CDR: Re: why should it be trusted?

John Young jya at pipeline.com
Tue Oct 17 04:24:29 PDT 2000


Bruce Schneier, among others, argues that strength of
algorithm is not a reliable determinant of security of
information. That most successful attacks occur through 
more accessible weaknesses, the prime one being
human. Bruce reviews several of these in his October 15
Crypto-Gram, and refers to his latest book for more
cybersecurity threats that crypto cannot defend.

Ross Anderson, among others (some here), claim that
chips are readily vulnerable to tampering, and that poses
a much greater risk than algo attacks.

Programs and people which just grab info directly from
your box and bunker through B&E software and black
bag jobs cannot be stopped by mathematics, though
encrypted info might remain inaccessible.

Lifting electromagnetically emanated data, say, that from
keyboard to cpu, before it is encrypted, is still a threat,
not limited to classified technology, as demonstrated
by Ross Anderson, Markus Kuhn and others, and
reviewed here recently.

Cryptanalysis may be the most crucial technology in the
world today, as it has been well before mathematical
encipherment. How it is being done is probably the
most closely guarded secret, and part of that protection
is zero information. Share encryption information, yes,
but not decrypt, not even a hint. Blow sunshine about
algo strength and unbreakability, yes, that would be in 
order.

What intrigues is the national security benefit of fostering
the growth of public encryption, despite the claims that
it makes global surveillance more difficult. If a public
encryption enterprise didn't exist it would have to be
invented to divert the attackers from genuine threats
and weaknesses, as well as embed in the public
realm a technology for covert snooping inside the
Medeco pretense.

The question occurs: did PK crypto get leaked on purpose?
How was it done?







More information about the cypherpunks-legacy mailing list