Threat models (was: quantum hype )

Fri Sep 19 15:59:54 EDT 2003

In message <3F6B4F20.3030108 at av8n.com>, "John S. Denker" writes:
> Or perhaps more relevantly, what
>is the chance that an enemy black-bag artist or a
>traitor or a bungler will compromise all my keys
>and/or all my plaintext?  The latter is not to
>be sneezed at, and puts an upper bound on what
>I'm willing to pay for fancy crypto.
>

Right -- this is crucial.  *What is your threat model?*  Until you know 
that, you don't know how to design your crypto gear.  For example, one 
of the prime considerations in NSA designs is to make sure that no 
traffic decryption key is *ever* accessible to users of the system -- 
that way, those keys can't be compromised, by stupidity or espionage.  
Think of it as perfect forward secrecy on steroids.

Let me strongly recommend that people read "Between Silk and Cyanide", 
by Leo Marks.  It's a good read, but from a professional perspective 
what's important is what you learn about threat models.  During World 
War II, Marks worked on (among other things) secure communications for 
resistance fighters in occupied Europe.  A naive approach to the 
problem would be "make sure that all of the keying material is 
memorizable, so that there's nothing incriminating in written form".  
Indeed, that was tried -- it turned out to be the wrong answer.  If the 
Gestapo was interested in you, you *would* disclose your key, with high 
probability.  It didn't matter if there was a secret distress 
authenticator; they'd match what you said about that to your past 
traffic and see what it looked like.  By contrast, a written 
one-time-use key that was destroyed after encryption revealed nothing, 
not even which variant of the key was the distress signal.  
Furthermore, the printed keys were easier to use, which made for fewer 
garbles when encrypting and hence fewer retransmissions.  And 
transmissions were *very* dangerous, because of Gestapo direction 
finders; anything that minimized transmission time was a major 
improvement.

In other words, what looks at first glance to be a weaker system is 
actually much stronger.  There's a lot more; read the book.

Returning to the original question -- quantum key distribution has 
certain strengths and certain weaknesses.  Do its strengths address 
areas where you're actually weak?  For example, is (as John points out) 
the real risk that someone will steal your private key or your 
plaintext, rather than that someone will crack RSA?  If so, QKD isn't 
going to help.  Even from a purely cryptographic perspective, if you're 
using QKD perhaps AES is the weak point, rather than RSA, in which case 
a more secure mechanism for distributing AES keys won't help.

We're dealing with cryptographic systems here, and enemies don't go 
through security, they go around it.

		--Steve Bellovin, http://www.research.att.com/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com