[Cryptography] How to De-Bollocks Cryptography?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Aug 7 01:12:58 EDT 2024

Kent Borg <kentborg at borg.org> writes:

>Cryptography is kind of over. What has been developed is really complicated,
>and deploying it is kinda complicated, but if deployed carefully, it works
>really well!

I was tempted to add a slide saying you could create a protocol secure against
all actual practical (rather than theoretical) attacks using the oldest
rigorous crypto we have, DES (as 3DES), 1974-75, DH, 1976, RSA, 1977, and MD5
(as HMAC-MD5), 1992, where we know where the problems are and can design
around them, rather than going with the latest whiz-bang thing and waiting for
the inevitable vulnerabilities to appear, but didn't want to get sidetracked
into a different argument.

John Downer covers this in his book Rational Accidents, which has only just
come out and which I'm still waiting to get so relying on a reviewer's
comments,

https://www.technologyreview.com/2024/06/26/1093692/book-review-technological-complexity-problems/

  Finally is what might be the most interesting and counterintuitive factor:
  Downer argues that the lack of innovation in jetliner design is an essential
  but overlooked part of the reliability record. The fact that the industry
  has been building what are essentially iterations of the same jetliner for
  70 years ensures that lessons learned from failures are perpetually relevant
  as well as generalizable, he says.

  That extremely cautious relationship to change flies in the face of the
  innovate-or-die ethos that drives most technology companies today. And yet
  it allows the airline industry to learn from decades of failures and
  continue to chip away at the future “failure performance” of jetliners.

Crypto seems to be the polar opposite of this approach, every time a problem
is found, no matter how impractical it is to exploit, the approach isn't to
fix the problem but to throw away the current crypto and/or protocol and race
to the next shiny thing that appears, with a host of new problems waiting to
be discovered. Again from the review:

  we remain entranced by the promise of implausible reliability, and
  implausible certainty about that reliability, our appetite for innovation
  has outpaced our insight and humility

Peter.