Simpson Garfinkel in Spooky Cryptographic Action at a Distance

Simpson Garfinkel in Spooky Cryptographic Action at a Distance

An excellent read. One example:

Consider the case of basic public-key cryptography, where an individual’s public and private keys are created together in a single operation. These two keys are held, not by quantum physics, but by mathematics.

When I create a virtual machine server in the Amazon cloud, I am asked for an RSA public key that will be used to control access to the machine. Normally, I create a public and private key on my laptop and upload the public key to Amazon, which stores my public key in the server administrator’s account. My laptop and the removal server are stuck, in that the only way to log into the server is to use the key on my laptop. And because that administrator account can do anything on that server read sensitive data, hack a web server to install malware on people visiting its web pages, or anything else I might care to do with a private key on my laptop it represents a security risk on that server. .

Here’s why it’s impossible to test a server and know it’s secure: as long as that private key is on my laptop, that server is vulnerable. But if I remove that private key, the vulnerability is gone. By removing the data, I have removed the security risk from the server and its security has increased. This is a true encounter! And it’s scary: nothing has changed on the server, yet it’s very secure.

Read it all.

Posted on October 30, 2024 at 10:48 AM • 0 Comments

Bruce Schneier sidebar photo by Joe MacInnis.


Source link