Interesting People mailing list archives

IP: more on Security Czar Points Finger of Blame (should be at Governments)


From: Dave Farber <dave () farber net>
Date: Sat, 03 Aug 2002 11:24:32 -0400

Herb's comments are well taken. But I will still hold that we would be much
better prepared if the governments (and note not just the USA) took a more
long view on security in the 90s. Many of us testified as to the dangers and
many were roundly ignored.

Dave


------ Forwarded Message
From: "Herb Lin" <HLin () nas edu>
Date: Sat, 3 Aug 2002 11:13:46 -0400
To: farber () cis upenn edu
Subject: Re: IP: Security Czar Points Finger of Blame (should be at Governments)

I think the invective being directed at Richard Clarke and the government
here is misplaced, though I do understand the sentiments being expressed.
The connection between the crypto that the government tried to restrict with
its 40-bit encryption-key export limitations and today's state of system and
network security seems quite tenuous.  Consider:

-- WiFi (802.11b) has a capability to support 128 bit encryption.  Was 128
bit encryption a solution to the security problems of WiFi?

-- Has any documented security flaw in existing software ever been traced to
the cryptographic inadequacy of a 40 bit key (as opposed to larger keys)?

I think any serious look at these questions has to result in a "no" to both
of them - and if that analysis is right, then it is very hard to argue that
attempts to restrict encryption key length have or had anything at all to do
with the flaws we see today.

Readers might also do well to consider that the state of world affairs and
technology deployment is very different now than in the early 1980s and
1990s.  Specifically, it's much clearer today that good encryption is
relevant to a much wider range of applications and services than it was
then.  Rather than being the subject of criticism, Clarke should be praised
for understanding the importance of security.

None of this is intended to deny the point that there are elements within
the law enforcement and national security communities that would much prefer
no encryption at all.  But the bottom line from my perspective is that the
encryption strength is mostly (but not completely) orthogonal to the
security problems that plague us today.

Herb Lin
Senior Scientist
(and study director of the 1996 NRC report on cryptography)
CSTB
www.cstb.org




------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/

