[Cryptography] On threat models and progress

ianG iang at iang.org
Fri Jan 10 04:18:06 EST 2014


On 9/01/14 23:38 PM, Jerry Leichter wrote:
> If you look at any of the classic texts on computer security from 20+ years ago - sometimes even more recently - you'll find some interesting assumptions about threat models.  They're "interesting" because they seemed so obvious at the time - but none are valid any more.
>
> 1.  Once an opponent gets physical access to the machine, all bets are off.  But machines with valuable information in them live in secure data centers, and we have thousands of years of experience in protecting physical assets.  So there's no point worrying about attacks based on physical access.
>
> Of course, today valuable data is on machines people carry with them - and as the recent information about NSA techniques shows, even the machines that go into data centers may not be secure because they were sabotaged before they ever got there.


This is why I say:  the threat is always on the node.

This fallacy that we are protecting the wire, and we do/can not protect 
the node, is at the root of a lot of our woes.  The proof is in the 
pudding: the last 20 years of security have been the history of, on the 
one hand, wire security that seemed to wallow around without direction, 
and on the other hand, attacks on the nodes that powered on apace 
without much notice from the server-side community (excluding the *BSD 
community, that is) because they were convinced that the wire was where 
the threat was.


> 2.  Denial of service attacks are impractical to defend against, but they don't matter because no attacker would have much reason to carry them out (with an exception perhaps made even back then in military settings, though the military wasn't nearly as vulnerable then), and besides they are expensive and difficult to organize.  Along the way, we discovered such motives - whether simple playing around, or to make a political point, or as a means of extortion.  We also learned that DoS is actually quite easy to carry out in a networked world full of botnets, at levels far beyond what anyone could have imagined back then.  On the other hand, when the need arose, it turned out we actually *could* defend against them.


WYTM?

http://iang.org/ssl/wytm.html

10 years ago last October, posted on this very list.  One of the things 
that I discovered was that the MITM-TM derived from military experience, 
and we didn't at the time have a good view of an indigenous Internet TM. 
Now we more or less have the experience, assuming we actually do the 
analysis, and now we have sufficient evidence in the post-phishing, post 
Snowden world to ground that analysis.  But then, it was all 
copy/borrow/steal.


> 3.  There's no way to close timing channels, but you can arbitrarily reduce their rate to the point where they don't matter.  Everything about this statement remains true, except for those crucial words "to the point where they don't matter".  We still have no way to completely close such channels, but we can get them down to very small data rates.  Unfortunately, "to the point where they don't matter" was based on a model where the timing channel was being used to exfiltrate data from a secure data center.  If you can only exfiltrate a bit per second, it's difficult to get very much useful information from a terabyte database out.  (Oh, there were always special cases - getting the name of a spy out might only take a minute once you've found it in the database.)  Today, however, the database is likely backed up somewhere else, in encrypted form - and thus is "safe".  Except that now the key can be exfiltrated in a couple of minutes through that very slow timing channel.


That's very scary.  But I'm not sure how real it is.  With a nod to 
other threads about what an attack is, how much data do we have that 
crooks are actually using timing channels or side channels to defeat 
real systems and do real damage?  Open question?



iang


