[Cryptography] Fwd: OPENSSL FREAK

Jerry Leichter leichter at lrw.com
Sat Apr 4 07:26:53 EDT 2015


On Apr 3, 2015, at 3:24 PM, Ray Dillinger <bear at sonic.net> wrote:
> ...The Death Note is disaster management for full-scale emergencies
> where time to plan and implement a more reasonable and measured
> response has already, clearly, *provably* run out. You can't
> deploy it without doing some damage, but the damage you'd do
> by NOT deploying it is worse. Death Notes cannot and should
> not appear until the cipher or whatever primitive has broken
> so very badly that damage is unavoidable.
So in the last 50 years or so, can you give an example in which a Death Note would have actually been published?

I can think of many cases of *implementations* being revealed to be broken by the publication of attack code.  And of cases where *security parameters* were shown to be too small (size of DES and RSA keys) by the publication of descriptions of such breaks using just-now-possible amounts of hardware.  You might be able to get something like a death notice out of the latter (by pre-publishing challenge problems), though you'd have to trust whoever generates the challenges to keep them private.  (As I understand it, a "real" Death Notice is an actual proof which is impossible to fake, even given special knowledge.)

If you can't show the existence of such a mechanism would actually help in plausible real cases, this discussion seems rather pointless.

                                                        -- Jerry


