December 28, 2004
STORK - strategic roadmap for crypto - New Trends in Cryptology
Phong Nguyen has edited for STORK a long 'New Trends' discussion of what cryptologers are concentrating on at the moment. It's very much a core, focused scientist's view, and engineers in the field will find it somewhat disjoint from the practical problems being faced in applications today. E.g., no mention of economic or opportunistic models. Still, for all that, it is a useful update on a broad range of areas for the heavy crypto people.
New Trends in Cryptology (PDF only?)
Posted by iang at December 28, 2004 06:50 AM
I don't see why you say there is no mention of economic issues in the document. It looks to me like such issues are pervasive. They drive the entire discussion on mobile platform security, where the main considerations are the limited computing power and bandwidth availability, as well as the need to protect SIM cards (so as to preserve the business model of cell phone companies). Likewise for the discussion of ambient computing research. Surely you will agree that DRM has something to do with economics. E-voting as well is essentially an economic issue in terms of choosing from competing technologies and trying to find new ones which satisfy the economic requirements of a practical voting system. Authentication protocols are a big economic issue which relate to the phishing problem.
As for opportunistic encryption, that's your own personal hobbyhorse and you're welcome to ride it, but I say that a net built on OE would be an insecure net. You can't leave your crypto up to chance; there are too many ways for an attacker to disrupt it and presto, you have no security at all just when you really need it. And the same-key-as-before rule is utterly brittle; if that were the universal basis for security, people would get so tired of key-has-changed warnings that they would disable them entirely and you are back to no security at all.
In terms of economic issues: I'll take that one on the chin, yes, there are economic considerations in there, just not the ones I want to see. Well spotted!
"OE:" I would *love* to be associated with that movement, but unfortunately, I'm just a bit of a cheerleader there. You say "a net built on OE would be an insecure net." Yet SSH rocks. Wannabes like SSL get rolled, because they are built on exactly the same false assumptions: we have to make the crypto perfect, nothing else will do. The end result is a flawed and uneconomic security model, but at least the crypto guys are proud of their work.
The way to consider SSH v. SSL, or the "opportunistic" versus "no-risk" models is to consider this: it all depends where you make the leap of faith. (As Adi says, there are no secure systems, right?) In the former, it is in that first key exchange, which you consider brittle. In the latter, it is in the safety and sanctity of the TTP, which I consider stupid. Which is better? Neither, in theory, because we assumed away these difficulties. But in practice, a huge difference pertains: one delivers adequate security to the masses, the other delivers placebo security to the privileged.
Now, to be fair, SSL's current problems stem from a bunch of bad assumptions, not just one. For example, the threat model is some made-up thing out of a textbook. See that new post for actual validated threat models; there is a world of difference between what those guys experienced, and were documented as experiencing, and the mythical Mallory or MITM that SSL claims to protect against. What then is the purpose of making this crypto so darn perfect, when the threat just ain't there?
(Yes, I know, it isn't there because we protected against it. Nope, sorry. CCs get pushed across the net in the clear in massive numbers every day. The reason the threat isn't present is because it's a dumb threat.)
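The "same-key-as-before" rule argued over in the two comments above, as an added illustration that is not part of the original thread: a minimal trust-on-first-use (TOFU) key store in the style of an SSH known_hosts file. The host names, key blobs and the store itself are constructed for the example; it shows where the leap of faith sits (the first contact) and what the key-has-changed warning does and does not catch.

```python
import hashlib
from typing import Dict, List, Tuple

# Outcomes of the same-key-as-before rule (names chosen for this example).
FIRST_SEEN, MATCH, CHANGED = "first-seen", "match", "changed"

def fingerprint(pubkey: bytes) -> str:
    """Hex SHA-256 fingerprint of a raw public-key blob."""
    return hashlib.sha256(pubkey).hexdigest()

class TofuStore:
    """Trust-on-first-use store: the leap of faith is taken at first contact."""
    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}   # host -> pinned fingerprint

    def check(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp          # pin whatever key was seen first
            return FIRST_SEEN
        return MATCH if pinned == fp else CHANGED

def run(sessions: List[Tuple[str, bytes]], warnings_enabled: bool = True) -> List[Tuple[str, bool]]:
    """Feed (host, key seen on the wire) pairs through a fresh store.

    Returns (outcome, connection_accepted). With warnings disabled, as the
    first commenter fears users will do, every key is accepted, so CHANGED
    no longer stops anything.
    """
    store = TofuStore()
    out = []
    for host, key in sessions:
        outcome = store.check(host, key)
        accepted = True if not warnings_enabled else outcome != CHANGED
        out.append((outcome, accepted))
    return out

# Constructed sample key blobs; not real key material.
SERVER_KEY = b"constructed-server-public-key"
ATTACKER_KEY = b"constructed-attacker-public-key"

def honest_first_contact() -> List[Tuple[str, bool]]:
    """Real key pinned first: a later substitution is caught and refused."""
    return run([("bank.example", SERVER_KEY), ("bank.example", SERVER_KEY),
                ("bank.example", ATTACKER_KEY)])

def intercepted_first_contact() -> List[Tuple[str, bool]]:
    """Wrong key pinned first: the leap of faith was lost, and the real key
    later looks like the intruder. The store cannot tell the two cases apart."""
    return run([("bank.example", ATTACKER_KEY), ("bank.example", ATTACKER_KEY),
                ("bank.example", SERVER_KEY)])
```

Both runs produce the same outcome sequence, which is exactly the point of the exchange above: TOFU detects a change after the pin, but nothing in the protocol tells the user which key was the right one to pin.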