Practice Cryptography!
Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.Saturday, February 23, 2008
Assumptions in the Literature
Hmm... I've started reading through the Handbook of Applied Cryptography by A. Menezes, P. van
Oorschot, and S. Vanstone (CRC Press, 1996), and I have to say that it seems to be very well-written and well thought-out. However, I'm looking at it from the viewpoint of someone who has recently realized that there are issues in how the field views itself and presents itself, and I figure it's probably appropriate to describe some of these issues.
At its heart, cryptography is a means of ensuring that a policy is communicated along with a communication. Whether that policy is "I want nobody else to see this", "I want you to know that it came from me and wasn't forged in the meantime", "I am making a good faith effort to participate in this protocol and I expect you to do the same", or anything else, the policy is communicated by the presence of mathematical transformations of the data (and possibly any secret information which isn't communicated). The fact of the matter, though, is that there is no means to guarantee that the recipient will follow the policy that's communicated. In my view, this is a fundamental flaw of the current state of the art and state of the science in cryptography.
The cryptographic literature appears to assume that the ultimate goal of any and all of its users expect the same level of security, the same guarantees, the same possibilities and the same impossibilities, in each and every communication they make. This is simply and categorically not the case -- and it is an assumption which has damaged the credibility of the field as relates to information security objectives of non-business consumers. It has also damaged the case for applying legislative frameworks within which cryptography has useful functionality, because the assumptions made often simply do not align with real-world information security goals.
(One of my friends made an observation: "I have never met any crypto[grapher] who was not at least a little off." 'off', in this sense, refers to 'eccentric', or 'possessing a skewed worldview' -- essentially, cryptography is an extremely interesting game, but it teaches paranoia and legalistic preciseness as a worldview.)
Bringing this back to the HAC, this viewpoint is brutally apparent in Chapter 1 and its listing of "some information security objectives". To be fair, most of these make sense in a specific worldview -- but only if you can rely on a court system to enforce that specific worldview, and recognize the precise guarantees that each mathematical algorithm can provide. Otherwise, it provides a lot of opportunity and potential for misuse. I'm not going to address all of the points they bring up, here... but I will point out a few of the more interesting (to me) ones.
'privacy or confidentiality' -- well, we often want to know that what we're sending out over the network isn't going to be read by anyone who isn't supposed to read it. The problem with this is that it's damnably difficult to set up -- and it doesn't work at all when sending messages to a mailing list or to a Usenet group.
'data integrity' -- Of all the things it lists, this is the one that almost everyone can agree on. Realistically, it's almost more conspicuous in our current communications protocols for its absence -- even as few as 5 years ago, much of our communication was easily damaged by line noise on our modems (and in some parts of our country, it still is). Now we have to deal with cellular phones, which (at least where I live) often drop packets, causing warbling and inability to understand on each end of a connection.
'entity authentication or identification' -- um... identification and authentication are two separate processes, guys. At least as far as the Information Technology/Information Services field goes, and even as far as X.509 and SET go. And since when is a credit card an 'entity'? Wouldn't that kind of destroy e-commerce as we know it? It may be a token providing evidence of authority (to use a specific account number in a manner that can create liability), but it's not an actual entity. :P
'non-repudiation' -- "preventing the denial of previous commitments or actions." Uhh.. this would be akin to stating that everything ever written must be signed by the person who wrote it, and whoever's signature was on it would be completely actionable for it at any point in the future. I don't know about the authors, but I tend to regard my freedom of speech (and freedom of anonymous speech) as integral to my social identity.
In certain contexts, signatures and non-repudiation are generally considered to be 'bad things'. These contexts include OTR and other direct peer-to-peer non-formal interactions. Non-repudiation is necessary in formal interactions (where you need to prove that someone actually committed to or signed something like a contract), but is overkill and perhaps even damaging in non-formal situations.
"Why wouldn't you want to put your name to everything you write? Do you have something to hide?" Does it matter? I don't want the drama that comes from it. I don't need to be involved in "splash damage" from situations where a friend or colleague's computer is improperly accessed for their logs.
Why would I want to put my name on something that I wrote that might be considered 'unprofessional' where I work, that might cause me to lose my job? (example: I write an erotic story and post it to the Internet, I put my name to it, and suddenly anyone who does a web search on my name finds it. What I do in my own time should be my business, even if I choose to share it with others who enjoy it elsewise -- but if I were to be working at a bank or somesuch, the 'distinct lack of professionalism' would probably get me fired.)
Until our society becomes more accepting of private lives becoming public, I'm not going to sign my name to the stuff I do in my own private life, unless I think it's appropriate.
