Trillian Secure IM

Alex Pankratov ap at poneyhot.org
Mon Oct 8 23:47:48 EDT 2007 

 

> -----Original Message-----
> From: owner-cryptography at metzdowd.com 
> [mailto:owner-cryptography at metzdowd.com] On Behalf Of Leichter, Jerry
> Sent: Monday, October 08, 2007 11:48 AM
> To: Alex Pankratov
> Cc: cryptography at metzdowd.com
> Subject: RE: Trillian Secure IM
> 
> | > But, opportunistic cryptography is even more fun.  It is 
> | > very encouraging to see projects implement cryptography in 
> | > limited forms.  A system that uses a primitive form of 
> | > encryption is many orders of magnitude more secure than a 
> | > system that implements none.
> | 
> | Primitive form - maybe, weak form - absolutely not. It 
> | is actually worse than having no security at all, because 
> | it tends to create an _illusion_ of protection. 
>
> This is an old argument.  I used to make it myself.  I even used
> to believe it.  Unfortunately, it misses the essential truth:  
> The choice is rarely between really strong cryptography and weak 
> cryptography; it's between weak cryptography and no cryptography 
> at all. What this argument assumes is that people really *want* 
> cryptography; that if you give them nothing, they'll keep on asking 
> for it; but if you give them something weak, they'll stop asking 
> and things will end there.  But in point of fact hardly anyone 
> knows enough to actually want cryptography. Those who know enough 
> will insist on the strong variety whether or not the weak is 
> available; while the rest will just continue with whatever they 
> have.

Well, I view it from a slightly different perspective. 

Even the most ignorant person knows a difference between 
the privacy and the lack of thereof. Cryptography or not. 
Therefore, if he is being told that A offers a privacy, 
it may lead this person to assume the level of this 
privacy protection is adequate ... simply because if it 
weren't, it wouldn't be offered. Needless to say that
this sort of an assumption in case of a weak crypto is
dangerous.

When there's a choice between no and weak protection, I am 
of course in favour of latter *if* it is clearly labeled as 
weak.

> | Which is by the way exactly the case with SecureIM. How 
> | hard is it to brute-force 128-bit DH ? My "guesstimate"
> | is it's an order of minutes or even seconds, depending
> | on CPU resources.
>
> It's much better to analyze this in terms of the cost to 
> the attacker and the defender.

Yup, I am familiar with the methodology. My point was that
128bit DH is "breakable" in terms of the people from those
forum's threads.

Alex

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list