July 26, 2004

Eavesdropping III - do customers get badly hurt?

Over on the cryptography list, Perry Metzger writes:
> I hope you have no customers who you have advised to ignore the
> eavesdropping problem, because they stand a good chance of getting
> badly hurt.

As Perry Metzger declined to permit a rejoinder to that astounding claim on his list, I'll respond here. Warning: It takes few words to be wrong, many words to present a fairer picture.

Perry Metzger is confused by my search for Eve. We can address this at several levels:

1. Firstly, "In Search of Eve - the upper boundary on Mallory."

2. In the crypto world, what we do is to attack crypto systems. In fact, on the cryptography algorithms side (as opposed to the protocols world of software engineering) professionals are encouraged to attack other people's systems for a decade or so before attempting to invent their own.

But, attacking crypto systems should not be misunderstood as meaning anything beyond the search for weakness so as to improve the result. Exposing a weakness is not a suggestion to turn off the system. It's an invitation to think about the weakness and improve it in future deployments.

3. Oddly enough, in our systems for financial trading, we do indeed tend to tell customers not to worry about the eavesdropping problem! That's because:

a) almost all financial fraud happens on the inside, and our systems are very strong there - unlike anyone else's financial systems, which are generally wide open to fraud (not to do with crypto or software engineering, but see for example "Mutual Funds and Financial Flaws"),

b) even if people could do eavesdropping, the frauds are more limited to things like insider trading and external attacks like competitive trading (recall I posted on fibre vampires earlier this year!),

c) we (and other financial cryptographers) throw in end-to-end encryption protection as a giveaway.

Perry Metzger is almost correct in what he suspects - our system would run 99% as strongly without any eavesdropping protection because most of the threat is on the inside. But, hey, once the software is built in, we tend to leave it in place. It's free, it's end-to-end, and it's transparent. Refreshingly unlike the protection that people are accustomed to getting from the CA/PKI model employed in SSL.

4. On the point of actual cryptographic protection: The systems we have implemented in financial cryptography have generally used RSA 1024+/-, triple DES and so forth. The difference between those systems and the systems others are perhaps more used to is that financial cryptography systems are much more strongly aligned to the customer's needs. For example, my work is the only work where anyone has successfully integrated digital signatures with human contracts, AFAIK, just by way of example ("The Ricardian Contract").

Gary H's SOX is in fact stronger than SSL not because it uses more or less bits but because it is integrated end-to-end. From the issuer to every transaction, it much more clearly aligns to patterns of trade than, say, something like SSL, which is a connection-oriented product and is thus extremely limited in the protection it can give to any particular business. (Although SOX is almost entirely unscrutinised by outsiders, so there may be bugs in there. I know of one, for example.) See 3. above for why we don't make a song and dance about it.

5. People in financial cryptography have a long history in basic crypto. We started the Cryptix group - the first solution for Java cryptography of any form. I believe it stands on its merits (albeit, it has been overtaken by BouncyCastle these days). Our work with PGP in Java (libraries in 2.6 and OpenPGP) was based on a view that it provides far more security as a model than others can ever hope to achieve (SSL and SSH), simply because OpenPGP as a model is more aligned to what is needed by people and businesses.

Our Cryptix group provided all the Java infrastructure for the AES competition, running the gauntlet of Americans and foreigners working together to develop strong crypto. Even though we were there at the start, and the finish, we still haven't got around to putting our (public domain) Rijndael into SOX. Why? 3DES does the job.

In closing, when financial cryptographers say "don't worry about the eavesdropping problem," then customers don't need to worry. It's been taken care of, one way or another.

Posted by iang at July 26, 2004 05:41 AM