mxb wrote:
1) You have previously suggested holding software developers liable for the security in their products. What is your opinion about free software?
Quote:
2) As privacy seems to be currently eroding away, with the requests for wiretapping VOIP calls, logging of internet usage, and so forth, do you think that eventually the general public will realise and start to demand that privacy back?
3) With the current tactics being employed by the RIAA/MPAA against file sharers, what do you think about the current generation of file sharing networks? Do you think that actions by such corporations are a major driving force behind the research and development of anonymous and encrypted networks?
B-Con wrote:
He answered this question in (I believe) Secrets and Lies. He believes that only proprietary software deserves to be held liable.
JustinT wrote:
As an academic researcher in cryptography, I pay attention to what you might call the "nitty gritty" areas of cryptanalysis, that the layman wouldn't be aware of; the layman is, ironically enough, sometimes the individual responsible for incorporating some type of cryptographic layer within their framework. When doing a superficial analysis of the specifications, the first thing I look for, habitually, is a MAC. When arriving at some sensible, conservative threat model, more often than not, an integrity failure is just as detrimental as a confidentiality failure; it's also the case, many times, that a loss of the former is even greater than the latter. There is ample justification for the preservation of integrity through a message authentication code. I have no doubt there. My question entails correlations between notions of security, and compositions for authentication and encryption. Today, it seems plausible that for a modern implementation, we would like to have something that is IND-CCA2 secure and achieves INT-PTXT. For example, I like the rationale behind authenticating first, then encrypting last. However, given the results of Bellare and Namprempre, although this composition allows us to achieve INT-PTXT, it's only IND-CPA secure. On the other hand, there have been instances when this composition was sufficient for a particular threat model I was addressing. I prefer relying on as few assumptions as possible, and being as conservative as possible, so my question is, "When addressing authentication, should we apply a composition that satisfies the threat model for a particular application, even if it does not particularly satisfy IND-CCA2 security ("MAC-then-Encrypt"), or should we only consider compositions that satisfy IND-CCA2, and achieve at least INT-PTXT?" The latter seems a bit more comfortable, and here's my rationale.
While the proofs associated with these notions aren't surefire guarantees of security, they are, however, useful for reducing the number of assumptions we have to make, and I am more confident in reducing assumptions, as opposed to applying a composition that isn't IND-CCA2 secure, and assuming that my threat model considers every threat that is applicable to the scenario, and favorable to the adversary. I certainly see the rationale behind your advocation of authenticating first, as noted in your book with Niels Ferguson. However, would it be simpler, and more responsible, to encrypt first, by say, applying a SUF-CMA MAC to an IND-CPA secure encryption construction's ciphertext, which would satisfy IND-CCA2 (and NM-CCA2) and INT-CTXT (and INT-PTXT)? I've seen both secure and insecure instances of both AtE and EtA, and there are certainly many details and subtleties to get right for either, but I'm curious as to where you stand on the importance of order, and these notions of security. I believe it to be a vital goal to strive for simplicity and the reduction of assumptions, which is my main concern. There's certainly no wrong in wanting to get the MAC part right, and those two goals seem to be key proponents in doing so!
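The encrypt-first composition asked about in the post above (a MAC computed over the ciphertext of an IND-CPA scheme, checked before any decryption), as an added example that is not part of JustinT's post or of any work it cites. The HMAC-SHA256 counter-mode keystream is a stand-in for a real cipher such as AES-CTR so the code runs on the standard library alone; the function names, the nonce and tag sizes, and the use of two independent keys are assumptions of this sketch.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream with HMAC-SHA256 as the PRF: a stand-in for a
    # real IND-CPA cipher such as AES-CTR, used so the example is stdlib-only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)  # fresh per message
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # The tag covers everything the receiver will act on, nonce included.
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Check the tag first; the decryption key is used only on valid input."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ct = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))

if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)  # constructed, independent keys
    sealed = seal(ke, km, b"constructed sample message")
    assert unseal(ke, km, sealed) == b"constructed sample message"
```

Without the tag check, flipping one ciphertext bit flips the same plaintext bit, which is the integrity failure the post is concerned with; `unseal` rejects such a message before the encryption key is touched.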
datah wrote:
To Dr. Schneier:
What is your advice to young budding cryptologists?
alt.don wrote:
Hello,
I generally post one every month on the 15th barring my being kidnapped by aliens and being gang-probed or somesuch. Don't laugh! It could happen to you too! In essence on the 15th of every month is when I post one. Cheers
Secure Lockdown wrote:
we will send blackberry msg to alien mothership to re-schedule kidnapping for 16th.
RFmax wrote:
Stilz, thanks for the heads-up on the conference. I never would have known about it. Maybe see you there.