### Podcast: Crypto-Gram 15 November 2008:

from the Nov 15, 2008 Crypto-Gram Newsletter

by Bruce Schneier

* The Skein Hash Function

NIST is holding a competition to replace the SHA family of hash functions

Skein is our submission (Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker): a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze.

* Me and the TSA

TSA been checking ID's all this time to no purpose whatsoever.

* Quantum Cryptography

Quantum cryptography: the basic idea is still unbelievably cool, in theory, and nearly useless in real life.

The idea behind quantum crypto is that two people communicating using a quantum channel can be absolutely sure no one is eavesdropping. Heisenberg's uncertainty principle requires anyone measuring a quantum system to disturb it, and that disturbance alerts legitimate users as to the eavesdropper's presence. No disturbance, no eavesdropper -- period.

The basic science behind quantum crypto was developed, and prototypes built, in the early 1980s by Charles Bennett and Giles Brassard. This is totally separate from quantum computing, which also has implications for cryptography. WHich is fundamentally different from a classical computer. If one were built - and we're talking science fiction here - then it could factor numbers and solve discrete-logarithm problems very quickly. In other words, it could break all of our commonly used public-key algorithms. For symmetric cryptography it's not that dire: A quantum computer would effectively halve the key length, so that a 256-bit key would be only as secure as a 128-bit key today. Pretty serious stuff, but years away from being practical. I think the best quantum computer today can factor the number 15.

I don't see any commercial value in quantum cryptography. I don't believe it solves any security problem that needs solving. I don't believe that it's worth paying for, and I can't imagine anyone but a few technophiles buying and deploying it. Systems that use it don't magically become unbreakable, because the quantum part doesn't address the weak points of the system.

Our symmetric and public-key algorithms are pretty good, even though they're not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.

Cryptography is the one area of security that we can get right. We already have good encryption algorithms, good authentication algorithms and good key-agreement protocols. Maybe quantum cryptography can make that link stronger, but why would anyone bother? There are far more serious security problems to worry about, and it makes much more sense to spend effort securing those.

* The Economics of Spam

Result of research on Storm worm infiltration"

"After 26 days, and almost 350 million e-mail messages, only 28 sales resulted: under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. These conversions would have resulted in revenues of $2,731.88- a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network - we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm's pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.

"Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than "millions of dollars every day," but certainly a healthy enterprise."

Of course, the authors point out that it's dangerous to make these sorts of generalizations.

* The Psychology of Con Men

These guys used to go door-to-door in the 1970s selling lightbulbs and they would offer to replace every single lightbulb in your house, so all your old lightbulbs would be replaced with a brand new lightbulb, and it would cost you, say $5, so a fraction of the cost of what new lightbulbs would cost. So the man comes in, he replaces each lightbulb, every single one in the house, and does it, you can check, and they all work, and then he takes all the lightbulbs that he's just taken from the person's house, goes next door and then sells them the same lightbulbs again...

* Giving Out Replacement Hotel Room Keys

Guests lose their hotel room keys, and the hotel staff needs to be accommodating. But at the same time, they can't be giving out hotel room keys to anyone claiming to have lost one. Generally, hotels ask to see some ID before giving out a replacement key and, if the guest doesn't have his wallet with him, have someone walk to the room with the key and check their ID.

* P = NP?

There's a million-dollar prize for resolving the question.

length: 20:44m

PS: this is my cheat sheet of Bruce Schneier's Podcast:

http://www.schneier.com/crypto-gram-0811.html

by Bruce Schneier

* The Skein Hash Function

NIST is holding a competition to replace the SHA family of hash functions

Skein is our submission (Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker): a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze.

* Me and the TSA

TSA been checking ID's all this time to no purpose whatsoever.

* Quantum Cryptography

Quantum cryptography: the basic idea is still unbelievably cool, in theory, and nearly useless in real life.

The idea behind quantum crypto is that two people communicating using a quantum channel can be absolutely sure no one is eavesdropping. Heisenberg's uncertainty principle requires anyone measuring a quantum system to disturb it, and that disturbance alerts legitimate users as to the eavesdropper's presence. No disturbance, no eavesdropper -- period.

The basic science behind quantum crypto was developed, and prototypes built, in the early 1980s by Charles Bennett and Giles Brassard. This is totally separate from quantum computing, which also has implications for cryptography. WHich is fundamentally different from a classical computer. If one were built - and we're talking science fiction here - then it could factor numbers and solve discrete-logarithm problems very quickly. In other words, it could break all of our commonly used public-key algorithms. For symmetric cryptography it's not that dire: A quantum computer would effectively halve the key length, so that a 256-bit key would be only as secure as a 128-bit key today. Pretty serious stuff, but years away from being practical. I think the best quantum computer today can factor the number 15.

I don't see any commercial value in quantum cryptography. I don't believe it solves any security problem that needs solving. I don't believe that it's worth paying for, and I can't imagine anyone but a few technophiles buying and deploying it. Systems that use it don't magically become unbreakable, because the quantum part doesn't address the weak points of the system.

Our symmetric and public-key algorithms are pretty good, even though they're not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.

Cryptography is the one area of security that we can get right. We already have good encryption algorithms, good authentication algorithms and good key-agreement protocols. Maybe quantum cryptography can make that link stronger, but why would anyone bother? There are far more serious security problems to worry about, and it makes much more sense to spend effort securing those.

* The Economics of Spam

Result of research on Storm worm infiltration"

"After 26 days, and almost 350 million e-mail messages, only 28 sales resulted: under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. These conversions would have resulted in revenues of $2,731.88- a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network - we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm's pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.

"Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than "millions of dollars every day," but certainly a healthy enterprise."

Of course, the authors point out that it's dangerous to make these sorts of generalizations.

* The Psychology of Con Men

These guys used to go door-to-door in the 1970s selling lightbulbs and they would offer to replace every single lightbulb in your house, so all your old lightbulbs would be replaced with a brand new lightbulb, and it would cost you, say $5, so a fraction of the cost of what new lightbulbs would cost. So the man comes in, he replaces each lightbulb, every single one in the house, and does it, you can check, and they all work, and then he takes all the lightbulbs that he's just taken from the person's house, goes next door and then sells them the same lightbulbs again...

* Giving Out Replacement Hotel Room Keys

Guests lose their hotel room keys, and the hotel staff needs to be accommodating. But at the same time, they can't be giving out hotel room keys to anyone claiming to have lost one. Generally, hotels ask to see some ID before giving out a replacement key and, if the guest doesn't have his wallet with him, have someone walk to the room with the key and check their ID.

* P = NP?

There's a million-dollar prize for resolving the question.

length: 20:44m

PS: this is my cheat sheet of Bruce Schneier's Podcast:

http://www.schneier.com/crypto-gram-0811.html

## 0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home