🪴 thoughts - straightupjac



Context of Cryptography

Last updated Mar 5, 2023

  • crypto part of larger system, useless on its own
  • rest of system has to be sufficiently secure as well
  • cryptography attacks - low detection, no traces of attack, just looks like “good access”
  • to improve security of system, must improve weakest link
  • in practice, attacker may not know what the weakest link is

# 1.3 Adversarial Setting

  • adversarial setting is a harsh environment - prepare for all kinds of attacks
  • different from regular real-world engineering, where threats are more predictable - physics based, the wind won’t change, physical properties won’t change

# 1.4 Professional Paranoia

  • once you start thinking about how to attack systems, you apply that to everything around you and how they could cheat you
  • assume all parties are trying to defraud
  • attacker can have any # of goals
  • constantly look for weaknesses in any system – only way to improve
    • criticize the system, not the designers
  • every system can be attacked - no such thing as perfect security
    • what are you trying to protect?
    • who are you protecting against?
  • practicality - sometimes you need the info to make the system work
    • credit cards - # used to look up customer records, if always encrypted, would break many other systems

# 1.6 Cryptography is not the solution

  • part of solution but not the full solution
  • it can make systems weaker if not used appropriately
    • underlying algorithm can be secure - but used in a system that doesn’t make sense

# 1.7 Cryptography is very difficult

  • weakest link property and adversarial setting conspire to make life for the cryptographer very hard
  • no known way of testing whether a system is secure

# 1.8 Cryptography is the easy part

  • clearly defined constraints in a crypto algorithm
  • full system is much more difficult to clearly define
  • poor software quality + network security is even harder

# 1.9 Generic Attacks

  • some security problems can’t be solved
  • black box or generic attacks against certain types of systems

# 1.10 Security and Other Design Criteria

  • security vs performance
  • efficiency, in the form of reducing cost, is a secondary issue
  • first priority - get something that is safe and that works
  • complexity is the worst enemy of security
