The PAIN mnemonic

Anne & Lynn Wheeler lynn at garlic.com
Sun Dec 21 09:41:35 EST 2003


At 11:20 PM 12/20/2003 -0800, Carl Ellison wrote:
>Sorry, Lynn, but I don't buy this.
>
>It's missing replay prevention (freshness)
>
>and it included non-repudiation which is an unachievable, nonsense concept.
>
>If you want to keep the mnemonic, you can change the 4th one to
>"non-replay".
>
>  - Carl

but non-replay would be pretty specific to transactions in flight .... 
there are probably gobs of additional threats .... if i was looking at data 
in flight and data at rest ... non-replay wouldn't even apply to all data 
in flight. non-repudiation could apply to data in flight (whether or not 
there was a replay attack) as well as data at rest.  one possible issue is 
that you don't necessarily have to apply non-repudiation ... but it can be 
a significant security issue. One of the issues of asking that every entity 
have a unique password and nobody shares passwords could be considered a 
non-repudiation issue. In the case of insider fraud .... being able to tie 
every action to specific entity helps in post-event analysis of fraud events.

one could look at one aspect of non-repudiation as the requirement for 
everybody having a unique pin/password with guidelines never to share 
pin/passwords ... which could be considered across a broad range of 
security activities. replay might be considered a more specific kind 
of  threat to just transactions. Some number of non-repudiation definitions 
allow for a lot more feature/function than simply don't share your 
password  .... but a simple conjecture is that whoever originated "pain" 
might have been thinking of something as that simple.

in any case as mentioned in the previous reply .... doing search engine on
   +security +pain +privacy +authentication +integrity +non-repudiation
on at least google and alta vista turns up several hundred references .... 
even discounting the medical entries where pain isn't an acronym/mnemonic

i just tried the same on google for
   +security +pain +privacy +authentication +integrity +non-replay
and got zero hits
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
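An added example (not from the original message or either poster) illustrating the distinction argued above: a per-entity credential that ties each action to exactly one entity can be checked on a transaction in flight and on a stored record alike, whereas a nonce-based replay check only makes sense for transactions in flight. Entity names, keys and the transaction strings are constructed for the demo.

```python
import hmac
import hashlib

# Constructed per-entity secrets: each entity holds a unique credential that is
# never shared, so a valid tag attributes the action to exactly one entity.
ENTITY_KEYS = {
    "alice": b"alice-secret-k1",
    "bob": b"bob-secret-k2",
}

def tag(entity, payload, nonce):
    """Bind entity, nonce and payload under that entity's own key."""
    msg = f"{entity}|{nonce}|{payload}".encode()
    return hmac.new(ENTITY_KEYS[entity], msg, hashlib.sha256).hexdigest()

def attribute(entity, payload, nonce, mac):
    """Attribution check: is this action bound to `entity`'s credential?
    The same check works for a message in flight and for a record at rest."""
    if entity not in ENTITY_KEYS:
        return False
    return hmac.compare_digest(tag(entity, payload, nonce), mac)

class InFlightReceiver:
    """Replay detection for transactions in flight: each nonce is accepted
    once. A record at rest is read many times, so this notion does not apply."""
    def __init__(self):
        self.seen = set()

    def accept(self, entity, payload, nonce, mac):
        if not attribute(entity, payload, nonce, mac):
            return "bad-auth"
        if nonce in self.seen:
            return "replay"
        self.seen.add(nonce)
        return "ok"

def demo():
    rx = InFlightReceiver()
    nonce = "n-0001"
    mac = tag("alice", "transfer 100", nonce)
    first = rx.accept("alice", "transfer 100", nonce, mac)
    second = rx.accept("alice", "transfer 100", nonce, mac)  # same transaction resent
    # At rest: the stored record still attributes to alice; freshness is not a question.
    stored = ("alice", "transfer 100", nonce, mac)
    at_rest = attribute(*stored)
    # bob's key cannot produce a tag that attributes the record to bob.
    misattributed = attribute("bob", "transfer 100", nonce, mac)
    return first, second, at_rest, misattributed
```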

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com