threat modelling strategies

Ian Grigg iang at systemics.com
Fri Oct 3 15:59:10 EDT 2003


"Arnold G. Reinhold" wrote:
> 
> At 11:50 PM -0400 10/1/03, Ian Grigg wrote:
> >...
> >A threat must occur sufficiently in real use, and incur
> >sufficient costs in excess of protecting against it, in
> >order to be included in the threat model on its merits.
> >
> 
> I think that is an excellent summation of the history-based approach
> to threat modeling. There is another approach, however,
> capability-based threat modeling. What attacks will adversaries whom
> I reasonably expect to encounter mount once the system I am
> developing is deployed? Military planners call this the "responsive
> threat."  There are many famous failures of history-based threat
> modeling: tanks vs. cavalry, bombers vs. battleships, vacuum tubes
> vs. electromechanical cipher machines, box cutters vs skyscrapers,
> etc.


A very nice distinction.  The problem with this approach
is that it depends heavily on the notion of "reasonably
expect," which is highly obvious, after the fact.

In each of those cases, it was possible to trace the
development of the attack through history, again,
after the fact [1], [2], [3].

In each case, the history was mostly readable.  Just
like security today.  In each case, it was very difficult
to predict the future.  And, for those lucky few who
did, they were ignored.  And, for those lucky few
who did predict correctly, there were many score more
who predicted the wrong thing.

Military affairs are fairly typecast.  You are stuck
with the weapons of the past, chasing an infinite
number of possibilities in the future.  In all that,
you have to fight the current war.  Prepare for some
unlikely future at your peril.  If you pick the wrong
one, you'll be accused of being a dreamer, or of
fighting the last war.  Pick a future that actually
happens, and you'll be called a genius.

Crypto systems get pretty much deployed like that
as well.  Reasonable threat models are built up,
a point in the future is aimed for, and the system
gets deployed.  Then, you hope that attacks like
that of Adi Shamir's student don't happen until
the very end of life.  You watch, and you hope.


> In the world of the Internet the time available to put in place
> counteract new threats once they are publicized appears to be
> shrinking rapidly. And we are only seeing one class of adversaries:
> the informal network of hackers. For the most part, they have not
> tried to maximize the damage they cause. There is another class,
> hostile governments and terrorists, who have so far not shown their
> hands but are presumably following developments closely.  I don't
> think we can restrict ourselves to threats already proven in the wild.


The alternate is to prepare for every possible
threat.  That's hard.  It may be that you can
justify this level of expenditure, but for most
ordinary missions, this is simply too expensive.

Mind you, I'm not sure of your first claim there,
can you explain why the security field has not
moved quickly to counter the threat of web site
spoofing?  It's been around for yonks, and it's
resulting in losses....

> Then there is the matter of costs and who pays them. Industry is
> often willing to absorb small costs, or, better, fob them off onto
> consumers. Moderate costs can be insured against or written off as
> "extraordinary expenses." Stockholders are shielded from the full
> impact of catastrophic costs by the bankruptcy laws and can sometimes
> even get governments to subsidize such losses.
> 
> Perhaps guilds are the right model for cryptography. At their best,
> guilds preserve knowledge and uphold standards that would otherwise
> be ignored by market forces. Anyone out there willing to have open
> heart surgery performed by someone other than a member of the
> surgeon's guild?

Anyone out there willing to send a chat message
that is protected by ROT13?

As we have defined our mission, we can set our
requirements, and build our threat model.

I don't see that the presence of huge costs in
some exotic industries means the rest of us have
to pay for heart surgery every time we want to
send a chat message.  Or face death threats every
time we pay for flowers with a credit card.

But, I grant you that FUD will play a part in
the ongoing evolution of the Cryptologists'
Guild, just as it has in the past.  It's too
powerful a card to ignore, just because it is
unscientific.

YMMV :-)

iang

[1] Although Guderian's development of Blitzkrieg was
kept a secret, as was all German war planning, it wasn't
totally unemulated by the Allies, just not up-played
as well as it might have been &.  C.f., Patton, who
famously "read Rommel's book," and de Gaulle, who
parlayed a presidency out of his success at holding
back the Guderian advances, albeit briefly.

In fact, the French tanks outnumbered, outgunned, and
out-armoured the Germans.  The Versailles Treaty
banned Germany from having *any* armoured vehicles.

That's preparation!

& _Panzer Leader_, General Heinz Guderian, 1952.


[2] box cutters v. skyscrapers - I have a collection of
films that predict the activities of 9/11 in the years
before *. In each case, note that Hollywood famously
predicts not only a diabolical attack with many
similarities, but also a cunningly devious deception
plan.

* _Die Hard_ (1,2,3), _Executive Decision_,
_Under Siege_, _The Siege_, and I gather one of
the Clancy books describes the precise form of
the attack.  Oh, and countless James Bond movies.

[3] Bombers v. battleships - yes, although bombers v.
submarines, no.  It took sonar, depth charges and
lots of frigates to counter the U-boats.  Vacuum
tubes v. Enigma machines, yes with 3 reels, not
immediately with 4, and useless when Hitler switched
back to motorcycle couriers in the Battle of the
Bulge.  Etc.

---------------------------------------------------------------------
The Cryptography Mailing List