[Cryptography] On threat models and progress

Jerry Leichter leichter at lrw.com
Thu Jan 9 15:38:13 EST 2014


If you look at any of the classic texts on computer security from 20+ years ago - sometimes even more recently - you'll find some interesting assumptions about threat models.  They're "interesting" because they seemed so obvious at the time - but none are valid any more.

1.  Once an opponent gets physical access to the machine, all bets are off.  But machines with valuable information in them live in secure data centers, and we have thousands of years of experience in protecting physical assets.  So there's no point worrying about attacks based on physical access.

Of course, today valuable data is on machines people carry with them - and as the recent information about NSA techniques shows, even the machines that go into data centers may not be secure because they were sabotaged before they ever got there.

2.  Denial of service attacks are impractical to defend against, but they don't matter because no attacker would have much reason to carry them out (with an exception perhaps made even back then in military settings, though the military wasn't nearly as vulnerable then), and besides they are expensive and difficult to organize.  Along the way, we discovered such motives - whether simple playing around, or to make a political point, or as a means of extortion.  We also learned that DoS is actually quite easy to carry out in a networked world full of botnets, at levels far beyond what anyone could have imagined back then.  On the other hand, when the need arose, it turned out we actually *could* defend against them.

3.  There's no way to close timing channels, but you can arbitrarily reduce their rate to the point where they don't matter.  Everything about this statement remains true, except for those crucial words "to the point where they don't matter".  We still have no way to completely close such channels, but we can get them down to very small data rates.  Unfortunately, "to the point where they don't matter" was based on a model where the timing channel was being used to exfiltrate data from a secure data center.  If you can only exfiltrate a bit per second, it's difficult to get very much useful information from a terabyte database out.  (Oh, there were always special cases - getting the name of a spy out might only take a minute once you've found it in the database.)  Today, however, the database is likely backed up somewhere else, in encrypted form - and thus is "safe".  Except that now the key can be exfiltrated in a couple of minutes through that very slow timing channel.

                                                        -- Jerry
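
The point in item 3 above, that a covert timing channel too slow to leak a database is still fast enough to leak the key that protects its encrypted backup, is easy to put numbers on. The following is an added example and is not part of Jerry's post: a simulated two-symbol timing channel in which the sender encodes each bit of a key as the gap between two observable events (short gap = 0, long gap = 1) and the receiver recovers bits by thresholding the gaps. The gap lengths, the jitter model and the 32-byte key are all assumptions chosen for illustration; no real clock is consulted, so the simulation runs instantly while still reporting how long the transfer would take.

```python
import random

# Assumed channel parameters (illustrative, not from the post): a 0 bit is sent as
# a short gap between two events, a 1 bit as a long gap. With roughly equal
# numbers of 0s and 1s this averages out to about one bit per second, the rate
# the post uses.
SHORT_GAP = 0.4   # seconds
LONG_GAP = 1.6    # seconds
THRESHOLD = (SHORT_GAP + LONG_GAP) / 2   # receiver's decision boundary


def bits_from_bytes(data: bytes) -> list[int]:
    """Most-significant-bit-first bit list of a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bytes_from_bits(bits: list[int]) -> bytes:
    """Inverse of bits_from_bytes; any trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def encode_gaps(data: bytes, jitter: float = 0.0, rng=None) -> list[float]:
    """Sender side: the inter-event gaps that would be produced for `data`.

    `jitter` adds uniform noise in [-jitter, +jitter] seconds to each gap to
    model scheduling or network noise (constructed, deterministic via seed).
    """
    rng = rng if rng is not None else random.Random(0)
    gaps = []
    for bit in bits_from_bytes(data):
        base = LONG_GAP if bit else SHORT_GAP
        gaps.append(base + rng.uniform(-jitter, jitter))
    return gaps


def decode_gaps(gaps: list[float]) -> bytes:
    """Receiver side: classify each observed gap as 0 or 1 by threshold."""
    return bytes_from_bits([1 if g > THRESHOLD else 0 for g in gaps])


def exfiltrate(data: bytes, jitter: float = 0.0) -> tuple[bytes, float]:
    """Run sender and receiver; return (recovered bytes, simulated seconds)."""
    gaps = encode_gaps(data, jitter)
    return decode_gaps(gaps), sum(gaps)


def channel_seconds(nbytes: int, bits_per_second: float) -> float:
    """Time to push `nbytes` through a channel of the given raw bit rate."""
    return nbytes * 8 / bits_per_second


if __name__ == "__main__":
    # Constructed 32-byte key (the size of an AES-256 key); real keys would be random.
    key = bytes(range(32))
    recovered, elapsed = exfiltrate(key, jitter=0.3)
    print("key recovered intact:", recovered == key)
    print(f"simulated transfer time: {elapsed:.0f} s ({elapsed / 60:.1f} min)")

    # Compare the key against the terabyte database at the post's one bit per second.
    year = 365 * 24 * 3600
    print(f"32-byte key at 1 bit/s: {channel_seconds(32, 1.0):.0f} s")
    print(f"1 TB database at 1 bit/s: {channel_seconds(10**12, 1.0) / year:,.0f} years")
```

The jitter value matters: with gaps of 0.4 s and 1.6 s and a threshold of 1.0 s, any jitter below 0.6 s decodes perfectly, which is why "reducing the rate" is not the same as closing the channel. The receiver needs no synchronisation beyond seeing the two events, and a few minutes of observation suffices for a full key even though the same channel would need hundreds of thousands of years for the database.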
