[8234] in cryptography@c2.net mail archive
Re: migration paradigm (was: Is PGP broken?)
daemon@ATHENA.MIT.EDU (Rick Smith at Secure Computing)
Sat Dec 9 16:45:36 2000
Message-Id: <4.3.2.7.0.20001207152530.00c5a100@mailhost.sctc.com>
Date: Thu, 07 Dec 2000 15:35:14 -0600
To: Peter Fairbrother <peter.fairbrother@ntlworld.com>,
Ray Dillinger <bear@sonic.net>,
"Arnold G. Reinhold" <reinhold@world.std.com>
From: Rick Smith at Secure Computing <rick_smith@securecomputing.com>
Cc: <cryptography@c2.net>, William Allen Simpson <wsimpson@greendragon.com>
In-Reply-To: <B655A6D6.3E19%peter.fairbrother@ntlworld.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 02:43 PM 12/7/00, Peter Fairbrother wrote:
>In WW2 SOE and OSS used original poems which were often pornographic. See
>"Between Silk and Cyanide" by Leo Marks for a harrowing account.
Yes, a terrific book. However, the book also contains an important lesson
regarding human memory.
Marks was responsible for training agents in crypto procedures to use while
operating behind enemy lines, and he was also responsible for decrypting
the messages they sent back. Marks found himself organizing a cryptanalysis
team (independent of Bletchley) primarily for the purpose of cracking of
mis-encrypted messages received from their own agents. In short, the agents
mis-remembered their poems and used their faulty recollection as the basis
for their encryption.
Now, just how do we intend to address such concerns in our memory-based
authentication systems? Our whole technology for using memorized secrets is
built on the belief that people will remember and recite these secrets
perfectly. Some applications could take more of a 'biometric pattern
matching' strategy that measures the distance between the actual passphrase
and a stored pattern. But this won't provide us with a secret we can use in
crypto applications like PGP.
Rick.
smith@securecomputing.com roseville, minnesota
