Slashdot Mirror


The Crypto Gardening Guide and Planting Tips

ncostigan writes "Peter Gutmann of cryptlib fame has written a very readable paper on real-world constraints for cryptographers, and points out problems that their designs will run into when attempts are made to deploy them. Also included is a motivational list of extremely uncool problems that implementors have been building ad-hoc solutions for since no formal ones exist."

16 of 91 comments

  1. I laughed, I cried! by Ratface · · Score: 4, Funny

    Well - actually, I only laughed - over this passage

    (Note: If you're in the media or telecoms industry this becomes "Get there
    first with something patented, proprietary, and broken, then send lawyers
    after anyone who points out problems", but this is a special case).


    Heh! What a wag!

    --

    A little planning goes a long way...
  2. Re:Why do I find that so funny? by Llanfairpwllgwyngyll · · Score: 4, Informative

    If you're reading about crypto, and you have not heard of Peter Gutmann, then you are either just *starting* to read about crypto, or you have missed out some of the most important *practical* parts of your reading!

    Check also the X.509 Style Guide. Outstanding and insightful. Trust no one claiming to know about PKI unless they have read and understood this :-)

  3. The Real Question by The+Subliminal+Kid · · Score: 5, Interesting

    The problem I face every day has bugger all to do with the vague under-the-hood stuff that I see every day about the inside of crypto engines, but the problem of getting my clients to understand that the extra clicks when they send an email, the remembering a pass phrase, and the extra clicks to read incoming email is not only advisable but absolutely necessary. Every day I see lawyers send privileged material over the internet, and getting them to see both that it is going on an electronic post card and that there is a solution is a task that has proved beyond me.

    Suggestions from the floor?

    1. Re:The Real Question by Anonymous Coward · · Score: 5, Funny

      Read all of the flirtatious mail they send each other. Send the originator a summary of the juiciest bits, and add the text

      "If you would like to stop me reading your mail like this, give me a ring and I'll tell you how. If I find anything good in next month, I'll print it out and pin it up on everyone's messageboard. Give Janice a kiss from me, sugarplum."

    2. Re:The Real Question by plcurechax · · Score: 3, Interesting

      You are right, the human factor is often ignored in building secure systems, though Schneier's Secrets and Lies and Anderson's Security Engineering (Chapter 3 I believe) deal with building entire systems that are secure, including making them usable to the human users.

    3. Re:The Real Question by plcurechax · · Score: 3, Insightful
      > What I'd advocate, and I'm sure that privacy nuts and other security wonks would hate, would be government-issued smart cards that contain a user's private key.

      Security wonks hate it because it is insecure. It links the security of everything you authenticate to, from your parking permit or restaurant reservation, to your root password to the corporate servers you maintain, to your personal financial details. So if the bus boy at the restaurant gets your details, clones them onto a forged card, and saves a "snapshot" of your biometric details, that bus boy can get your SSN, credit report, and likely get credit cards in your name as well as commit government-mandated identity theft.

      That sounds like a stupid idea. Bypassing the Chinese Wall of everyday life is a dumb idea. A single ID card is as stupid as Microsoft's universal ID system formerly known as Passport.

      > ... key management systems are either proprietary or too complex for ordinary users, or just involve too many steps ...

      You are right, it is too complex, hard to use, and security engineers need to work on building better systems, and customers need to demand and pay for better systems.

      Or you'll have an Oracle/Microsoft/US Government national id card secured by MS Windows, and Oracle's nearly unbreakable database.

    4. Re:The Real Question by angst_ridden_hipster · · Score: 3, Insightful

      Three cards for police choppers in the sky
      Seven for politicians in their halls of stone
      Nine for Justices doomed to lie
      One for the President on his dark throne
      In the Land of DC where the lobbyists vie.
      One card to rule them all, one card to find them,
      one card to track IP, and in a lawsuit bind them...

      --
      Eloi, Eloi, lema sabachtani?
      www.fogbound.net
  4. why isn't an implementation standard? by PissedOffGuy · · Score: 3, Interesting

    the article says:

    Crypto designs are often described as mathematical abstractions that, while easy to work with mathematically, require a significant amount of work to translate into an actual implementation.

    I'm surprised by this; why can't the crypto whizzes put together a few lines of math.h and networking code as a proof of concept? Crypto is very much an applied field, so the theorists should include example source in their papers.

    1. Re:why isn't an implementation standard? by chialea · · Score: 5, Interesting

      >crypto is very much an applied field, so the theorists should include example source in their papers.

      Er.. security is an applied field. Crypto is applied non-applied mathematics, basically. I don't /do/ code, generally, and very rarely C or C++, which you seem to be implying should be used. The people who are interested in one are not always interested in the other. Coming from the math side of it, I'm sometimes tempted to say "learn some math and read the proofs before you implement". Not always practical, sure, but just as valid as expecting me to know about networking this'n'that.

      There's also not generally room in a paper for source. Rigorous proofs and definitions can take up a LOT of room. (Everyone who's read the 5x page HILL paper, or one of Dan Boneh's 3x page papers, raise your hand if you want to see source at the end of it.)

      Lea

    2. Re:why isn't an implementation standard? by dracken · · Score: 3, Interesting

      > I'm surprised by this, why can't the crypto whizzes put together a few lines of math.h and networking code to be a proof of concept? crypto is very much an applied field, so the theorists should include example source in their papers.

      Well, there is nothing to be surprised about. Many theoretically secure encryption schemes have been broken in practice because the implementation is very difficult. One common pitfall: in theory, we often assume the existence of a perfect source of random bits. Practically it is very, very, very difficult to ensure this (remember that part from Cryptonomicon, where the encryption is broken because the keys were not perfectly random and there was a slight statistical anomaly?).

      Also, in theory, some schemes are secure only if the keys have some mathematical property. In practice, someone who does not understand this subtle point might make a horrendous implementation. (I don't want to go into the gory details about the field from which the keys should be chosen in the Diffie-Hellman scheme.)

      Even with a perfect implementation, the user is also a very weak link in the chain. There is this famous incident of the more secure German naval Enigma getting broken because some ship transmitted using the new Enigma scheme and the same message using the old Enigma scheme (which was already broken).
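The "subtle point" dracken leaves out above is the one that bites Diffie-Hellman implementers most often: the peer's public value must lie in the intended prime-order subgroup, or an attacker can send a value of tiny order (1, or p-1 in a safe-prime group) and confine the shared secret to a handful of possibilities. The block below is an added example written for this page, not code from the thread or from Gutmann's paper. The group (p = 1019, q = 509, g = 4) is a constructed toy safe-prime group chosen so every claim can be checked by hand; the function names are this example's own, and real deployments use 2048-bit or larger groups with the same checks.

```python
# Added example (not from the thread): why a Diffie-Hellman peer value must
# be validated before use, and what goes wrong when it is not.
import secrets

# Constructed toy parameters, far too small for real use (2048-bit groups
# are the floor today).  p = 2q + 1 is a safe prime, so the multiplicative
# group mod p has only the subgroups of order 1, 2, q and 2q.
P = 1019
Q = 509
G = 4  # a quadratic residue (2^2), hence a generator of the order-q subgroup


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes in this example."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def check_group(p: int, q: int, g: int) -> bool:
    """Accept only a safe-prime group whose generator has order exactly q."""
    return (is_prime(p) and is_prime(q) and p == 2 * q + 1
            and 1 < g < p - 1 and pow(g, q, p) == 1)


def valid_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Public-value check: 1 < y < p-1 and y^q == 1 (mod p).

    This rejects 0, 1 and p-1 (orders 1 and 2) and any element outside
    the order-q subgroup, which is what small-subgroup confinement uses.
    """
    return 1 < y < p - 1 and pow(y, q, p) == 1


def keypair(p: int = P, q: int = Q, g: int = G) -> tuple[int, int]:
    """Private exponent drawn uniformly from [1, q-1] using the OS CSPRNG."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def shared_secret(peer_public: int, my_private: int,
                  p: int = P, q: int = Q) -> int:
    """Derive the shared secret, refusing peer values that fail validation."""
    if not valid_public_value(peer_public, p, q):
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_public, my_private, p)


def confinement_outcomes(bogus_public: int, p: int = P, q: int = Q) -> set[int]:
    """All shared secrets an unvalidating victim could derive from an
    attacker-chosen public value, over every private exponent in [1, q-1].
    A tiny set means the attacker can simply guess the secret."""
    return {pow(bogus_public, x, p) for x in range(1, q)}


if __name__ == "__main__":
    assert check_group(P, Q, G)
    xa, ya = keypair()
    xb, yb = keypair()
    print("honest exchange agrees:", shared_secret(yb, xa) == shared_secret(ya, xb))
    print("secrets reachable from y = p-1 without validation:",
          confinement_outcomes(P - 1))   # {1, 1018}: attacker guesses one of two
    print("y = p-1 accepted?", valid_public_value(P - 1))  # False
```

The order-q test (`pow(y, q, p) == 1`) is the expensive but decisive check; in a safe-prime group the range test alone already excludes the order-1 and order-2 elements, but it does not exclude elements of order 2q such as 2 in this group, which still pass the range check and fail the subgroup check. The private exponent comes from `secrets`, the OS CSPRNG, which is the practical answer to the "perfect source of random bits" problem the comment raises: never a seeded `random.Random`.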

  5. Re:Very readable.. by xmath · · Score: 5, Informative

    Message Authentication Code
    Hashed Message Authentication Code
    Pseudo Random Function
    Initialization Vector

  6. security thru obscurity, anyone? by djupedal · · Score: 4, Funny

    Hey! Aren't you Peter G., that famous cryptlib guy???

    uh...no, sorry, you have me mixed up with some other crypto guy. My name is, uh, Chuck...Chuck Laylow. I don't know squat about anything dealing with secrets, really...now, please go away before someone sees you talking to me, and don't tell anyone you talked to me...ever...thanks.

  7. for beginners i totally recommend this: by colonel.sys · · Score: 3, Informative

    bruce schneier: secrets and lies - digital security in a networked world

    (http://www.amazon.com/exec/obidos/tg/detail/-/0471253111/qid=1044455851/sr=8-2/ref=sr_8_2/102-6347544-3715317?v=glance&s=books&n=507846)

    excellent book on crypto and security basics. also contains basic concepts of avoiding general security issues.

    nico

    --
    We are all individualists!
  8. Top 5 reasons to use cryptography by Amsterdam+Vallon · · Score: 5, Funny

    5 -- At least your mom will think you're 1337

    4 -- You need a BFS (Big Fucking pgp Sig) for all those blogs you waste your time on

    3 -- To avoid letting the FBI know that Dear Matt, I you thought the last comp sci lab was hard and will probably just wait until Punjab Moltisontorilho hands his in and then we can steal his answers From Peter

    2 -- Its geek factor will offset the fact that you still run Windows 95
    ... and the number 1 reason to use cryptography

    1 -- Get that "terrorist feel" without all the violence

    Copyright Eric Krout, Editor of *nix.org

    --

    Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
  9. False advertising! by Greedo · · Score: 4, Funny

    Damn ... I read the title and I thought "Whoa, someone has come up with a way to hide secret messages in their garden."

    Kinda like steganography, but with flowers.

    Now *that* would be news for nerds.

    --
    Tuus crepidae innexilis sunt.
  10. Re:What about the other side? by chialea · · Score: 3, Interesting

    >But I wonder if some of those suggestions decrease the strength of encryption?

    Most modern cryptography is based on a variety of problems which are believed -- NOT known -- to be hard in certain contexts. Factoring, RSA, CDH, DDH, bilinear maps over CDH/DDH gap groups, braid factoring, CVP, etc. There are people who believe that factoring (and thus RSA) may be poly-time solvable, and thus cryptosystems based on it may be insecure. Cryptosystems based on different hard problems are important for that reason. It's a hedge bet.

    There are also interesting things which come "for free" with certain types of hard problems, which may be very expensive to add on to more common cryptosystems. These properties, for example commitment, are used in protocols like Deniable Ring Authentication. This sort of thing follows your suggestion of "a variety of rules", but it's really not possible to list every single cryptosystem in existence and how well it fits in. The authors simply say "(E,D) is a cryptosystem with the following properties", and leave anyone who wants to use it to find the best such cryptosystem, as it may change over time. (They usually do provide a trivial example or a reference, though.)

    Of course, if one-way functions don't exist, we'll all be back to information-theoretically secure stuff, and some of these problems will go away :P

    Lea