What would you do?: Assume all Public Key Exchange models in use failed overnight.

  • DaKahuna
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Fax
    Telephone
    Pen & paper
    snail mail



  • Thorn
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by renderman View Post
    ... Humans don't do well with change. ...
    According to most people, 'change' is something you keep in your pocket.



  • erehwon
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by astcell View Post
    I'm old enough to remember when credit cards not only had no magnetic strip, but the numbers on the cards were TYPED on it, not raised. Yes the world got along fine with couriers, registered mail, pencil and paper. More F2F meets and having to fly to another continent just to utter 5 words. Yup that was my world growing up.
    I agree with astcell, what once was old tradecraft will be new again, I can very well see using USB dead drops that look like rocks, innocuous looking IR square taped on a mailbox when there's something new to communicate about, pre-timed F2F meets in a campus library, or any other well trafficked area. More use of one time pads and something a little more rocking than the Lincolnshire Poacher being broadcast on the Internet.

    I'd keep listing suggestions, but the best ones are sitting in my WTSHTF plan.



  • xor
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by renderman View Post

    This is what I would fear more than any attack or sudden catastrophic event. Because a real failure of any system can be fixed. A wire breaks, you replace it. A server fails, you switch to the backup. The backup fails, you pray to spongebob.
    So does that mean that SpongeBob is the one true god? ROFL

    xor



  • renderman
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    My interpretation of the question revolved around the idea that one morning someone announces "We have a box that can break all common PKI based crypto" à la "Sneakers"

    While not necessarily breaking the functions currently in place (money could still be transferred, cryptomail sent) but suddenly the mass assumption that it can't be broken in a reasonable time being crushed.

    This is what I would fear more than any attack or sudden catastrophic event. Because a real failure of any system can be fixed. A wire breaks, you replace it. A server fails, you switch to the backup. The backup fails, you pray to spongebob.

    The bits, bytes, metal, plastic, silicon, and even math that make up such 'secure' systems are built upon the basis of something much smaller and intangible; TRUST

    If such a box or decryption system suddenly hit the world, that trust is broken. If that trust is broken, you cannot be reasonably sure that the incoming bank withdrawal request is real. You cannot trust the orders coming from higher up in command. You're not going to take the risk if that trust is broken.

    Terrorism, asteroids, global warming, nuclear proliferation. These don't scare me. What does scare me is natural human reactions to fundamental changes in their base psychology. Things like alien life being proven. Religious nuts in general being proven wrong and then attempting to 'make it right'. Humans don't do well with change. To suddenly pull a rug out from a high level of trust (i.e. banking, chain of command) usually doesn't end well.



  • xor
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by renderman View Post
    I assume this topic came about because of the recent announcement of 2 separate groups both making leaps in quantum computing...
    I asked Bruce Schneier (sorry, don't mean to name drop) this very question at the QA at DEFCON. I'm paraphrasing my question: did he think that technology, specifically Moore's Law, would render crypto moot? His response, also paraphrasing here, was that the math is on the side of the cryptographer, and as technology increases it increases for the cryptographer as well. He also stated to not go after the crypto but to attack the implementation. His analogy being the encryption was like a stake in the ground, why run into the stake when you can go around it.

    Just MHO, that perhaps for a short term period the attacker may have a slight edge, but it would be short lived at best.

    thx-1138
    Last edited by xor; September 16, 2007, 14:57.



  • TheCotMan
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by xor View Post
    A better question to ask would be what would happen if an EMP device were detonated over the US.
    This wouldn't lead to wide-spread loss of electronic devices, and data.

    Using formula from Physics, you can compute the effective force and field strength of a magnetic field given a distance in addition to strength. Like Gravity, the force of field strength relies on the strength of a charge, but the distance is much more important, since the distance is an inverse square applied to any change in charge/field.

    So, double the charge, and double the distance, you halve the effective strength to the new distance. Because of this, the effective radius for any EMP bomb is very limited, and addition of more "power" to generate a strong field faces diminishing returns.

    A single bomb over the US would not be enough-- even if the power source was nuclear. Many, many EMP would be needed, and then you would have to consider additional power requirements to push the EMI through shielded spaces, and underground storage systems.

    Even without an attack a solar flare from the sun directed at the planet could be absolutely catastrophic. In fact it has already happened in the past and will happen again.
    This is a risk too. Maybe a topic for another thread on catastrophic failures like doomsday scenarios.



  • xor
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by Schuyler View Post
    I cannot imagine that situation happening without incurring a very specific loss of life in both the immediate and in the following days and weeks. I'd imagine we would be responding as much to the loss of our infrastructure as we would to the loss of life.

    As far as going to war at that point, it would depend on how protected our military electronics were. Personally I would have the military on alert and on our shores at that point. National defense first and foremost. I know a lot of people would rather see us marching to war to do something about it, but I think it would be ignorant not to expect more after an event like that. If there was good, verified, actionable intelligence saying "yes, there is more, and it's going to come from X" I'd see if we couldn't get an ally in the area (Say Israel, if it's the middle east) to launch a preemptive counterstrike to whatever worse was about to come.
    Actually since we moved away from the cold/possible nuclear war stance a lot of military electronics don't contain the $5.00 transorbs. I think things would be so messed up after an attack like the one mentioned above that we would only be able to mount something akin to the Doolittle Raid.

    thx-1138



  • TheCotMan
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by renderman View Post
    I assume this topic came about because of the recent announcement of 2 separate groups both making leaps in quantum computing...
    Well, there are 3 or 4 spaces I know about, probably more, that might have a chance in this realm. (None of these are really new, and have been investigated for a long time.) One is a difficult problem in mathematics that has yet to be proven. It is related to an assumption made in math that many think might be true, but has not been proven to be true. Another is quantum computing. However, quantum computing might be the weakest of these, as access to build faster computing systems at this level could provide us with fast, reliable quantum cryptography too.

    Much of present high-speed crypto (done on computers today) that use Public Key, or Public Key exchange, rely on very basic assumptions. Many non-public key-exchange are not necessarily at risk. For example, a Vernam (Simple XOR, OTP, no key reuse, *) cipher with non-reused "keys" exchanged in an implied secure manner allow for what is considered by many to be one of the most "secure" (from attack by only watching the data stream, not physical security, eavesdropping, etc.)

    As DT mentioned, cases where there are *only* secret keys (such as pre-shared secret keys in VPNs) are often considered to not be at *new* risk to attacks (specific) to PKI, by matter of definition and key secrecy.

    I wanted to have the problem be generic enough, so as to not be limited to just the spaces where fundamental assumptions required for present Public Key systems are being attacked, but also include spaces that I've not considered, or that might develop in the future.

    I think that what would change depends on the type of person on an individual level, and at what level of society on a mass level
    Right. I was hoping to see an interesting cross section of responses from members here, from "new person" to, "I am a director/manager and would do this," and everyone in between.

    On an individual level you'd find credit cards and most common commerce functions would be suspect and you'd see something akin to the old 'run on the bank'.
    Right. The banking systems have everything they need to pass information (OTP/XOR, or a private/secret key exchange) from one place to another using physical security. They also have laws, and physical security measures to have physical security in place to decrease risk of loss of private key exchange/storage. It wouldn't be a pretty transition, but they would probably be able to shift away from any present public-key systems faster than other businesses.

    In a smaller bubble beyond socio-economic meltdown, I would see a lot of communication remain the same. Most people receive email in plain text and few if any average home users use crypto beyond banking/commerce functions.
    Good point.

    It's an interesting question to think about because it's a very real one that may occur. I personally tend to be a pessimist and assume the worst will occur. Society tends not to deal with paradigm shifts too well and things would get very ugly very quickly.
    At least it wouldn't be boring.....
    Heh heh. No. No it wouldn't. It would be very exciting, actually. If someone posted, "What would I do differently? I would buy a new camera," then we would have a new undercover reporter spotted.

    Originally posted by Schuyler View Post
    I'd stop clicking on the red box.
    Hahahahahah! Clever. :-)
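
The one-time pad with "no key reuse" mentioned in the post above, as an added example that is not part of the original thread: a sender-side pad that hands out each key byte exactly once, plus a check showing what reuse would leak. The class and function names are hypothetical, the messages are constructed, and the pad is assumed to have been exchanged out of band.

```python
import secrets


class PadExhausted(Exception):
    """Raised when a message needs more pad bytes than remain unused."""


class OneTimePad:
    """Sender-side pad (hypothetical helper): each key byte is issued once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0          # index of the first never-used pad byte

    def take(self, n: int) -> tuple[int, bytes]:
        if n > len(self._pad) - self._offset:
            raise PadExhausted("not enough unused pad; exchange a new pad")
        start = self._offset
        self._offset += n         # these bytes are never handed out again
        return start, self._pad[start:start + n]


def new_pad(n: int) -> bytes:
    """Pad material from the OS CSPRNG; assumed to be shared out of band."""
    return secrets.token_bytes(n)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(pad: OneTimePad, plaintext: bytes) -> tuple[int, bytes]:
    """Return (pad offset, ciphertext); the offset tells the receiver where to read."""
    offset, key = pad.take(len(plaintext))
    return offset, xor_bytes(plaintext, key)


def decrypt(pad_bytes: bytes, offset: int, ciphertext: bytes) -> bytes:
    key = pad_bytes[offset:offset + len(ciphertext)]
    if len(key) != len(ciphertext):
        raise PadExhausted("ciphertext refers to pad bytes that do not exist")
    return xor_bytes(ciphertext, key)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one key encrypted both messages, c1 XOR c2 == p1 XOR p2 (key cancels)."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    shared = new_pad(64)                                   # constructed sample pad
    sender = OneTimePad(shared)
    m1, m2 = b"WIRE 100 TO ACCT A", b"WIRE 900 TO ACCT B"  # constructed messages
    off1, c1 = encrypt(sender, m1)
    off2, c2 = encrypt(sender, m2)
    print(decrypt(shared, off1, c1), decrypt(shared, off2, c2))
    # Reuse of the same 18 key bytes for both messages: no key needed to relate them.
    bad1, bad2 = xor_bytes(m1, shared[:18]), xor_bytes(m2, shared[:18])
    print(reuse_leak(bad1, bad2) == xor_bytes(m1, m2))
```

The pad gives confidentiality only: XOR ciphertext can be altered in transit without detection, so a pre-shared-key MAC would still be needed to authenticate a message.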



  • Schuyler
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by xor View Post
    A better question to ask would be what would happen if an EMP device were detonated over the US. An attack of our infrastructure and technology not killing people directly might not merit a direct military response. Can you really justify killing people over the destruction of critical electronic infrastructure?
    I cannot imagine that situation happening without incurring a very specific loss of life in both the immediate and in the following days and weeks. I'd imagine we would be responding as much to the loss of our infrastructure as we would to the loss of life.

    As far as going to war at that point, it would depend on how protected our military electronics were. Personally I would have the military on alert and on our shores at that point. National defense first and foremost. I know a lot of people would rather see us marching to war to do something about it, but I think it would be ignorant not to expect more after an event like that. If there was good, verified, actionable intelligence saying "yes, there is more, and it's going to come from X" I'd see if we couldn't get an ally in the area (Say Israel, if it's the middle east) to launch a preemptive counterstrike to whatever worse was about to come.



  • xor
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    A better question to ask would be what would happen if an EMP device were detonated over the US. An attack of our infrastructure and technology not killing people directly might not merit a direct military response. Can you really justify killing people over the destruction of critical electronic infrastructure?

    Imagine one day we are part of a global village; suddenly and without warning we are reduced to getting news from our neighbor. No TV, cars, radios, computers, the US goes dark. All unprotected electronics destroyed.

    Could you justify war at this point or would you first have to put the country back together which could take a decade or more?

    Even without an attack a solar flare from the sun directed at the planet could be absolutely catastrophic. In fact it has already happened in the past and will happen again.

    thx-1138



  • Schuyler
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    I'd stop clicking on the red box.



  • renderman
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    I assume this topic came about because of the recent announcement of 2 separate groups both making leaps in quantum computing...

    I think that what would change depends on the type of person on an individual level, and at what level of society on a mass level

    On an individual level you'd find credit cards and most common commerce functions would be suspect and you'd see something akin to the old 'run on the bank'.

    Large segments of society would grind to a halt as suddenly large banking transactions cannot be verified nor trusted because of the inevitable number of jackasses who would begin to screw with things or just create enough noise in the system to create chaos.

    In a smaller bubble beyond socio-economic meltdown, I would see a lot of communication remain the same. Most people receive email in plain text and few if any average home users use crypto beyond banking/commerce functions.

    I think that for those of us who use crypto as much as we can (I like un-necessary crypto) our trust would not be immediately broken however our paranoia and suspicion would increase and new communication would be vetted very closely. Habits would change and less un-necessary communications would occur.

    It's an interesting question to think about because it's a very real one that may occur. I personally tend to be a pessimist and assume the worst will occur. Society tends not to deal with paradigm shifts too well and things would get very ugly very quickly.

    At least it wouldn't be boring.....



  • TheCotMan
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Originally posted by xor View Post
    Personally I don't claim to be an expert in this subject or even educated. But since we are just talking I'll give it a try.
    The beauty of this topic, is level of skill is not a requirement for posting a reply. Anyone can provide a list of things they might do differently. :-)

    Even a forum member who is a luddite, that uses carrier pigeons to another human as a forum proxy can reply. Maybe they would say, "The only thing that I would do differently is say, 'I told you so! nyah nyah!'"

    I personally don't see how this could happen, please elaborate on the possibilities. Though this is an extreme analogy and no doubt a stretch it's sort of like saying what would happen if all the windows boxes one day suddenly didn't boot (wishful thinking). We would all learn MAC OSX, LINUX or FREEBSD.
    If I provide a specific cause, then there is an attempt to solve the specific problem and not answer the question. (I'd rather not provide any specifics on where the model might fail.) However, you provide an answer to this question by asking this question-- your decision would be to allocate your time and resources to looking at the failure in the models.

    Even if a new model was found, which appeared to "solve" the present catastrophe, the implementations using the broken models would still exist in live systems, and perhaps exist in firmware, only upgradeable by physical replacement. The only thing a new model would change would be how long the catastrophe would last.



  • xor
    replied
    Re: What would you do?: Assume all Public Key Exchange models in use failed overnight

    Personally I don't claim to be an expert in this subject or even educated. But since we are just talking I'll give it a try.

    Initially and most likely life would go on in an insecure way until new secure models could be developed or existing alternatives could be implemented. Most crypto is so complicated the average person still would not be able to do anything with it. Data would only be insecure/accessible to a few. It would be a tremendous blow and set back to the perception of trust by the people of internet commerce. As reliant as we are on technology and the fact the most people don't secure anything unless it's done for them again life would go on. The internet has too much going for it for a little thing like trust to get in the way. The internet is an unstoppable juggernaut, short of a solar flare, gamma ray burst, an EMP weapon detonated over the US, nuclear holocaust, the Taliban sacking Washington DC, or us exhausting all energy in the world the internet will be with us insecure or secure for the foreseeable future.

    There was a guy in the wireless village at defcon that was pushing a box that performed realtime decryption of ssl webpages. Just cause it can be done doesn't mean he has my banking info or is reading my mail.

    I personally don't see how this could happen, please elaborate on the possibilities. Though this is an extreme analogy and no doubt a stretch it's sort of like saying what would happen if all the windows boxes one day suddenly didn't boot (wishful thinking). We would all learn MAC OSX, LINUX or FREEBSD.

    xor
    Last edited by xor; September 15, 2007, 19:59.
