[cryptography] philosophical question about strengths and attacks at impossible levels

Ian G iang at iang.org
Tue Nov 23 17:42:35 EST 2010

On 24/11/10 7:51 AM, travis+ml-rbcryptography at subspacefield.org wrote:
> On what basis do you make the (implicit) assumption that cert privkeys
> were actually stolen?

For me, it would be Preponderance of evidence, or in non-legal terms 
"more likely than not."

> Note; I do not claim to have any evidence the pubkeys were factored,
> etc., I'm just wondering on what basis you jump to assuming it was
> a node security failure.

Yeah.  We are somewhat hamstrung in our analysis because we have little 
or no direct evidence.  We aren't viewing the direct facts of what is 
occurring, we're having to derive our view from indirect information such 
as media reports, narrow anecdotes from our work, our risk analyses of 
likelihood of attacks, and our own general experience.

So, for example, we know some things:

   CAs aren't rushing to revoke their roots and jump to higher strength, 
/and/ user certificates seem to be identified and revoked from time to time.

   There is a history of breaches.  At some point in the past there was 
a company reporting that Linux servers were being breached at around 
4000 per month (IIRC);  we know that packages of Linux servers are 
bought & sold on the attacker markets.  Acquiring a stolen cert is 
therefore cheap.

   We can calculate the cost of a root key factoring, and we can also 
see some data points of root attacks (one MD5-without-nonces sub-root 
was crunched about 1-2 years back).

   The security UI work suggests that the whole UI link of the security 
chain is marginal, and most known attacks are aggregate rather than 
targeted, so the use of a stolen cert seems as plausible as using a 
"perfect" cert.

Etc, etc.
