Current Crypto Trends with Bruce Schneier 196
Saint Aardvark writes "SecurityFocus has published an interview with Bruce Schneier. Fascinating stuff, especially the level-headed assessments of the NSA, spam and the impact of full disclosure: 'Q: Since most crypto protocols on the internet, such as SSL or SSH, uses public-keys to build a secure channel, wouldn't a unexpected public disclosure create a chaos on the internet ? A: No. Chaos is hard to create, even on the Internet. Here's an example. Go to Amazon.com. Buy a book without using SSL. Watch the total lack of chaos.'"
Article text, ROT13'd for the paranoid (Score:5, Funny)
V'z n frphevgl grpuabybtvfg. Zl pnerre unf orra n frevrf bs trarenyvmngvbaf. V fgnegrq jbexvat va pelcgbtencul: zngurzngvpny frphevgl. Gura V ernyvmrq gung nyy gur pelcgbtencul va gur jbeyq jba'g uryc vs gur pbzchgre vf vafrpher, naq nyy gur pbzchgre frphevgl jba'g uryc vs gur argjbex vf vafrpher. Fvapr gura, V unir orra pbapragengvat zber ba gur fbpvny naq rpbabzvp nfcrpgf bs frphevgl, ernyvmvat gung nyy gur grpuabybtl va gur jbeyq jba'g uryc vs gubfr nera'g qbar evtug.
Zber ba zl onpxtebhaq pna or sbhaq ba fpuarvre.pbz
AFN yvprafrq Pregvpbz'f RP cngragf sbe $25 zvyyvba ynfg lrne, naq erpragyl naabhaprq gur arj HF tbireazrag fgnaqneq sbe xrl nterrzrag naq qvtvgny fvtangherf, pnyyrq Fhvgr O. Vg hfrf Ryyvcgvp Pheir Qvssvr-Uryyzna (RPQU) naq Ryyvcgvp Pheir Zrarmrf-Dh-Inafgbar (RPZDI) sbe xrl nterrzrag, naq Ryyvcgvp Pheir Qvtvgny Fvtangher Nytbevguz (RPQFN) sbe fvtangher trarengvba/irevsvpngvba. Qb lbh guvax gung AFN vf cebzbgvat RPP onfrq pelcgb orpnhfr gurl pnaabg penpx EFN/QFN onfrq bar ?
V qb abg. V oryvrir gur AFN oryvrirf gung RPP vf fgebat. V jebgr nobhg RPP urer:
uggc://jjj.fpuarvre.pbz/pelcgb-tenz-9911.ug zy#Ryyv cgvpPheirChoyvp-XrlPelcgbtencul
Nygubhtu V jebgr gung va 1999, V nz fgvyy fxrcgvpny nobhg ryyvcgvp pheirf.
Be znlor whfg orpnhfr gurl pna penpx EFN/QFN gurl cersre gb cebgrpg HFohfvarff jvgu RPP (fhccbfrq gb or uneqre gb penpx)?
Jvgu fhssvpvrag xrl yratguf, nyy bs guvf vf hapenpxnoyr. V qba'g oryvrir gung gur AFN unf nal frperg zngurzngvpf gung gurl hfr gb oernx EFN/QFN be RPP.
Jbhyq n dhnaghz pbzchgre qb gur wbo ?
Va gurbel, lrf. Va cenpgvpr, jr unir ab vqrn ubj gb ohvyq bar gb qb vg. Znlor va svsgl lrnef. Be gjragl-svir.
Fbzr gvzr ntb lbh pb-nhguberq n cncre ba fbsgjner zbabcbyl evfxf. Jung nobhg pelcgb zbabcbyl? Qba'g lbh guvax gung univat whfg n pbhcyr bs choyvp-xrl nytbevguzf onfrq ba gur fnzr zngu ceboyrz pbhyq yrnq gb n pngnfgebcur vs penpxrq ?
Gur frphevgl nqinagntrf bs n pbzzba pelcgbtencuvp nytbevguz sne bhgjrvtu gur qvfnqinagntrf. V'ir jevggra nobhg gung nf jryy:
uggc://jjj.fpuarvre.pbz/pelcgb-tenz-9904.ugzy#qv ss rerag.
Jung jbhyq lbh qb vs lbh sbhaq n fbyhgvba gb gur snpgbevmngvba ceboyrz?
Nal pelcgbtencure, vs gurl sbhaq fbzrguvat fb fvtavsvpnag nf n fbyhgvba bs gur snpgbevmngvba, jbhyq choyvfu gurve erfhygf. Fhpu n qvfpbirel jbhyq yvxryl erfhyg va cebsbhaq punatrf va ubj jr ivrj ahzore gurbel, naq jbhyq or gur zngurzngvpny qvfpbirel bs gur qrpnqr...naq znlor rira zber vzcbegnag.
