[7989] in cryptography@c2.net mail archive
Re: Non-Repudiation in the Digital Environment (was Re: First
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Fri Oct 20 18:35:46 2000
Mime-Version: 1.0
Message-Id: <v04210103b616654ce52b@[24.218.56.92]>
In-Reply-To: <s9f03171.052@prv-mail20.provo.novell.com>
Date: Fri, 20 Oct 2000 17:32:11 -0400
To: "Bob Jueneman" <bjueneman@novell.com>, <azb@llnl.gov>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: <dcsb@ai.mit.edu>, <cryptography@c2.net>, <cypherpunks@cyberpass.net>,
<egerck@nma.com>
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
At 11:50 AM -0600 10/20/2000, Bob Jueneman wrote:
>Let's put this problem in perspective, and try to avoid the "chicken
>little, the sky is falling" syndrome.
>
>It's quite unlikely that someone would come up with "Eureka!" type
>of solution to factoring large numbers that would end up completely
>breaking RSA,
I don't know of any solid basis for this claim. There have been
unexpected mathematical breakthroughs of that magnitude in the recent
past. The Schönhage and Strassen algorithm for multiplication, the Fast
Fourier Transform, formulas that compute outer digits of 1/pi
without computing the earlier ones, etc.
>or that some way would be found to completely break the integrity of SHA-1.
>
>Instead, we would be much more likely to see a nibbling around the
>edges, and a gradually decreasing confidence in existing algorithms,
>with more than enough time to replace them.
That is already happening.
>
>In fact, we have already seen that. MD2 is now deprecated, and MD5
>is being pretty widely supplanted by SHA-1. Likewise, DES has been
>broken and people are recommending that triple-DES be used, and soon
>AES. And OAEP is recommended to get around some hypothetical
>million-question attacks.
>
>But the sky hasn't fallen, and the sun still comes up in the morning.
>
>Even if some catastrophic weakness were somehow revealed that any
>high school kid could take advantage of with a single PC, there are
>still checks and balances. The kid still has to have money in the
>bank to pay for the item, and all of the usual velocity checks, etc.
>that are used to combat fraud would still be in place and would
>work. And good old-fashioned detective investigations and forensics
>would still be applicable.
>
>Any good security system has defenses in depth, and is not subject
>to the balloon-popping problem.
Well, that is the big question mark as I see it. There are many
choices in designing financial systems based on public key
technology. If people use conservative approaches then you may well
be right, but if they buy the PKI party line we could face some very
serious problems. In particular, systems that depend on the security
of one or a few master keys should be treated with suspicion. For
example, a bank could keep its own customers' public key fingerprints
on file or rely on the fact that all customers' certs are all signed.
>
>that doesn't mean that we shouldn't try to make systems be as
>perfect as possible. But if they aren't (and they never are), that
>shouldn't be the end of the world as we know it.
If we throw out existing systems and base our entire financial system
on public key crypto without enough independent backups, an
algorithmic breakthrough could lead to the end of the world as we
know it. Algorithm compromise should be treated as an explicit risk.
>
>Let's not invent a hypothetical Y2K problem.
>
Let's not forget 2038.
Arnold Reinhold