[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NO reasno whatsoever for the MILITARY to use an intentionally WEAK encryption system. (fwd)



Forwarded message:
>From fc Sat Jul 29 07:18:30 1995
Subject: NO reasno whatsoever for the MILITARY to use an intentionally WEAK encryption system.
To: [email protected] (Phil Fraering)
Date: Sat, 29 Jul 1995 07:18:30 -0400 (EDT)
In-Reply-To: <[email protected]> from "Phil Fraering" at Jul 28, 95 03:19:45 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 3694      

...
> You misunderstand. With public key encryption, the proliferation of processor
> power and bandwidth, and their funding, there is NO reason whatsoever for the
> MILITARY to use an intentionally WEAK encryption system.

	The military doesn't have that much funding for this sort of
thing.  There are more than 2.5 million computers (est.) in the DoD, and
to put in and manage a cryptosystem for this large a network is a very
difficult and expensive proposition. 

	At $100 per computer (including only purchase price and
installation) that's $250 million, but that only covers relatively low
bandwidth communications.  The vast majority of systems use Ethernets
and similar things where encryption is far more expensive - but we'll
ignore that for now.

	You also have the key management problem.  You need to create a
secure distributed key management database capable of handling 2.5
million public keys.  No current system I am aware of can do this, so
there is a substantial R+D problem out there.  Then we have to put hooks
into every different OS used in the DoD to allow this to work properly. 
Then we have issues like synchorinization and man-in-the-middle attacks
to worry about.  Any of these could take out the crypto-systems, which
are (in today's world) less reliable than standard communications.

	This means we are sacrificing availability for confidentiality,
which in the military domain means we will lose the war, but nobody will
be able to tell us why, because they will never be able to decrypt all
the details.

	The DoD does use cryptography extensively, but only to protect
information worthy of the real costs and complexities associated with the
technology - just as any organization should strive to do.

...
> I think you misunderstood: if we want a military in the first place
> (yes, I realize that's an open question to many people on this list)
> it needs to have as much of its communications encrypted as possible.
> Without back doors or intentionally weakened algorithms. Otherwise
> we're just stuck with a standard conventional force that isn't _that_
> great compared to the combined assets of a reasonable assembly of
> enemy forces.

	Secrecy isn't the only military advantage in information
warfare.  The pace of the action is far more important, the availability
of select information at the right place at the right time is far more
important, the ability to deny information to the enemy is far more
important, the accuracy and timeliness of the information is far more
important, and on and on.  If you really want to know more about this, you
should read:

	"Protection and Security on the Information Superhighway"
	 John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95


	Furthermore, backdoors are very useful, for example, when we
sell the equipment to other nations who resell them to those who try to
use the techynology against us.  The best cryptosystem for the NSA is one
that only they can break.

> I would go even farther: since so many of the troops sent over to the Gulf
> in the war there went with K-Mart-purchased GPS receivers that the military
> had to turn off selective availability, I am willing to bet that in future
> conflicts the U.S. soldier's ability to have secure communications (with
> no backdoors or weakened algorithms) is dependent on civilians having access
> to the same technology. Because the only way they might have it is if Ma
> and Pa go down to the local K-Mart and buy one for their son/daughter about
> to go overseas.

How much would you like to make that bet for?

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236


-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236