Non-Repudiation in the Digital Environment (was Re: First Monday August 2000)

[Arnold G. Reinhold]

At 11:50 AM -0600 10/20/2000, Bob Jueneman wrote:
>Let's put this problem in perspective, and try to avoid the "chicken 
>little, the sky is falling" syndrome.
>
>It's quite unlikely that someone would come up with  "Eureka!" type 
>of solution to factoring large numbers that would end up completely 
>breaking RSA,

I don't know of any solid basis for this claim.  There have been 
unexpected mathematical breakthroughs of that magnitude in the recent 
past. Schönhage and Strassen algorithm for multiplication, the Fast 
Fourier Transforms, formulas that compute outer digits of 1/pi 
without computing the earlier ones, etc.

>or that some way would be found to completely break the integrity of SHA-1.
>
>Instead, we would be much more likely to see a nibbling around the 
>edges, and a gradually decreasing confidence in existing algorithms, 
>with more than enough time to replace them.

That is already happening.

>
>In fact, we have already seen that.  MD2 is now deprecated, and MD5 
>is being pretty widely supplanted by SHA-1.  Likewise,  DES has been 
>broken and people are recommending that triple-DES be used, and soon 
>AES.  And OAEP is recommended to get around some hypothetical 
>million-question attacks.
>
>But the sky hasn't fallen, and the sun still comes up in the morning.
>
>Even if some catastrophic weakness were somehow revealed that any 
>high school kid could take advantage of with a single PC, there are 
>still checks and balances.  The kid still has to have money in the 
>bank to pay for the item, and all of the usual velocity checks, etc. 
>that are used to combat fraud would still be in place and would 
>work.  And good old-fashioned detective investigations and forensics 
>would still be applicable.
>
>Any good security system has defenses in depth, and is not subject 
>to the balloon-popping problem.

Well, that is the the big question mark as I see it. There are many 
choices in designing financial systems based on public key 
technology. If people use conservative approaches then you may well 
be right, but if they buy the PKI party line we could face some very 
serious problems. In particular, systems that depend on the security 
of one or a few master keys should be treated with suspicion. For 
example, a bank could keep its own customer's public key fingerprints 
on file or rely on the fact that all customers' certs are all signed.

>
>that doesn't mean that we shouldn't try to make systems be as 
>perfect as possible.  But if they aren't (and they never are), that 
>shouldn't be the end of the world as we know it.

If we throw out existing systems and base our entire financial system 
on public key crypto without enough independent backups, an 
algorithmic breakthrough could lead the the end of the world as we 
know it. Algorithm compromise should be treated as an explicit risk.

>
>Let's not invent a hypothetical Y2K problem.
>

Let's not forget 2038.


Arnold Reinhold