crypto question
D. A. Honig
dahonig at cox.net
Sat Mar 23 00:28:22 EST 2002
At 01:04 PM 3/21/02 -0500, Nelson Minar wrote:
>>Question. Is it possible to have code that contains a private encryption
>>key safely?
>
>As a practical matter, yes and no. Practically no, because any way you
>hide the encryption key could be reverse engineered. Practically yes,
>because if you work at it you can make the key hard enough to reverse
>engineer that it is sufficient for your threat model.
>
>This problem is the same problem as copy protection, digital rights
>management, or protecting mobile agents from the computers they run
>on. They all boil down to the same challenge; you want to put some
>data on a computer you don't control but then restrict what can be
>done with that data.
The fundamental issue is: who benefits from keeping the secret secret?
If the holder of the bankcard (or whatever) is liable for abuse
due to cracking, you are in a much better position than if the
bank loses when a cracker cracks the card in his possession.
This of course does not help when an adversary *steals* access to the
secret in the bankcard. It only helps when the holder of the secret
has an interest in keeping the secret.
One gathers from this discussion that the content-creator is worried
about content-users cracking their system; that is in general hopeless,
modulo the cost factors. (And remembering what Schneier wrote about
"all it takes is one cracker + the internet", if a crack tool is readily
copied.)
dh
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list