Michael Stone, June 6, 2010, , (src), (all posts)


Weak Secret-keepers

Mechanical keys, mag-stripe cards, prox cards, and barcoded keytags are weak secret-keepers. Fortunately, my local environment is safe enough that these secret-keepers work well for me in spite of their weakness.

But why do they work well for me?

Among other reasons:

  1. They’re ubiquitous, so people understand them.

  2. They’re cheaply but not trivially copyable, which helps with availability without completely destroying their utility.

  3. They’re portable.

  4. They’re easy to loan to guests.

  5. They’re small enough to be concealed or isolated from many threats.

I wish I had cryptographic secret-keepers that were as convenient.


Software cryptographic methods (algorithms) and their means of production (source code and compilers) used to be proprietary and untrustworthy. They are now libre and somewhat more trustworthy. Why?

The two reasons I see are that

  1. the basis of their trustworthiness changed from liability (personal, pecuniary, and reputational) to adversarial verifiability and

  2. conflicts of interest between owners and potential users were removed by making autonomy (pseudo-ownership) available to everyone who wanted it.

Might these considerations also apply to the trustworthiness of hardware cryptographic methods and their means of production?

The decades-long trail of hardware crypto-scandals documented in Schneier’s Crypto-Gram newsletters certainly suggests so to me.

What does it cost to design and produce hardware cryptographic authentication tokens or smartcards as a function of the degree to which their designs and means of production are libre?

To what extent can libre hardware design and manufacturing processes like those underlying the Arduino and the RepRap projects be used to make technology for (adequately) trustworthy authentication of intent more accessible to the general public?

I don’t know yet, but I think it might be fun and socially profitable to try to find out.