[Cryptography] Summary of the discussion so far

Nico Williams nico at cryptonector.com
Thu Sep 12 15:53:28 EDT 2013


On Wed, Sep 11, 2013 at 04:03:44PM -0700, Nemo wrote:
> Phillip Hallam-Baker <hallam at gmail.com> writes:
> 
> > I have attempted to produce a summary of the discussion so far for use
> > as a requirements document for the PRISM-PROOF email scheme. This is
> > now available as an Internet draft.
> >
> > http://www.ietf.org/id/draft-hallambaker-prismproof-req-00.txt
> 
> First, I suggest removing all remotely political commentary and sticking
> to technical facts.  Phrases like "questionable constitutional validity"
> have no place in an Internet draft and harm the document, in my opinion.

Privacy relative to PRISMs is a political problem first and foremost.
The PRISM operators, if you'll recall, have a monopoly on the use of
force.  They have the rubber hoses.  No crypto can get you out of that
bind.

I'm extremely skeptical of anti-PRISM plans.  I'd start with:

 - open source protocols
 - two or more implementations of each protocol, preferably one or more
   being open source
 - build with multiple build tools, examine their output[*]
 - run on minimal OSes, on minimal hardware [**]

After that... well, you have to trust counter-parties, trusted third
parties, ...  It gets iffy real quick.

The simplest protocols to make PRISM-proof are ones where there's only
one end-point.  E.g., filesystems.  Like Tahoe-LAFS, ZFS, and so on.
One end-point -> no counter-parties nor third parties to compromise.
The one end-point (or multiple instances of it) is still susceptible to
lots of attacks, including local attacks involving plain old dumb
security bugs.

Next simplest: real-time messaging (so OTR is workable).

Traffic analysis can't really be defeated, not in detail.

On the other hand, the PRISMs can't catch low-bandwidth communications
over dead drops.  The Internet is full of dead drops.  This makes one
wonder why bother with PRISMs.  Part of the answer is that as long as
the PRISMs were secret the bad guys might have used weak privacy
protection methods.  But PRISMs had to exist by the same logic that all
major WWII powers had to have atomic weapons programs (and they all
did): if it could be built, it must be, and adversaries with the
requisite resources must be assumed to have built their own.

Anti-PRISM seems intractable to me.

Nico

[*] Oops, this is really hard; only a handful of end-users will ever do
    this.  The goal is to defeat the Thompson attack -- Thompson trojans
    bit-rot; using multiple build tools and disassembly tools would be
    one way to increase the bit-rot speed.

[**] Also insanely difficult.  Not gonna happen for most people; the
     ones who manage it will still be susceptible to traffic analysis
     and, if of interest, rubber hose cryptanalysis.
