From: Kent Crispin <kent@songbird.com>
Date: Wed, 11 Jun 1997 05:19:20 +0800
To: cryptography@c2.net
Subject: Re: Access to Storage and Communication Keys
In-Reply-To: <19970610112926.04400@bywater.songbird.com>
Message-ID: <19970610134844.39484@bywater.songbird.com>
MIME-Version: 1.0
Content-Type: text/plain



On Tue, Jun 10, 1997 at 03:20:27PM -0400, Ray Arachelian wrote:
> On Tue, 10 Jun 1997, the spooks made the tentacle named Kent Crispin
> write the following bad advice:
> 
> > If you have data you wish to guard from disclosure I think that in
> > most circumstances you want to back up ciphertext.  It is a *lot*
> > cheaper to secure a piece of paper with a passphrase on it (in a safe
> > deposit box, for example) than it is guard a gigabyte of backup tapes. 
> 
> BBBBZZZZZZZZZT!  Wrong!

> Passphrases can be memorized.

Chinese proverb: "The strongest memory is weaker than faded ink".

>  4mm DAT tapes hold several gigs and are
> tiny.

[excoriating exposure of my stupidity deleted]

You're right -- I misspoke.  I confess that I don't pay much attention
to tape technology.  I was just thinking about the robotic silos at
work -- of course, they hold a lot more than gigabytes -- individual
data files on them are frequently many gigabytes.  In this environment
(admittedly atypical, though some commercial enterprises are probably 
at least as large) it would clearly be cheaper to guard keys than it 
would be to guard the tapes.  But they guard the tapes anyway.

[long tape tutorial deleted]

> But you can leave the tapes unprotected in clear view of the world. 
> They're useless to those that don't have the passphrase.  Hence it costs
> you $0.0 to secure tapes that hold strongly encrypted information.  It
> costs a lot more to protect that said piece of paper.

After all that humiliation, thank you for exactly making my point. 
You guard the keys, you don't guard the tapes.

> If you are paranoid, you could encrypt your backup with a
> different cypher.  (i.e. use IDEA on the hard drive, then backup and
> encrypt the encrypted drive with 3DES and Blowfish, all using different
> passphrases.)

Ah yes, remembering *all* those passphrases, and what happens if you 
forget? 

> Yes, you can write your passphrase on paper, but if someone finds it you
> are screwed.

You are screwed if you forget it, to.  Either eventuality can be 
disastrous, depending on the circumstances.  For many types of data 
losing access to the data is a far bigger disaster than unauthorized 
exposure. 

> Giving such advice is dangerous.  It is as if you told
> someone to put a PostIt(tm) note with their account and password on their
> monitor, or to use their birthday as their password, or their dog's name.
> Paper is very easily compromised.  Weak passwords and passphrases are also
> easily compromised.

I am quite familiar with all these issues, Ray.

The scheme is that you write the passphrase on a piece of paper, and 
put the paper in a vault.  This reduces the risk of loss of access, 
and increases the risk of exposure.  In real environments you 
evaluate both risks.  Put it in other terms:  you have $1000000000 in 
untraceable ecash sitting encrypted on your disk.  Which is worse: 
having it stolen, or losing the key that decrypts it?  The answer is, 
they are equally bad.

Indeed you can use secret sharing techniques to hide the key -- for 
$1000000000 I probably would.  For all the secrets I currently know, 
putting the key in a vault is sufficient security.

-- 
Kent Crispin				"No reason to get excited",
kent@songbird.com			the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html