"Marcus J. Ranum" <mjr @
iwi . com> wrote:
> I don't work for Security Dynamics or Digital Pathways
>but I get irritated when I see people who don't understand their
>products posting ignorance about how "there might be a hole in
>the algorithms" or some such nonsense.

Your irritation, your condescension, and your warrantless insults are
no substitute for a reasoned rebuttal.

No one has insinuated that those vendors' products have a hole in the
algorithms, and no one has said that hiding the key alone is security
through obscurity. Your mouth is full of straw. What _has_ been
suggested is that a cryptographic product that depends on the secrecy
of an _algorithm_ (with or without key) depends upon security through
obscurity. _Good_ algorithms depend on the secrecy of the key _only_.
That is not a new observation, but a well established principle among
cryptologists. Read the texts. Study up. Think about it. This is from
the sci.crypt FAQ:

    "3.5. What are some properties satisfied by every
    strong cryptosystem?

    The security of a strong system resides with the
    secrecy of the key rather than with the supposed
    secrecy of the algorithm."

Note that "keys" are _not_ "algorithms". They are not even spelt the
same. Why are secret _algorithms_ STO? Because they do not receive
the public scrutiny of the scientific community. To a large extent,
this also applies to "trade secret" algorithms. These may come from
highly respected designers, and details will surely leak out via NDAs
or whatever--but there simply isn't much evidence that a secret
algorithm doesn't _need_ to be secret until that secrecy is
substantially given up (or lost) and much time has passed. The real
close-to-the-chest "trade secret" algorithm may be secret because it
is good--but equally it may be secret because it is crap (aka "export
quality" :). Most importantly, it may turn out to be crap precisely
because it is secret.

The idea that secret algorithms are _more_ secure is imo classic STO,
and shares genes with the school of thought that says that if you
perform a sufficiently complex calculation and don't tell anyone how
you did it, you get a strong random number. If your favourite vendor's
"secret algorithm" were made public, would it be like RSA and DES,
which have largely withstood public scrutiny, or would it be like the
many more silly and not-so-silly algorithms which haven't? Or worse,
is it like the encryption in the average WP program, which is so
egregiously bad that you don't even need to know the algorithm to roll
it over, never mind the key? The surest way to find out is to get them
to make it public. Releasing it under NDA and so forth is better than
nothing, and is the only option if there is a trade secret involved,
but it is _not_ a substitute for letting everyone systematically sniff
and poke the system, with _full_ disclosure of the findings to
everyone else. Netscape found that out the hard way with their random
number debacle--and Netscape has some of the best crypto expertise in
the world available to itself internally.

[about a particular HHA]
>The fact that the code works
>with the calculator (when you read the source) is an absolute
>indication that the algorithm works as advertised.

Confidently asserted falsehood. (That other mjr guy who said not to
believe crypto stuff you read on the net may have had the right idea:)
Testing does not prove the absence of bugs, for a kick off. But more
importantly, a black box device may do anything at all if you use it
in a way that is *not* advertised, or that simply is not anticipated.
No technical obstacle prevents the designer from adding a back door
that responds with the secret (the key, i.e.) only when the designer's
birth date is entered at lunch time, just for example. There are a
zillion other potential sites for such back doors. You can't test for
them all, and you'd be an idiot to try. That the device designers
don't start messing is simply a matter of trust and assurance (this
would also be true if the algorithm were public, of course, and
applies to more than just HHAs).

[for the slow readers & the misquote-happy --I'll once again state
that I do _not_ believe that anyone's HHA suffers from any such back
door. I'm just highlighting the inanity of any appeal to "absolute
indication", as if such things existed anywhere, never mind in the
security field]

>You can, with
>a lot more difficulty and an NDA, get the sources for Security
>Dynamics' card server. I've seen it, and Vin's seen it, and I
>didn't see anything bogus or "security through obscurity" in
>there.

I'd like to politely suggest that your opinion of your own opinion is
overrated, then. The scientific community hasn't "seen it", and that's
the point. Myself, I don't particularly want to see it under NDA, and
would remain more or less agnostic as to its security even if I
did--or downright sceptical if the algorithm was at all novel. I do
understand vendors' motivation for "trade secrecy", though, and these
devices are certainly preferable to reusable passwords (but then
that's not saying much). I wouldn't mind reading about the internals
in the scientific literature, just the same, if that's OK with you,
and if you'll spare me the warrantless insults for saying so.

Cheers,
Frank O'Dwyer.