Writable CD-ROMS as o

smb at research.att.com smb at research.att.com
Tue Dec 21 07:49:32 PST 1993


	 >Or your enemy has to penetrate your site or your correspondent's site,
	 >and copy five CD-ROMs instead of one.

	 Yes - but that should be *HARD* to do...

In a reasonably secure setup, any of these things are *HARD* (to use your
word).  But there's no such thing as absolute security; at best, you
can balance relative risks.

	 >CD-ROMs have one advantage:  there's a lot of data.  But that's not
	 >all good, because you *really* want to destroy any keying material
	 >you've ever used.

	 Yes - but it is a writable CD rom - Write over the data when it's used.

Have you overwritten it beyond recovery by sophisticated agents?  What if
the CD-ROM is compromised before you us it?

	 >I've heard People Who Know say that in the spook and government world,
	 >one-time pads are falling out of favor --- because their practical
	 >security isn't as good as a really high quality conventional cipher
	 >with a dynamically-negotiated session key.  I repeat:  *practical*
	 >security; your enemy isn't going to hit you or bribe you with a copy
	 >of Shannon's theorems.

	 Ok but one time pads DONE RIGHT (an d that's the optimum term - are
	 VERY STRONG

Again -- there's no such thing as ``right''.  There is only relative risk.
Bob Morris Sr. once observed that the real lesson of ABSCAM was not that
politicians are bribable -- we all knew that -- but that he could afford
one.  And if a U.S. Senator costs $50K, what does the janitor cost?
Look at the Walker family spy ring -- not that they sold out for money,
but just how little money they cost!  You're talking about your home
machine?  Sure -- how resistant is your house to a black-bag job pulled
off by professionals?  With one-time pads on CD-ROM, they only have to
win once to capture your future traffic for a very long time to come.
With something like a STU-III, there's *nothing* that can be captured
that will give that sort of information.  The risk there is cryptanalysis
of the underlying system -- but maybe NSA knows enough about cryptosystems
that they think that that risk is very low -- lower, at any rate, than
the risks of one-time pads.

Remember that the goal is not fancy cryptography.  The goal is information
security; crypto is just one tool to help achieve that.  Your enemy
isn't going to be sporting and attack where your defenses are.  The
proper response to a strong security barrier is not to go through it,
but to go around it.

Let me suggest that folks read

@inproceedings{crypt-fail,
	title = {Why Cryptosystems Fail},
	author = {Ross Anderson, Proc. 1st ACM Conference on Computer and Communications
	booktitle = {Proceedings of the First ACM Conference on Computer and Communications Security},
	month = {November},
	year = 1993,
	pages = {215--227}
}

It's an extremely important paper.  I'll quote the beginning of
Section 4:

	As we have seen, security equipment designers and government
	evaluators have both concentrated on technical weaknesses, such
	as poor encryption algorithms and operating systems  which
	could be vulnerable to trojan horse attacks.  Banking systems do
	indeed have their share of such loopholes, but they do not seem to
	have contributed in any significant way to the crime figures.

	The attacks which actually happened were made possible because the
	banks did not use the available products properly; due to lack of
	expertise, they made basic errors in system design, application
	programming and administration.

	In short, the threat model was completely wrong.  How could this
	have happened?


			--Steve Bellovin






More information about the cypherpunks-legacy mailing list