

 encryption is not gravy - vgnet
http://benlog.com/articles/2012/04/30/encryption-is-not-gravy/

======
joejohnson
There are many other issues with adding encryption to an existing service.
Take Dropbox as an example. If Dropbox allowed each user to manage their own
private/public key pair, then Dropbox wouldn't be able to see any of your
data, and this couldn't use de-duplication. This means they need to actually
allocate 2GB for every free user; no longer could they count on multiple users
uploading the same files. Dropbox would have no way of knowing. Additionally,
every minor change to a file would result in the entire file needing to be re-
uploaded. The "previous versions" of each file would need to be re-worked,
etc.

There are lots of technical issues with just slapping some crypto on to an
existing service. User management of passwords/keys seems trivial compared to
these problems.

~~~
st3fan
I would pay DropBox premium for this feature.

~~~
hemancuso
You and about 5,000 other people. Not a big market, unfortunately.

~~~
ecaron
It may not be a big market that the masses are clamoring for, but it will soon
be similar to services encrypting passwords in the database. The outside world
shouldn't be expected to know about the existence of rainbow tables and the
futility of md5-hashes. The educated, however, know what to demand, will
expect their services to offer it, and will leave lacking-services for
support-services - and in their exodus the masses inevitably follow (e.g.
Hotmail -> GMail)

~~~
batista
_> The educated, however, know what to demand, will expect their services to
offer it, and will leave lacking-services for support-services - and in their
exodus the masses inevitably follow (e.g. Hotmail -> GMail)_

That's not how it works.

People didn't leave Hotmail because the "educated" left, they left it because
Google gave several GBs for free, the interface was simpler, the search better
and MS was out of fashion.

If you're not a large market you don't get a service, or you only get niche
vendors to cater to you. You can bypass this by setting trends for the
"uneducated" (whatever that means), else we will all be using Lisp Machines or
Smalltalk environments.

~~~
skarayan
Educated/uneducated may not be the right terms, but it is possible to have
hindsight just by understanding the landscape.

Privacy is becoming a large problem in the internet and encryption will likely
be part of the solution. Without encryption, the ownership of data is on the
service provider instead of the person.

Privacy is a feature just like free storage. One day, privacy can be available
to the masses just like storage is today. (also think back how many people
actually wanted or needed multiple gb of free storage for their emails until
one was provided by a service like gmail)

------
darklajid
For me, the fact that my data is inaccessible on the server is the single most
interesting fact about that sync product.

All alternatives would be reasons to politely decline taking part. So IF there
will be compromises in the future for the scenario where users cannot back up
their own key, I do hope that the current behavior will always be a viable
option either. I'd rather risk losing my data through my own stupidity (been
there, often enough) than pushing my browsing history (potentially sensitive)
or even passwords (..) to a random service on the net.

------
kragen
While I agree with most of this article, Adida says that a "full-strength,
randomly generated, user-managed key" implies that "Enabling a new device
requires coordination with an existing device". This is _typically_ the case
with current systems, but it is not _necessarily_ the case. It is eminently
practical for a human being to memorize an xkcd password with enough entropy
to resist brute-force attacks into the foreseeable future.

[http://lists.canonical.org/pipermail/kragen-
hacks/2012-April...](http://lists.canonical.org/pipermail/kragen-
hacks/2012-April/000538.html) demonstrates encoding an 80-bit random number
(which is plenty secure with a reasonable key derivation function) as each of
"point pleased intense de maybe fairly arms", "bejuso jejigi nububi bidoda
gahano", "ADD DOTE BID HILT LAUD MAIN CALF CITY", and "仴薦肨縨猯鹽", any of which
is eminently practical to memorize. I use this program to generate my login
passwords these days.

(80 bits is not enough for a key for something like AES, because you can try a
lot of different keys per second. It's plenty if you have a decent key
derivation function to add a 25–35-bit work factor.)

This is different from a user-chosen password because users are often highly
predictable in their password choice.

~~~
benadida
right, that's what I labeled the password-derived encryption use case. Great
to do the XKCD mechanism, and if you follow the link in that article you'll
see that we're working on maximizing the key stretching we can do based on
passwords:

[https://wiki.mozilla.org/Identity/CryptoIdeas/01-PBKDF-
scryp...](https://wiki.mozilla.org/Identity/CryptoIdeas/01-PBKDF-scrypt)

But unless you have a crazy long passphrase, you're not going to get 128 bits,
let alone 256.

~~~
kragen
Yeah, I did read Warner's proposal. It's full of awesome, as his ideas usually
are. Were you around that time that he showed Memento at his house, but with
the scenes in chronological order?

As I explained in a late edit to my comment, this is distinct from your
"password-derived key" case because it eliminates the major drawback of that
case: "This is not as secure as the previous setting, since most user
passwords are not nearly as strong as full-strength crypto keys." If you
generate high-entropy passphrases, that problem goes away.

128 bits is overkill for defense against brute force. You can do maybe 2³⁰
crypto operations per second in a custom crypto-cracking processor, pack maybe
2²⁰ of them onto a custom chip, use maybe 2²⁰ custom chips in your Crypto
Cracking Center in your evil genius volcano base, and let it run for maybe a
year, 2²⁵ seconds, before you get bored. That's still only enough to search
2⁹⁵ keys, so you should be pretty safe with keys that need 2¹⁰⁰ operations to
crack, at least for a few years. Or, if you don't have a supervillain or major
intelligence agency devoting their full computational resources to reading
your browser bookmarks, 2⁸⁰.

I do think it's actually feasible for someone to memorize an 11-word phrase
encoding a 128-bit key, but it would take several minutes and careful practice
over the next few weeks to be sure they didn't forget it, and using a decent
PBKDF with a 7- or 8-word passphrase is probably a better option.

------
TazeTSchnitzel
If you install Ubuntu with home folder encryption, it gives you the
"unravelled" encryption key for you to write down somewhere.

Seems like a good idea: If you forget your passphrase, you can recover your
data with this.

~~~
darklajid
The product he's talking about in the end does the same. If you join Sync (at
least that's what I remember what happened..) you'll create an account and see
a long generated key. You're asked to store it somewhere safely/to print &
file it.

------
Cushman
> The most expensive cars have unlocking fallbacks.

This is only the case because the car company is sitting on a database of
everyone's keys. It amounts to server-side security. If a security
professional were designing a "secure" car, they would demand one which is
truly bricked if you lose the keys.

I expect that part of the issue with cryptography is explaining to users why
their data needs to be _more_ secure than their car.

------
sp332
I wonder if you could set up a "key server". It would be like an online safety
deposit box for your key. That way, no matter what computer you're on, you can
access the keyserver and authenticate yourself, and it would recover your key.

~~~
SoftwareMaven
Sure, but then all of your data is only as safe as that key server. And if you
lose your key/password to it, you are just as hosed.

It really comes down to two options: take care of your key by yourself, have
best security and highest risk of loss or share your key with somebody else,
reduce your security, and have a fallback against key loss.

My company is working on easy-to-use security. One of the things we are
looking at is a middle-ground using key-splitting algorithms to give you very
nearly as much security as the first with the fallback of the second.

------
derrida
"Every feature is someone else's bug."

