Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.hawaii.edu!ames!agate!howland.reston.ans.net!nntp.coast.net!col.hp.com!sdd.hp.com!hamblin.math.byu.edu!park.uvsc.edu!usenet
From: Terry Lambert <terry@lambert.org>
Newsgroups: comp.os.linux.misc,comp.os.linux.development.system,comp.os.linux.networking,comp.unix.bsd.bsdi.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc
Subject: Re: need secure OS to entrust millions to
Date: 9 Mar 1996 21:54:43 GMT
Organization: Utah Valley State College, Orem, Utah
Lines: 65
Message-ID: <4hsun4$d3h@park.uvsc.edu>
References: <4gi6t6$3h9@lace.colorado.edu> <nc0453Dn96w6.93F@netcom.com> <4hhp71$cv9@senator-bedfellow.MIT.EDU>
NNTP-Posting-Host: hecate.artisoft.com
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:90593 comp.os.linux.development.system:18949 comp.os.linux.networking:31075 comp.unix.bsd.bsdi.misc:2584 comp.unix.bsd.netbsd.misc:2416 comp.unix.bsd.freebsd.misc:15130

ghudson@mit.edu (Greg Hudson) wrote:
] ghudson@mit.edu (Greg Hudson) writes:
] ] It's disappointing that some people still think that security through
] ] obscurity is a net gain.
]
] Terry Lambert <terry@lambert.org> writes:
] : Public key cryptography (RSA, et al.) is the ultimate in
] : security through obscurity. People trust it every day.
]
] As I'm sure you're perfectly aware, "security through obscurity" refers
] to the practice of assuming that enemies will not be able to exploit
] flaws in your security system because they do not know the algorithms
] you use. "Security through obscurity" does not refer to the practice
] of assigning private information to users and services.
]
] RSA as a cryptosystem has been subject to extensive academic review.
] We know its weaknesses and we know how to avoid being subject to them.
] (We also know cryptosystems which provably don't share most of its
] weaknesses, but they haven't been subject to the same level of
] review.) In short, we know that if we can address the key management
] problem, we have a very good idea (comparatively) of what the risks
] are of an attacker being able to read things we send over the net using
] RSA. What do we know about a proprietary operating system's risks?
] Nothing.
]
] I expected more from you than argument by unconventional definition,
] Terry.

Your definition is predicated on the obscurity of a fast-factoring
algorithm. Is it your claim that such an algorithm is impossible?
I refer you to Godel's Theorem.

Typical "security through obscurity" is hiding a key in a search
space, but not securing the location of the key itself. That is,
it applies to YP and otherwise accessible password files as well
as to directories in unsearchable directories on FTP sites.

Public key cryptography is an obscurity, not a secrecy, defense.

You see, I believe the NSA already has fast-factoring capability
based on the questions Robert Morris Senior (formerly of the NSA)
posed at a recent security conference. He asked "how much effort
would we have to put forth", not "is such effort technically
feasible or existent".

All that's required to crack RSA is massive parallelism and a
willingness to expend the effort, and that's assuming nothing
more than a brute-force attack.

Regards,
Terry Lambert
terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present
or previous employers.