- Send cryptography mailing list submissions to
- cryptography@metzdowd.com
- To subscribe or unsubscribe via the World Wide Web, visit
- http://www.metzdowd.com/mailman/listinfo/cryptography
- or, via email, send a message with subject or body 'help' to
- cryptography-request@metzdowd.com
- You can reach the person managing the list at
- cryptography-owner@metzdowd.com
- When replying, please edit your Subject line so it is more specific
- than "Re: Contents of cryptography digest..."
- Today's Topics:
- 1. Making models + scenarios realistic (John Denker)
- 2. Re: Making scenarios realistic (Ralf Senderek)
- 3. Re: Making scenarios realistic (Phillip Hallam-Baker)
- 4. Re: Making scenarios realistic (Ralf Senderek)
- 5. Re: Making models + scenarios realistic (Ralf Senderek)
- ----------------------------------------------------------------------
- Message: 1
- Date: Sun, 14 Apr 2019 23:54:36 -0700
- From: John Denker <jsd@av8n.com>
- To: Phillip Hallam-Baker <phill@hallambaker.com>, Cryptography Mailing
- List <cryptography@metzdowd.com>
- Subject: [Cryptography] Making models + scenarios realistic
- Message-ID: <03ccef17-4658-ba23-c0ea-df34a9ed46e8@av8n.com>
- Content-Type: text/plain; charset=utf-8
- On 4/13/19 8:02 AM, Phillip Hallam-Baker wrote in part:
- > So the reason Alice and Bob are worried about Eve overhearing their
- > conversations is that Alice is married to Eve but she really wants to have
- > an affair with Bob who is really interested but a little worried that Alice
- > might turn out to be an axe murderer. And yes, Alice does have an axe
- > hidden under her bed because she is 4'11" tall weighing less than 100lb and
- > Bob is the Naval mixed martial arts champion.
- But is she /exactly/ 4'11" ????
- > My point here is not humorous.
- Yet the scenario is ludicrous. The rococo details tell us that
- this scenario covers a set of measure zero in a very large space.
- Scenarios are infinitely important, but other considerations
- are also infinitely important. In particular, you have to have
- some sort of /model/. It's like high-school chemistry, where
- you collected some data points and then fitted a straight line
- to them:
- -- The line is the model, with some adjustable parameters. It
- allows you to interpolate between the data points, and to
- extrapolate.
- -- Scenarios play the role of data points. They allow you to
- pin down the adjustable parameters in the model.
- A good model incorporates your /understanding/ of the situation.
- This understanding allows you to limit the number of parameters
- in the model, which in turn reduces the number of scenarios that
- are needed to constrain and test the model.
- > brittle
- Yes. Data points by themselves are infinitely brittle. They
- have measure zero in a very large space.
- Three of the smartest guys I know just got the Turing prize for
- work that revolves around this principle:
- *Without the model the scenarios are useless ... and vice versa.*
- https://www.vox.com/future-perfect/2019/4/4/18294978/ai-turing-award-neural-networks
- https://www.wired.com/story/godfathers-ai-boom-win-computings-highest-honor/
- > people ask me about that scenario all the time.
- >
- > Ooops, sorry. Nobody has ever asked me about it, they just did it anyway
- > knowing that there was a risk even though they were worried about it at the
- > time.
- Not only have they not asked; they wouldn't have had a
- language to use for asking the question even if they wanted
- to, even if they realized it was an important question.
- They would have had no way to specify which details of the
- situation are important to them and which are not.
- > The cryptography is the easy part.
- Yes.
- > The hard part is working out what the scenarios should be.
- Again: The scenarios are absolutely necessary but they are
- not the only hard part, or even the hardest part. One must
- also have a sharable understanding of what the security
- model is /supposed/ to do. Scenarios can be used to test
- understanding, but they do not create understanding.
- A model is tantamount to a formal language for specifying
- what you want. As always, language design is only secondarily
- a language issue; understanding has to come first. Otherwise
- the language becomes impossibly complex and inscrutable, to
- the point where it is useless even to experts, not to mention
- laypersons such as Alice.
- Offering an encyclopedia of scenarios and asking Alice to
- choose one is not feasible.
