[cryptography] Math corrections [was: Let's go back to the beginning on this]

Jeffrey Walton noloader at gmail.com
Sun Sep 18 05:12:02 EDT 2011


On Sun, Sep 18, 2011 at 1:37 AM, Marsh Ray <marsh at extendedsubset.com> wrote:
> On 09/17/2011 11:59 PM, Arshad Noor wrote:
>>
>> The real problem, however, is not the number of signers or the length
>> of the cert-chain; its the quality of the "certificate manufacturing"
>> process.
>
> No, you have it exactly backwards.
>
> It really is the fact that there are hundreds of links in the chain and
> that the failure of any single weak link results in the failure of the
> system as a whole. When the number of CAs is large like it is, it
> becomes impossible to make all the CAs reliable enough ("give them
> enough nines" of reliability) to end up with an acceptable level of
> security.
"acceptable level of security" is fine when discussing the likelihood
of SSN egress'ing out the proverbial door. But I find it hard to
quantify personal safety (or how many theoretical 9's it would take).

> On 09/15/2011 06:32 PM, dan at geer.org wrote:
>>
>> The source of risk is dependence, perhaps especially dependence on
>> expectations of system state.
>
> This is an extreme example of that principle.
>
> Your insecurity gets exponentially worse with the the number of
> independent CAs.
>
> Something this analysis doesn't capture probably even causes it
> understate the problem: CAs aren't failing randomly like earthquakes.
> Intelligent attackers are choosing the easiest ones to breach. In other
> cases, the CAs themselves will willfully sell you out!
Right.

> Now you may be a law-and-order type fellow who believes that "lawful
> intercept" is a magnificent tool in the glorious war on whatever. But if
> so, you have to realize that on the global internet, your own systems
> are just as vulnerable to a "lawfully executed" court order gleefully
> issued by your adversary (as if they'd even bother with the paperwork).
When searching for a threat model, let me suggest the adversaries for
modeling: government and corporate. It does not matter to me if its
the US government and an illegal wiretap, or the Iranian government
and MITM.

If you can secure the system from the government and corporate
adversaries, many of the the other adversaries simply fall by the
wayside. But you will never be totally secure against government,
since many courts will happily issue orders to aide or benefit the
adversary.

i know Its not a popular opinion when your firm/company is vying for
post 9/11 funding, but it is what it is.

> And don't let anybody tell you that it will be hard for him to pull off an
> active attack on the internet, because in normal circumstances it just
> isn't.
>
> It was demoed for DefCon 18:
> http://www.wired.com/threatlevel/2008/08/how-to-intercep/
> http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
>>
>> In the case of Kapela and Pilosov’s interception attack, Martin
>> Brown of Renesys analyzed that incident and found that within 80
>> seconds after Kapela and Pilosov had sent their prefix
>> "advertisement" to hijack DefCon’s traffic, 94 percent of the peers
>> from whom Renesys collects routing traffic had received the
>> advertisement and begun to route DefCon traffic to the eavesdroppers’
>> network in New York.
>
> Yep, that's right. IP routes are agreed on based on the honor system.
DNS appears to be in the same boat.

Jeff



More information about the cryptography mailing list