Security Basics mailing list archives
RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 18 May 2006 11:21:10 +1000
Hello,

Even an OTP does not provide perfect security, just good security.

One of the key issues in complexity theory is the P v NP debate. The class P is defined as the class of decision problems solvable deterministically in polynomial time. The class NP is the class of decision problems solvable non-deterministically in polynomial time. (Basically there currently exists no mathematical way to determine if all major encryption systems are actually flawed.) This is important as polynomial differences in running time are considered small, exponential differences large. All reasonable deterministic computational models are polynomial equivalent. However, some solutions need to be determined through "brute force".

The P v NP conjecture and the question as to whether one-way functions exist invites speculation due to the importance of the P and NP classes in a variety of fields (not least of which includes complexity studies). If it may indeed be demonstrated that P = NP is true, all complexity classes based on NP would collapse to P. P is contained in NP by definition. The containment is believed to be proper in that there are problems where finding a short proof is super-polynomially more difficult than verifying the proof. It could be the case that P = NP is true, though the algorithms for solving NP-difficult problems in polynomial time are computationally intractable.

Most important to online commerce and the security of online systems, if P = NP is demonstrated, most of the cryptosystems currently in use would be rendered ineffective. This is directly due to the assumption that certain problems are difficult and computationally expensive to solve. Next, it is unlikely that any "natural proof" in the substance of Razborov & Rudich's "Natural Proofs" (1997) will solve the issue. The P = NP problem can be reformulated as "Is existential second-order logic able to describe languages that first-order logic with least fixed point cannot?"

What this means is that if P = NP is true; if positive solutions to a YES/NO problem can be verified quickly, can the answers also be computed quickly? If P = NP, factoring could be done in deterministic polynomial time. This would be an advantage to many within the scientific community. The existence of an efficient factoring algorithm does not in any deterministic manner imply P = NP. Thus the factoring problem parts with NP-complete efforts.

Cook and Levin discovered certain problems in NP where the individual complexity of the problem is related to the entire NP class. These are known as NP-Complete. If it is found that a polynomial time algorithm exists for any of the NP-Complete class, then all problems in the class NP will be solvable in polynomial time.

So after the waffle, we have no idea if encryption is mathematically valid at all. We hope that it is. So given this state, there is no, and can be no, state that is 100% secure.

Regards,
Craig

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Wednesday, 17 May 2006 11:25 PM
To: Jason Muskat
Cc: Bob Radvanovsky; Sadler, Connie; email () securityabsurdity com; security-basics () securityfocus com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Security has to be correct 100% of the time. One omission can lead to an

I don't disagree with you. However absolute security requires absolute non-existence of the information. For e.g. you can have IPS, IDS, DRM, TPM, AV, Firewall etc on your network, but as soon as somebody prints out that confidential document and tosses it in a garbage can, your security goes with it.

Another e.g.: Everyone knows that one-time pad provides the "perfect secrecy". But then how did the British intercept the Soviet communications???? The Soviets re-used the OTP, which allowed for statistical analysis and/or pattern matching. Re-using seemed pretty harmless at that time, but in retrospect it was a big mistake. Isn't everything in retrospect a mistake?

Security has 3 core principles: Confidentiality (non-disclosure), Integrity, Availability (non-destruction). In a way Confidentiality is inversely proportional to Availability (I think). By making something available you are increasing the chances of its disclosure. So in theory 100% security is not possible.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
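The point Saqib makes about the Soviet pads can be shown in a few lines. The following is an added illustration, not code from either poster: a one-time pad is XOR with pad bytes that are used exactly once, and the moment two messages share pad bytes, XOR of the two ciphertexts equals XOR of the two plaintexts, which is the statistical foothold he refers to. The messages and the pad are constructed sample values (the pad is a deterministic stand-in so the example is reproducible; a real pad must come from a true random source), and the PadBook class is a hypothetical bookkeeping control whose only job is to refuse to hand out the same pad bytes twice.

```python
"""Why one-time-pad reuse breaks perfect secrecy (constructed example)."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    # Encryption and decryption are the same XOR; the pad must cover the whole message.
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


class PadBook:
    """Hands out pad bytes exactly once and refuses to rewind (hypothetical control)."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0

    def take(self, n: int) -> bytes:
        if self._offset + n > len(self._pad):
            raise RuntimeError("pad exhausted; issue a fresh pad rather than rewinding")
        chunk = self._pad[self._offset : self._offset + n]
        self._offset += n
        return chunk


# Constructed sample data, not historical traffic.
MSG1 = b"ATTACK AT DAWN!!"
MSG2 = b"RETREAT AT DUSK!"
# 32 deterministic bytes standing in for a true random pad (reproducibility only).
PAD = bytes((i * 37 + 11) & 0xFF for i in range(32))


def decrypt_roundtrip() -> bool:
    """Sanity check: XOR with the same pad twice returns the plaintext."""
    return otp_encrypt(otp_encrypt(MSG1, PAD[:16]), PAD[:16]) == MSG1


def reuse_leak() -> bool:
    """Same 16 pad bytes used for both messages: c1 ^ c2 == p1 ^ p2, the pad cancels out."""
    c1 = otp_encrypt(MSG1, PAD[:16])
    c2 = otp_encrypt(MSG2, PAD[:16])
    return xor_bytes(c1, c2) == xor_bytes(MSG1, MSG2)


def fresh_pad_no_leak() -> bool:
    """Distinct pad bytes per message: c1 ^ c2 is masked by pad1 ^ pad2, so no relation shows."""
    book = PadBook(PAD)
    c1 = otp_encrypt(MSG1, book.take(16))
    c2 = otp_encrypt(MSG2, book.take(16))
    return xor_bytes(c1, c2) == xor_bytes(MSG1, MSG2)


def exhausted_pad_is_refused() -> bool:
    """Once the pad is consumed the book raises instead of silently reusing bytes."""
    book = PadBook(PAD)
    book.take(16)
    book.take(16)
    try:
        book.take(1)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("roundtrip ok:", decrypt_roundtrip())
    print("reused pad leaks p1^p2:", reuse_leak())
    print("fresh pad leaks p1^p2:", fresh_pad_no_leak())
    print("exhausted pad refused:", exhausted_pad_is_refused())
```

The defensive lesson is the one Saqib draws: the cipher is information-theoretically secure only while the operational rule "never reuse a pad byte" holds, so the control that enforces the rule (here the PadBook, historically the pad issue and destruction procedures) is part of the cryptosystem, not an afterthought.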
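Craig's "verified quickly versus computed quickly" distinction is easier to see on a concrete NP-complete problem. The following is an added illustration, not code from the thread: for subset sum, checking a proposed certificate (a set of indices) takes time linear in the input, whereas the only general method known is to try subsets, of which there are 2^n. The instances are constructed, the search counts how many subsets it examined so the exponential cost is visible, and nothing here says anything about whether P = NP; it only shows the asymmetry the conjecture is about.

```python
"""Subset sum: polynomial-time verification versus exponential-time search (constructed example)."""
from itertools import combinations
from typing import List, Optional, Sequence, Tuple


def verify_subset_sum(numbers: Sequence[int], target: int, certificate: Sequence[int]) -> bool:
    """The 'NP' side: given a candidate solution, confirm it in O(n) arithmetic.

    The certificate is a list of distinct indices into `numbers`.
    """
    if len(set(certificate)) != len(certificate):
        return False  # an index listed twice is not a subset
    if any(i < 0 or i >= len(numbers) for i in certificate):
        return False  # index out of range
    return sum(numbers[i] for i in certificate) == target


def search_subset_sum(numbers: Sequence[int], target: int) -> Tuple[Optional[List[int]], int]:
    """Exhaustive search over all 2^n subsets, smallest subsets first.

    Returns (certificate or None, number of subsets examined). No known algorithm
    does fundamentally better than exponential time for arbitrary instances.
    """
    n = len(numbers)
    examined = 0
    for size in range(n + 1):
        for idx in combinations(range(n), size):
            examined += 1
            if sum(numbers[i] for i in idx) == target:
                return list(idx), examined
    return None, examined


# Constructed instances.
SOLVABLE = ([3, 34, 4, 12, 5, 2], 9)   # 4 + 5 = 9 at indices 2 and 4
UNSOLVABLE = ([2, 4, 6], 5)            # every subset sums to an even number


def solve_and_verify() -> Tuple[Optional[List[int]], bool]:
    numbers, target = SOLVABLE
    cert, _ = search_subset_sum(numbers, target)
    return cert, (cert is not None and verify_subset_sum(numbers, target, cert))


def subsets_examined_when_unsolvable() -> int:
    numbers, target = UNSOLVABLE
    _, examined = search_subset_sum(numbers, target)
    return examined  # 2**3 == 8: the whole search space before giving up


if __name__ == "__main__":
    cert, ok = solve_and_verify()
    print("certificate found:", cert, "verifies:", ok)
    print("subsets examined on the unsolvable instance:", subsets_examined_when_unsolvable())
    print("bogus certificate rejected:", not verify_subset_sum(SOLVABLE[0], SOLVABLE[1], [0, 0, 0]))
```

This is the same shape as the cryptographic case Craig describes: a private key is a short certificate that is cheap to check against a public key, and security rests on the unproven assumption that producing it from the public data alone has no polynomial-time method.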
Current thread:
- Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." email (May 10)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- <Possible follow-ups>
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Sadler, Connie (May 10)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Craig Wright (May 20)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Craig Wright (May 20)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 20)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Robinson, Sonja (May 23)