[Cryptography] Why don't we protect passwords properly?
Bill Frantz
frantz at pwpconsult.com
Wed Dec 25 21:25:57 EST 2013
Let me try to describe where I'm coming from. The way I see it,
we live in a world where major portions of our online life are
under constant attack from adversaries with far fewer resources
than the National Scale Adversaries (NSAs) we all worry about.
In addition to these run-of-the-mill attacks, I expect the NSAs
are quite busy doing industrial spying for their national
champions, a situation which should worry any technology company.
On 12/25/13 at 3:03 AM, pinterkr at gmail.com (Krisztián Pintér) wrote:
>we always learn very late when an attack goes from theoretical to
>practical...
This statement is not universally true. It takes only one
example to prove my statement. Shortly after DES was
standardized with its 56 bit key, some people published a paper,
I think Whit Diffie was one of the authors, suggesting that a
DES cracking machine could be built. Anyone wanting to use DES
could include that published paper in their risk analysis. At
the time of course, only NSAs had the budget for such a machine.
Many years later Moore's law allowed the EFF to build the first
publicly acknowledged DES cracker.
However, given the current security situation, I find ways of
protecting against attacks which aren't seen in practice at best
of academic interest. Discovering protections is a fun exercise,
but it isn't addressing the problems which are killing us today.
If one believes Snowden, our algorithms are OK, but our
protocols and procedures are questionable. For my part, I worry
about random number generators, CAs, spear phishing, and the
Hoovering of unencrypted metadata. There are probably other
things I should worry about, but side channel attacks, EM
emission, and power analysis don't seem to be a real threat to
me and my laptop. (Given the current state of OS security, it is
easier for an attacker to get root than to set up to use any of
these attacks.)
Achieving security in today's network world is a fascinating
combination of technology, psychology, economics, and politics.
Pure technical solutions don't cut it now, and as I learned late
in my career, never did.
>>OK, when is the cold boot attack a practical attack?
>
>yep, this is the game we (you and i) are playing right now, but this
>is a game i refuse to play.
So you have no realistic attack model. And I gave you at least
two in a previous email along with a practical protection
against them. Sad, with so many attack methods that are
succeeding today, to spend time worrying about cold boot.
>>it hurts, don't do it.
>
>or make it not hurt. i think this latter is the more modern approach,
>at least in medicine. the don't do it approach is more medieval.
So long as you can make it not hurt. Even modern medicine can't
make everything not hurt. When I fell 4 meters in a cave, it
hurt. I intend to try very hard not to fall again.
Some of the timing attacks between VMs running on common
hardware seem very hard to protect against. With current
technology dedicated hardware is clearly the cheaper choice. The
same kind of argument applies to sources of secure random
numbers. If you need to generate an SSH key early in bringing up
a system, either include a hardware USB random source, or plug
in a KVM and run the mouse around on the screen. Don't
compromise your security for ease of administration unless it is
a low security system.
I like Jerry's analysis:
On 12/25/13 at 7:05 AM, leichter at lrw.com (Jerry Leichter) wrote:
>[Much really good stuff cut]...
>
>It's now (and has, really, been for a while) a big-ass
>engineering problem. And as I used to tell my OS classes,
>engineering is all about tradeoffs...
>
>So I expect to see many more discussions about security
>wandering, as we're no longer certain about what security
>means. Yes, worthwhile security debates start with a
>definition of the attacks to be defended against; or, even
>better, of the risks and costs associated with different
>attacks and defenses. But given the huge spectrum of entirely
>different classes of risks, and the very different likelihoods
>and costs different people will assign to them ... to accept
>agreement on what are, at base, the *goals* is increasingly folly.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | Security, like correctness, is | Periwinkle
(408)356-8506      | not an add-on feature. - Attr- | 16345 Englewood Ave
www.pwpconsult.com | ibuted to Andrew Tanenbaum     | Los Gatos, CA 95032