say in concluding, "Perfect security is not worth the cost in time, effort, or dollars when the marginal cost of perfection is less (do you mean more?) than perfection." You cite examples of international banking systems. I would cite examples of political movements which have been sabotaged and destroyed by government covert action. One need not look far to run into COINTELPRO and the more recent French govt action of blowing up a Greenpeace vessel. Where your adversaries are the intelligence agencies of world powers, and where lives are at stake, I would say the cost of perfect security is justified.

Now of course, the French terrorist bombing, the destruction of Black nationalist and student organising groups in the US, and other examples, may not (probably would not) have been prevented altogether by adoption of perfect communications security. Che Guevara after all used OTPs, and it was radio direction finding and traffic analysis (rather than cryptanalysis) which ultimately led to his murder by US-backed mercenaries.

If we are promoting a tendency which is inherently political, it implicitly recognises governments as its adversaries. Our choices of cryptographic systems should reflect a wide range of applications and not exclude some a priori on grounds of cost or convenience.

-George (gg@well.sf.ca.us)

Previously I said about one-time pads: "High security, high cost." (Well, not exactly that...) I invoked it then in order to argue that I personally didn't need to use one-time pads. Implicit also in that statement is the claim that when the worth of security is high, the cost may be relatively cheap.

George and I agree on this point. When you are fighting a military battle, when you have a government pissed off at you in a serious way, you need as good as you can get. Since you can get perfect end-to-end link encryption, you use it.

All cryptography is economics. Repeat after me. All cryptography is economics.

I don't need one-time pads. Sendero Luminoso does. It's as easy as that. It's merely a matter of scale. Large scale, high security. Small scale, pretty good security.

Re: Mathematical breakthroughs. George missed my main point here. We don't know whether factoring is "fundamentally hard." (Project your own definition here.) We should not assume that when the breakthrough comes, that it will be found "easy." It may be that factoring is hard, and that RSA is secure for that reason. (The astute reader will see that these two are not exactly the same question.)

My current thinking is that factoring is hard because of various randomness properties of primes, that in fact multiplying one large prime by another is like encrypting one prime with the other as a one-time pad! But I'm no number theorist.

I do, however, agree with "caution in the face of an unknown." And for high stakes, George's "irrational caution" is not irrational at all.

Re: Relative security. It seems I had an editing error. What I meant to say (paraphrased) was the following. Perfect security is not worth the cost when the marginal cost of perfect security is more than the marginal benefits of such security. This encompasses both the high end and the low end.

I don't need one-time pads. Abu Nidal does.

Repeat after me. Cryptography is all economics.

Eric

One time pads don't provide perfect security, George. They only provide perfect security if the opponent doesn't know the contents of the pad. Given that most small organizations are in locations that are easily burglarized, ``when lives are at stake'' it would be easy for governments to break in, copy the storage medium containing the pad, and then read all past and future traffic encrypted with that pad.

All cryptography is economics. If you make it harder to tap your phone lines, but it's cheap to break in, they'll do that. There is no absolute security this side of the grave (and who knows about the other side).

John