Army signals security & "Clansmen" series radios

[Owen Lewis]

----- Original Message -----
From: "Brian Morrison" <bdm@fenrir.org.uk>
To: <ukcrypto@maillist.ox.ac.uk>
Sent: 06 September 2000 14:38
Subject: Re: Army signals security & "Clansmen" series radios


> On Wed, 6 Sep 2000 11:50:49 +0100, Owen Lewis wrote:
>
> >    1. That the use of any system for information security where the
> >strength of the security is predicated to the certain  recognition of
> >parties unknown to and remote from each other is prone to spoofing. Where
> >the means of identification are organised at the personal level, the risk
> >from spoofing must rise.
> >
>
> Exactly the situation that the PGP web of trust is designed to deal
> with, and can provided that the trust is established correctly in the
> first place.

Agreed. But it begs the question of whether such a method (web of trust) of
establishing trust between strangers is not building on sand. But I did'nt
intend to make this yet another PGP thread, rather to consider why, in 30
years, there has not been wide govermental take up of PK based systems,
particularly for securing the large number of cross-boundary systems where
PK systems should greatly ease the management problems which must otherwise
arise.

> They also have different requirements about physical security of
> cipher systems, PGP could be compromised by careless control of
> material.

Any information security system is made vulnerable by slack keymat
management in particular and also a general neglect the other forms of
security which must be implemented to assure the security that X cipher
should provide. In professional hands such vulnerabilities can be reduced to
a  very small margin, almost regardless of the cryptosystem used. However,
in the hands of the general public, little if anything is done about such
vulnerabilities, even where they are recognised. You will realise that this
comment is not PGP specific but relates to the general issue that high
security is both a complex and relatively expensive matter. This, in turn,
makes suspect the level of information security maintained where strong
cryptosystems are used by the general public - other than where those public
systems are supplied, maintained and entirely managed for the public by one
or more competent organisations. It seem to me that the vulnerabilities
arise from weak management rather than from any flaw in the ciphers
themselves.

The counter-argument might be that, were it as I suggest, the
vulnerabilities can be satisfactorily controlled if PK ciphers were
centrally managed within a properly controlled governmental organisation.
But, is so, why has there been no take up?  Or has there?
>
> --
> Brian Morrison                                  bdm@fenrir.demon.co.uk
>               do you know how far this has gone?
>                just how damaged have I become?
>                                       'Even Deeper' by Nine Inch Nails
>
>
>