[Cryptography] new wiretap resistance in iOS 8?

ianG iang at iang.org
Tue Sep 23 13:52:31 EDT 2014


On 22/09/2014 09:41 am, Peter Fairbrother wrote:
> On 22/09/14 07:06, ianG wrote:
>> On 21/09/2014 16:14 pm, Peter Fairbrother wrote:
>>> On 20/09/14 21:18, John Denker wrote:
>>>
>>>>    There will never be perfect security.  The measure
>>>>    of good security is that it imposes a cost on the
>>>>    attacker, out of proportion to the cost borne by
>>>>    the user.
>>>
>>> Aaarrrghh, not that old bollocks again.
>>>
>>> "Out of proportion"? - bear in mind Robert Morris's second rule: "Never
>>> underestimate the attention, risk, money and time that an opponent will
>>> put into reading traffic."
>>
>>
>> That's not a rule, it's a plea for unconstrained spending.
> 
> It is most definitely a rule - it's about what you have to do to
> successfully defend against an attacker.
> 
> Ignore it at your peril - look at what happened when the Nazis did just
> that.


There are gremlins in every corner.  If you spend your life insisting on
"never underestimating" every fear, uncertainty or doubt that others can
inject into you, you'll set yourself up as the victim not the defender.
You'll be too busy to contribute much to humanity.


>> The attacker
>> does not likely spend more than he gains unless he is stupid.
> 
> Even if that were true - and I do not doubt the role of economic
> restrictions on breaking security - it has nothing to do with the
> proportionality of costs to an attacker and a defender.


True, but a different issue.  You also should spend only what you can
that saves you money according to your costs.


> However it is not _immediately_ true - there are a lot of reasons why an
> attacker might spend more than he gains.


I think you'll find that an attacker doesn't spend more than he gains,
it is just a perception difficulty in us knowing how he gains, and
likewise, a perception difficulty in him knowing how he gains.  Added to
this confusion, the disproportionality of our costs to his gains/costs,
as you point out, leads us to assume he is irrational.


> Most obviously, he might not know what he will gain until he has done
> the attack.

So it will statistically even out over a lot of attacks, otherwise he'll
run out of money.


> There might be maintenance reasons - maintaining capacity in
> case it is needed later.


If maintaining capacity is a gain, need to account for that...

> There might be what the USAnians call pork
> reasons.


I'm not sure of that expression, but pork is valuable :)


> And then there is the issue of value - if an attacker only has enough
> resources to break 10 comms, he will use it to break 10 comms. Now we
> might think that that is a ridiculous amount to spend to break each of
> the broken comms, but to that attacker it's all he has, and the value of
> those broken comms to him could be better than nothing.


This is a sunk costs argument.  So the cost-benefit analysis needs to be
extended over the sunk costs and the marginal costs.  Can't cherry pick
the last effort's marginal costs and call that an analysis.


> If those resources are a dedicated AES-cracker, then he is going to use
> it to crack AES. It's not as if it can be reused for something else.
> 
> 
> 
> I'll mention that I do not think it is _necessarily_ true in the long
> term either, but I won't go into that.
> 
> 
>>> Plus remember, we don't ever really know the full resources of an
>>> attacker, or how effective they are.
>>
>>
>> Well, again, no.  We actually do have a good picture about attackers.
>> We have about 20 years of experience now in internet attacks.
> 
> So, that experience tells us exactly what about what attackers know
> about eg attacks which are not presently deployed because they are more
> expensive?
> 
> 
> Zip.


If they are not presently deployed, how do you know they are dangerous?
Economic?  You have zip facts about them because there are no facts,
only conjectures, as discussed in the other thread concerning DES
crackers.  Deep Throat was a fact.

Undeployed threats are indistinguishable from FUD.  If that's one's
business -- selling FUD -- then this is good and aligned;  I prefer a
more straightforward approach myself :)


> And if we defended against the attacks which are presently deployed,
> apart from deploying the more expensive attacks they already know, don't
> you think they might come up with some new ones?


Of course.  Problem is, the possibility of all new and future attacks is
too hard a problem for society to deal with.  Hence we lean on events
and facts to filter our limited resources.  E.g., if we get hit by a
buffer overflow, we tend to fix it, and at the same time fix all buffer
overflows.  (We wish.)


>>  We know
>> what phishing takes, we know how APTs work, sort of, we know what
>> penetration is, and how likely silly attacks like SQL injection are.  We
>> now also have lots of Snowden stuff.  And we know that the attacker
>> works through a smorgasbord of attacks, before getting serious.
> 
> 
> We knew that before, if we were paying attention at all


Well, true, there is a steady stream of research and complaints about
the PKI/SSL business in the late 1990s up to 2003 when phishing started
seriously.


> - Robert
> Morris's first rule of cryptanalysis, always look for plaintext.


We knew that there were potential attacks.  What we didn't know is which
of these potential attacks were economic.  E.g., when phishing first got
tested against e-gold in 2001, it failed.  Some would then say it was
uneconomic.  Fair bet without hindsight?

In contrast, "always look for plaintext" is simply daft.  We now know
enough from the Internet's use of credit cards over plaintext to say
that there is no reasonable or measurable threat.  Credit card sniffing
over the unencrypted net is not a sufficient threat to make us deploy
encryption such as authenticated SSL.  In contrast we know that attacks
against banks are sufficient for SSL, and hacks into servers that have
databases full of validated and sorted credit card information are severe
and sufficient to deploy hardened websites.


> (If you didn't already know, Robert Morris was the Chief Scientist at NSA)


Yeah.  And you're mixing threat actors.  The NSA has one set of threat
actors to deal with.  We have another set.  The intersection of the sets
is typically small in the Internet security trade.  Not zero, but not
the driver by any means.

Following NIST / NSA in security thought is to not do security thought.


>>> The costs might be well out of proportion - but the attacker might still
>>> be willing to pay his.
>>
>>
>> Only if he can get what is worth something to him.  A state level
>> attacker is not interested in the contents of my laptop
> 
> 
> Oh dear.


Well, post-Snowden we know that this is not quite the case.  The state
level attacker is interested in everything he can get his hands on as
long as his resources can hold out.  But, he's not interested in *my
laptop* especially, more he's interested in *every laptop*.  Which means
he's not that concerned if he misses out, and he's not actually using
any of the data he finds, if it's on my laptop.

(Although, the breach of the intelligence firewall between IC and the
police/civilian agencies is by far the most troubling thing of the
post-Snowden era.  It is that breach of democratic faith that makes the
NSA the enemy of humanity.)



iang