[Cryptography] Why don't we protect passwords properly?

Bill Frantz frantz at pwpconsult.com
Wed Dec 25 21:25:57 EST 2013


Let me try to describe where I'm coming from. The way I see it, 
we live in a world where major portions of our online life are 
under constant attack from adversaries with far fewer resources 
than the National Scale Adversaries (NSAs) we all worry about. 
In addition to these run-of-the-mill attacks, I expect the NSAs 
are quite busy doing industrial spying for their national 
champions, a situation which should worry any technology company.

On 12/25/13 at 3:03 AM, pinterkr at gmail.com (Krisztián Pintér) wrote:

>we always learn very late when an attack goes from theoretical to
>practical...

This statement is not universally true. It takes only one 
example to prove my statement. Shortly after DES was 
standardized with its 56 bit key, some people published a paper, 
I think Whit Diffie was one of the authors, suggesting that a 
DES cracking machine could be built. Anyone wanting to use DES 
could include that published paper in their risk analysis. At 
the time of course, only NSAs had the budget for such a machine. 
Many years later Moore's law allowed the EFF to build the first 
publicly acknowledged DES cracker.

However, given the current security situation, I find ways of 
protecting against attacks which aren't seen in practice at best 
of academic interest. Discovering protections is a fun exercise, 
but it isn't addressing the problems which are killing us today.

If one believes Snowden, our algorithms are OK, but our 
protocols and procedures are questionable. For my part, I worry 
about random number generators, CAs, spear phishing, and the 
Hoovering of unencrypted metadata. There are probably other 
things I should worry about, but side channel attacks, EM 
emission, and power analysis don't seem to be a real threat to 
me and my laptop. (Given the current state of OS security, it is 
easier for an attacker to get root than to set up to use any of 
these attacks.)

Achieving security in today's network world is a fascinating 
combination of technology, psychology, economics, and politics. 
Pure technical solutions don't cut it now, and as I learned late 
in my career, never did.


>>OK, when is the cold boot attack a practical attack?
>
>yep, this is the game we (you and i) are playing right now, but this
>is a game i refuse to play.

So you have no realistic attack model. And I gave you at least 
two in a previous email along with a practical protection 
against them. Sad, with so many attack methods that are 
succeeding today, to spend time worrying about cold boot.


>>it hurts, don't do it.
>
>or make it not hurt. i think this latter is the more modern approach,
>at least in medicine. the don't do it approach is more medieval.

So long as you can make it not hurt. Even modern medicine can't 
make everything not hurt. When I fell 4 meters in a cave, it 
hurt. I intend to try very hard not to fall again.

Some of the timing attacks between VMs running on common 
hardware seem very hard to protect against. With current 
technology dedicated hardware is clearly the cheaper choice. The 
same kind of argument applies to sources of secure random 
numbers. If you need to generate an SSH key early in bringing up 
a system, either include a hardware USB random source, or plug 
in a KVM and run the mouse around on the screen. Don't 
compromise your security for ease of administration unless it is 
a low security system.


I like Jerry's analysis:

On 12/25/13 at 7:05 AM, leichter at lrw.com (Jerry Leichter) wrote:

>[Much really good stuff cut]...
>
>It's now (and has, really, been for a while) a big-ass 
>engineering problem.  And as I used to tell my OS classes, 
>engineering is all about tradeoffs...
>
>So I expect to see many more discussions about security 
>wandering, as we're no longer certain about what security 
>means.  Yes, worthwhile security debates start with a 
>definition of the attacks to be defended against; or, even 
>better, of the risks and costs associated with different 
>attacks and defenses.  But given the huge spectrum of entirely 
>different classes of risks, and the very different likelihoods 
>and costs different people will assign to them ... to accept 
>agreement on what are, at base, the *goals* is increasingly folly.


Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        |Security, like correctness, is| Periwinkle
(408)356-8506      |not an add-on feature. - Attr-| 16345 Englewood Ave
www.pwpconsult.com |ibuted to Andrew Tanenbaum    | Los Gatos, CA 95032


