Schneier on Security

Clive Robinson • August 23, 2014 12:28 AM

@ Joseph Arpaia,

You’ve missed the point of the comment.

The problem is that all the definitions boil down to either “random” or “chance” neither of which has a usefull definition in a dictionary or else where for that matter.

Try thinking about how you would explaining what chance or random is to a six year old, then the much harder task of explaining it to an adult who already thinks they know what chance or random is. And don’t cop out to arm waving or saying “you know” or avoiding it by using other words such as probability that when you strip off the mumbo jumbo come back to chance or random.

With regards random in mathmatics you have “determanism” which has the outlook that random does not exist, it is just “unpredictability” that is the value of a random variable is always found by a determanistic process, but the process is not discernible by an observer of the random variables value. As one might say “In the opposite corner” are those that take the rival Bayesian interpretation of probability, which choses to believe in the unexplainable chance or random as an axiom. They seek to charicterise the changing values of a random variable and charecterise it as a curve on a graph and call it a distribution. The fact that you get distributions that are not flat is seen by some as a point in favour of the determanists view point. Either way statistics is a usefull tool for people dealing with non complex physical objects and processes.

More recently we have another contender which some consider to sit in between the other two camps and these are the mathmaticians investigating chaotic systems, they will quite happily point out that the unpredictable nature of a dice roll is infact a chaotic process. Without going into details broadly a chaotic process is one that is determanistic in nature, but so sensitive to it’s starting values that the output is in effect unpredictable. There are however other views in other fields of science one of which is quantum physics, whilst random has worked for them for a century, it’s begining to show cracks at the seams which is causing some to revisit early ideas that were discarded for one reason or another. One view is that behind the quantum randomness is a determanistic process we cannot see or measure directly in our perceived three dimensional universe but that make sense in higher dimensions. But again is this notion of what we see is unpredictable.

But what does unpredictable mean, as already indicated from one point of view it implies a hidden determanistic process which is not readily apparent to the observer of the process output as expressed by the values of a random variable. Yet to others it implies that there is no pattern discernible and that there is ultimately something that is unknowable, that can not be predictable no matter what invention of mankind is brought to bear on the values of a random variable.

There is a fly in the ointment, which is the mathmatical notion of a one way function conceptualy it is a function which is easy to compute in the forwards direction, but hard to invert to find the input from any known output values. There are other constraints on the definition and the meanings of easy and hard may not be what you expect, nor for that matter do we have proof that the exist. However the bulk of cryptography rests on the notion and it’s used in the logic of hashes and block and stream ciphers as well as the more informal idea of mathmatical ciphers like Public Key.

As FEAL demonstrated on repeated occasions, the idea of what is and is not invertable can change quite quickly and what was assumed to be non invertable with an unpredictable output today is found to be invertable by new statistical methods thus is relegated from unpredictable to predictable (under certain constraints).

Thus there is a notion of degrees of unpredictability and this is where the problem hits the points. Few people have any idea about why a function or process might be unpredictable against an attacker, and thus chose what appears unpredictable to them. The fact others such as an attacker might find that trivially invertable and thus easily predictable does not figure in their calculations.

Thus without guidence they are very likely to make the wrong choices, which is the primary point.

The secondary point I was making, is that we currently have no way to test what is a good or bad choice except by trial and error, and most times we find error at some point. Thus it is not possible to “know” definitively “how to randomize correctly” it is now and will remain for the forseable future an open question, not just philosophically but theoretically, and to a certain extent practically.

Clive Robinson • August 23, 2014 11:08 AM

@ Winter,

I think this is simply Kolmogorov (algorithmic) complexity

It would be nice to “think this is simply Kolmogorov complexity” (KC) problem but the idea only partly works in theory for bounded vectors of finite length and not at all for unbounded entropy generators (if they exist).

The simplest informal example of a KC generator is a program which wraps around the desired output and prints it, this obviously implies stored state which provides an upper bound on the output.

It can be trivialy shown [1] that the longest possible output of all 1s or all 0s in such a –non degenerate– stored state generator system is 3n-2 where n is the size of the state, and further the complexity in simple gates of the update function has a maximum relating to 2^n(n+1) + Cn simple gates (where Cn is the gates required to update the storage elements in the array and 2^n(n+1) the gates in an efficient ROM to map the update function).

It can further be shown that by the use of a divide an conquer algorithm that the maping function can be reduced substantialy by the use of the equivalent of an n bit counter and successive simple maps that reproduce the sequency output of the generator –such as a Grey Code or Walsh generator– if and only if the generator output is compressable efficiently in some way.