Fvapr zbfg pelcgb cebgbpbyf ba gur vagrearg, fhpu nf FFY be FFU, hfrf choyvp-xrlf gb ohvyq n frpher punaary, jbhyqa'g n harkcrpgrq choyvp qvfpybfher perngr n punbf ba gur vagrearg ?
Ab. Punbf vf uneq gb perngr, rira ba gur Vagrearg.
Urer'f na rknzcyr. Tb gb Nznmba.pbz. Ohl n obbx jvgubhg hfvat FFY. Jngpu gur gbgny ynpx bs punbf.
Va gur frphevgl pbzzhavgl gurer ner inevbhf jnlf bs guvaxvat nobhg ihyarenovyvgvrf qvfpybfher (choyvp-, shyy-, erfcbafvoyr-, ab-). Jung vf gur fvghngvba va gur pelcgb pbzzhavgl ? Jung glcr bs qvfpybfher cebprff vf gurer ?
Zbfg frphevgl cebsrffvbanyf oryvrir va shyy qvfpybfher, naq pelcgbtencuref ner ab rkprcgvba. Gur nqinaprzrag bs gur fpvrapr vf orfg freirq ol gur serr rkpunatr bs vqrnf.
Jul vf bsgra hfrq n zbarl-erjneqrq punyyratr gb irevsl n pelcgb nytbevguz?
Orpnhfr vg'f serr pbafhygvat jbex, naq zbarl vf na nggrzcg gb nqq fbzr svanapvny vapragvir. Zbfg bs gur gvzr vg'f n funz. Juvyr gurer ner fbzr yrtvgvzngr pbagrfgf, zbfg ner whfg nggrzcgf gb tnva choyvpvgl.
Erpragyl fbzr cncref nqqerffvat unfu shapgvbaf jrer choyvfurq, naq lbh fhttrfgrq ba lbhe oybt gung vg'f gvzr gb trg gb jbex ercynpvat FUN. Lbh jebgr: "Gur AVFG nyernql unf fgnaqneqf sbe ybatre -- naq uneqre gb oernx -- unfu shapgvbaf: FUN-224, FUN-256, FUN-384, naq FUN-512. Gurl'er nyernql tbireazrag fgnaqneqf, naq pna nyernql or hfrq. Guvf vf n tbbq fgbctnc, ohg V'q yvxr gb frr zber." Jul q
within (Score:4, Funny)
Zonk.. (Score:1, Funny)
Has a weak password.
Re:Interesting interview... (Score:5, Funny)
AA Roadwarrior Bruce Schneier article (Score:5, Funny)
"Bruce Schneier
Minneapolis, Minnesota
I had a free day on a business trip to Seoul, so I decided to do a bit of sightseeing. Yoseu, a random town at the end of a train line, seemed as good a place as any to explore, so I bought a round-trip ticket.
The market was still crowded even though it was dusk by the time my train arrived. I stopped in front of what looked to be a restaurant. On the floor in front of the store were water-filled pails with things inside. I recognized squid in one, oysters in another, and clams in a third. There were three others: orange bulbous things with puckers, long brown things with puckers, and long smooth white things that half floated and half sank. I assumed they were all alive.
The woman who sat behind this menagerie looked up at me. I pointed to the orange things, pointed to the brown things, pointed at the tables inside of the store, and smiled.
She smiled back, got up, and walked into the restaurant. I followed her.
There were four long tables, all empty. I sat down at the far table. The woman brought three orange things and three brown things and proceeded to clean them. She set two bowls of water out in front of her: a green one and a white one. She cut open the orange things and put the orange insides in the green bowl, and the orange outsides in the white bowl. Then she cut open the brown things and put the brown outsides in the green bowl with the orange insides, and the brown insides in the white bowl with the orange outsides. I didn't have the foggiest idea which bowl was for eating and which was for throwing away.
After she was finished, she started cutting up the orange insides and the brown outsides. All I could think at this point was: Please cook this. Whatever you do, please cook this. Then I noticed that there wasn't a stove anywhere.
She put the orange and brown things on a plate and set it in front of me. Then she gave me a bowl of hot sauce, a bowl of kimchi, and a cup of cold tea.
I looked at my plate. I didn't even know what phylum the stuff came from.
She then presented something to me with a flourish and a big smile. It was a fork. Well, I had to take it. I really didn't want it, but she'd probably had this fork for years, it was probably her only one, and I was probably the first American brave enough to eat there. I couldn't spoil it for her.
I took the fork and stabbed a brown thing. She was watching me as I put it in my mouth. It was chewy, but it tasted pretty good. I tried an orange thing. It wasn't as good. I smiled at her. She smiled back and went outside.
