by vii 2113 days ago
The idea of layering security is very powerful, acknowledged in this "Network Operations Division Cryptographic Requirements" document

https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%...

> Certificate validation must not be performed against any standard SSL root CAs.

> implement an inner cryptostream within the SSL tunnel transfer

People often state that you should not roll your own crypto. Definitely, you look foolish for making a mistake doing your own thing. However, adding your own layer on top of a standard one seems safe and likely to slow an adversary down considerably. Adding a layer below to encrypt data before the standard algorithm gets it has some risks (e.g. could leak in some complex way like a timing attack) but it also protects against a compromise in the implementation of the standard algorithm.

Adding the Horcrux layer of multiple channels does seem to increase security at the cost of creating a new unvalidated magic wand that then becomes the attack surface - and another significant cost in that it is not user friendly and involves considerable effort per message. There are ways of implementing greater security at high cost, e.g. point-to-point communications off network. The question is if the extra effort confers any benefit. Sometimes just the fact that two parties are communicating is valuable knowledge and this Horcrux mechanism actually makes that easier to detect as it occurs across multiple systems.

1 comments

All good points, agreed with all.

> Sometimes just the fact that two parties are communicating is valuable knowledge and this Horcrux mechanism actually makes that easier to detect as it occurs across multiple systems.

Steganography can alleviate that red flag.
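
The "inner cryptostream within the SSL tunnel" quoted in the top comment, sketched in Go as an added example; it is not code from the thread or from the quoted document. It assumes AES-256-GCM with counter nonces and a key provisioned independently of TLS, and the names `Inner`, `NewInner`, `Seal` and `Open` are hypothetical. The caller would write each sealed record to the `tls.Conn` with its own framing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Inner re-encrypts each message before it is written to the outer TLS connection.
type Inner struct {
	aead       cipher.AEAD
	dir        byte   // 0 = client, 1 = server; keeps the two nonce spaces apart
	send, recv uint64 // record counters: unique nonces and replay detection
}

func NewInner(key []byte, dir byte) (*Inner, error) {
	block, err := aes.NewCipher(key) // 32-byte key, provisioned outside TLS (assumption)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Inner{aead: aead, dir: dir}, err
}

func nonce(dir byte, seq uint64) []byte {
	n := [12]byte{0: dir}
	binary.BigEndian.PutUint64(n[4:], seq)
	return n[:]
}

func (s *Inner) Seal(msg []byte) []byte {
	s.send++ // a (key, nonce) pair must never repeat under GCM
	return s.aead.Seal(nil, nonce(s.dir, s.send), msg, nil)
}

func (s *Inner) Open(rec []byte) ([]byte, error) {
	msg, err := s.aead.Open(nil, nonce(s.dir^1, s.recv+1), rec, nil)
	if err == nil {
		s.recv++ // advance only on success; replayed or altered records fail
	}
	return msg, err
}

func main() {
	client, _ := NewInner(make([]byte, 32), 0) // constructed all-zero demo key
	server, _ := NewInner(make([]byte, 32), 1)
	msg, err := server.Open(client.Seal([]byte("inner payload")))
	fmt.Printf("%q %v\n", msg, err)
}
```

If the outer TLS layer is stripped or its implementation compromised, what is exposed is still only the sealed records, which is the layering benefit the comment describes.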