Re: [Uta] opportunistic keying / encryption considered of dubious value

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 17 March 2014 14:56 UTC

To: Keith Moore <moore@network-heretics.com>, Yan Zhu <yan@eff.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/SjoijIfYXhlOt7_CFuNf_w9zHVQ
Cc: uta@ietf.org, Leif Johansson <leifj@mnt.se>

Keith,

Please point out *anywhere* that I have said that passive
attacks are the only thing to worry about, or where I have
said that pervasive monitoring is the only attack to worry
about. You will not find that since I have repeatedly said
the opposite. PM is one more thing to worry about, but is
one where we've (security eggheads like me) previously not
done a very good job. That plus the news fully explains the
current focus. And that's blatantly obvious.

And (hopefully) lastly, I have no clue as to why you started
this thread if you believe that "Absolutely we do know that
ciphertext, even between unauthenticated parties, is better
than plaintext." OK/OE-has-value follows immediately from
that.

S.

On 03/17/2014 07:52 AM, Keith Moore wrote:
> On 03/16/2014 10:41 PM, Stephen Farrell wrote:
>> Cost/benefit is gibberish. The main PM attacker here is government who
>> care less about costs and are willing to construe benefits to justify
>> the spent-cost. ISTM far more credible to assume that the attacker
>> here cares nothing about costs and would actually prefer higher costs
>> in order to assist with empire building. 
> 
> I think we do ourselves (and the Internet community) a disservice to
> assume that there's just one (kind of) attacker against whom we need to
> defend.
>
>> Nonsense says me with exactly as much evidence as you, i.e. none.
>>
>> However, I do additionally have some evidence - we know that
>> ciphertext != plaintext and we have many reports from credible sources
>> that plaintext helps pervasive monitoring a lot. And in fact that
>> is logically as plain as the noses on all our faces.
>>
>> That kind of "if we do something, some other bad thing may happen"
>> argument is utterly bogus IMO.
> 
> It's not utterly bogus to realize that attackers who apparently have few
> constraints on their funding are going to keep attacking even if they
> have to spend more money to do it.  Nor is it even that difficult to
> understand what their next steps are likely to be.
> 
> Absolutely we do know that ciphertext, even between unauthenticated
> parties, is better than plaintext.  There's no question about that, and
> I don't see anyone arguing that we shouldn't try to raise the bar.  
> What we don't know is whether that kind of ciphertext will deter the
> well-funded major-state-supported SIGINT organization, to any
> significant degree, over the long term.    And while that's not the only
> kind of threat that we're concerned about, it is one of them.
>
>> If we do nothing, then the current bad things will just keep on
>> happening, but increasingly on behalf of more and more bad actors
>> as others jump on NSA and GCHQ's bandwagon.
> 
> I don't see anyone advocating doing nothing, so I'm not sure why you're
> saying this.
>>
>> There are many news releases that imply that plaintext is either
>> the meat for their monitoring or else is required for launching
>> a man on the side attack.
>>
>> There is no evidence so far that I know of that indicates that
>> MITM attacks against even moderately well implemented crypto can
>> be done at anything similar in scale. Do correct me in detail
>> if I am wrong.
>
> If the only threat you're concerned about involves intercepting fibers
> that carry huge amounts of traffic, I'd agree - MITM attacks against all
> of the traffic in that fiber there are very hard to implement.   But I
> don't see any reason to assume that those are the only threats against
> which we need to be concerned.
> 
>>
>> There is an abundance of evidence that endpoint authentication
>> is a sufficient barrier to make turning on crypto too hard for
>> enough folks for that to be important.
> 
> Do I misunderstand you, or are you really arguing that we don't need to
> do any more than defend against passive attacks?
> 
> Keith