*BSD News Article 63110



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.hawaii.edu!ames!agate!howland.reston.ans.net!nntp.coast.net!col.hp.com!sdd.hp.com!hamblin.math.byu.edu!park.uvsc.edu!usenet
From: Terry Lambert <terry@lambert.org>
Newsgroups: comp.os.linux.misc,comp.os.linux.development.system,comp.os.linux.networking,comp.unix.bsd.bsdi.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc
Subject: Re: need secure OS to entrust millions to
Date: 9 Mar 1996 21:54:43 GMT
Organization: Utah Valley State College, Orem, Utah
Lines: 65
Message-ID: <4hsun4$d3h@park.uvsc.edu>
References: <4gi6t6$3h9@lace.colorado.edu> <nc0453Dn96w6.93F@netcom.com> <4hhp71$cv9@senator-bedfellow.MIT.EDU>
NNTP-Posting-Host: hecate.artisoft.com
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:90593 comp.os.linux.development.system:18949 comp.os.linux.networking:31075 comp.unix.bsd.bsdi.misc:2584 comp.unix.bsd.netbsd.misc:2416 comp.unix.bsd.freebsd.misc:15130

ghudson@mit.edu (Greg Hudson) wrote:
] ghudson@mit.edu (Greg Hudson) writes:
] ] It's disappointing that some people still think that security through
] ] obscurity is a net gain.
] 
] Terry Lambert <terry@lambert.org> writes:
] : Public key cryptography (RSA, et al.) is the ultimate in
] : security through obscurity.  People trust it every day.
] 
] As I'm sure you're perfectly aware, "security through obscurity" refers
] to the practice of assuming that enemies will not be able to exploit
] flaws in your security system because they do not know the algorithms
] you use.  "Security through obscurity" does not refer to the practice
] of assigning private information to users and services.
] 
] RSA as a cryptosystem has been subject to extensive academic review.
] We know its weaknesses and we know how to avoid being subject to them.
] (We also know cryptosystems which provably don't share most of its
] weaknesses, but they haven't been subject to the same level of
] review.)  In short, we know that if we can address the key management
] problem, we have a very good idea (comparatively) of what the risks
] are of an attacker being able to read things we send over the net using
] RSA.  What do we know about a proprietary operating system's risks?
] Nothing.
] 
] I expected more from you than argument by unconventional definition,
] Terry.


Your definition is predicated on the obscurity of a fast-factoring
algorithm.

Is it your claim that such an algorithm is impossible?

I refer you to Godel's Theorem.


Typical "security through obscurity" is hiding a key in a
search space, but not securing the location of the key itself.

That is, it applies to YP and otherwise accessible password
files as well as to directories in unsearchable directories
on FTP sites.

Public key cryptography is an obscurity, not a secrecy, defense.


You see, I believe the NSA already has fast-factoring
capability based on the questions Robert Morris Senior (formerly
of the NSA) posed at a recent security conference.

He asked "how much effort would we have to put forth", not "is
such effort technically feasible or existent".

All that's required to crack RSA is massive parallelism and a
willingness to expend the effort, and that's assuming nothing
more than a brute-force attack.


					Regards,
                                        Terry Lambert
                                        terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present
or previous employers.