Why "carnivore" type systems can't be (entirely) open source

[Owen Lewis]

----- Original Message -----
From: "Brian Gladman" <brg@gladman.plus.com>
To: "UK Crypto Posting" <stevee+brg@slimy.greenend.org.uk>
Sent: 03 February 2001 23:49
Subject: Re: Why "carnivore" type systems can't be (entirely) open source


> From: "Owen Lewis" <oml@eloka.demon.co.uk>
> To: <ukcrypto@chiark.greenend.org.uk>
> Sent: Sunday, January 28, 2001 6:51 PM
> Subject: Re: Why "carnivore" type systems can't be (entirely) open source
>
> [snip]
> > > ...STO in this case was being used to
> > > protect a deliberate 'designed in' insecurity.  It is hence a very
good
> > > example of a typical use of STO.
> >
> > Thank you. I agree that it is a typical use. Whether there are
deliberate
> > design insecurity does not, in this context, matter. The security
afforded
> > was sufficient (or very nearly so) for the purposes in hand. It seems
> > reasonable to suppose that the nations that contributed to the design of
> GSM
> > would have made a forecast of the probable secure life and were fairly
> > accurate in doing so.
>
> You surely mean insecure life since it was never secure to start with.

No, as think you will see if you re-read the exchange.
>
> If I read your position correctly you claim that this is an example of STO
> use to achieve security because, by protecting a known design weakness,
the
> useful life of the product was extended.  On the other hand I claim that
it
> had no useful life to start with and hence that this is an example of the
> use of STO to hide design insecurity and hence to 'con' users into
trusting
> an algorithm that was untrustworthy from the very outset.
>
> These are pretty well opposite interpretations of the same facts so I
guess
> we have to allow others on the list to judge for themselves whether STO in
> this case promoted security or insecurity.

In this case, the reason for the different interpretation is fairly simple
and is worth elucidating.

You present security as monolithic, as an absolute. I know it to be no such
thing.

If there is such a thing as perfect security, I have not seen it. I have
seen some fearsomely good security that would take great risk and effort to
overcome.

In the specific of a cryptosystem, you, I or anyone else in unable to prove
that the system cannot be broken, though in the case (only) of an OTP
algorithm the algorithm is proveably secure. However, even that does not
make use of an OTP cryptosystem necessarily 100% secure (VENONA q.v.).

That you. I or anyone else - or all of us together - have done our best to
make it so does not make any cryptosystem - or even a cipher algorithm -
proveably secure. The best that might be said is that we are the best there
is, we have looked very hard indeed and we have found no insecurity. The
nearest thing to a proof comes retrospectively, even some years after the
retirement of the system, where there remains no sign that it has been or
could have been overcome. You know this. We all know this.

> > > I don't think that anyone disputes the value of STO in hiding design
> > > insecurity and this is precisely why it is a completely discredited
> > approach
> > > when the objective is the exact opposite.

Mmmm...  I would be interested in any deconstruction of the argument that
GSM substantially achieved its security design aim of providing privacy in
mobile telecommunication to the people.

> > Do you say that that governments with the capability to design their own
> > ciphers and all of whom invariably do not make 'open source' the
> algorithms
> > of such are simply covering deliberate design insecurity? Somehow, I
doubt
> > that you would argue so but, unless you find that you can do so
cogently,
> > then your point must fall.
>
> You are making the assumption here that there are only two possible
reasons
> for this secrecy and concluding that if it is not one of them it must be
the
> other.  Not so.

Please read again. I remark only that, unless one argues from the position
given, then the point falls.
>
> I might also add that you are wrong in claiming that governments
invariably
> do not publish their own algorithms. For example, the US government has
> openly published the Skipjack and KEA algorithms that are widely used by
the
> US DoD to protect medium grade classified information.

I wonder why they do not use these algorithms to protect all classified
information. You argue that perfect is perfect, that the
less-than-certainly-perfect must be wicked rubbish and allow no gradation
between. What do we have here then? .

> > > Anyone who argues that security is enhanced when STO is used to
protect
> > > the 'security' available from deliberately broken cipher algorithms is
> > > logically correct (in limited circumstances)
> >
> > The plain fact is that where honest men do their best to produce a
secure
> > crypto design and test it as such against the finest parameters they
know,
> > they can never be sure that there is neither someone smarter out there
or
> > that there will not be some theoretical development that will limit the
> > secure life of their best efforts.
>
> And dishonest men sell broken ones with known weaknesses that are hidden
by
> STO.

You do not answer the point nor do you deconstruct the rationale of the
argument that the GSM security designers substantially met both their aims
and the needs of the public. The particular security 'weakness' in GSM is
that the encryption is not end-to-end but on the wireless links only. Any
system so designed - whatever the cipher - can never be fully secure or
pretend to be so. It can and has, in the case of GSM, provided pretty good
privacy ;-)

Who was dishonest in the selling of GSM security? It was never pretended
that it was more than it is.

It is however less than entirely honest to infer that that the quality of
the cipher used (+STO) has had the least real effect on the level of
security (i.e. privacy only) that was intended for and has been afforded to
and appreciated by GSM users over these many years.

Owen