[Cryptography] Email is unsecurable

ianG iang at iang.org
Wed Nov 27 23:33:08 EST 2013


On 28/11/13 00:20 AM, Jerry Leichter wrote:
> On Nov 27, 2013, at 1:18 PM, Arnold Reinhold <agr at me.com> wrote:
>>> Fortunately, there is a solution that we have long been aware of, which
>>> is smart cards....
>> With the maker movement, open hardware, Arduino, et al, the barrier to entry for hardware has dropped dramatically.... Simple hardware systems have less space to hide backdoors.  I don't want to dump on the people trying to improve existing e-mail protocols and infrastructure, but maybe we should explore different, simpler paths at the same time.
>
> Ah, the irony.
>
> NSA was for years resistant to software-based cryptography.


Is this what the NSA called the home field advantage?  It seems that 
there are a number of factors which align strongly in NSA's favour: 
they are the ones with more money, so can outspend.  Their contractors 
love them for it, so Congress approves too.  Hardware designs are harder 
to crunch at cheap costs because specialised hardware is indicated. 
Hardware is oh so much easier to control (read: stop) at the border. 
Hardware is oh so much easier to control (read: pervert) at the fab.


> The DES initial and final permutations were trivial in hardware, a pain in software.  It's long been thought that they were in the algorithm exactly to slow software implementations.  FIPS and similar standards, whose form was clearly influenced by NSA, to this day, have a bias toward hardware, to the point where parts of them have to be really stretched to even make sense for software.


Yup.  I suspect we are at a watershed for national standards.  Following 
them may no longer make any sense.  Even before the Snowden revelations, 
it was widely recognised that the FIPS standard process created 
unnecessary bloat and expense, with no perceivable security benefit over 
simpler open engineering.

If TLS moves forward with the open curve suite, this will be a big signal.


> To this day, NSA seems to be big on smart cards and encryption "black boxes" rather than software on general-purpose machines.
>
> It was fashionable for years to dismiss that NSA mindset as just a hold-over from the past - we in the software world knew better.
>
> Well ... maybe we didn't.  :-(


I don't think we ever knew as much as the NSA.  They employ thousands to 
our 1s and 10s.  However, we can also do economics, and we can also do 
things that make sense in smaller teams.  And in software.  One thing we 
do know is that good crypto still works.



iang

