[Cryptography] On the Impending Crypto Monoculture

Tom Mitchell mitch at niftyegg.com
Wed Jun 29 16:49:30 EDT 2016


On Wed, Jun 29, 2016 at 7:46 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz>
wrote:

> Salz, Rich <rsalz at akamai.com> writes:
>
> >> On the Impending Crypto Monoculture
> > ===================================
> >
> >So, Peter, TL;DR -- is this a good thing or not?
>
> It's not really a comment either way, more of a food-for-thought article.
> We need usable, non-brittle crypto,
>

On brittleness.  One omission in these discussions is a way to refresh
and repair the tools and recover from damage.

It is logical and convenient to have a monoculture for a class of
communications.  However, if that monoculture gets infected (Dutch Elm
style), then a non-infected, reliable infrastructure (scaffolding) is
needed to quickly and reliably deploy a replacement and protect the
uninfected.  If scaffolding is cracked it can be rebuilt by the primary
method.

In the discussions on TLA's desire for their own side door there is an
omission.  The omission is a failure to address detection and replacement
of the TLA-specific keys and access.  Ignoring mathematical impossibility,
the reality is that a side door will be opened by hook or crook and then
that set of keys needs to be replaced in a safe, speedy, secure and
reliable way.

Detection of attack and compromise is also ignored.  I can almost live
with a TLA holding a flaw secret if and only if they can also effectively
monitor and discover others exploiting the secret.  On discovery that the
secret is known by others, perhaps bad guys, then that flaw needs to be
technically repaired at the speed of the internet and faster than the bad
guys can act on it.  Dutch Elm management took half a century plus to get
to where we are today.  Internet time collapses that to days and hours.
If infrastructure is involved, minutes and seconds.


Currently managing illegal and criminal activity seems to seek anchors in
litigation, prosecution and other slow legal methods.  National and
infrastructure security involves issues outside the law and often has
great urgency.  For law enforcement to apply law enforcement methods and
time frames to technical issues embrittles these technologies.  A mindset
change is needed.

http://www.dutchelmdisease.ca/history/
Lot of lessons:

"Sounds lofty to say, but think about it: Dutch elm disease has affected
everything from the way we view monoculture street plantings to our
understanding of invasive pests. It forever altered urban forestry policy
and law, and certainly changed the public’s awareness of street tree
management. ...."




-- 
  T o m    M i t c h e l l