Koblitz and Menezes have posted a new paper Another Look at "Provable Security". Serious readers in cryptography and philosophy of science (you know who you are) should grab a copy, but for the rest of us, turn to Eric Rescorla's shorter review.
In summary of his summary, the proofs are unproven, their assumptions are unrealistic, and a lot of the attacks that are contrived are also unrealistic. The result? Designers and programmers bypass all that and just code up what they can.
I especially like the "Fundamental Tenet of Cryptography" [Kaufman, Perlman, and Speciner]:
"If lots of smart people have failed to solve a problem, then it probably won't be solved (soon)."
which brings to mind Adi Shamir's 1st law of cryptology:
"There are no secure systems..."
Come to think of it, Adi's other comments on that link bear much re-reading! These signs of revisionism from the academic side of cryptology are very welcome. They make utter sense to us higher layer geeks who have to build systems based on these weird and wonderful pseudo-mathematical properties. It's definitely the case that for 99% of the geeks I've ever met, the notion that some claim or other is proven gets glossed over very quickly.
Not that the coders and other users of cryptography are so much better; we are currently going through our own era of revisionism. No-risk cryptosystems such as SSL and certificate authority-signed certs are being dissected in all their embarrassing real world weakness, you can't give away a PKI system these days, and all the while, opportunistic cryptography systems such as SSH and PGP continue to plod along, doing the work in a no-fuss but secure fashion.
Bringing the hubrists to task is a noble task, and only made more noble by a future generation's challenge to our own hubris.
Posted by iang at July 17, 2004 05:20 PM

Things that are broken and thrown away if we examine the scrap heap of concepts we may learn to make anew what was once junk. Although society does not reward the non-pop star the rebuilder. So if one were to make the crypto thong and splash it with a bit of glitter the old PKI could have another run in a smaller venue since altering its aspects for private use might prove of some value. Of course this is not science but an exercise in critical review. When you tier the readers of this paper into groups you are touching on the real reason for insecure systems, the systems are designed for general use and the levels of understanding trickle down not up. Academic review in isolation is meaningless; too few understand enough to contribute.

Posted by: Jimbo at July 18, 2004 05:09 AM

Correct me if I'm wrong here; however, it seems that the process of making crypto provably secure often produces discussions and development that drop into a black hole, instead of discussions that lead to reasonable improvement. To me, crypto is simply a form of security. Other forms of security (that come to my mind) do not obsess with perfection.
For example, if one were to analyze physical security for a building, one would not first obsess with a model for creating a building that is perfectly secure. Even if one were to abstract that discussion to a model for physical security for all buildings, I doubt that we would start by building a model for the perfectly secure building.
Extending on this thought, fire protection is an element of physical security. Analysis of fire protection for a specific building proceeds from a perspective of assessing the risk, measuring potential responses by cost-benefit analysis, and then implementing protection. It sounds cruel to consider that builders do not build in every form of fire prevention possible; however, this is the case.
We live safely in buildings lacking every known means of fire protection for several reasons. First, there are implementation issues. Improving fire security causes increasing costs that produce decreasing returns in terms of protection. Second, we recognize that *any* building can burn. It would be pointless to try to achieve perfection, and so, we build buildings that are less than perfect in terms of fire security. Lastly, the accepted risks are (if we look for them) clearly stated. For example a building made of wood is less likely to burn than one made of steel.
On the other hand, in the world of information technology, analysis too often proceeds from a misguided pursuit of perfection -- with neither an analysis of the costs nor a consideration of implementation effects. For example, a consulting firm does a security audit on a company. Weak passwords are identified as a problem. Management decides to require random 8 character passwords. Problem solved! Well, not exactly; henceforth in that company all monitors will be adorned with Post-it notes containing passwords.
Obsession with perfection produces stagnation. I believe that if fire protection were addressed in the same manner that IT security is, we'd all be living in and working in fire traps while we waited for an oracle to offer us a perfect means for preventing building fires.
The focus in other security fields is one of improvement and risk analysis, instead of one of perfection. In my opinion, we could learn from how security is successfully applied in other arenas.
Posted by: Will at July 18, 2004 01:35 PM