This can be seen as the equivalent of a Turing engine driving a chain of Turing engines however each engine requires it’s own Tape which is the equivalent of increased internal state in the generator. Thus there is on some rare occasions the possibility of reducing the gate count of a complex stateless mapping function by swaping the number of gates in the statless update function with the use of increased secondary state within the Turing engines. By definition this means the usage of the state within such a system is sub optimal for any given algorithm.

But it gets worse, it is axiomatic that the set of all possible output strings, –for any given generator state size,– that by far the majority of the set members are “complex” in the sense that they cannot be compressed in any significant way. Thus, it turns out that the complexity of any given set member cannot be formally proven if the complexity of the string is above a certain unknown threshold. Which in turn means we cannot know if we have found a set member that is amendable to compression or not which means we cannot for the majority of set members say there is let alone find an efficient compression algorithm.

Obviously this is a problem, in that by far the majority of generators can not be differentiated between a counter driving a random map –which is only invertable by brut force methods that have significant limitations– and an efficient algorithm or what is regarded as an unbounded or true random generator. And the inverse of this is above a certain set of bounds set by the laws of physics we cannot tell in by far the majority of cases if the output of any generator we observe is produced by a true entropy generator or some kind of determanistic generator. Further if it is determanistic we have no reliable way to see if the sequence the generator produces has hidden markers that alow an adversary to reliably predict the next bit or entire series of bits from the generator.

Whilst this might still be acceptable for “just a one off password generation” it rapidly becomes a liability when the actual output state becomes known to an adversary. The problem then shifts from brut force searching or random guessing to finding an offset from a known starting position, which can be trivial to do.

As for finding a known start point you may at some point have set up an account on a machine under the control of an adversary or one due to a man in the middle or known key attack, the adversary can see the plaintext of the password being sent. As we know the NSA amongst others is known to have had available to use all of these attack methods for several years….

Thus the XKCD system fails on at least two counts, the first is not specifing a suitable random source, the second is not reusing words in the selection list in any future passwords.

That is the list of a thousand words is updated with a new word to replace a selected word for use in a password or for other purposes.

This obviously has practical limits so a lesser constraint is to ensure that if a word that has been used in the list before, it is not added back to the list in the same position as at any previous time and does not get used more than a quater of the list size times.

[1] The proof is simply this assume a binary storage array of length n and an update mechanism without state that maps one output to another –different– state in the storage array. The maximum length of any state patern is n bits the nearest patterns to this differ by one bit n-1 at either end of the array a simple three bit array would be 111 with 011 & 110 being the two n-1 patterns. Thus the maximum 1s output would be 011 111 110 giving seven set bits or 3n – 2 = 3×3-2 = 7. It can also be trivialy shown that in a degenerate state where one state updates to the same value that this can easily be compressed by a simple program that repeatedly prints out the same n bit length pattern. It can also be shown trivialy that either the state array update mechanism will not have a degenerate pattern and thus provide a total output of 2^n unique n bit patterns or it will either only produce a lesser pattern of unique n bit patterns before repeating them. Thus the upper bound on any given generator output pattern will be 2^n x n bits. Less trivialy it can be shown that any such string can be analysed to find it’s underlying sequency using Walsh transforms, and this will provide limits on the potential compressability –without adding aditional state– thus algorithmic complexity (in gates) of the output sequence from the generator (think of the state array as a counter of n bit length driving a gate array of unknown number of simple gates which map the output values, up to the limiting value of an efficiently implemented ROM of n bit address and n bit data output).

Clive Robinson • August 24, 2014 3:02 PM

@ Mr C,

With regards your point two,

I actually think you’ve got it the wrong way around, many of us have a healthy waryness of users intelligence.

In engineering there is a very old saying “Foolproof is easy, but there’s never a fool around”. That is your average user is far from being a fool / idiot / uninteligent, which makes them dangerous.

As Bruce and others have pointed out user incentives are misaligned. When it comes to a choice between meeting your boss driven targets or the CIOs security bleatings, you know which way the user is going to go. Thus they devote consideravle inteligence in developing short cuts arround, and removing security barriers, not just for themselves but their co-workers.

It’s a “no brainer” bread on the table today beats a possible job loss six months or more down the line after a possible security breach.

If organisations want security for real and not just for audit, then those at the very top have to “buy in” and align incentives accordingly. However if they are too draconian than the best employees will move on as only the unwanted time servers and dross will put up with the regime….