[Cryptography] RSA is dead.

Phillip Hallam-Baker hallam at gmail.com
Mon Dec 23 17:42:31 EST 2013


On Mon, Dec 23, 2013 at 1:34 PM, <dan at geer.org> wrote:

>
>  > What the recent revelations really show is that the NSA is abjectly
>  > incompetent at its real job which is making America safe. They have
>  > failed to protect the confidentiality of US government secrets.
>  > They were pwned by a 29-year-old contractor.
>
> It is said that the most important legacy for an executive
> is what did not happen on their watch.  In a complexifying
> world, the list of things that did not happen (the numerator)
> becomes as inestimable as the list of things that could
> have happened (the denominator), thus reducing conversations
> on a given legacy to the listing of anecdotes.
>
> In the meantime, what do you think of the Russians going
> back to typewriters?  To be crisp, on a scale from paranoid
> fantasy (0) to unshakeable genius (100), where would you
> place the mark?
>

I think they miss the real risks even worse than our own generals.

Disclosure is not the risk to worry about. The problem is integrity
attacks. Specifically the fact that we are all operating pre-cryptographic
critical infrastructures.

My bank just called to tell me that my bank card spending limit is reduced
to $200 and they are sending me a card because another vendor (not Target)
has been compromised. We have known how to block card present fraud
completely for two decades and Europe has had Chip and PIN for getting on
for a decade.


Cyber is not a new and exciting domain for warfare any more than terrorism
was in the 1970s. Cyber-attack is terrorism. Stuxnet was terrorism.

Cyber-attack has a low barrier to entry and is inherently unattributable.
The risk of misattribution or a false flag attack is inescapable. The
likely impact of a cyber attack is low but the fear factor is very high.

Cyber lowers the threshold for deciding to use force. This encourages the
use of force in place of diplomacy. The alternative to Stuxnet was not war,
it was to make a serious effort at finding a diplomatic solution. Olympic
Games was politically expedient in that it was much cheaper politically
than the diplomatic route. But the cost is that the US has set a precedent
in which civil nuclear facilities under IAEA inspection are fair game for
cyber attack.


Every major power should have as its primary foreign policy objectives to
avoid the use of nuclear weapons or any major conflict between the great
powers. The risk of a war between the US and Russia or China is negligible.
But the risk of a war between Russia and China is quite significant. Russia
has a weak, corrupt government with a loss of empire complex. China is
emerging as a successful, confident economic power. Between the two
countries lie a half dozen failed states with corrupt, unstable
governments and large ethnic Russian and Han populations.

Brzezinski calls the area the global Balkans because of the risk of a war
in or between the states in the region leading to a Russian/Chinese war.
Scenarios in which the Russians attempt a pre-emptive attack on the Chinese
cyber infrastructure to keep them busy while they invade seem quite
plausible to me. Since 1979 Russia has had an unbroken record of backing
the losing side in every major international conflict in which they have
taken a stand.


Security is not the zero sum game Hayden and Alexander believe it to be. It
is in the UK and US interest to ensure that every country has a solid and
trustworthy critical infrastructure.

I think it is possible to go further and argue for mutual assistance in
putting diplomatic and government communications beyond attack but that is
a longer argument.

Going to typewriters is not going to help much; there were acoustic attacks
against typewriters in the 1970s. And any modern process that is based on
typewriters is also going to have a lot of photocopiers involved. And those
all have CPUs these days and many have hard drives and all are hideously
insecure.



-- 
Website: http://hallambaker.com/