She poked her head in from time to time. Once she brought a friend. She told her something in Korean. Probably something like: "Look at that. I gave him the orange insides and the brown outsides, and he doesn't even know the difference."
I just smiled. What else could I do?
Chief Technical Officer, Counterpane Internet Security, Inc.
Age: 41"
Speaking of Rob Schneider... (Score:1, Funny)
Re:Article text, ROT13'd for the paranoid (Score:4, Funny)
Man- what a letdown.
Re:Article text, ROT13'd for the paranoid (Score:3, Funny)
2. Post decrypter with original account
3. Proffit!
Re:Please stop abusing the English language (Score:5, Funny)
"Why is often used a money-rewarded challenge to verify a crypto algorithm?"
Yeah, but can the ate it too?
Re:Article text, ROT13'd for the paranoid (Score:5, Funny)
You think thats secure? For the ultra paranoid I've encrypted it into ROT26:
Could you introduce yourself ?
I'm a security technologist. My career has been a series of generalizations. I started working in cryptography: mathematical security. Then I realized that all the cryptography in the world won't help if the computer is insecure, and all the computer security won't help if the network is insecure. Since then, I have been concentrating more on the social and economic aspects of security, realizing that all the technology in the world won't help if those aren't done right.
More on my background can be found on schneier.com
NSA licensed Certicom's EC patents for $25 million last year, and recently announced the new US government standard for key agreement and digital signatures, called Suite B. It uses Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Menezes-Qu-Vanstone (ECMQV) for key agreement, and Elliptic Curve Digital Signature Algorithm (ECDSA) for signature generation/verification. Do you think that NSA is promoting ECC based crypto because they cannot crack RSA/DSA based one ?
I do not. I believe the NSA believes that ECC is strong. I wrote about ECC here:
http://www.schneier.com/crypto-gram-9911.html#Elli pticCurvePublic-KeyCryptography [schneier.com]
Although I wrote that in 1999, I am still skeptical about elliptic curves.
Or maybe just because they can crack RSA/DSA they prefer to protect USbusiness with ECC (supposed to be harder to crack)?
With sufficient key lengths, all of this is uncrackable. I don't believe that the NSA has any secret mathematics that they use to break RSA/DSA or ECC.
Would a quantum computer do the job ?
In theory, yes. In practice, we have no idea how to build one to do it. Maybe in fifty years. Or twenty-five.
Some time ago you co-authored a paper on software monopoly risks. What about crypto monopoly? Don't you think that having just a couple of public-key algorithms based on the same math problem could lead to a catastrophe if cracked ?
The security advantages of a common cryptographic algorithm far outweigh the disadvantages. I've written about that as well:
http://www.schneier.com/crypto-gram-9904.html#diff erent [schneier.com].
What would you do if you found a solution to the factorization problem?
Any cryptographer, if they found something so significant as a solution of the factorization, would publish their results. Such a discovery would likely result in profound changes in how we view number theory, and would be the mathematical discovery of the decade...and maybe even more important.
Since most crypto protocols on the internet, such as SSL or SSH, uses public-keys to build a secure channel, wouldn't a unexpected public disclosure create a chaos on the internet ?
No. Chaos is hard to create, even on the Internet.
Here's an example. Go to Amazon.com. Buy a book without using SSL. Watch the total lack of chaos.
In the security community there are various ways of thinking about vulnerabilities disclosure (public-, full-, responsible-, no-). What is the situation in the crypto community ? What type of disclosure process is there ?
Most security professionals believe in full disclosure, and cryptographers are no exception. The advancement of the science is best served by the free exchange of ideas.
Why is often used a money-rewarded challenge to verify a crypto algorithm?
Because it's free consulting work, and money is an attempt to add some financial incentive. Most of the time it's a sham. While there are some legitimate contests, most are just attempts to gain publicity.
Recently some papers addressing hash functions were published, and you suggested on your blog that it's time to get to work r
It's not a paradox... (Score:5, Funny)
Oblig. bash.org quote (Score:5, Funny)
Cthon98: hey, if you type in your pw, it will show as stars
Cthon98: ********* see!
AzureDiamond: hunter2
AzureDiamond: doesnt look like stars to me
Cthon98: AzureDiamond: *******
Cthon98: thats what I see
AzureDiamond: oh, really?
Cthon98: Absolutely
AzureDiamond: you can go hunter2 my hunter2-ing hunter2
AzureDiamond: haha, does that look funny to you?
Cthon98: lol, yes. See, when YOU type hunter2, it shows to us as *******
AzureDiamond: thats neat, I didnt know IRC did that
Cthon98: yep, no matter how many times you type hunter2, it will show to us as *******
AzureDiamond: awesome!
AzureDiamond: wait, how do you know my pw?
Cthon98: er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
AzureDiamond: oh, ok.