Dailydave mailing list archives

Re: Re: Hacking's American as Apple Cider


From: "I)ruid" <druid () caughq org>
Date: Fri, 23 Sep 2005 01:08:49 -0500

On Tue, 2005-09-20 at 19:38 -0400, Marcus J. Ranum wrote:
OK, I won't bore you with fleshing these out ad nauseam. But an expert
castle-builder is going to understand the parameters for what are needed to
build a strong castle. And, yes, technologies change. For example, there
are all kinds of nice brick civil-war-era forts that were designed to withstand
smoothbore cannon for months that would be battered to bits by rifled cannon
in days. The reason they would still last days (instead of minutes) is because
of engineering overhead in the assumptions about the wall thickness.

Transformative shifts in attack paradigm may cause catastrophic failures.
But they are few and far between. Incremental improvements in attacks
should be within the engineering overhead of good design. Same
applies with crypto or with other security systems. So, if you have a
system that was designed well by someone who thought through
the attack paradigms of the day, then testing it destructively is not
going to make sense.

You use the term "crypto", it seems, as a reference to cryptography
rather than cryptology, which as you properly describe is the design and
engineering of cryptographic algorithms and protocols, but really is
only one aspect of cryptology.

There is a second aspect that I feel can be undeniably classified as
"hacking" and which I personally feel is very, very cool.  It's called
cryptanalysis, which is essentially developing methods of breaking
cryptography.  I don't see how you can classify it as anything but
"hacking", and without cryptanalysis you cannot prove the strength of
your cryptography or the protection it provides.

-- 
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org
