[Cryptography] All applications need top security (was Re: Director GCHQ speaks at MIT)

Perry E. Metzger perry at piermont.com
Wed Mar 9 09:47:20 EST 2016


> http://www.gchq.gov.uk/press_and_media/speeches/Pages/hannigan-speech-at-mit-front-doors-and-strong-locks.aspx
> 
> Front doors and strong locks: encryption, privacy and intelligence
> gathering in the digital era
> 
> Speech - 08 Mar 2016
[...]
> "I don't *need* or *want* [for my family's communications] the same
> level of security applied to protect a nuclear submarine's
> communications."

This reminds me of a widely misunderstood principle in secure systems
that I don't hear talked about much, so I'll bring it up now:

It is seemingly reasonable to say that your discussion with a friend
about what kind of beer to pick up for a party does not need the same
level of protection as a dissident discussing an upcoming attempt to
expose corruption in an election. It is seemingly reasonable to say
that a connection that is protecting an article about cat food does
not require the same level of protection as a connection that is
protecting a large banking transaction.

HOWEVER, the problem is that in practice, both activities will use
exactly the same protocols and software, identically configured. You,
as a protocol or software designer, do not get the luxury to provide
"appropriate" levels of security for different uses. In practice,
your protocols and software will sometimes be used for trivia and
sometimes for things that incredibly important and you will have to
design for the most important possible use.

Anyone saying that they don't "need or want" the best possible
security for their communications is, de facto, saying that no one
should get the best possible security, because even top politicians
text on iPhones, because even internal bank transaction systems are
front ended by Firefox or Explorer over HTTPS, because systems of all
sorts (even very secure ones) are administered over ssh, because
reporters working in places with hostile regimes use the same email
programs and systems as people trading baby pictures.

To say "I don't *need* or *want* the same level of security" is to
express ignorance of the real-world constraints on designers of secure
systems. We don't get to hand a teenager one communication application
and a Senator or top reporter another one -- both will, in the end,
almost certainly use the same one, and thus we need to assume the
threat model required by the most serious possible user.


Perry
-- 
Perry E. Metzger		perry at piermont.com


More information about the cryptography mailing list