1994-07-01 - Physical storage of key is the weakest link

Header Data

From: tcmay@netcom.com (Timothy C. May)
To: adam@bwh.harvard.edu (Adam Shostack)
Message Hash: 3215bdc6638af6fa3e3a2e40c38c8cec382f9f31d0d04e76c9e934cb307704a5
Message ID: <199407012037.NAA17138@netcom11.netcom.com>
Reply To: <199407011746.NAA13073@duke.bwh.harvard.edu>
UTC Datetime: 1994-07-01 20:37:12 UTC
Raw Date: Fri, 1 Jul 94 13:37:12 PDT

Raw message

From: tcmay@netcom.com (Timothy C. May)
Date: Fri, 1 Jul 94 13:37:12 PDT
To: adam@bwh.harvard.edu (Adam Shostack)
Subject: Physical storage of key is the weakest link
In-Reply-To: <199407011746.NAA13073@duke.bwh.harvard.edu>
Message-ID: <199407012037.NAA17138@netcom11.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain

> There are a number of good ways to breach modern cryptography without
> torture.  They include:
> Van Eck (Tempest) monitoring.
> Sodium Pentothal & its more modern cousins.
> Bribery.
> Blackmail.

> Adam Shostack    adam@bwh.harvard.edu

Much more likely:

* Diskettes left lying around. Secret keys on home computers.

* Incompletely erased files. (Norton Utilities can recover erased
files; mil-grade multiple-pass erasure may be needed.)

A simple search warrant executed on your premises will usually crack
open all your crypto secrets. (Fixes to this are left as an exercise.)

Where to store one's secret key is an issue that makes academic the
issue of whether one's key can be compelled. A diskette stored at
one's home, in one's briefcase, etc., can be gotten. A pendant or
dongle or whatever that stores the key can also be gotten. The
passphrase (8-12 characters, typically) is secure, but not the key.

--Tim May

Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
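The point of the message above is that the passphrase is the only part of the setup an attacker cannot simply pick up off a desk: the key file on the diskette is what gets seized. The usual defence, which PGP and MailSafe both applied in their own formats, is to never write the secret key to disk in the clear and instead wrap it under a key stretched from the passphrase, so a seized diskette yields ciphertext and the search warrant still has to go through the passphrase. The following is an added illustration of that idea, not code from the thread or from either product: it uses Python's standard library only, stretches the passphrase with scrypt (memory-hard, which slows guessing against the 8-12 character passphrases Tim mentions), and uses an HMAC-SHA256 keystream plus an HMAC tag as a stand-in for a real authenticated cipher such as AES-GCM, which the standard library does not ship. The sample key blob, the function names and the parameter choices are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a stand-in for a PGP/MailSafe secret key file.
SAMPLE_SECRET_KEY = (
    b"-----BEGIN FAKE SECRET KEY (constructed sample)-----\n"
    + bytes(range(64))
    + b"\n-----END FAKE SECRET KEY-----\n"
)

# scrypt cost: 128 * N * r bytes of memory per guess (16 MiB here),
# chosen so that it stays under Python/OpenSSL's default maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch a human-chosen passphrase into an encryption key and a
    separate MAC key. The per-file salt stops precomputed guess tables."""
    km = hashlib.scrypt(
        passphrase.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64,
    )
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream. This stands in
    for a real cipher (AES-CTR/GCM) purely to keep the example stdlib-only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_secret_key(secret_key: bytes, passphrase: str) -> bytes:
    """Return salt || nonce || ciphertext || tag. Only this blob ever touches
    the diskette; the plaintext key exists only in memory."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(secret_key))
    ciphertext = bytes(a ^ b for a, b in zip(secret_key, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unwrap_secret_key(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Recover the secret key, or None if the passphrase is wrong or the
    blob was altered. The tag is checked before anything is decrypted."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def key_material_is_exposed(blob: bytes, secret_key: bytes) -> bool:
    """The seized-diskette check: does the stored blob leak the raw key?"""
    return secret_key in blob or secret_key[:16] in blob


if __name__ == "__main__":
    on_disk = wrap_secret_key(SAMPLE_SECRET_KEY, "correct horse battery")
    print("raw key visible in stored blob:",
          key_material_is_exposed(on_disk, SAMPLE_SECRET_KEY))
    print("wrong passphrase recovers key:",
          unwrap_secret_key(on_disk, "password") is not None)
    print("right passphrase recovers key:",
          unwrap_secret_key(on_disk, "correct horse battery") == SAMPLE_SECRET_KEY)
```

Two caveats follow directly from the thread. First, wrapping only helps if the plaintext key never reaches the disk at all, which is exactly the "incompletely erased files" problem: a temporary file or swap page holding the unwrapped key is recoverable with the same tools Tim names, so the unwrapped key should live only in memory and be discarded as soon as the operation is done. Second, the strength of the whole scheme collapses to the passphrase entropy once the blob is seized, so the KDF cost parameters and the passphrase length are the only knobs left to the defender.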