[Interest] TLS/SSL XML encryption security
roland at logikalsolutions.com
Mon Oct 7 14:31:17 CEST 2019
On 10/7/19 5:00 AM, Konrad Rosenbaum wrote:
> On 10/5/19 2:17 AM, Roland Hughes wrote:
>> _ALL_ electronic encryption is security by obscurity.
>> Take a moment and let that sink in because it is fact.
> Okay, out with it! What secret service are you working for and why are
> you trying to sell everybody on bullshit that weakens our collective
> SCNR, Konrad
I haven't had any active clearance in a very long time, assuming nobody
was lying during those projects early in my career.
This is a world of big data. Infobright, OrientDB, Riak, etc. OpenSource
and massive, some with data compression up to 40:1. That's assuming you
don't scope your attacks to the 32TB single table limit of PostgreSQL.
We have botnets available to evil doers with sizes in the millions.
Screaming about the size of the forest one will hide there tree in
doesn't change the security by obscurity aspect of it. Thumping the desk
and claiming a forest which is 2^128 * 2^key-bit-width doesn't mean you
aren't relying on obscurity, especially when they know what tree they
are looking for.
Removing the tree is how one has to proceed.
Let us not forget we are at the end of the x86 era when it comes to what
evil-doers will use to generate a fingerprint database, or brute force
[Now Gidney and Ekerå have shown how a quantum computer could do the
calculation with just 20 million qubits. Indeed, they show that such a
device would take just eight hours to complete the calculation. “[As a
result], the worst case estimate of how many qubits will be needed to
factor 2048 bit RSA integers has dropped nearly two orders of
magnitude,” they say.]
While there are those here claiming 128-bit and 256-bit are
"uncrackable" people with money long since moved to 2048-bit because 128
and 256 are the new 64-bit encryption levels. They know that an entity
wanting to decrypt their sniffed packets doesn't need the complete
database, just a few fingerprints which work relatively reliably. They
won't get everything, but they might get the critical stuff.
Haven't you noticed a pattern over the decades?
X-bit encryption would take a "super computer" (never actually
identifying which one) N-years running flat out to crack.
A few years later
Y-bit encryption would take a "super computer" (never actually
identifying which one) N-years running flat out to crack (without any
mention of why they were/are wrong about X-bit).
Oh! You wanted "Why?" Sorry.
I get this list in digest form. Most of the time I don't read it. Only a
tiny fraction of my life revolves around Qt and small systems. This
whole security thing came up in another part of my world, then I
actually read something here.
*nix did it wrong. No application should be allowed to open its own
TCP/IP or network connection. No application should have any knowledge
of transport layer security, certificates or anything else. Unisys and a
few other "big systems" platforms are baking into their OS a Network
Software Appliance. This allows system managers to dynamically change
transport layer communications protocols on a whim. Not just transport
layer security, but what network is in use, even non-TCP based things
like Token Ring, DECNet, left-handed-monkey-wrench, etc.
All of that is well and good. It's how things should have been done to
The fly in the ointment is developers using "human interpretable" data
formats for transmission. Moving to a non-IP based network (meaning not
running a different protocol on top of IP but running a completely
different network protocol on machines which don't even have the IP
stack software installed) can buy you a lot, but if you are a high value
target and that network runs between data centers someone will
eventually find a way to tap into it.
Even if that is not your point of penetration some people/developers
store this human readable stuff on disk. My God, CouchDB actually stores
JSON! Yeah, that's how you want to see someone storing a mass quantity
of CC information along with answers to security questions and mother's
My having to ponder all of this is how we got here.
Roland Hughes, President
More information about the Interest