[3096] in cryptography@c2.net mail archive


security memory & auto certs (Re: Geer's Law of Good and Easy offers a political solution?)

daemon@ATHENA.MIT.EDU (Adam Back)
Mon Jul 27 12:21:00 1998

Date: Mon, 27 Jul 1998 17:00:31 +0100
From: Adam Back <aba@dcs.ex.ac.uk>
To: gnu@toad.com
CC: cryptography@c2.net, geer@world.std.com, gnu@cygnus.com
In-reply-to: <199807262133.OAA26887@cygint.cygnus.com> (message from John
	Gilmore on Sun, 26 Jul 1998 14:33:40 -0700)


John Gilmore writes:
> Dan Geer today stated what looks to me like a Law of Good and Easy:
> > You can have good crypto or you can have easy crypto
> > but you cannot have good, easy crypto.
> 
> But this observation might be the salvation of the most defensible of
> the FBI/NSA interests.  Suppose we deploy strong but easy (rather than
> strong and good) crypto, such as automatic Diffie-Hellman key
> establishment, but with only occasional and intermittent
> authentication by humans.  If this became widespread end-to-end (or
> even firewall-to-firewall) then mass surveillance would take a lot of
> work and get detected if anyone cared to look.

I prefer a distributed approach to key management; to me, automatic
forward secret security (eg D-H) together with automatic security
memory seems more desirable and likely more secure than relying
largely on the hierarchical certification view, which is the
authentication `fat target' analogous to the confidentiality fat
target that is formed by proposed government key escrow databases.
Hierarchically organised fat targets in the authentication domain are
a privacy and freedom threat also.

We can add `security memory' to forward secret communications links so
that if a secure communication does occur at some point, that from
this point in time forwards shared secret information, or
automatically generated certificates can be used to authenticate
further communications.  This then allows automatic detection of later
attempts to insert a wire tap and active MITM attack.  By distributing
these auto certs some additional security can be obtained for links between
people who have not communicated directly, for example if they share a
communicant, and the auto cert is distributed via communications with
this software agent.

As you suggest the protocol for authenticated forward secrecy should
appear indistinguishable from unauthenticated forward secrecy to the
attacker so that we optimise his risk of detection.

If the active attack MITM capability is not widely present currently,
by deploying links exhibiting security memory we can perhaps more quickly
deploy a more distributed authentication framework based on security
memory via distribution of auto certs.

Manual use certification is higher security and important, but harder to
deploy, and hierarchical certification alone I think is risky for individual
freedoms.

Adam
--
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