- I once had a student pilot who didn't want to build explicit
- mental models of the situation. She just wanted to practice
- until she had seen all the scenarios. I explained that during
- landing there are 12 different things you need to worry about.
- If we oversimplify it to the point where each variable can
- have only three different values (high, nominal, and low) that
- still leaves us with half a million scenarios, and it would be
- spectacularly infeasible to learn them all by rote. Instead
- you must use /understanding/ in order to factor one infeasible
- problem into 12 feasible problems, and then master those.
- Obviously we have "some" understanding of what security policies
- are supposed to do, but I'm not convinced it is enough, except
- perhaps in certain tightly circumscribed micro-domains. For
- example, consider the PGP "web of trust". What does that even
- mean? For one thing, trust is not transitive, and secondly,
- trust is hard to quantify. It's not even one-dimensional. I
- have some neighbors whom I would trust to borrow the proverbial
- cup of sugar but wouldn't trust to borrow my car or my credit
- card.
- Also: The /language/ issue runs both ways:
- -- We need a way for Alice to tell her IT guy what she wants.
- -- We also need a way for Hillary's IT guy to tell her about
- the threats, in a way that she understands, e.g. that maybe
- the inconvenience of using two-factor authentication is
- small compared to the inconvenience of having your campaign
- pillaged and burned by Fancy Bear.
- Bottom line: A floridly detailed scenario is, ironically, a
- way of illustrating the limitations of scenarios. We also
- need models aka languages and (!) understanding.
- ------------------------------
- Message: 2
- Date: Mon, 15 Apr 2019 10:04:32 +0200 (CEST)
- From: Ralf Senderek <crypto@senderek.ie>
- To: Phillip Hallam-Baker <phill@hallambaker.com>
- Cc: Cryptography Mailing List <cryptography@metzdowd.com>
- Subject: Re: [Cryptography] Making scenarios realistic
- Message-ID: <alpine.LFD.2.21.1904151000350.3897@laptop.senderek.ie>
- Content-Type: text/plain; charset=US-ASCII; format=flowed
- On Sat, 13 Apr 2019, Phillip Hallam-Baker wrote:
- > Perhaps a business model for a Web MetaNotary is selling the key escrow service to Alice.
- Now that selling key escrow seems to be the business model you fancy,
- you may put this study
- (https://www.schneier.com/academic/paperfiles/paper-key-escrow.pdf)
- on the new enterprise's web site.
- --ralf
- ------------------------------
- Message: 3
- Date: Mon, 15 Apr 2019 11:27:42 -0400
- From: Phillip Hallam-Baker <phill@hallambaker.com>
- To: Ralf Senderek <crypto@senderek.ie>
- Cc: Cryptography Mailing List <cryptography@metzdowd.com>
- Subject: Re: [Cryptography] Making scenarios realistic
- Message-ID:
- <CAMm+LwiBzQEqGpAJdp0=M=7518NVgSRuxL3h4ct3xDDWPmemUQ@mail.gmail.com>
- Content-Type: text/plain; charset="utf-8"
- On Mon, Apr 15, 2019 at 4:04 AM Ralf Senderek <crypto@senderek.ie> wrote:
- > On Sat, 13 Apr 2019, Phillip Hallam-Baker wrote:
- > > Perhaps a business model for a Web MetaNotary is selling the key escrow
- > > service to Alice.
- >
- > Now that selling key escrow seems to be the business model you fancy,
- > you may put this study
- >
- > (https://www.schneier.com/academic/paperfiles/paper-key-escrow.pdf)
- >
- > on the new enterprise's web site.
- >
- I have made no such decision and I will just point out that most folk who
- have claimed they know what my business model is have proved to be wrong in
- the past.
- The paper is from 1997. Think about that for a while. Back then we thought
- that the biggest issue any crypto system had to address was how to
- absolutely guarantee any possibility that the FBI could gain any imaginable
- advantage in any circumstance whether realistic or not.
- Yes, I know that the paper addresses the legitimate uses of local escrow
- and if you look at the architecture I have in the Mesh, it follows largely
- the approach suggested. But the paper itself was written as a rebuttal to
- Louis Freeh when he was approaching peak crazy. A few months after it was
- written, Freeh conspired with a corrupt prosecutor to impeach a President
- in revenge for being snubbed on the key escrow issue.
