
Cryptography May Not Be Dead, But It Is on Life Support - rsobers
http://blog.varonis.com/cryptography-may-dead-life-support/
======
codex
Cryptography is not dead. Just because some motivated governments can
theoretically attack your machine does not mean that cryptography is not
useful, because for 99.9999999% of us, that outcome will never happen--and if
it does happen, the information will not leak to those you want to keep it
from (unless that's the government, of course). Cryptography still keeps us
safe from all but three or four entities.

Put another way--the FBI can sneak into my apartment any time they want by
picking my lock, but I still lock my door.

~~~
ds9
Cryptography is alive and well, but not because we can redefine the goals to
disregard the most powerful adversaries. It's alive and well because there are
ciphers that remain essentially unbreakable and are likely to remain so in the
foreseeable future.

The title is somewhere between misleading and dishonest. It's like saying that
door locks are "dead" because burglars can go in the windows - in reality
there's nothing wrong with the door locks, and the correct response is not to
abandon the door locks but instead to secure the windows too (no pun
intended).

The fact that there are side attacks is not a flaw of cryptography, rather it
is a part of the environment in which it is practiced, and besides the
attackers' workarounds are in principle subject to being defeated or avoided.

~~~
chris_mahan
One does not need to break the cyphers if one can obtain the decryption keys,
either by locating them, or "enhanced interrogation techniques" them out of
biological systems.

~~~
mpyne
Neither of which enable _mass_ surveillance though, which is the major threat
from what I can tell. Rubber-hose cryptanalysis has been possible since the
Caesar cipher.

~~~
chris_mahan
If there were hundreds of millions of sites to compromise, I agree. But if one
obtains, and keeps obtaining, Google, Facebook, Microsoft, and Yahoo private
certificates, then one can access the private information of billions of
people.

------
vezzy-fnord
I absolutely detest FUD about quantum computing and how it's going to "destroy
all cryptography; there's no use anymore", completely ignoring the fact that
only asymmetric systems based on DLP and IFP will be compromised due to the
efficiency of Shor's algorithm.

I always get particularly pissed because it makes the average person think
it's no longer useful to encrypt their data, thus making them a vulnerable
target. I wonder if it's a deliberately orchestrated disinformation campaign.

~~~
ReidZB
> only asymmetric systems based on DLP and IFP will be compromised due to the
> efficiency of Shor's algorithm.

Quantum computing has larger implications than that. For instance, AES with
128-bit keys will need to be phased out since Grover's algorithm would allow a
2^64 time known-plaintext search. MD5 will likewise require 2^64 time to find
a preimage, despite its resistance so far to non-quantum preimage attacks.

You should not discount that "only" asymmetric schemes based on DLP/IFP will
be vulnerable, either. Much of our current key-exchange implementations do not
have post-quantum strength at present.

Still, as you say, it is not "end of the world" status for cryptography. It
will just require a lot of effort on the part of system builders to implement
post-quantum constructions. The issue of backwards compatibility and
widespread implementations will (as it always is) be a significant hurdle.

It's my experience, however, that the average person doesn't know or care
about encrypting their data at all. It's almost certainly the opposite on a
site like reddit or HN, but anecdotally, when my parents' friends (as an
example) ask what I study and I say "cryptography," it's exceptionally hit-
and-miss if they'll even know what I'm talking about. (A nontrivial portion of
people think I've said "photography," actually!)

I've found that "encryption" is more widely-known than cryptography, but even
then, it's been my experience that most (non-techie) people have no clue about
it. But, I suspect that changes quite drastically given your social circle,
area of the world you live in, and culture.

------
ChuckMcM
Cryptography is not on life support any more than Schlage door locks are
"dead" because they can be picked by anyone with the tools and training to do
so, and kicked in by anyone able to bring more than 50 lbs to bear on the
lock.

When I've given security talks I've always tried to compare things like air
travel, which isn't 100% safe (planes do fall out of the sky) but is 100%
"worth it" for most of us. And most of us won't be the focus of a government
investigation.

So the reasoning that we can't make systems 100% secure, therefore security is
dead, doesn't persuade me.

What will be interesting though is the use of cryptography to protect things
like our pin numbers at the checkout line. That is an area that needs
improvement right away.

~~~
agreenjay
Thanks for this comment. This is probably closer in spirit to Schneier's view.
And his big point is that we can do more to prevent _mass_ collection of data
through strong crypto-- a good door lock and bolt. It appears to me -- I was
at the conference and wrote the article--that many in the community are
surprised/impressed by how effective APTs and other techniques--packet
injection-- are at getting around the lock.

------
greenyoda
" _They had a system that looked for phones moving towards each other, turned
off and then turned on when they are turning away from each other. Looking for
secret meetings._ "

And that probably wouldn't require a lot of computation either, since very few
people would turn their phones off while going somewhere and then turn them on
again. So the people who are doing this are smart enough to know that they can
be tracked by their cell phones, but not smart enough to know that turning
them off and on again calls a lot of attention to themselves.

So if you're going to a secret meeting that you don't want the NSA to know
about, leave your phone at home.
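
As an added example (not from the thread or the article it discusses), here is a toy version of the "converge, go dark, diverge" heuristic quoted above, run over constructed telemetry. Coordinates are planar units rather than GPS, the thresholds are my assumptions, and the last check shows why leaving the phone at home (no telemetry at all) is what actually defeats it:

```python
# Added example, not from the thread or the article: a toy version of the
# "converge, go dark, diverge" heuristic quoted above, run over constructed
# telemetry.  Coordinates are planar units rather than GPS, and the time and
# distance thresholds are my assumptions.
from itertools import combinations
from math import hypot

# Constructed telemetry rows: (time, phone, kind, x, y); kind is "ping", "off"
# or "on", and off/on rows carry no position.  A and B walk toward each other,
# both switch off, and walk apart after switching on.  C commutes alone.
EVENTS = [
    (0, "A", "ping", 0.0, 0.0), (0, "B", "ping", 10.0, 0.0),
    (5, "A", "ping", 3.0, 0.0), (5, "B", "ping", 7.0, 0.0),
    (6, "A", "off", None, None), (7, "B", "off", None, None),
    (40, "A", "on", None, None), (41, "B", "on", None, None),
    (42, "A", "ping", 4.0, 0.0), (42, "B", "ping", 6.0, 0.0),
    (47, "A", "ping", 1.0, 0.0), (47, "B", "ping", 9.0, 0.0),
    (0, "C", "ping", 50.0, 50.0), (5, "C", "ping", 52.0, 50.0),
    (6, "C", "off", None, None), (40, "C", "on", None, None),
    (42, "C", "ping", 54.0, 50.0), (47, "C", "ping", 56.0, 50.0),
]


def dark_windows(events):
    """Per phone, list (t_off, t_on, before, after): the two positions just
    before each power-off and the two just after the matching power-on."""
    by_phone = {}
    for ev in events:
        by_phone.setdefault(ev[1], []).append(ev)
    out = {}
    for phone, evs in by_phone.items():
        evs.sort(key=lambda e: e[0])
        pings = [(t, x, y) for t, _, k, x, y in evs if k == "ping"]
        offs = [t for t, _, k, _, _ in evs if k == "off"]
        ons = [t for t, _, k, _, _ in evs if k == "on"]
        windows = []
        for t_off, t_on in zip(offs, ons):  # assumes off/on strictly alternate
            before = [(x, y) for t, x, y in pings if t < t_off][-2:]
            after = [(x, y) for t, x, y in pings if t > t_on][:2]
            if len(before) == 2 and len(after) == 2:
                windows.append((t_off, t_on, before, after))
        out[phone] = windows
    return out


def dist(p, q):
    return hypot(p[0] - q[0], p[1] - q[1])


def secret_meetings(events, sync_window=5, near=5.0):
    """Flag phone pairs that were closing on each other and within `near`
    units, went dark within `sync_window` of one another, came back within
    `sync_window` of one another, and then moved apart."""
    dw = dark_windows(events)
    hits = []
    for a, b in combinations(sorted(dw), 2):
        for t_off_a, t_on_a, bef_a, aft_a in dw[a]:
            for t_off_b, t_on_b, bef_b, aft_b in dw[b]:
                if (abs(t_off_a - t_off_b) > sync_window
                        or abs(t_on_a - t_on_b) > sync_window):
                    continue
                closing = dist(bef_a[1], bef_b[1]) < dist(bef_a[0], bef_b[0])
                close = dist(bef_a[1], bef_b[1]) <= near
                parting = dist(aft_a[1], aft_b[1]) > dist(aft_a[0], aft_b[0])
                if closing and close and parting:
                    hits.append((a, b, t_off_a, t_on_a))
    return hits
```

The join is cheap precisely because power-off events are rare: the candidate set is the handful of phones that went dark, not the whole population. Dropping phone B's rows entirely (the phone stayed home) yields no hit; only the off/on pair next to a co-located phone does.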

------
agreenjay
A few of my thoughts. Bruce did make an important point during his
presentation, which I didn't write about in the piece. Whenever possible the
NSA goes around crypto and other security. The agency has immense power--
through, for example, QUANTUM Insert and redirecting to Foxacid servers--to
target individuals. The real-issue is _BULK_ collection, and that's where
strong crypto will help when placed on endpoint devices and of course at the
backend. In this sense: if we make it more expensive and more difficult to get
at the data, the NSA will go after easier targets--this is kind of implied in
some of the Snowden documents according to Bruce. So crypto is "less
important" because if they really, really want to governments and next-gen
cyber thieves will get at some of the data. But there are a lot of
conventional techniques--better authorization controls, and constant
monitoring of activity-- along with encryption that can limit the amount of
data that's exposed.

------
yeukhon
Disclaimer: I went to the conference (well, it's actually my school). The
following was supposed to be addressed during the Q&A but I could only ask one
question... sorry for the long rambling.

This is the golden age for cryptography, thanks to education and hardworking
people.

People are actively attacking our cryptographic knowledge and our
implementations. As controversial as it may sound, if it weren't for all the
active attacks on our cryptographic infrastructure, we probably would still be
okay with RC4 and MD5. Of course we know they are weak and they are not reliable.

So let's thank everyone, including the state-sponsored attackers.

This is a golden age because we have long known that relying on mathematical
hardness assumptions is not safe. Maybe a decade later someone discovers a
theorem to factor large numbers very efficiently, and then boom, all the
encrypted communications using RSA will be broken. We are slowly moving away
from that kind of dependency. We think there are better ways to solve our
encryption. Much like in the 20th century the arms race gave rise to active
advancement in all disciplines of engineering and science, cryptography is
also growing.

Thanks to all the attackers out there we now know it is important to teach
everyone about computer and web literacy. We know this should be part of
education. In addition, we must make tools more accessible to users. At
#realworldcrypto 2014 someone said PGP has been around for what, two decades?
Why isn't everyone in the tech community using it? Why are my non-geek friends
not using it? Why am I not using it? Servers that retain user data or transfer
user data should all be over HTTPS now. Implement a 301 redirect on HTTP
endpoints and on HTTPS endpoints add the HSTS header. Implement
Content-Security-Policy to harden what resources can be loaded on your
website. Add X-Frame-Options to control whether you want your site to be
framed/iframed or not. I can go on and on but you get the point. This is a
long battle and not easy to fix.

Cryptography is not dead. What is dead is our assumption that we can rely on
assumptions and that kind of dependency is going to harm us some time in the
future. For how many more years? We don't know. It is possible no one can ever
come up with an efficient algorithm to break factoring.

Yes. One problem in cryptography has to do with key storage. I see that in
the future HSMs will be cheaper and people can enjoy that as opposed to a
plaintext file in your $USER/.ssh/ directory. Look, cryptography is not a
silver bullet. You can't stop people from making mistakes, but we can look at
what things can be improved to make mistakes fail quickly and safely. Idea?
Maybe instead of one key, we have multiple partial keys stored on multiple
servers? But key management and key synchronization is going to be a
headache. And look, if someone injects malware into the network and has some
inside knowledge of the network, there is very little you can do.

Never confuse the NSA revelations as meaning we must implement things so
secure that we can't even tell Bob is Bob. We can't have 100% anonymity and we
can't enforce that. The world needs interaction. The ability to choose is the
right direction and I hope companies will start to realize that we don't live
in the 80s anymore.

The hardest problem to solve is to tell whether the server is doing what it
says. People are working on verifiable search but what about whether a site is
actually hashing your password? Client-side encryption is important and
multi-identity remains to be solved. Personally, I'd like to see Persona
widely used so I can just set up my own federated authentication server to
authenticate my own email.

Again, as controversial as it may sound, knowledge exists because we can
think, and because we can think we have desires and goals. Knowledge doesn't
grow on trees. It is always accidental and incidental. We don't start
inventing things out of thin air. I like the idea of knowledge as Yin-Yang. We
don't start having cryptography because there is such a thing called
cryptography. Because we want secrets to be hidden and safe from
eavesdroppers, we invented substitution cipher schemes. Because we now have
digital communication and we need to prevent MitM, we need better
cryptography, and this is why RSA and DHE are useful. We know SHA was never
meant for hashing passwords because it's fast, so we invent other kinds of
cryptographically hard hashing algorithms like bcrypt and scrypt. If it
weren't for Miller's paper on fuzzing, we probably would have neglected fuzz
testing and our unix command line tools would probably continue to fail hard.
If it weren't for the NSA, how many of us would ever pay attention to the
problems in OpenSSL and RNGs? There is always a constant Yin-Yang interaction
in the pursuit of knowledge. One nice property of security proofs is that we
always have to model the evil in our proof construction...
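
The HTTPS hardening steps yeukhon lists (301 from plain HTTP, HSTS, Content-Security-Policy, X-Frame-Options), as an added example that is not code from the post or from any site it mentions. It is a small WSGI app plus an audit function for checking an existing site's response headers; the header values and the six-month HSTS floor are my baseline assumptions, not values the post gives:

```python
# Added example, not code from the thread: the HTTPS hardening steps listed
# above (301 from plain HTTP, HSTS, CSP, X-Frame-Options) as a small WSGI app,
# plus an audit function for checking an existing site's response headers.
# Header values below are my baseline assumptions, not values the post gives.
from urllib.parse import quote
from wsgiref.simple_server import make_server

SECURE_HEADERS = {
    # One year, covering subdomains; browsers then refuse plain HTTP outright.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    # Same-origin resources only, no inline script, and no framing by anyone.
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    # Legacy framing control for browsers that predate frame-ancestors.
    "X-Frame-Options": "DENY",
}

MIN_HSTS_AGE = 180 * 24 * 3600  # six months; below this HSTS is barely useful


def redirect_target(environ):
    """Rebuild the requested URL under https://, keeping host, path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def is_https(environ):
    # Only the socket's own scheme is trusted here.  X-Forwarded-Proto would be
    # the right signal behind a TLS-terminating proxy, but only from that proxy.
    return environ.get("wsgi.url_scheme") == "https"


def app(environ, start_response):
    """Plain HTTP gets a 301 to the HTTPS URL; HTTPS responses carry SECURE_HEADERS."""
    if not is_https(environ):
        start_response("301 Moved Permanently",
                       [("Location", redirect_target(environ)),
                        ("Content-Length", "0")])
        return [b""]
    body = b"hello over TLS\n"
    headers = [("Content-Type", "text/plain; charset=utf-8"),
               ("Content-Length", str(len(body)))]
    headers += list(SECURE_HEADERS.items())
    start_response("200 OK", headers)
    return [body]


def call_app(environ):
    """Drive app() in-process and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def audit_headers(headers):
    """Return a list of findings for a response's headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    max_age = 0
    for directive in h.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    if max_age < MIN_HSTS_AGE:
        findings.append("HSTS missing or max-age below six months")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in (csp or "") and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("framing not restricted by frame-ancestors or X-Frame-Options")
    return findings


if __name__ == "__main__":
    # Plain-HTTP listener for local experiments; a real deployment terminates
    # TLS in front of this and sets wsgi.url_scheme accordingly.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Two points worth noting: the redirect preserves path and query so bookmarks keep working, and HSTS is only sent on the HTTPS response, because browsers ignore it over plain HTTP anyway.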

~~~
saraid216
> Never confuse the NSA revelations as meaning we must implement things so
> secure that we can't even tell Bob is Bob. We can't have 100% anonymity and
> we can't enforce that. The world needs interaction. The ability to choose is
> the right direction and I hope companies will start to realize that we don't
> live in the 80s anymore.

I want to quote this for emphasis.

One of the huge mistakes that drives our current despair is the unconscious
ideal of a world where we aren't significantly interacting except through
anonymous transactions. This isn't tenable. More importantly, this isn't
_human_. Privacy is less about having security and more about convincing other
people to avert their eyes. That's why the fault is on the NSA, not on, say,
messaging protocols. Privacy is _not_ sneaking into someone else's home. The
burden of maintaining privacy is on the person who could violate it.

~~~
twobits
"We can't have 100% anonymity and we can't enforce that."

We can and should have pseudonymity.

"That's why the fault is on the NSA [..] The burden of maintaining privacy is
on the person who could violate it."

Then we should abolish the police too. Criminals will just feel bad knowing
they are at fault. Who is to blame, is irrelevant to how you address a
problem.

~~~
saraid216
> We can and should have pseudonymity.

We already do. We've always had pseudonymity.

> Then we should abolish the police too. Criminals will just feel bad knowing
> they are at fault. Who is to blame, is irrelevant to how you address a
> problem.

Don't forget journalists, whose entire purpose is breaking boundaries created
by privacy.

------
nullc
Nothing is absolute, you might be hit by a meteor in the next moment. So what
that there is a non-zero chance that if you're targeted by the right parties
you may not be able to keep secrets?

Moreover, cryptography is more than just secret keys being kept secret.

For an example of cryptography which doesn't depend on secrecy, consider
SNARKs (succinct non-interactive arguments of knowledge): E.g. I can run a
program and give you its output along with a compact proof that the output was
the faithful output of the program. The size and complexity of verifying the
proof is only a product of the cryptographic security level. Given
cryptographic assumptions it is computationally infeasible for me to generate
a fake proof.

The ability to prove the validity of execution in basically no more time than
it takes the read the program being verified is a very powerful result of
cryptography which doesn't depend on secrecy.

(The most efficient constructions of this currently need some secret data, but
it's not a fundamental requirement)

------
thrush
Security is on Time Period Zero (Day Zero, and Year Zero didn't really seem to
be the right terms). What we need in Crypto is awareness and ubiquitous use.
Additionally, it is not a fast moving concept. It will be long periods of
sweat and churning before the internet is reasonably safe to use (I use the
word reasonably, because anyone familiar with security understands that
Perfect Security is not feasible. Rather we strive for security with
negligible chance of failure).

If nothing else, Bitcoin as a protocol is a ray of hope for cryptography. If a
digital crypto-currency ever becomes widely used, then crypto will become
embedded in everyone's daily life (whether they're on Facebook and Gmail or
not).

Public-Private Key Crypto is a concept that has only been in practice for less
than 50 years. It has yet to be fully understood and implemented.

------
api
"Cryptography is dead" is a weird hypey framing. The problem isn't with crypto
but with the underlying system... crypto is only as secure as the place it's
performed.

------
qwerta
Cryptography is not dead, but useless. We are heading in direction where just
possession of random data will be criminal offense.

~~~
eli
How do you mean?

~~~
ReidZB
I'm not the OP, but:

Securely-encrypted data is supposed to be indistinguishable from truly-random
data --- this is the widely-used definition of security for encryption. If
laws are in place requiring that a user reveal any decryption keys upon a
court order, then a truly-random file will "look" encrypted and so you may be
ordered to provide your key to decrypt the file. Of course, it is truly
random, and there is no key, so you would be in contempt of court. Indeed,
assuming secure encryption, there is no way to prove that a truly random file
is _not_ actually encrypted.

In an extreme case, where the state outlaws secrets entirely, possession of
truly-random data will look like you are attempting to hide secrets.

~~~
AnimalMuppet
Also note that truly random data can encrypt other data simply by XORing it.
That is, truly random data can in fact be a cryptographic key, if you use it
as one.

------
hydralist
How about 10 factor authentication?

------
chris_mahan
Cryptography is very dead. Cryptography relies on the keys being kept private.
The keys must be on computers to be usable. Computers can be compromised,
therefore the keys can be compromised, therefore the encrypted payloads can
be decrypted. Any question?

And by "Computers can be compromised", this means computers also cannot be
trusted to hold any sensitive data.

~~~
TacticalCoder
I don't totally disagree but... What about encrypting your message on a fully
offline computer, like what Schneier is now doing if I'm not mistaken?

What if both him and his recipient do the same? Then you need physical access
(and unnoticed physical access I'd add) to the offline computer to be able to
decrypt right?

And physical access doesn't scale.

~~~
pyre
Devil's Advocate:

What if they swap Schneier's USB key (or drive) with one that will exploit the
USB stack on his offline computer (disabling 'auto-mount' won't help you
here)?

Yes, it's a physical access attack, but physical access to his person might be
easier to achieve (while remaining unnoticed) than access to the offline
computer.

~~~
MichaelGG
I think the idea is to use simple physical media, like CDROM, where hiding a
malicious payload is far more difficult since there's no embedded electronics
on a disc.

If that's too cumbersome, one could always implement a simple teletype-like
system with a low bitrate. Like an automatic machine that can physically press
keys on a keyboard. Then remove every key except letters, numbers, shift and
tab.

You could use a similar system or OCR to get data off the gapped machine.

~~~
pyre
One could, but IIRC Schneier has mentioned using a USB drive (though it could
all be a clever ruse to throw off the NSA ;-).

