"PGP Encryption Proves Powerful"

Ian Grigg iang at systemics.com
Sun Jun 1 11:18:06 EDT 2003 

John Kelsey wrote:
> 
> At 10:29 AM 5/30/03 -0400, Anton Stiglic wrote:
> 
> >So what happened to passphrase guessing?  That's got to be
> >one of the weakest links.  Unless their private key wasn't
> >stored on the device?
> 
> One thought:  How hard would it be to write a Palm app to use the
> interaction between several devices to derive a key or password, using the
> IR ports?  The whole thing could easily be encrypted under a common
> key.  Require the attacker to get a device from each member of the cell (or
> 3/5 or some such)

Certainly, if all the cell members had a PDA,
with IR, then that would allow a much more
robust multi-factor system.  But...

> before recovering the actual encrypted secrets.  I wouldn't be surprised if
> technologically sophisticated terrorists and spies were doing stuff like
> that.  (You could easily do this with pen and paper, too, for simple
> control structures.  Each member of the cell holds some parts of the
> password written down, and 4/5 of them have to get togther to reconstruct
> the full password.)

This sounds workable in theory, but in practice,
one has to work with the skills base of the users
and the stress of the work.

Terrorists are generally not adept at technical
work.  They are not really chosen for their
skills;  more their loyalty, their anger, and
often their simplistic belief in "some other
bad guy" stories.  Terrorists are like soldiers,
mostly drawn from the lower echelons of society,
with a small smattering of bright sparks who
rise to the top (if they survive at all).  If
they could master technically challenging tools
like crypto then they'd not be terrorists, they'd
be out there making a living.

Giving them a complex technical tool means an
awful lot of training.  Which means:  they may
be able to master this, as they are not totally
dumb, but, this means they are not training in
some other thing.

There is a reason that the AK47 is the weapon of
choice:  it is an extraordinarily simple weapon.
Training is probably about half the requirements
of say the M16.  That makes a difference, much
more so than, say, the increased accuracy of the
M16!

There is a huge premium in a simple tool.  In
practice, I'd suspect that a single factor crypto
system would win out in the end, as anything more
complex would bog down under fire.  (In fact, I
am surprised they are using crypto *at* *all*,
I'd be very nervous about the amount of data that
could end up being compromised by a lost PDA and
a tortured terrorist!)



There is this pervasive image that terrorists are
technologically adept.  I don't think I've ever
seen much real evidence of that.  I think there
are two factors in this unrealistic belief.

1. The media love to portray terrorists as a wiley
enemy.  I can only put that down to a need to
explain how they managed to do this terrible
thing to us:  mentally, we feel better if the
enemy is really smart, a challenge to us, as it's
ok for him to win once or twice.  (As long as we
are smarter, and can rise and win in the end...)

Recall, we all love and admire the Germans because
they were a smart adept enemy in the first half
of the 20th century.  We have almost as much
admiration for the Japanese, but pretty much no
admiration for the Chinese and the Koreans, who
resort too quickly to human wave tactics.

(The Vietnamese, and Russians, we feel quixotic
about...)

Phsycologically, it makes us unhappy to realise
that the 911 attackers were actually quite simple,
so we don't.  We build up Osama bin Laden to be
a mastermind, a sort of James Bond-qualified evil
guy who constructs plans of insidious cunning.



2. Also, the counter-terrorist forces have a
vested interest in presenting the terrorists as
more capable than they really are (hence, that
article, as many have observed).  This is a simple
and pervasive technique to get more support for
their activities.  For example, it's now pretty
much clear that a lot of the threat assessments
of the Soviet Union were routinely exaggerated
dramatically by money-seeking companies and generals.

Also, you can't really be "wrong" and embarressed
if you over-exaggerate the threat.



All this is a long winded way of saying your
average terrorist is much more like your grandma
when it comes to tech.  Highly competant in the
kitchen, but can't send an email to save herself.

-- 
iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list