It would only be breached if the enemy got access to the machine used to send the messages. And nothing is going to survive that.
There are only two types of security... (Score:2)
We can start moving towards literally unbreakable security. And we really should for all high priority services. Things like book codes or modern versions of the same thing.
Encryption seeds into the terabytes.
Networks that are air-gapped and rely on proprietary network hardware that is simply different from everything else.
We need to push it farther. The NSA demonstrated that this is not paranoia. You make it theoretically possible and they're in.
Re: (Score:1)
Re: (Score:2)
Other ideas would be unique protocols... utterly distinct means of communicating information such that any system that doesn't understand the protocol wouldn't even be able to interface with it much less decode it.
It's akin to the Indian code talkers in WW2. You can use an encryption system like Germans or Japanese used... which the British and Americans broke respectively. Or you can use something like an unknown language to render the transmission unbreakable.
The unknown language can of course be something
Re:There are only two types of security... (Score:1)
I'm not trying to be offensive here, but I assume that you do not know too much about modern cryptography. Correctly applied, it is secure. Really secure. Successful attacks target the system that uses the cryptography, not the cryptography itself. Random number generators are a nice target. Systems running vulnerable software are nice targets. Targeting modern cryptography itself is usually a futile endeavour.
Languages can be learned. It may take a bunch of linguists a couple of years to get somewhere if the language is odd enough, but it is doable.
Proprietary, undocumented protocols and file formats exist. People who reverse engineer them and write their own compatible implementations also exist. I have done that kind of thing a few times myself.
Proprietary protocols and the like are basically what is commonly referred to as security through obscurity. This is considered a bad thing.
On the other hand, we have modern cryptography. Properly implemented, that stuff is incredibly secure. Even if you have a bunch of linguists or mathematicians, they won't break it in a few years or even a few hundred years, likely. The situation is not really comparable to WW2 era ciphers at all. We have left those far behind.
Sure, it is possible that we will have some incredible mathematical breakthrough with regards to integer factorization, but it doesn't seem likely to happen suddenly. Usually, the state of the art advances at a slower pace. Even quantum computers will still leave us with working symmetric cryptography and (somewhat more unwieldy and less studied) asymmetric cryptography intact.
One time pads are commonly cited as the holy grail, but they miss the point and are difficult to employ, even today. Cryptographic systems are not broken by attacking the cryptography. They are broken by circumventing it. To use a one time pad, you first have to generate it. For that you need a true RNG, or it will be no better than a regular stream cipher. If your randomness is bad, you will be vulnerable and there exist interesting attacks [arstechnica.com] that could subvert commonly deployed sources of entropy, such as Intel's RdRand instruction.
The second problem is exchanging the one time pad securely. How are you going to do that? Snail mail? It could get intercepted. Besides, if you have a way to securely share a secret with the person you are communicating with, you could just share a 256-bit ChaCha20 or AES key and be done with it. The practical gain in security a one time pad would provide over those would be negligible.
There is a nice property that good, modern cryptographic systems provide, which is called "perfect forward secrecy". It guarantees that communications that took place before an attacker gained access to the secret keys of a peer will still remain secure after the fact. I suppose you could achieve something similar by securely zeroing out the used parts of your one time pad, but then you get into the messy affair of how to securely delete data.
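The two points in this reply, that a pad expanded from a seed is just a stream cipher whose real secret is the seed, and that used pad material must never be reused (hence the zeroing), as an added Python example that is not code from the original thread; the SHA-256 counter construction is an assumed stand-in for any seeded generator:

```python
import hashlib
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings: the entire 'cipher' of a one-time pad."""
    if len(a) != len(b):
        raise ValueError("pad material must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def seeded_pad(seed: bytes, length: int) -> bytes:
    """Assumed stand-in for any 'pad generator': expand a short seed into a long pad
    by hashing seed || counter. Because the output is reproducible from the seed,
    this is a stream-cipher keystream, not a one-time pad; the secret is the seed,
    however many terabytes of pad are derived from it."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def true_pad(length: int) -> bytes:
    """A genuine one-time pad: fresh OS randomness that cannot be regenerated from
    anything shorter, so every byte of it has to be exchanged and stored securely."""
    return os.urandom(length)

def seed_only_exchange(seed: bytes, message: bytes):
    """Sender and receiver both expand the same short seed. Returns (ciphertext,
    recovered plaintext): the receiver needed only the seed, exactly as with a
    256-bit ChaCha20 or AES key, so the 'pad' adds nothing over a stream cipher."""
    ciphertext = xor_bytes(message, seeded_pad(seed, len(message)))
    recovered = xor_bytes(ciphertext, seeded_pad(seed, len(ciphertext)))
    return ciphertext, recovered

def pad_reuse_leak(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """Encrypt two equal-length messages under the same pad bytes (the mistake that
    zeroing used pad material prevents) and return what an eavesdropper can compute
    from the two ciphertexts alone: c1 XOR c2, which equals p1 XOR p2 and is zero
    exactly where the plaintexts agree."""
    c1 = xor_bytes(p1, pad[:len(p1)])
    c2 = xor_bytes(p2, pad[:len(p2)])
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    seed = os.urandom(32)  # constructed sample seed
    print("seeded pad reproducible:", seeded_pad(seed, 1 << 20) == seeded_pad(seed, 1 << 20))
    print("true pad reproducible:  ", true_pad(64) == true_pad(64))
    leak = pad_reuse_leak(b"attack at dawn", b"attack at dusk", true_pad(14))
    print("reuse leak (hex):", leak.hex())  # zero bytes wherever the messages agree
```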
Re: (Score:2)
As to modern cryptography being secure... the premise of most cryptography is that you've made something so complex that no one can sort it out. That is your security. It is security through complexity.
And I grant that it's probably secure in most situations. But my primary problem with it is that it's theoretically breakable.
We can make security systems that are theoretically UNbreakable.
As to a series of linguists breaking an unknown language. Wrong. Generally speaking, without a "Rosetta stone" or some v
Re: (Score:1)
Somehow I expected that the Voynich manuscript would come up. It's not a very good argument though. We don't know if the contents of that thing are even supposed to make sense. You can't decrypt /dev/random. In general, where you have data, you have context. That context helps deciphering the data, unless care is taken to make that impossible. And with "care is taken" I mean "cryptography is applied". If you make up a new language, it probably won't be a cipher that is better than encoding that information
Re: (Score:2)
As to not knowing if the Voynich manuscript is even language. That is the point.
That's how you know the security is solid.
Imagine for example if I write in Chinese and you had no reference for Chinese. You do not know how to read it and you don't know of any similar languages to aid in your decoding of the Chinese.
You can't use a systematic code attack on it because it will never decode into a known language. You can't use the frequency of given characters to reveal words. There are no vowels or consonants.
Re: (Score:1)
A quick note to your argument about how with regular encryption you know when you have found the right key because regularities will appear: You can easily circumvent this*, by encrypting the data multiple times with different keys and possibly with different algorithms.
Or that there is nothing there that can be broken...
Re: (Score:2)
"Practical security" assumes you know the capabilities and knowledge of your enemy.
If you're wrong then "practical security" is insecure.
The point is that we can make things that cannot be broken. Cannot. Impossible. No amount of computer resources or human genius can breach perfect security.
And we can do it. It requires that we do things differently and it requires that the very term "practical security" be treated as a big red flag that there is a problem. "practical" means you know there's a vulnerabilit