[cryptography] Non-governmental exploitation of crypto flaws?
smb at cs.columbia.edu
Tue Nov 29 09:00:41 EST 2011
On Nov 29, 2011, at 7:44 AM, dan at geer.org wrote:
> Steve/Jon, et al.,
> Would you say something about whether you consider key management
> as within scope of the phrase "crypto flaw?" There is a fair
> amount of snake oil there, or so it seems to me in my line of
> work (reading investment proposals and the like) -- things like
> secure boot devices that, indeed, are encrypted but which have the
> decryption key hidden on the device (security through obscurity).
> That's just an example; don't pick on it, per se. But to repeat,
> is key management within scope of the phrase crypto flaw?
It's a grey area for my purposes. DRM is out completely; that's
something that can't work. I'm looking for situations where (a) it's
easy for someone who knows the field to say, "idiots -- if they'd
done XXX instead of YYY, there wouldn't be a flaw", and (b) there
was a real-world consequence of the failure, and not just someone
saying "gotcha!" Leaving out key management entirely, like WEP did,
would qualify under (a) but not (b).
--Steve Bellovin, https://www.cs.columbia.edu/~smb