[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Jerry Leichter leichter at lrw.com
Thu Sep 5 23:02:14 EDT 2013


On Sep 5, 2013, at 10:19 PM, Jon Callas wrote:
> I don't disagree by any means, but I've been through brittleness with both discrete log and RSA, and it seems like only a month ago that people were screeching to get off RSA over to ECC to avert the "cryptocalypse." And that the ostensible reason was that there are new discrete log attacks -- which was just from Mars and I thought that that proved the people didn't know what they were talking about. Oh, wait, it *was* only a month ago! Silly me.
> 
> "Crypto experts issue a call to arms to avert the cryptopocalypse"
> 
> http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/
> 
> Discrete log has brittleness. RSA has brittleness. ECC is discrete log over a finite field that's hard to understand. It all sucks.
Perhaps it's time to move away from public-key entirely!  We have a classic paper - Needham and Schroeder, maybe? - showing that private key can do anything public key can; it's just more complicated and less efficient.

Not only are the techniques brittle and increasingly under suspicion, but in practice almost all of our public key crypto inherently relies on CA's - a structure that's just *full* of well-known problems and vulnerabilities.  Public key *seems to* distribute the risk - you "just get the other guy's public key" and you can then communicate with him safely.  But in practice it *centralizes* risks:  In CA's, in single magic numbers that if revealed allow complete compromise for all connections to a host (and we now suspect they *are* being revealed.)

We need to re-think everything about how we do cryptography.  Many decisions were made based on hardware limitations of 20 and more years ago.  "More efficient" claims from the 1980's often mean nothing today.  Many decisions assumed trust models (like CA's) that we know are completely unrealistic.  Mobile is very different from the server-to-server and dumb-client-to-server models that were all anyone thought about at the time.  (Just look at SSL:  It has the inherent assumption that the server *must* be authenticated, but the client ... well, that's optional and rarely done.)  None of the work then anticipated the kinds of attacks that are practical today.

I pointed out in another message that today, mobile endpoints potentially have access to excellent sources of randomness, while servers have great difficulty getting good random numbers.  This is the kind of fundamental change that needs to inform new designs.
                                                        -- Jerry
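The "single magic number" point in the message above, as an added worked example that is not part of the original thread or of any real TLS stack: a deliberately undersized toy model of RSA key transport (the TLS_RSA-style handshake, where the client encrypts the session key to the server's long-term RSA key) next to an ephemeral Diffie-Hellman handshake in which the long-term key only signs. Traffic is recorded, and later the server's private key leaks. Every parameter here is an illustration-only assumption (64-bit RSA primes, the Mersenne prime 2^127-1 as the DH group, a SHA-256 XOR keystream in place of a real cipher, a seeded RNG so the run is reproducible); none of it is secure and none of it is drawn from the original message.

```python
"""Toy: long-term-key leak vs recorded traffic. Illustration only, NOT secure."""
import hashlib
import math
import random

rng = random.Random(2013)      # seeded so the demo is reproducible (assumption, toy only)
RSA_E = 65537
DH_P = 2**127 - 1              # Mersenne prime, chosen for the toy DH group
DH_G = 3


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; good enough to build a toy RSA modulus."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 64):
    """Textbook RSA with tiny primes: the server's single long-term 'magic number'."""
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(RSA_E, phi) == 1:
            return (p * q, RSA_E), (p * q, pow(RSA_E, -1, phi))   # (public, private)


def rsa_encrypt(pub, m): return pow(m, pub[0] and m and pub[1], pub[0]) if False else pow(m, pub[1], pub[0])
def rsa_decrypt(priv, c): return pow(c, priv[1], priv[0])


def _hash_to_int(value: int, n: int) -> int:
    return int.from_bytes(hashlib.sha256(value.to_bytes(32, "big")).digest(), "big") % n


def rsa_sign(priv, value: int) -> int:   return pow(_hash_to_int(value, priv[0]), priv[1], priv[0])
def rsa_verify(pub, value: int, sig: int) -> bool: return pow(sig, pub[1], pub[0]) == _hash_to_int(value, pub[0])


def kdf(secret: int) -> bytes:
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the record-layer cipher: SHA-256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def record_rsa_transport_session(server_pub, plaintext: bytes) -> dict:
    """Client picks the session key and encrypts it to the server's long-term key."""
    k = rng.randrange(2, server_pub[0] - 1)
    return {"enc_key": rsa_encrypt(server_pub, k), "ct": xor_stream(kdf(k), plaintext)}


def record_ephemeral_dh_session(server_priv, plaintext: bytes) -> dict:
    """Both sides use fresh DH exponents; the long-term key only signs the server share."""
    a, b = rng.randrange(2, DH_P - 1), rng.randrange(2, DH_P - 1)
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(A, b, DH_P)                 # == pow(B, a, DH_P); a and b are then discarded
    return {"A": A, "B": B, "sig": rsa_sign(server_priv, B), "ct": xor_stream(kdf(shared), plaintext)}


def attacker_decrypts_rsa_sessions(leaked_priv, transcripts) -> list:
    """One leaked number unlocks every recorded RSA-transport session, past and future."""
    return [xor_stream(kdf(rsa_decrypt(leaked_priv, t["enc_key"])), t["ct"]) for t in transcripts]


def attacker_against_dh_sessions(leaked_priv, transcripts) -> dict:
    """The recording holds A, B, sig, ct but neither exponent, so the leaked signing key
    recovers no past plaintext. It does let the attacker sign its own share and so
    impersonate the server in *future* handshakes (active attack, not passive recovery)."""
    pub = (leaked_priv[0], RSA_E)
    forged_B = pow(DH_G, rng.randrange(2, DH_P - 1), DH_P)
    return {"authentic": all(rsa_verify(pub, t["B"], t["sig"]) for t in transcripts),
            "can_forge_future_handshake": rsa_verify(pub, forged_B, rsa_sign(leaked_priv, forged_B))}


def demo() -> dict:
    server_pub, server_priv = rsa_keygen()
    msgs = [b"GET /secret HTTP/1.1", b"password=hunter2", b"session=abc123"]   # constructed sample traffic
    rsa_rec = [record_rsa_transport_session(server_pub, m) for m in msgs]
    dh_rec = [record_ephemeral_dh_session(server_priv, m) for m in msgs]
    # Years later the server's long-term private key is obtained by the adversary.
    return {"rsa_transport_fully_recovered": attacker_decrypts_rsa_sessions(server_priv, rsa_rec) == msgs,
            **attacker_against_dh_sessions(server_priv, dh_rec)}


if __name__ == "__main__":
    print(demo())
```

The contrast is the whole point: with key transport, the server's private key is the only secret standing between a passive recorder and every session ever made to that host, so exfiltrating it once (by warrant, insider or exploitation) is retroactively complete. With ephemeral exchange the same leak still matters, but only for impersonation going forward, which is a visibly active attack rather than silent recovery of archived traffic.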
