[Cryptography] Serious paranoia...

Theodore Ts'o tytso at mit.edu
Thu Dec 26 14:33:50 EST 2013


I don't think discussions of "serious paranoia" are particularly
useful, and can be counter-productive, if they don't also take into
account the question of usability.  Sure, you can talk about how we
need to use a key stretching function that takes minutes to transfer
the a 160 character (which will be completely random alphanumerics
with special characters), but if it is too difficult to use, it won't
get used.

It's also important to consider the threat environment, and what the
adversary might or might not be willing to do in order to get at your
precious bodily fluids^H^H^H^H^H^H^H data.  Are they going to be
willing to carry out a black bag job, where they may physically invade
your home and install hidden cameras and keyboard bugs?  Are they
willing to park a van outside of your house and try to grab tempest
emissions from your computer or laptop?

Personally, I'm much more inclined to keep very tight control on those
systems where my ssh private key might reside, and also to keep very
tight control of my laptop which contains the ssh private key.  After
all, you could use a fancy, non-standard key stretching KDF to encrypt
your ssh private key, but what about the rest of the data on your laptop?
And what if they just install a trojan'ed ssh client that simply
captures the private key once it has been decrypted?

So the bottom line is that it's important to take a holistic view of
security, and not focus in on the threats which key-stretching is
designed to protect to the exclusion of all else.  So what if the key
is splattered all over RAM?  If the attacker is able to grab arbitrary
contents from your system memory, your OS has been subverted so badly
that there are a million other, simpler ways that you can get
0wned.

> I suspect the moderators have allowed non-technical discussions like this
> in light of the Snowden revelations.  There are some serious expert crypto
> guys on this list, and I appreciate that some of them are taking the time
> to answer these sorts of questions.

I've been kill-threading most of these non-technical discussions,
including the lame one about moving to a web forum, but the signal to
noise ratio of this list has dropped through the floor lately, and if
it doesn't improve, it may be that many experts may decide to
unsubscribe.  Indeed, the strongest argument against moving to a web
forum is that it is likely to make the signal to noise drop even lower.

Others can judge whether or not I'm an expert or not, but I will say
that the noise has gotten bad enough that I did briefly consider
declaring this list devoid of intelligent life, and to say, "beam me
up Scotty", and unsubscribe.

Regards,

                                                - Ted

