doctorow at June 9th, 2014 23:00 — #1
pjz at June 9th, 2014 23:13 — #2
I think the key here is to take a minimum timeframe as just that - a minimum. Overengineer the proof of work or whatever. Think the NSA has 10x the rest of the world? Fine, just make your key 10x as hard to figure out. So it may take the rest of the world 3-4 more years to decrypt... so what?
fuzzyfungus at June 9th, 2014 23:56 — #3
It's a fundamentally tricky problem:
Proof-of-work/low-difficulty-brute-force is the obvious approach; but it's hard to calibrate: You don't know what advances in computing and cryptanalysis may or may not be made (we aren't even talking sci-fi stuff here: In, say, 1995, 3dfx Interactive had been in business for about a year, rainbow tables wouldn't exist for another 8 years, Crack was still pure CPU and wouldn't support clustering until v.4. It's only 20 years on, and the situation has... changed a bit.)
You can't control how the adversary will traverse the keyspace: on average you find the key about halfway through; but if you get really lucky it could be your first try, if you get really unlucky it could be your last, or anywhere in between. Even if you perfectly predict the future and calibrate the size of the keyspace properly, you still have an uncontrollable probabilistic element.
Using some sort of tamper-resistant keystore with an RTC seems like an attractive option; but that has a fundamental weakness (in addition to any practical attacks that a given device may suffer from): In common use, tamper-resistant storage hardware has broad freedom to just blank the storage and thus frustrate an attacker. This is what they are supposed to do. Nobody cares about the lost data because they are either just authentication secrets (a shared secret seed on RSA fobs, a private key embedded or generated during manufacture for SIMs, CACs, chip-and-pin cards, and similar) or an offsite copy of something that is backed up in the locked datacenter back at the office (as with most IronKey deployment scenarios). Authentication secrets are meaningless, IT can just issue you a new one and invalidate the old one at any time, no problem. Offsite files aren't meaningless; but the field copy is usually presumed to just be a convenience thing, and its destruction much preferable to its compromise.
Things are more difficult in the 'time capsule crypto' scenario: If there is an authentication entity that can just issue new credentials, they'll just get the subpoena and the whole arrangement is for nothing. If there is not, you can't just blank the storage at the first sign of trouble; because what is being stored is either the data you wish to store and protect, or irreplaceable keys to that data. Unfortunately, this takes the greatest weapon a tamper-resistant system possesses right off the table. If the system is free to nuke the keys, the attacker has to sneak past or disable all the defenses and tripwires the designer adds to the system. If the attacker knows that the system can't nuke the keys, because they are valuable, he can do more or less anything he wishes, so long as he doesn't directly destroy the memory himself. Under such relaxed conditions, very few systems could resist for long, definitely not as long as you would want.
The most theoretically elegant (but wildly impractical) solution I've seen proposed is to locate a reflector X/2 light years away from earth and optically transmit the key at it. Highest-latency delay-line-memory in the galaxy, and, unless you snagged a copy of the key as it was transmitted, you'll just have to wait X years for the reflection to come back to you.
A much less satisfying, but probably more practical, approach would be to use one of the secret sharing schemes that allows you to chop the key into N parts and construct them such that reconstructing the key requires at least M of them, with M somewhere between 1 and N, inclusive. This provides no elegant theoretical solution; but it allows you to choose your own balance of risk of permanent loss vs. risk of premature disclosure, and makes it about as easy as it can be to distribute the keys across multiple institutions, jurisdictions, storage media, etc. so that any given adversary will have a hell of a time subpoenaing, hacking, stealing, coercing, etc. enough of the parts to reconstruct the key.
You don't even need to tell the piece-holders who the others are, how many of them there are, or anything else. Just affix their chunk of data to a suitably durable storage medium with instructions to 'send to location X at time Y'. This isn't elegant; fundamentally you can roll the piece-holders one by one just as easily as you could a single keyholder; but in practice, especially if you don't know who all of them are, navigating a maze of different jurisdictions, some hostile or indifferent to your authority, is going to be much more of a challenge than just accessing a single one.
fuzzyfungus at June 10th, 2014 00:18 — #4
It depends on what the data are, of course; but you do run the risk of making the proof of work so much work that you lose your secret permanently.
In the case of the 'Belfast Project', say, you need something good enough to resist anything up to (and including) Her Majesty's Spy Nerds at the GCHQ being willing to burn a lot of CPU time to settle as many scores as possible from a conflict that remains relatively bitter in living memory. However, you also need something easy enough that, once the people directly involved are dead, somebody will spare enough CPU time to recover some niche historical material from a 20th century ethnic slugfest that (if it didn't involve people and countries about which a damn is given) would scarcely rise above the background noise (I don't wish to suggest that the 3,530 deaths weren't tragic; but that's a pretty small number by the standards of 'ugly 20th century ethnic nationalist conflict spanning several decades'.)
That's potentially tricky: between just saving energy, and any number of philanthropic crunching exercises (Folding@home, et al.) donor CPU time isn't necessarily going to be easy to come by for niche stuff that has cooled off enough that you now do want to release it; but quite substantial amounts of it may be available if some jurisdiction's feds think that you have the goods on people they want to get to (which, in the case of the Belfast project, is very, very likely to be true.)
nergalms at June 10th, 2014 02:09 — #5
Crypto is good and all, but with future computing advances unpredictable relying on crypto alone seems foolish. Aren't we overthinking things here? A physical device - literally a safe or some other secure construct - would be more useful. Set it up so that as the safe opens correctly a sequence of properly timed commands is sent to the electronic storage device within. If the safe is forced the commands aren't sent, or aren't sent in the correct order and the data goes poof. Have the person who donates the information set the commands and order so that no one else, not even the designated organization to whom the documents have been given, has any way to know the correct sequence and thus be able to force the safe. Physical safeguards as the crypto key should be less liable to obsolescence via computing advances.
zittrain at June 10th, 2014 08:01 — #6
Yes, I think keysplitting may work better than trying to time crypto properly. (One suggestion on the latter front is simply to launch the secrets into a spacecraft designed not to return to Earth for the designated time period -- interesting, but probably requires quite a Kickstarter of secrets to fund.) With the keysplitting, there's no mathematical guarantee that it won't be opened early, but it does mean that multiple jurisdictions would have to agree to compel production of the key -- a much larger hurdle than the current one.
gordian_dziwis at June 10th, 2014 14:58 — #7
Actually it is not a problem if the NSA gets faster in the next ten years. If a key is secure now, for example because you use 256-bit, and you choose 512-bit instead, then the decryption problem did not grow by a factor of 2, but by a factor of 2^256. So you are protected from Moore's law.
But you are not safe from quantum computers, which would render now existing encryption useless.
karls at June 10th, 2014 15:30 — #8
Yes, but the problem is that you don't want it to be too difficult either. It's tricky to find the right balance so that the wrong people won't be able to decrypt it too soon while someone will still be able to decrypt it in a reasonable time frame (or at least ever.)
doctorow at June 14th, 2014 23:01 — #9
This topic was automatically closed after 5 days. New replies are no longer allowed.