[cryptography] Non-governmental exploitation of crypto flaws?

Steven Bellovin smb at cs.columbia.edu
Tue Nov 29 09:00:41 EST 2011


On Nov 29, 2011, at 7:44 AM, dan at geer.org wrote:

> 
> Steve/Jon, et al.,
> 
> Would you say something about whether you consider key management
> as within scope of the phrase "crypto flaw?"  There is a fair
> amount of snake oil there, or so it seems to me in my line of
> work (reading investment proposals and the like) -- things like
> secure boot devices that, indeed, are encrypted but which have the
> decryption key hidden on the device (security through obscurity).
> That's just an example; don't pick on it, per se.  But to repeat,
> is key management within scope of the phrase crypto flaw?
> 
It's a grey area for my purposes.  DRM is out completely; that's
something that can't work.  I'm looking for situations where (a) it's
easy for someone who knows the field to say, "idiots -- if they'd
done XXX instead of YYY, there wouldn't be a flaw", and (b) there
was a real-world consequence of the failure, and not just someone
saying "gotcha!"  Leaving out key management entirely, like WEP did,
would qualify under (a) but not (b).  


		--Steve Bellovin, https://www.cs.columbia.edu/~smb







