Why "carnivore" type systems can't be (entirely) open source
"Brian Gladman" <brg at gladman.plus.com>
Wed, 7 Feb 2001 15:54:00 -0000
From: "Owen Lewis" <oml@eloka.demon.co.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Wednesday, February 07, 2001 10:48 AM
Subject: Re: Why "carnivore" type systems can't be (entirely) open source
> From: "Brian Gladman" <brg@gladman.plus.com>
> To: "UK Crypto Posting" <stevee+brg@slimy.greenend.org.uk>
> Sent: 05 February 2001 10:58
> Subject: Re: Why "carnivore" type systems can't be (entirely) open source
[snip]
> Over several exchanges we have established that you yourself only object to
> the use of STO when it is used by A to deny access to B to the algorithm and
> coding of a cipher provided by A for the use of B. In this particular, you
> consider STO anathema but in other applications you also see the value of
> it. For my part, even in the particular that you object to, I see room for
> benign use of STO as well as malign exploitation of B by A. I have personal
> knowledge of several examples of benign use of STO and I am surprised that
> you do not have much the same experience.
To be as precise as possible, I believe that the use of STO to hide a
security design [*] from those who are to rely on it is overwhelmingly more
likely to create a detriment to their security interests than any
enhancement of them.
[*] the design itself, not the techniques used to achieve it.
This is not absolute - it is the probability that this will work to their
advantage or disadvantage in practice when averaged over many typical uses of
STO. And it is because I believe this probability is so skewed towards
insecurity that I consider it to be a completely discredited technique when
used to hide designs from those who will be asked to rely on them.
> In the specific of the GSM system, introduced into this thread by Ben as an
> example of how damaging to B is the use of STO by A, I have shown as best I
> can that:
>
> - It is entirely wrong to consider GSM as a secure system. It
> provides conditional privacy only and can do no more, because of its very
> operational parameters. This would be true whatever cipher was used,
> concealed or declared. The cipher is very far from the weakest link in GSM's
> security chain and improving the cipher and declaring it could not make GSM,
> as a system, appreciably more secure.
We agree at least on most of this! In fact making the cipher fully secure
would help some users but I agree not many. In a sense this was the biggest
con trick of all - putting the crypto in was giving an impression of good
security where there was none.
This con is now an almost universal one. My bank tells me that I have '128
bit security' when I log on when I know that even if the system is perfect
my eight character password can be guessed with a probability of no less
than (2^8)^8 - 2^64 bits of security (in practice a great deal less). This
is a billion, billion, billion,....., billion times less security than they
are advertising.
> - Despite the conditional nature of the privacy afforded to B in
> GSM, B has flocked en masse to the system and finds that, in the main, the
> level of privacy provided suits his need. That you and some others
> vehemently disagree with B in this matter has not influenced B's desire to
> adopt GSM in the least. It is B's wishes and none other that has determined
> both the past success and assured the future of GSM type cellular wireless
> telecom system design.
Yes but because it offered a convenient way of communicating, not because it
offered any real security. If there is ever a choice between security and
functionality, the latter will win in the market (now at least).
Brian