- It was ideology, not security.
- And it hurt us badly because instead of actually solving real problems
- people needed solving and delivering products that they could use, we
- insisted on addressing really difficult problems like end-to-end secure
- email and sneering at partial solutions such as transport security.
- STARTTLS is pretty much the only email security in place today. We got it
- ten years later than we could have had it and we ended up with end-to-end
- email take up of about 2 million S/MIME and 2 million OpenPGP users having
- registered a key - about -.1% of users, and they use it for maybe 1% of
- their email.
- We spent inordinate amounts of time making sure that IPSEC delivered
- 'perfect' forward secrecy and as a result delivered a specification that
- still doesn't actually work out of the box, is a pig to use and can only be
- made tolerable with proprietary hacks.
- Ideology does not deliver security.
- As with the end-to-end arguments paper, this is a paper that is shared far
- more often than it is read. The arguments made in the paper are not the
- same as the ones that people seem to think. I suggest people read it. They
- may well be surprised.
- That said, it is a pity that the group didn't include any people with
- experience of running a commercial CA. Otherwise they would know that there
- is actually a very solid reason for escrowing signature keys and every CA
- makes use of it. On the other hand, very few people were doing that in
- 1997. I wasn't one of them then.
- ------------------------------
- Message: 4
- Date: Mon, 15 Apr 2019 19:39:26 +0200 (CEST)
- From: Ralf Senderek <crypto@senderek.ie>
- To: Phillip Hallam-Baker <phill@hallambaker.com>
- Cc: Ralf Senderek <crypto@senderek.ie>, Cryptography Mailing List
- <cryptography@metzdowd.com>
- Subject: Re: [Cryptography] Making scenarios realistic
- Message-ID: <alpine.LFD.2.21.1904151924190.3657@laptop.senderek.ie>
- Content-Type: text/plain; charset=US-ASCII; format=flowed
- On Mon, 15 Apr 2019, Phillip Hallam-Baker wrote:
- > The paper is from 1997. Think about that for a while. Back then we thought that the biggest
- > issue any crypto system had to address was how to absolutely guarantee any possibility that the
- > FBI could gain any imaginable advantage in any circumstance whether realistic or not.
- In 1997 I happened to know people who already tried to broaden the user
- base of PGP keys in an academic environment including the improvisation of
- user interfaces to PGP. But the common mindset was the opposition to key
- escrow in any form, because key escrow is very different from key
- availability/backup which was a pain in the neck back then, and still is.
- > [...] we ended up with end-to-end email take up of about 2 million S/MIME and
- > 2 million OpenPGP users having registered a key - about -.1% of users, and they use it for maybe
- > 1% of their email.
- Even if your numbers were correct (in the open source community a handful
- of keys secure the integrity of a large number of OS packages, and almost
- all users are unaware of their "use" of GPG keys) the lesson to be learned
- here is that key management is the problem to be solved. But it has to be
- solved in a way that the user can control himself, not by key escrow.
- --ralf
- ------------------------------
- Message: 5
- Date: Mon, 15 Apr 2019 22:31:32 +0200 (CEST)
- From: Ralf Senderek <crypto@senderek.ie>
- To: John Denker <jsd@av8n.com>
- Cc: Phillip Hallam-Baker <phill@hallambaker.com>, Cryptography
- Mailing List <cryptography@metzdowd.com>
- Subject: Re: [Cryptography] Making models + scenarios realistic
- Message-ID: <alpine.LFD.2.21.1904152229100.5451@laptop.senderek.ie>
- Content-Type: text/plain; charset=US-ASCII; format=flowed
- On Sun, 14 Apr 2019, John Denker via cryptography wrote:
- > Again: The scenarios are absolutely necessary but they are
- > not the only hard part, or even the hardest part. One must
- > also have a sharable understanding of what the security
- > model is /supposed/ to do. Scenarios can be used to test
- > understanding, but they do not create understanding.
- And that's why I've asked for a threat model for the MESH.
- --ralf
- ------------------------------
- End of cryptography Digest, Vol 72, Issue 6