RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

["Craig Wright" <cwright () bdosyd com au>]

Hello,
Even an OTP does not provide perfect security, just good security.

One of the key issues in complexity theory is the N v NP debate. The
class P is defined as the class of decision problems solvable
deterministically in polynomial time. The class NP is the class of
decision problems solvable non-deterministically in polynomial time.
(Basically there currently exists no mathematical way to determine if
all major encryption systems are actually flawed).

This is important as polynomial differences in running time are
considered small, exponential differences large. All reasonable
deterministic computational models are polynomial equivalent. However,
some solutions need to be determined through "brute force".

The N v NP conjecture and the question as to whether one-way functions
exist invites speculation due to the importance of the P and NP classes
in a variety of fields (not least of which includes complexity studies).
If it may indeed be demonstrated that P = NP is true, all complexity
classes based on NP would collapse to P.

P is contained in NP by definition. The containment is believed to be
proper in that there are problems where finding a short proof is
super-polynomially more difficult than verifying the proof. It could be
the case that P = NP is true, though the algorithms for solving
NP-difficult problems in polynomial time are computationally
intractable.

Most important to online commerce and the security of online systems, if
P = NP is demonstrated, most of the cryptosystems currently in use would
be rendered ineffective. This is directly due to the assumption that
certain problems are difficult and computationally expensive to solve.

Next it is unlikely that any ``natural proof'' in the substance of
Razborov & Rudich's, ``Natural Proofs,'' (1997) will solve the issue.

The P=NP problem can be reformulated as "Is existential second-order
logic able to describe languages that first-order logic with least fixed
point cannot". What this means is that if P = NP is true; if positive
solutions to a YES/NO problem can be verified quickly, can the answers
also be computed quickly".

If P = NP, factoring could be done in deterministic polynomial time.
This would be an advantage to many within the scientific community. The
existence of an efficient factoring algorithm does not in any
deterministic manner imply P = NP. Thus the factoring problem parts with
NP-complete efforts.

Cook and Levin discovered certain problems in NP where the individual
complexity of the problem is related to the entire NP class. These are
known as NP-Complete. If it is found that a polynomial time algorithm
exists for any of the NP-Complete class, than all problems in the class
NP will be solvable in polynomial time.

So after the waffle, we have no idea if encryption is mathematically
valid at all. We hope that it is. So given this state, there is no, and
can be no state that is 100% secure.

Regards,
Craig

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Wednesday, 17 May 2006 11:25 PM
To: Jason Muskat
Cc: Bob Radvanovsky; Sadler, Connie; email () securityabsurdity com;
security-basics () securityfocus com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable,
And Total Failure of Information Security."

> Security has to be correct 100% of the time. One omission can lead to
an

I don't disagree with you. However aboslute security requires absolute
non-existence of the information. For e.g. You can have IPS, IDS, DRM,
TPM, AV, Firewall etc on your netowork, but as soon as somebody prints
out that confidential document and tosses it in a garbage can, you
security goes with it.

Another e.g.: Everyone knows that one-time pad provides the "perfect
secrecy". But then how did the British intercept the Soviet
communications???? Soviet re-used the OTP, which allowed for
statistical analysis and/or pattern matching. Re-using seemed pretty
harmless at that time, but in retrospect it was a big mistake. Isn't
everything in retrospect a mistake?

Security has 3 core priciples Confidentiality(non-disclosure),
Integrity, Availability(non-destruction). In in way Confidentiality is
inversely propotional to Availability (i think). By making something
available you are increasing the chances of its disclosure. So in
theory 100% security is not possible.


--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.