[Interest] TLS/SSL XML encryption security

Roland Hughes roland at logikalsolutions.com
Mon Oct 7 14:31:17 CEST 2019

On 10/7/19 5:00 AM, Konrad Rosenbaum wrote:
> Hi,
> On 10/5/19 2:17 AM, Roland Hughes wrote:
>> _ALL_  electronic encryption is security by obscurity.
>> Take a moment and let that sink in because it is fact.
> Okay, out with it! What secret service are you working for and why are
> you trying to sell everybody on bullshit that weakens our collective
> security?
> SCNR, Konrad



I haven't had any active clearance in a very long time, assuming nobody 
was lying during those projects early in my career.

This is a world of big data. Infobright, OrientDB, Riak, etc. OpenSource 
and massive, some with data compression up to 40:1. That's assuming you 
don't scope your attacks to the 32TB single table limit of PostgreSQL. 
We have botnets available to evil doers with sizes in the millions.

Screaming about the size of the forest one will hide there tree in 
doesn't change the security by obscurity aspect of it. Thumping the desk 
and claiming a forest which is 2^128 * 2^key-bit-width doesn't mean you 
aren't relying on obscurity, especially when they know what tree they 
are looking for.

Removing the tree is how one has to proceed.

Let us not forget we are at the end of the x86 era when it comes to what 
evil-doers will use to generate a fingerprint database, or brute force 


[Now Gidney and Ekerå have shown how a quantum computer could do the 
calculation with just 20 million qubits. Indeed, they show that such a 
device would take just eight hours to complete the calculation.  “[As a 
result], the worst case estimate of how many qubits will be needed to 
factor 2048 bit RSA integers has dropped nearly two orders of 
magnitude,” they say.]

While there are those here claiming 128-bit and 256-bit are 
"uncrackable" people with money long since moved to 2048-bit because 128 
and 256 are the new 64-bit encryption levels. They know that an entity 
wanting to decrypt their sniffed packets doesn't need the complete 
database, just a few fingerprints which work relatively reliably. They 
won't get everything, but they might get the critical stuff.

Haven't you noticed a pattern over the decades?

X-bit encryption would take a "super computer" (never actually 
identifying which one) N-years running flat out to crack.

A few years later

Y-bit encryption would take a "super computer" (never actually 
identifying which one) N-years running flat out to crack (without any 
mention of why they were/are wrong about X-bit).

Oh! You wanted "Why?" Sorry.

I get this list in digest form. Most of the time I don't read it. Only a 
tiny fraction of my life revolves around Qt and small systems. This 
whole security thing came up in another part of my world, then I 
actually read something here.

*nix did it wrong. No application should be allowed to open its own 
TCP/IP or network connection. No application should have any knowledge 
of transport layer security, certificates or anything else. Unisys and a 
few other "big systems" platforms are baking into their OS a Network 
Software Appliance. This allows system managers to dynamically change 
transport layer communications protocols on a whim. Not just transport 
layer security, but what network is in use, even non-TCP based things 
like Token Ring, DECNet, left-handed-monkey-wrench, etc.

All of that is well and good. It's how things should have been done to 
start with.

The fly in the ointment is developers using "human interpretable" data 
formats for transmission. Moving to a non-IP based network (meaning not 
running a different protocol on top of IP but running a completely 
different network protocol on machines which don't even have the IP 
stack software installed) can buy you a lot, but if you are a high value 
target and that network runs between data centers someone will 
eventually find a way to tap into it.

Even if that is not your point of penetration some people/developers 
store this human readable stuff on disk. My God, CouchDB actually stores 
JSON! Yeah, that's how you want to see someone storing a mass quantity 
of CC information along with answers to security questions and mother's 
maiden name.

My having to ponder all of this is how we got here.

Roland Hughes, President
Logikal Solutions


More information about the Interest mailing list