Re: Triple encryption...
Mike Johnson wrote:
> Naturally, the two aren't mutually exclusive, but I'll not buy a vault
> door for my house unless I've got a vault to put it on.

Perhaps not, but I would not call a person who decides to do so, for reasons
of his own, "rabid, clinically paranoid" - a phrase you used in your
original post. While I might chuckle at his inconsistent approach, I wouldn't
call the men in white coats to take him away. In fact, I DON'T KNOW whether
his approach is "reasonable" or not until I have a chance to evaluate the
perceived threat he's protecting against. If the potential burglar he's
concerned about is an expert lockpicker who has a phobia about breaking
glass, then your hypothetical "vault door" *MIGHT* make sense, to continue
the analogy. The point being, I'm not in a position to make that decision
for him.

Technically, it might be easier to use the third degree on someone rather
than attempt to break even a 384-bit public key, but sheer level of effort is
not always the whole story. Let's say I stumbled across an encrypted
message from someone I knew, not addressed to me, that I thought might be
"interesting" to decipher. I *MIGHT*, hypothetically, be willing to write a
program that would run in the background on my PC, even if it took many,
many years, or even decades, to arrive at a solution by brute force.
Breaking into the guy's house, or torturing his passphrase out of him might
be "faster", or "easier" for me, but that's not the nature of the "threat"
I'd pose, since I, as an "attacker" would also be weighing risks versus
rewards. While I might be willing to wait years or even decades to satisfy
my curiosity, the message is probably not valuable enough to risk a prison
term for. Thus, a longer key, more layers of encryption, etc. might make
more sense (for him against me) than buying an expensive safe to store his
keyring in, or splitting it up as a "shared secret" so that a "rubber hose"
attack on any one person would not reveal the entire key/passphrase.

Also, the envelope of encryption protection needs to be "pushed". As
processing becomes faster and cheaper, currently "secure" technologies could
become vulnerable. What seems "clinically paranoid" today might seem
"reasonable" in a decade or two, who knows? Why not get them tested and
proven BEFORE they're absolutely needed, even if that testing is at the
hands of people willing to risk being considered "paranoid"?
/--------------+------------------------------------\
| | Internet: [email protected] |
| Dave Sparks | Fidonet: Dave Sparks @ 1:207/212 |
| | BBS: (909) 353-9821 - 14.4K |
\--------------+------------------------------------/