


On Mon, Apr 11, 2016 at 12:37 PM, Nathan Andelin <nandelin@xxxxxxxxx> wrote:
> You appear to be re-framing what I said in a way that would discredit me.

I'm not trying to discredit anyone. I am trying to find language that
is mutually understandable. It seems most of our words are flying past
each other.

>> There wouldn't be a "repository of encryption keys".

> The call for public disclosure of encryption algorithms is based on the
> premise of having "lengthy" keys. Of course they are stored - they are too
> long to remember. And it's common to store them in a repository such as a
> certificate store.

First, I disagree that the call for public algorithms is *based on*
the premise of lengthy keys. It certainly is the case that longer keys
tend to lead to better encryption than shorter keys. It's also the
case that, given modern computing resources, keys have to be too long
for normal humans to remember, if those keys are going to be
effective. But key length is not the reason why people want algorithms
to be public. If tomorrow, everyone in the world were granted eidetic
memory, I don't believe the "call" for public algorithms would
suddenly lessen.

Second, I was thinking in terms of generating new keys as needed and
discarding old ones, which is why I said there wouldn't be a
repository. Indeed, I was focused on transmission of time-sensitive
messages (such as those used to coordinate military operations). The
issue of long-term storage and security of sensitive information was,
to my way of thinking, a separate problem.

>> The keys and randomizer are *supposed* to be the weakest links in the
>> chain. The algorithm itself should ideally be unassailable without the
>> key.)

> Are you suggesting that publicly disclosed algorithms are unassailable?

No. I believe every algorithm is inherently assailable. By "ideally
unassailable" I mean the goal should be to have an algorithm that is
as close to unassailable as possible. And indeed, this is the first of
Kerckhoffs's six stated design goals.

The part that I was trying to emphasize was that it is widely accepted
that one direct implication of Kerckhoffs's tenets is that the
security of the cryptosystem *should be* dependent on the security of
the key. That is, if the key gets stolen, by whatever means, it is
*not the cryptosystem's job* to keep out the correct-key-wielding
enemy.

When people talk about an *algorithm's* strength, they mean the degree
to which it resists attack from adversaries that do NOT (already) have
the key.

> And you appear to misunderstand the role of the key - which is to modify
> values computed by the algorithm to make them "appear" more random.

Not so much misunderstanding as talking on a different level. Is it
the "role" of a carpenter to build a bookshelf? Or is the role of the
carpenter to hammer, saw, sand, etc.?

>> Mathematically speaking, the algorithm's sole purpose is to prevent
>> *anyone* without the key from accessing the data it's protecting.

> That statement isn't very clear. I'd suggest that the purpose of the
> algorithm is to obscure data, and to do it in a way that appears random
> (indecipherable). Both algorithm and key play a role in making the process
> and results "appear" to be random.

OK, you want to talk about "roles" or "purposes" at that level. Fine.
I am not getting why you can't talk about a different level though.

Algorithms and keys are both necessary, and they are both
interdependent in a cryptosystem. But they're not equal or
symmetrical. They are different kinds of things. The key is a
parameter to the algorithm. The algorithm is not a parameter to the
key. The algorithm has to be designed and crafted. The key can be
generated in the blink of an eye by a randomizer.

> One valid concern with publicly disclosed algorithms is that they all rely
> on "lengthy" keys to make data appear randomly generated - the
> "strength" is said to be in the length and randomness of the key.

Well, for any given algorithm, *that* algorithm's strength is a
function of the length and randomness of the key.

But this is true whether the algorithm was developed in secret or in
the open. It's a fundamental mathematical property of key-based
encryption.

Are you perhaps conflating "published algorithm" with "public-key
encryption"? I am guessing you are not, but I can't be sure, given the
way you're talking about key lengths. It's true that public-key
encryption requires longer keys than encryption which relies solely on
private keys, for a given desired strength. But that is independent of
whether the algorithm is published or not.

If the military is using some kind of secret algorithm which uses only
private keys, the strength of that algorithm is still subject to the
length of the keys. If those keys are too short, the resulting
encryption will be mathematically vulnerable.

Or maybe I should say that the strength of the algorithm *better* be
subject to the length of the keys, because if it's not, then that
means that even long keys are as weak as short keys for this
algorithm! And in that case, the *algorithm* is inherently vulnerable.

> The problem is that you have to store the keys somewhere, which is a
> violation of Kerckhoffs's third tenet. That shifts the attack surface from
> trying to break the algorithm, and trying to break the key, to trying to
> discover the password to where the keys are stored, which is much easier
> to break.

You keep coming back to this, and it's one way in which it seems like
we're probably at a philosophical impasse.

Kerckhoffs's "third tenet" is obsolete. In fact, it's probably the
only one of his six that is untenable in modern times. I'll quote it
here so people don't have to Google it:

"It must be possible to communicate and remember the key without using
written notes, and correspondents must be able to change or modify it
at will"

Basically, the power of computers has advanced to the point where
*mathematically speaking* it is impossible to have a high degree of
security and still adhere to that goal. Yes, a quirky and memorable
passphrase will be sufficient for most people's security needs. But if
we're even bothering to talk about what the military and academia
consider high-security cryptography, then we have to accept that keys
must be random and long.

Well, OK, we don't HAVE to accept that. But I believe you are really
flying in the face of *mathematics* if you don't accept it.

John Y.
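The message above argues two related points: that a cryptosystem's strength is a function of the key's length and randomness, and that for high-security use the key must therefore be random and long rather than memorable. The following is an added example written for this archive page; it is not part of the thread and not either correspondent's code. It assumes a stand-in cipher built from public, standard primitives (an HMAC-SHA256 keystream in counter mode, XORed into the message) so that the algorithm is fully disclosed and the key is the only secret. The message text and the 4-digit PIN are constructed for the demonstration.

```python
"""Kerckhoffs's principle worked through with a fully public algorithm.

Added example, not from the original thread. The cipher below is an
assumed stand-in: a keystream derived with HMAC-SHA256 over a nonce and
counter, XORed into the plaintext. Everything about it is known to the
attacker; only the key is secret. With the SAME algorithm, a key chosen
from a small guessable space (a 4-digit PIN) is recovered by exhaustive
search immediately, while a random 128-bit key is not, so the strength
lies in the key's length and randomness, not in algorithm secrecy.
"""
import hashlib
import hmac
import math
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: PRF(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. Nonce must be unique per key."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def key_from_pin(pin: int) -> bytes:
    """Weak key: deterministically derived from a 4-digit PIN.

    The derived key is 32 bytes long, but there are only 10^4 possible
    values, so the effective key space is about 13.3 bits.
    """
    return hashlib.sha256(f"pin:{pin:04d}".encode()).digest()


def brute_force_pin(nonce: bytes, ciphertext: bytes, known_prefix: bytes):
    """Attacker knows the algorithm and the key derivation (Kerckhoffs).

    Tries every PIN and returns (pin, plaintext) when a decryption
    starts with the expected header, or None if nothing matches.
    """
    for pin in range(10_000):
        candidate = decrypt(key_from_pin(pin), nonce, ciphertext)
        if candidate.startswith(known_prefix):
            return pin, candidate
    return None


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a list."""
    return words * math.log2(wordlist_size)


def years_to_search(key_bits: float, guesses_per_second: float) -> float:
    """Time to enumerate the whole key space at a given guess rate."""
    return (2.0 ** key_bits) / guesses_per_second / (365.25 * 86400)


def demo():
    """Weak-key recovery versus a random 128-bit key; returns the findings."""
    nonce = bytes(12)  # fixed here for reproducibility; use a fresh nonce per message
    msg = b"ORDERS: hold position until 0600"  # constructed sample message

    # (a) key derived from a 4-digit PIN: attacker enumerates all 10,000 keys
    ct_weak = encrypt(key_from_pin(4831), nonce, msg)
    recovered = brute_force_pin(nonce, ct_weak, b"ORDERS:")

    # (b) random 128-bit key: same algorithm, but 2^128 candidates to try
    strong_key = secrets.token_bytes(16)
    ct_strong = encrypt(strong_key, nonce, msg)
    assert decrypt(strong_key, nonce, ct_strong) == msg

    return {
        "recovered_pin": recovered[0] if recovered else None,
        "recovered_plaintext": recovered[1] if recovered else None,
        "random_key_bits": len(strong_key) * 8,
        "years_at_1e9_per_s": years_to_search(len(strong_key) * 8, 1e9),
    }


if __name__ == "__main__":
    result = demo()
    print("PIN-derived key recovered:", result["recovered_pin"], result["recovered_plaintext"])
    print(f"Random {result['random_key_bits']}-bit key: ~{result['years_at_1e9_per_s']:.2e} years at 1e9 guesses/s")
    print(f"4-word passphrase from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

The PIN case mirrors the "password to where the keys are stored" concern: a memorable secret caps the effective key space regardless of how long the derived key bytes are. The passphrase figure shows why a memorable key still falls well short of 128 bits, which is the point the message makes about the third tenet.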

