I end up in debates about the use of smartcards (PKI) and one-time passwords (OTP) fairly frequently. Which one is “safer” or “better” and which one is easier to implement. I love PKI. I love the math around public-key cryptography. But what I hate about PKI is the implementation of a PKI. It is not easy. Have you ever set up a certificate authority (CA)? I tried once but I stopped when I noticed my hair had turned white. It is not for the faint of heart. Once mis-step can lead to having to re-do everything and imagine a re-do after you have already deployed certificates to your end-users! When I first got involved in the Defense Message System (DMS) and NATO ACP123 for secure message interoperability I felt I had entered the world of spy-versus-spy. This stuff is really complicated. That’s probably why it’s been “The year of PKI” for the last 20 years and why it might be “The year of PKI” for the next 20 if we can’t figure out how to un-complicate it.
Well, it seems that this stuff is pretty darn complicated for the US military, too. I was dumbfounded when I read in the Wall Street Journal that our “enemies” were able to watch the real-time video feeds from Predator aircraft. All they needed was a satellite dish and a program (“SkyGrabber”) that was put together in Russia that costs $30 or so. My first thought, aside from “You must be kidding!!!” was that the insurgents must have found some sort of vulnerability but it turns out they hadn’t. The military just wasn’t encrypting the video feeds and they even admitted to knowing about the problem since the Bosnia conflict in 1990s.
Bruce Schneier is a world renowned cryptography and security expert. His book, “Applied Cryptography”, is one of the few reference texts I keep on my bookshelf. He weighed in on this topic with some very interesting takes on the whole affair in a Wired magazine article: Insurgents Intercepting Predator Video? No Problem and it is worth a read. He has an interesting perspective on how the military is used to protecting data against Cold War enemies and maybe we don’t need all that heavy duty armor to protect a video download that might be intercepted by some cave dwelling insurgents. After all, a satellite dish and $30 are pretty easy for anyone to obtain whereas I doubt Osama bin Laden is ordering Cray supercomputers to decrypt US military communications down in his cave. Maybe there’s a happy medium?
The one disagreement I have with Schneier is he seems to think that a few minutes of video won’t really help the insurgents. Does anyone remember the news footage of the Iranian ladies piecing together the US Embassy shredded, classified documents by hand? I do and I think given enough video the insurgents would be able to know flight patterns, areas being searched, etc. all of which I think would be valuable information.
Either way, it's about time that we de-complicated PKI.
P.S. See Bruce's recent outstanding post: "Me and the Christmas Underwear Bomber"
2FA in Password Managers: Fair or Faux
7 hours ago