List: cryptography
Subject: Re: [Cryptography] storage encryption
From: John Denker via cryptography <cryptography () metzdowd ! com>
Date: 2018-07-21 23:51:30
Message-ID: f9e38554-9821-28a6-691e-3f18a3eef84c () av8n ! com
On 07/19/2018 11:54 AM, John Kelsey wrote:

> What kind of access to the documents is needed?

Their goals are the same as everybody else's:
confidentiality + integrity + availability

If you want an example, here's an obvious use-case:
Each of N people are told to write their chapter of
a report, then put a draft on the cloud drive where
all N can see it. There is no need for the other
M-N members of the organization to read the draft,
or even know that it exists.

An easy-to-read overview of small-organization security
issues, including some useful checklists, is here:
https://nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.7621r1.pdf

> What are the threats they are worried about?

There are too many threats to mention, even if I knew
what they all are, which I don't.

If you want an example, start with a Podesta-style
spearphishing attack. That worked in 2016. Attackers
are going to keep using it until it stops working.
http://theconversation.com/spearphishing-roiled-the-presidential-campaign-heres-how-to-protect-yourself-68274

Reportedly, the Hillary campaign was advised to use
2FA (which might have blunted the spearphishing attack),
but decided that would be too burdensome.

On 07/17/2018 04:02 PM, Tom Mitchell wrote:

> > A file has a single key.

True but not the whole story, I would hope. Methods
for dealing with multi-recipient messages have been
around for eons. See e.g. PGP. Single session key
versus multiple access keys.

> > Are all files encrypted with the same key?

I would hope not. Neither same session key nor
same access keys.

> > Do all members of the group have equal access and trust.

I would hope not. Need-to-know reduces the attack
surface by a factor of N/M, ideally.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
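
The "single session key versus multiple access keys" arrangement mentioned in the message above, as an added example that is not part of the original post: each file gets a fresh session key, and that key is wrapped once per reader, so only the N people with need-to-know hold a usable copy. Assumptions: per-user symmetric access keys and an HMAC-SHA256 encrypt-then-MAC construction stand in for a real AEAD and for PGP-style public-key wrapping, and every name and sample value is constructed.

```python
import hashlib, hmac, secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key, plaintext, aad):
    """Encrypt-then-MAC stand-in for a real AEAD (assumption: stdlib only)."""
    nonce = secrets.token_bytes(16)
    stream = b"".join(_prf(_prf(key, b"enc"), nonce + i.to_bytes(4, "big"))
                      for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = _prf(_prf(key, b"mac"), len(aad).to_bytes(4, "big") + aad + nonce + ct)
    return nonce + ct + tag

def unseal(key, blob, aad):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = _prf(_prf(key, b"mac"), len(aad).to_bytes(4, "big") + aad + nonce + ct)
    if not hmac.compare_digest(tag, want):   # verify before decrypting
        raise ValueError("authentication failed")
    stream = b"".join(_prf(_prf(key, b"enc"), nonce + i.to_bytes(4, "big"))
                      for i in range(len(ct) // 32 + 1))
    return bytes(c ^ s for c, s in zip(ct, stream))

def encrypt_file(name, plaintext, readers):
    """readers: {user: access_key} for the N people with need-to-know."""
    session_key = secrets.token_bytes(32)    # fresh per file, never reused
    return {
        "name": name,
        "body": seal(session_key, plaintext, name.encode()),
        # One wrapped copy of the session key per reader, bound to file and user.
        "wrapped": {u: seal(k, session_key, f"{name}|{u}".encode())
                    for u, k in readers.items()},
    }

def unwrap_session_key(record, user, access_key):
    if user not in record["wrapped"]:
        raise PermissionError(f"{user} is not a reader of {record['name']}")
    return unseal(access_key, record["wrapped"][user],
                  f"{record['name']}|{user}".encode())

def decrypt_file(record, user, access_key):
    session_key = unwrap_session_key(record, user, access_key)
    return unseal(session_key, record["body"], record["name"].encode())

# Constructed sample: M = 5 members of the organization, N = 3 chapter authors.
STAFF = {u: secrets.token_bytes(32) for u in ("ann", "bo", "cy", "dee", "eli")}
AUTHORS = {u: STAFF[u] for u in ("ann", "bo", "cy")}
DRAFT = encrypt_file("report-draft.txt", b"chapter 1 ...", AUTHORS)
```

Removing a reader in this scheme means re-encrypting the file under a new session key, since a former reader may have kept the old one.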