Slashdot Mirror

← Back to Stories (view on slashdot.org)

Decrypting the Secret to Strong Security

Posted by michael on from the common-sense dept.

farrellj writes "Cnet has an excellent article by Whitfield Diffie, who has probably has forgotten more about crypto than 99.9% of us will ever know, explains why secrecy does not equal security. The article also addresses the whole "open source vs proprietary software" security issue. A definite *must read* for anyone concerned about security...and that should be everyone!"

3 of 261 comments (clear)

  1. Ancient Knowledge... by MarvinMouse · · Score: 5, Insightful

    Diffie is definitely the guy to be talking about this. Considering a main form of private key-exchange is called Diffie-Hellman.

    But, nontheless, it's silly that people don't know this inherently. A secure system is only as secure as its weakest point. If that point is compromised and cannot be easily fixed and/or repaired. It's useless.

    Depending on the secrecy of the code or "Security through Obscurity" is useless. Anyone who tells you otherwise is a quack or is trying to sell you something and doesn't want to do all the work necessary to do the proper job.

    If you want a secure system, you have to instantly assume that the system, code, and key will eventually be completely compromised, and then you can begin to think about. Now, if any of these were compromised, how can I fix the problem. The current solution is to reset the keys, and using modern mathematics (most of which was developed by Dif) You can do this securely.

    Now, the only problem that remains with modern cryptography, is if the factoring problem is solved _and_ the elliptic curve problem is solved efficiently, then modern crypto becomes useless, and we are back to square one.

    Albeit, Quantum Cryptography has some potential as it provides a mathematically verifiable form of perfect cryptography, since it is one time pads. It just currently cannot be done over long enough distances to be completely effective. When the technical/engineering details are solved for QC, then crypto is guaranteed secure. Assuming no one compromises your system directly (Human Error).

    Dependence on Security through Obscurity is bad, incredibly bad, and I hope anyone programming security software out there will realize that, and begin to use proper cryptographic techniques.

    ** I am going to write a couple of journal articles soon reviewing the various techniques for those who are interested. **

    --
    ~ kjrose
  2. Re:Accuracy by monkeydo · · Score: 5, Insightful

    That may be an excellent article for someone who has never been told that secrecy != security, but he didn't really say anything new. He didn't even really support any of his points. It isn't even really an article, more like a blurb. It's like someone at CNET said, "Give us 1,000 words on why OSS is good."

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  3. Re:Accuracy by HawkinsD · · Score: 5, Insightful
    Dude, CNet is a general-audience wide-circulation publication. Yes, the geeks that hang out in here all know this stuff already, but my clients, with whom my company must exchange data securely, may not know anything about why open source is good.

    Anything that helps convince my crypto-less clients to use GnuPG is very, very helpful.

    --
    Never attribute to malice that which can be explained by mere idiocy.