Re: [TSCM-L] Re: Feds move to include backdoor in all software and hardware

From: Thomas Shaddack <tsc..._at_shaddack.mauriceward.com>
Date: Fri, 3 Feb 2006 20:23:23 +0100 (CET)

> time for end to end security.

The time for that was here from the very beginning; only public
awareness has been getting better lately.

Many implementations have already been developed and deployed: Cryptofon,
Nautilus, PGPfone, SpeakFreely...

> Phil Z. is working on encrypted VoIP (zPhone:
> http://www.philzimmermann.com/EN/zfone/index.html ) and those
> comfortable with rolling your own can always use OpenVPN / IPsec for
> transport. Let them tap SHA2-256 AH AES-256 ESP* to their hearts
> content.

No need for full-scale VPNs anymore. The new version of OpenSSL supports
DTLS, i.e. TLS over datagrams; think of an SSL/TLS that runs over UDP instead
of being restricted to TCP.
http://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security

> [* ideally SHA2-512 but this seems to be ill supported in most stacks
> at the moment....]

256 bits should be enough for the next couple of years. Symmetric ciphers are
pretty much secure; the threat in PKI lies more in the asymmetric
component; use keys as long as practical there. Asymmetric algorithms
also tend to be heavily dependent on factorization, which may be
significantly weakened if the problem of entangling the necessary
number of qubits gets solved. If that one bastion falls, we're back to
one-time pads for some more time.

Also do not forget signed Diffie-Hellman, so each transaction uses a
unique session key which gets discarded after the connection is closed and
there is a low chance for the adversary to do a man-in-the-middle, and a good
entropy generator. Also be aware of the possibility of a MITM degrading the
secure channel to a less secure one (e.g. by tampering with the handshake
sequence, forcing only 40-bit ciphers and then brute-forcing 'em), so make
sure the lowest-security options are still good enough. (Hint: disable the
export ciphersuites in your HTTPS servers and also in your browsers, and
do it today.)

Then there is the problem of hashes. Weaknesses were recently found
in both MD5 and SHA1; while they are still as good as before
for standard file integrity checks in a non-adversarial setting, it is
possible to intentionally generate files that have the same hash, which
makes some kinds of attacks on digital signatures possible (e.g. you get a
document, say an agreement, to sign; the adversary then swaps the files
and it looks like you signed the other one).

Also always be aware that the number of bits won't protect you if you have
a software bug in the implementation, a transmitter bug in the red zone, or
a lack of attention to detail between the chair and the keyboard. Or if you
get social-engineered. A long-range lawyer with the payload of a
high-yield tactical subpoena may also significantly shake one's defenses,
when the threat model doesn't account for it.

There is a wide palette of attacks on secured systems that do not even
touch the cryptographic math, and they are both high-tech and low-tech. The
low-tech ones are reportedly more common, but the high-tech ones get more
attention because they are sexier and more glamorous.

Do not ever let the number of bits in the cipher suite blind you with the
appearance of security. It is only one of the links of the chain, even if
the shiniest one.
Received on Sat Mar 02 2024 - 00:57:26 CST
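
The message's hint about downgrade attacks ("make sure the lowest-security options are still good enough", "disable the export ciphersuites") is something you can check mechanically rather than trust. The following is an added example, not code from the original message or from any of the projects it names: it uses Python's standard ssl module (OpenSSL underneath) to build a deliberately permissive server context next to a hardened one, then enumerates every suite each context would still accept. The 128-bit floor, the cipher string and the list of banned name fragments are this example's own assumptions about what "good enough" means; adjust them to your policy. The permissive context only exists so you can see what a sloppy configuration leaves negotiable; the weak_suites() check is the part worth running in CI against the context you actually deploy.

```python
"""Added example: enumerate what a TLS server context would still negotiate.

Not code from the original message. Uses only Python's stdlib ``ssl`` module.
The policy constants below are assumptions made for this example.
"""
import ssl

# Assumed policy: at least 128-bit symmetric strength, TLS 1.2 or later,
# forward-secret key exchange, and no suite whose name advertises an export,
# NULL, RC4, (3)DES or MD5 variant.
MIN_STRENGTH_BITS = 128
BANNED_FRAGMENTS = ("EXP", "NULL", "RC4", "DES", "MD5")
FORWARD_SECRET_KEA = ("kx-ecdhe", "kx-dhe", "kx-any")  # kx-any = TLS 1.3


def permissive_context() -> ssl.SSLContext:
    """A deliberately sloppy server context: every suite this OpenSSL build
    still knows, at security level 0. This is the "just make it work" shape
    a config drifts into; it is here only to be inspected, never deployed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:  # builds without security levels (e.g. LibreSSL)
        ctx.set_ciphers("ALL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Server context whose *weakest* negotiable option is still acceptable,
    so a handshake-tampering MITM has nothing weaker to steer us toward."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Positive list first (ECDHE/DHE key exchange, AEAD bulk ciphers), then
    # explicit exclusions as belt-and-braces against aliases pulling in junk.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
        ":!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES"
    )
    # The server, not the client, picks from the intersection; and no TLS
    # compression, which has its own history of being abused.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    return ctx


def tls_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of suites in ctx that fall below the assumed floor.
    Returns [] when the context has nothing weak left to downgrade to."""
    weak = []
    for c in ctx.get_ciphers():
        name = c["name"]
        if c["strength_bits"] < MIN_STRENGTH_BITS:
            weak.append(name + " (%d-bit)" % c["strength_bits"])
        elif any(frag in name for frag in BANNED_FRAGMENTS):
            weak.append(name + " (banned algorithm)")
        else:
            kea = c.get("kea")
            if kea is not None and kea not in FORWARD_SECRET_KEA:
                weak.append(name + " (no forward secrecy: %s)" % kea)
    return weak


if __name__ == "__main__":
    loose = permissive_context()
    tight = hardened_context()
    print("permissive: %d suites, first weak ones: %s"
          % (len(loose.get_ciphers()), weak_suites(loose)[:5]))
    print("hardened floor:", tls_floor(tight))
    print("hardened suites:", [c["name"] for c in tight.get_ciphers()])
    print("hardened weak suites:", weak_suites(tight))
```

What the permissive context lists depends on the OpenSSL build; on a current one the export suites the message talks about are gone entirely, but RSA key exchange (no forward secrecy) and 112-bit 3DES typically still show up, which is exactly the kind of "lowest option" a downgrade aims for.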
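
The signature-swap scenario in the message (two documents with the same hash; you sign one, the adversary presents the other) is easy to demonstrate end to end once the hash is weak enough to collide on a laptop. The block below is an added example, not code from the original message. Everything in it is constructed: the two "agreement" templates, the toy signature (an HMAC over the digest, standing in for an RSA/DSA signature over the digest, which stdlib Python does not ship) and the "weak" hash, which is SHA-256 truncated to TRUNC_BITS so a plain birthday search finds a collision in well under a second. The real MD5 and SHA-1 collision attacks are far more sophisticated than a birthday search, but the consequence for the signer is identical: a signature binds to the digest, so it transfers to anything with the same digest.

```python
"""Added example: a digest collision turns a signature on one document into
a valid signature on another. Not code from the original message; the hash,
signature scheme, documents and key here are all constructed stand-ins."""
import hashlib
import hmac
import secrets

TRUNC_BITS = 28  # small enough to collide by brute force; real hashes need 128+


def weak_hash(data: bytes) -> bytes:
    """SHA-256 truncated to TRUNC_BITS: a stand-in for a hash whose
    collision resistance has been broken."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return (full >> (256 - TRUNC_BITS)).to_bytes(4, "big")


def strong_hash(data: bytes) -> bytes:
    """Full SHA-256, for contrast."""
    return hashlib.sha256(data).digest()


def sign(key: bytes, doc: bytes, hashfn) -> bytes:
    """Toy signature: a MAC over the digest. Real signature schemes likewise
    sign only the digest, which is exactly why a digest collision transfers
    the signature."""
    return hmac.new(key, hashfn(doc), "sha256").digest()


def verify(key: bytes, doc: bytes, sig: bytes, hashfn) -> bool:
    return hmac.compare_digest(sign(key, doc, hashfn), sig)


def find_colliding_pair(benign_tmpl: bytes, evil_tmpl: bytes, hashfn,
                        max_tries: int = 1 << 18):
    """Birthday search for one benign and one malicious document sharing a
    digest. Each template has a %08x slot the attacker is free to vary
    (an invoice reference, trailing whitespace, a comment field...).
    Returns (benign_doc, evil_doc) or None if max_tries is exhausted."""
    seen_benign, seen_evil = {}, {}
    for i in range(max_tries):
        b, e = benign_tmpl % i, evil_tmpl % i
        hb, he = hashfn(b), hashfn(e)
        if hb == he:
            return b, e
        if hb in seen_evil:
            return b, seen_evil[hb]
        if he in seen_benign:
            return seen_benign[he], e
        seen_benign.setdefault(hb, b)
        seen_evil.setdefault(he, e)
    return None


# Constructed "agreements": the victim means to sign the first, the adversary
# wants a signature on the second. Only the reference field differs within
# each template.
BENIGN = b"I agree to pay 100 EUR for the consultation. ref:%08x"
EVIL = b"I agree to pay 100000 EUR for the consultation. ref:%08x"


def demo(key: bytes) -> dict:
    """Run the swap with the weak hash and with SHA-256; report what happens."""
    pair = find_colliding_pair(BENIGN, EVIL, weak_hash)
    assert pair is not None, "raise max_tries or TRUNC_BITS search budget"
    benign, evil = pair
    sig_weak = sign(key, benign, weak_hash)      # victim signs the benign text
    sig_strong = sign(key, benign, strong_hash)  # same, but with a sound hash
    return {
        "weak_digests_equal": weak_hash(benign) == weak_hash(evil),
        "weak_sig_transfers": verify(key, evil, sig_weak, weak_hash),
        "strong_sig_transfers": verify(key, evil, sig_strong, strong_hash),
    }


if __name__ == "__main__":
    print(demo(secrets.token_bytes(32)))
```

Note that the victim never sees anything odd: the document they sign is a perfectly normal agreement with a slightly unusual reference number. That is why the message's point about hash weakness matters even when your file-integrity checks still "work"; integrity checks assume nobody chose the file to collide.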
