Is cryptography where security took the wrong branch?

Ian Grigg iang at systemics.com
Wed Sep 3 05:24:36 EDT 2003 

Eric Rescorla wrote:
> 
> Ian Grigg <iang at systemics.com> writes:
> > That's a scary talk!  I see a lot of familiar
> > stuff, but it seems that whilst Eric courts the
> > dark side of real security, he holds back from
> > really letting go and getting stuck into SSL.
> >
> > For example, he states that 28% of wireless
> > networks use WEP, and 1% of web servers use SSL,
> > but doesn't explain why SSL is a "success" and
> > WEP is a "failure" :-)
> 
> I was very clear about this in my talk.

A good point - commenting on slides is fraught
with danger, as others have pointed out.  Is
there to be a paper?

[further WEP comments at end...]

> I think it's pretty
> inarguable that SSL is a big success.

One thing that has been on my mind lately is how
to define success of a crypto protocol.  I.e.,
how to take your thoughts, and my thoughts, which
differ, and bring the two together.

There appear to be a number of metrics that have
been suggested:

   a.  nunber of design "wins"
   b.  penetration into equivalent unprotected
       market
   c.  number of actual attacks defeated
   d.  subjective good at the application level
   e.  worthless measures such as deployed copies,
       amount of traffic protected

All of these have their weaknesses, of course.
It may be that a composite measure is required
to define success.  I'm sure there are more
measures.

a. The only thing that seems to be clearly a win
for SSL is the number of design wins - quite
high.  That is, it would appear that when someone
is doing a new channel security application, the
starting point is to consider SSL.

b. we seem to be agreeing on 1% penetration of
the market, at least by server measurement (see
my other post where I upped that to 1.24% in the
most recent figures).

That's not going to support any notion of "big
success."  (Note here Michael Shields' comments
on HTTPS (in)convenience.)

c.  number of attacks defeated.  When correctly
deployed, SSL seems to defeat all known active and
passive attacks.

Problem is, at least for HTTPS, there are practically
no active attacks.  And passive attacks are not
very common.  We know this because credit cards get
stolen in their millions.  But in all cases, known,
they get stolen by hacking.  I still believe there
has never been a case of a credit card number being
eavesdropped off an open transmission (and delivering
CCs over open forms & email does go on!).

So, it's not clear that SSL achieves much with c.
either - for HTTPS.  For other applications, one
would need to look at those specific cases.

d.  subjective good.  For HTTPS, again, it's a
decidedly mixed score card.  When I go shopping
at Amazon, it makes little difference to me, because
the loss of info doesn't effect me as much as it
might - $50 limit on liability.  Same with the
merchant - what he's worried about is identity,
but SSL's only contribution to identity - client
certs - is a failure.  More on this another day,
the basic issue is that the threat model is wrong,
I think.



In sum, I think it highly arguable that SSL is a
huge success.  Highly arguable, and in terms of
any positive objective measure as to where one can
show SSL's success, I'm interested to see what that
is, from both the particular SSL case, and the
general crypto case.



> Actually, I think that SSL has the right model for the application
> it's intended for. SSH has the right model for the application it
> was intended for. Horses for courses.

Plenty of room for future discussion then :-)

(I sense your pain though - I see from the SHTTP
experiences, you've been through the mill.  And
written the book!  I also share the pain, as all
this fine work by many people has delivered what
amounts to very little.  Our comms, our browsing,
our net, remains fundamentally unprotected.)


iang


PS:  in the interests of brevity, I stuck my
reponse on the WEP issue here, where it can be
skipped more readily...

> WEP is a failure because any even vaguely serious attacker can break
> it in minutes. Therefore, the amount of value it adds over simple MAC
> checking is quite small. If WEP had been competently done (IE used RC4
> correctly) it would be a smashing success.

I admit I was thinking it was an active attack,
but in fact a passive attack is sufficient.  This
makes the attack by far easier.

   "AirSnort requires approximately 5-10 million
   encrypted packets to be gathered. Once enough
   packets have been gathered, AirSnort can guess
   the encryption password in under a second."
   http://airsnort.shmoo.com/

On a busy network, maybe many minutes of listening.
On a mostly idle network, many hours.  It seems
to reduce WEP to a complicated method of access
control.

I'm almost convinced that WEP is a failure, but
I think it retains some residual value.

What matters is how much this slows down the
attackers.  Not the theoretical one (with his
copy of WepCrack or AirSnort) but the real
people out in the street.  For a start, just the
mere knowledge that you have to crack something
will reduce the potential for outsiders entering
into your network by about 100 fold.

Coz most people are honest.  What this achieves
is the equivalent of yellow police tape across
a prohibited area - more access control than
security, perhaps.

But, the interesting thing is that with WEP
penetration at 28%, then there should be some
experience out there that shows whether it is
good or useless.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list