[Cryptography] What to put in a new cryptography course
Michael Kjörling
michael at kjorling.se
Thu Jun 23 11:41:17 EDT 2016
On 23 Jun 2016 00:33 -0400, from phill at hallambaker.com (Phillip Hallam-Baker):
> * The heart of cryptography is integrity, not confidentiality.
Add to this: The heart of cryptography is NOT anonymity. Cryptography
can very well provide all three (or some combination of them) _iff_
the cryptosystem is properly designed (but as we know, that's the
exception rather than the rule).
> * Message, transport security are not alternative choices, do both.
It's not _directly_ related to the subject of cryptography, and might
not warrant a module all of its own, and is somewhat related to the
above point. Consider touching on the subject of _leaky metadata_.
Cryptography can make a wide range of problems much easier to solve
(but can, of course, also make a wide range of otherwise trivial
issues much harder to solve), but it can't protect what it isn't
tasked to protect. Data required for message routing; (network and
disk) I/O timing along a transmission path; (relative) message sizes;
... all of that needs something other than pure cryptography. (Notice
how I didn't mention unencrypted headers in e-mail?) DNS, SNI, ...
Also logs; mail logs, web server logs, system audit logs, ...
That's something that I find to often be missing from introductory
material. You can give someone a screwdriver, but if they don't know
when a screwdriver is a useful tool and when it is not, then they are
bound to try to hammer a nail in with it some day. Sometimes you
really need a hammer or for that matter a wrench, rather than a
screwdriver.
--
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)
More information about the cryptography
mailing list