[Cryptography] new wiretap resistance in iOS 8?

Peter Fairbrother zenadsl6186 at zen.co.uk
Mon Sep 22 12:41:22 EDT 2014 

On 22/09/14 07:06, ianG wrote:
> On 21/09/2014 16:14 pm, Peter Fairbrother wrote:
>> On 20/09/14 21:18, John Denker wrote:
>>
>>>    There will never be perfect security.  The measure
>>>    of good security is that it imposes a cost on the
>>>    attacker, out of proportion to the cost borne by
>>>    the user.
>>
>> Aaarrrghh, not that old bollocks again.
>>
>> "Out of proportion"? - bear in mind Robert Morris's second rule: "Never
>> underestimate the attention, risk, money and time that an opponent will
>> put into reading traffic."
>
>
> That's not a rule, it's a plea for unconstrained spending.

It is most definitely a rule - it's about what you have to do to
successfully defend against an attacker.

Ignore it at your peril - look at what happened when the Nazis did just
that.

> The attacker
> does not likely spend more than he gains unless he is stupid.

Even if that were true - and I do not doubt role of economic
restrictions on breaking security - it has nothing to do with the
proportionality of costs to an attacker and a defender.

However it is not _immediately_ true - there are a lot of reasons why an 
attacker might spend more than he gains.

Most obviously, he might not know what he will gain until he has done
the attack. There might be maintenance reasons - maintaining capacity in 
case it is needed later. There might be what the USAnians call pork reasons.


And then there is the issue of value - if an attacker only has enough
resources to break 10 comms, he will use it to break 10 comms. Now we
might think that that is a ridiculous amount to spend to break each of
the broken comms, but to that attacker it's all he has, and the value of 
those broken comms to him could be better than nothing.

If those resources are a dedicated AES-cracker, then he is going to use
it to crack AES. It's not as if it can be reused for something else.



I'll mention that I do not think it is _necessarily_ true in the long
term either, but I won't go into that.


>> Plus remember, we don't ever really know the full resources of an
>> attacker, or how effective they are.
>
>
> Well, again, no.  We actually do have a good picture about attackers.
> We have about 20 years of experience now in internet attacks.

So, that experience tells us exactly what about what attackers know
about eg attacks which are not presently deployed because they are more
expensive?


Zip.


And if we defended against the attacks which are presently deployed,
apart from deploying the more expensive attacks they already know, don't 
you think they might come up with some new ones?


  We know
> what phishing takes, we know how APTs work, sort of, we know what
> penetration is, and how likely silly attacks like SQL injection are.  We
> now also have lots of Snowden stuff.  And we know that the attacker
> works through a smorgasbord of attacks, before getting serious.


We knew that before, if we were paying attention at all - Robert
Morris's first rule of cryptanalysis, always look for plaintext.


(If you didn't already know, Robert Morris was the Chief Scientist at NSA)

>> The costs might be well out of proportion - but the attacker might still
>> be willing to pay his.
>
>
> Only if he can get what is worth something to him.  A state level
> attacker is not interested in the contents of my laptop


Oh dear.



-- Peter Fairbrother

More information about the cryptography mailing list