[cryptography] Non-governmental exploitation of crypto flaws?

Steven Bellovin smb at cs.columbia.edu
Tue Nov 29 09:00:41 EST 2011

On Nov 29, 2011, at 7:44 AM, dan at geer.org wrote:

> Steve/Jon, et al.,
> Would you say something about whether you consider key management
> as within scope of the phrase "crypto flaw?"  There is a fair
> amount of snake oil there, or so it seems to me in my line of
> work (reading investment proposals and the like) -- things like
> secure boot devices that, indeed, are encrypted but which have the
> decryption key hidden on the device (security through obscurity).
> That's just an example; don't pick on it, per se.  But to repeat,
> is key management within scope of the phrase crypto flaw?

It's a grey area for my purposes.  DRM is out completely; that's
something that can't work.  I'm looking for situations where (a) it's
easy for someone who knows the field to say, "idiots -- if they'd
done XXX instead of YYY, there wouldn't be a flaw", and (b) there
was a real-world consequence of the failure, and not just someone
saying "gotcha!"  Leaving out key management entirely, like WEP did,
would qualify under (a) but not (b).  

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
