[Cryptography] Secure erasure

Stephen Farrell stephen.farrell at cs.tcd.ie
Mon Sep 12 03:33:07 EDT 2016


Hiya,

On 12/09/16 07:53, Peter Gutmann wrote:
> Stephen Farrell <stephen.farrell at cs.tcd.ie> writes:
>> On 11/09/16 10:50, Peter Gutmann wrote:
>>> Which leads to a further corollary that anything more than maybe single DES
>>> when your opponent is anything other than a nation-state is probably a waste
>>> of time because there's always an easier way in.
>>
>> Really? That seems awfully inaccurate to me. Single DES does not require a
>> nation state and passive attacks are far less risky than active. I think
>> you've let rhetoric overly affect your words there, and in a way that could
>> cause harm.
> 
> I didn't say "use weak crypto", I said that using anything stronger than about
> single DES isn't necessary because it's no longer the weakest point. 

So I do think your message encouraged weaker crypto but the more
interesting part is perhaps why the weakest point, as in the simplest
attack to demonstrate, is not the only relevant argument.

Yes, a rational attacker will choose the weakest point, in the
sense of the most effective attack. For most non-nation-states
that will mean the most cost-effective attack. (Nation states
have a less cost-driven definition of effective;-) But some attackers
will consider the cost of a detected attack as high and so may
find a more passive attack more attractive. For example, a hoster
or ISP might either collude with someone else or be coerced into
doing so, and that can then become the most cost-effective attack.
At that point a des-cracker would be entirely usable and would not
(in contrast to your statement) require a nation-state. And that
argument generalises to weaker crypto and not just single-DES.

For many attack vectors, this doesn't matter, but it does matter
when considering weaker crypto, such as single-DES. So your point
about weakest points is relevant but not the only relevant argument.

> Barring
> corner cases, can you give me an example of a widely-deployed system involving
> crypto where single DES is the weakest point, in other words where attackers
> are using DES-cracking to get in?  It's not SCADA, both because SCADA isn't
> protecting anything worth applying a DES-breaker to and because there's
> always, always a much easier way in.  It's not protecting bank accounts/credit
> cards (TLS) because you can buy those in bulk from any carder forum for next
> to nothing (heck, carders give away free samples to prove their wares are
> good).  It's not Unix logons/server access (SSH) because you can buy
> compromised machines for equally little.
> 
> So for which generally-used, widely-deployed system (where the opponent isn't
> a nation-state) is DES the weakest point of attack?

I don't curate such lists, but perhaps deployments where mschap
is still usable and where such packets traverse networks that
allow sniffing packets? I'd be shocked but happy if that was now
a small number of deployments. I think we all know that it takes
many many years to get rid of crypto that used to be, but is no longer,
considered ok, which is all the more reason to really be careful
to not encourage continued use of such, once there's an alternative
that's feasible. (Where there's no feasible alternative, that's
another discussion.)

All that said, I do fully agree that adding better crypto is not
a way to make systems magically secure. But encouraging weaker
crypto, when that's not the only option, is a way to make systems
less secure, which is what I objected to in your message.

Cheers,
S.


> 
> Peter.
> 
> 
