[Cryptography] Long-term security (was Re: ratcheting DH strengths over time)
John-Mark Gurney
jmg at funkthat.com
Tue Nov 17 12:35:46 EST 2015
Peter Gutmann wrote this message on Tue, Nov 17, 2015 at 08:34 +0000:
> John-Mark Gurney <jmg at funkthat.com> writes:
>
> >Only changes your attack surface... Most of the ones mentioned will easily
> >fall to passive listening...
>
> ... which means the attacker has to control a switch or router between the
> victim and device and be actively listening at the time that comms take place.
> That's a long, long way from being able to seize control of it via a random
> port scan over the Internet.
But if you access the machine, say, from your vacation in Fiji back to
the US, there are lots of passive listeners along the way that can sniff
it out... What about rouge access points (fake xfinity ones), coffee
shops, etc? If you're targeted, it'd be easy to do any of these...
If one day I found I could do my work w/o the corporate VPN, that keeps
crashing my system, why wouldn't I stop using the VPN? Even though
company policy says to use the VPN? Saves my machine from crashing and
I still get my work done...
Remember, you have to think like a normal user that doesn't take
security seriously...
> >Either you implement full crypto to get security, or you're vulnerable to any
> >number of attacks...
>
> You're still vulnerable to any number of attacks with full crypto, they're
> just different attacks.
True, if someone lifts the key/auth creds, then all if lost, but
crypto does provide authentication and confidentiality to those w/ the
keys...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the cryptography
mailing list