Oorschot, and S. Vanstone (CRC Press, 1996), and I have to say that it seems to be very well-written and well thought-out. However, I'm looking at it from the viewpoint of someone who has recently realized that there are issues in how the field views itself and presents itself, and I figure it's probably appropriate to describe some of these issues.
At its heart, cryptography is a means of ensuring that a policy is communicated along with a communication. Whether that policy is "I want nobody else to see this", "I want you to know that it came from me and wasn't forged in the meantime", "I am making a good faith effort to participate in this protocol and I expect you to do the same", or anything else, the policy is communicated by the presence of mathematical transformations of the data (and possibly any secret information which isn't communicated). The fact of the matter, though, is that there is no means to guarantee that the recipient will follow the policy that's communicated. In my view, this is a fundamental flaw of the current state of the art and state of the science in cryptography.
The cryptographic literature appears to assume that the ultimate goal of any and all of its users expect the same level of security, the same guarantees, the same possibilities and the same impossibilities, in each and every communication they make. This is simply and categorically not the case -- and it is an assumption which has damaged the credibility of the field as relates to information security objectives of non-business consumers. It has also damaged the case for applying legislative frameworks within which cryptography has useful functionality, because the assumptions made often simply do not align with real-world information security goals.
(One of my friends made an observation: "I have never met any crypto[grapher] who was not at least a little off." 'off', in this sense, refers to 'eccentric', or 'possessing a skewed worldview' -- essentially, cryptography is an extremely interesting game, but it teaches paranoia and legalistic preciseness as a worldview.)
Bringing this back to the HAC, this viewpoint is brutally apparent in Chapter 1 and its listing of "some information security objectives". To be fair, most of these make sense in a specific worldview -- but only if you can rely on a court system to enforce that specific worldview, and recognize the precise guarantees that each mathematical algorithm can provide. Otherwise, it provides a lot of opportunity and potential for misuse. I'm not going to address all of the points they bring up, here... but I will point out a few of the more interesting (to me) ones.
'privacy or confidentiality' -- well, we often want to know that what we're sending out over the network isn't going to be read by anyone who isn't supposed to read it. The problem with this is that it's damnably difficult to set up -- and it doesn't work at all when sending messages to a mailing list or to a Usenet group.
'data integrity' -- Of all the things it lists, this is the one that almost everyone can agree on. Realistically, it's almost more conspicuous in our current communications protocols for its absence -- even as few as 5 years ago, much of our communication was easily damaged by line noise on our modems (and in some parts of our country, it still is). Now we have to deal with cellular phones, which (at least where I live) often drop packets, causing warbling and inability to understand on each end of a connection.
'entity authentication or identification' -- um... identification and authentication are two separate processes, guys. At least as far as the Information Technology/Information Services field goes, and even as far as X.509 and SET go. And since when is a credit card an 'entity'? Wouldn't that kind of destroy e-commerce as we know it? It may be a token providing evidence of authority (to use a specific account number in a manner that can create liability), but it's not an actual entity. :P
'non-repudiation' -- "preventing the denial of previous commitments or actions." Uhh.. this would be akin to stating that everything ever written must be signed by the person who wrote it, and whoever's signature was on it would be completely actionable for it at any point in the future. I don't know about the authors, but I tend to regard my freedom of speech (and freedom of anonymous speech) as integral to my social identity.
In certain contexts, signatures and non-repudiation are generally considered to be 'bad things'. These contexts include OTR and other direct peer-to-peer non-formal interactions. Non-repudiation is necessary in formal interactions (where you need to prove that someone actually committed to or signed something like a contract), but is overkill and perhaps even damaging in non-formal situations.
"Why wouldn't you want to put your name to everything you write? Do you have something to hide?" Does it matter? I don't want the drama that comes from it. I don't need to be involved in "splash damage" from situations where a friend or colleague's computer is improperly accessed for their logs.
Why would I want to put my name on something that I wrote that might be considered 'unprofessional' where I work, that might cause me to lose my job? (example: I write an erotic story and post it to the Internet, I put my name to it, and suddenly anyone who does a web search on my name finds it. What I do in my own time should be my business, even if I choose to share it with others who enjoy it elsewise -- but if I were to be working at a bank or somesuch, the 'distinct lack of professionalism' would probably get me fired.)
Until our society becomes more accepting of private lives becoming public, I'm not going to sign my name to the stuff I do in my own private life, unless I think it's appropriate.
Archives
2006-02-12 2006-02-19 2006-02-26 2006-03-05 2006-03-12 2006-03-19 2006-03-26 2006-04-02 2006-04-09 2006-04-16 2006-04-23 2006-07-23 2008-01-13 2008-01-20 2008-02-03 2008-02-17 2008-03-16 2008-04-06 2008-05-11
