Schneier on Security

Clive Robinson • September 9, 2022 9:15 AM

@ Bruce, ALL,

“Just add it to the pile of blockchain’s many problems.”

Sadly it’s not just “blockchain” that has this problem.

Consider “data at rest” that has been encrypted for instance,

I have files around from the 1980’s that are enxrypted with DES in a susceptable mode. I think most would agree that they are nolonger realy secure.

I have two choices,

1, Leave as is.
2, Decrypt and re-encrypt.

But two issues arise,

3, Copies of original file.
4, My systems being watched.

If I decide to go for option 2 I’m making a terrible choice.

Because I will have to reveal to a system,

A, The old key.
B, The file plaintext.

If the system or me are being “watched” in some way then there is a high probability the old key will become known.

But there is also the problem that an attacker does not have to be “in my system” to obtain either the old key or the new key. Because if the attacker can get close there will almost certainly be “side channels” that can be utilized.

Remember with the cost of direct crypto attacks halving every nine to ten months and indirect via OS etc to the user side I/O of the security end point being found more than once a day, you are effectively,

“Caught between the Devil and the deep blue sea”

Or if you prefer,

“The frying pan and the fire”

My choice is stick with option 1, because there is no certainty there is not a copy of the file spirited away on some server somewhere just waiting for a mistake to be made, or for it to get to the head of the que to be cracked. Of the two, waiting for it to get to the head of somebodies que is probably safer in the longer term.

Clive Robinson • September 9, 2022 12:56 PM

@ JonKnowsNothing, Zaphor, ALL

Re : Steam rollered

Should that not be,

“Ils sont ecrases et goudronnes”

Something Terry Pratchett put in his will should be done to the hard drives of his computer setup.

Clive Robinson • September 10, 2022 3:47 AM

@ SpaceLifeForm, Ted, ALL,

Re : Is CoinBase doomed?

Just a web server problem, won’t fix until market conditions improve

Hmm let me think…

The little guys took a real bath not so long ago when the 60,000 BTC tumble happened. You may remember that somehow the “big fish” whales swam out but the little guys were left as whitebait and got done to a crisp.

Now there has been a 10% uptick the little guys left are heading out of the pond fast, trying to get ahead, which of course will bring the price down if not create a run or stampede.

The big fish don’t want that as it will not just muck up their “long con” it will muck up the side ventures that support the con.

But what of CoinBase? As some have observed they have liquidity issues but without the backup (all banks / exchanges by default have insufficient liquidity, which is why there are in normal banking Sovereign Reserve Banks they can call on to backstop them).

But also the “End of Quater” is oh 20days away, and CoinBase needs good figures to keep their investors happy. Also to stave off calls for regulators to start a “deep dive”.

So… does this make the third or forth fortuatous “software clitch” CoinBase has had?

Time to put on the frier I’m thinking it’s time for not just another whitebait cookup, but a kipper or two, but unfortunately not whale meat stakes…

Clive Robinson • September 12, 2022 5:58 AM

@ Umberto, JonKnowsNothing,

Re : Encrypted Files

“But that would also mean that can’t ever decrypt these files without leaking them, so they are either useless or insecure. Then, why keep them at all ?”

The thing about “files” is, in the general case, on nearly everyones computer they mostly “stay at rest” apparently unused, much like books on shelves in a dusty old library or archive.

Such buildings have doors locks and keys to keep people out for very many reasons, way more than you are considering. So no the files are far from useless. Encrypting the files is just moving the doors locks and keys to “little rooms” for each archive. Such segmentation can be very usefull.

So usefull you will have no trouble finding law offices that run “Sealed Archive Storage” in effect you can “time vault” a document for an annual fee. One use for such is to hold legal documents such as “Titles of Property” and similar. Also last wills and testiments, where you do not want the beneficiaries to know what is in the archive untill after your death (just in case they can not wait and decide to bump you off 😉

There is also the interesting face lift on the very old idea of a “Tontine”[1]. Where in this day and age the thing of value held is not money or tangible goods but information. One example might be the alledged Beale Ciphers[2], where although the ciphertexts are known the keys have apparently been lost to the mists of time.

Which brings us onto @JonKnowsNothing’s point of,

“I think this recurses with no exit state, to Turtles All The Way Down.”

This is a problem with all documents or similar that can be “copied” at minimal cost. As was observed by “The hippy generation” in later life “Information desires to be free”…

The advantage encryption gives is you can “lock the original befor a copy is made” and as long as it remains secure from crypto attacks all you have to do is keep the key under control in some manner.

The problem is as I’ve noted a couple of times on this blog is the encryption algorithms we use publically don’t last much more than between a quater (DES) and a third (RSA) of a century without being augmented or scrapped… Which means “early implementers” can pay a price.

As our host has observed attacks on security unlike most things in life do not get worse with age, mostly they just get better, especially as the resource cost has a habit of halving every eight to nine months.

The best you can do is somehow take the “intangible information object, and make it a “tangible physical object” that either can not be copied, or the fact it has been copied illicitly is evident upon simple inspection.

But as we know from the Olympics and samples for drug testing the Russian’s knew how to get around most apparently tamper proof systems.

[1] There is disagreement on where the idea for a “Tontine” originated but my ha’penny would be on Scotland. In essence it’s an agreement between a group of people over an object, such the last surviving member inherits it. One such idea would be a bottle of fine whisky, where the survivour drinks to the health of those that have gone before. Sometimes the object becomes an heirloom and along with the original document gets passed down the generations who in turn carry out an annual “observance” to all. It’s known that the French Government used the idea as the equivalent of a “bond and title” combined, such that a person would receive money as long as they lived. More generally the Finance and Insurance industries have taken over the idea for investments, pensions and similar.

https://legal-dictionary.thefreedictionary.com/tontine

[2] The alledged Beale ciphers are in all probability a money making hoax to sell pamphlets containing them. The “papers” contain three ciphertexts, the first of which states the location of a buried treasure. It is described in the second to be of gold, silver bullion and jewels, all improbabbly in “iron pots” in an underground stone vault, and estimated to be of considerable value (possibly $60million today). With the third listing the names of the treasure’s owners and their next of kin. It takes little imagination to guess correctly which of the three is the only one to have been decrypted. Especially as the pamphlets was actually very expensive for the time…

Clive Robinson • September 14, 2022 7:14 AM

@ Weather,

“Trump isn’t going to be a issue, not some conspiracy but he asked for it.”

My only concern about the Doh-gnarled is about half the US voting population… Not all people learn from lifes little mistakes, blow over or not.

How many million new voters will there be in four years? There may be enough “new angry votes” to tip the balance…