NCipher Takes Hardware Security To Network Level

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Oct 7 11:07:21 EDT 2003


"Anton Stiglic" <astiglic at okiok.com> writes:

>This is why you get requirements of the type that it should run on Windows in
>single-user mode, which I take to mean have only an admin account.  This
>prevents privilege escalation attacks (regular user to root) that are easily
>done.
>
>I think this is reasonable, since you really are relying on the OS and the PC
>for the security of the module.

Uhh, so you're avoiding privilege escalation attacks by having everyone run as
root, from which you couldn't escalate if you wanted to.  This doesn't strike
me as a very secure way to do things (and it would still get MSDOS certified,
because you've now turned your machine into a DOS box protection-wise).

>More scary to me is stuff like "DSSENH does not provide persistent storage of
>keys.  While it is possible to store keys in the file system, this
>functionality is outside the scope of this validation."

That's the "Define the bits that we can easily get away with to be secure and
ignore the rest" approach that I commented on.  It was actually part of a
posting to another list where I was poking fun at BS 7799:

-- Snip --

Some years ago I witnessed a BS 7799 security certification being done.  For
those of you who aren't familiar with this, it's ISO 9000 for security.  It
went something like this:

  First, we define the region from the rug in the corner to Dave's desk to the
  pot-plant on the right to be... SECURE.  Everything inside this region is by
  definition SECURE.  Everything outside the region is none of our concern.
  Access to the server room from the SECURE area is by locked door.  The keys
  are on a hook on the wall, but since the hook is outside the SECURE area, we
  don't have to worry about that.

  Now we need to produce a lot of paperwork.  I'll help you with this, it
  should only take a few weeks.

  Congratulations, you now have a BS 7799-certified SECURE facility.  Here's
  my bill.

In other words they didn't change anything at all in their insecure (except in
the eyes of BS 7799) work area.  The whole certification process was an
exercise in meeting the certification requirements purely through the
production of paperwork.

-- Snip --

The SECURE facility has since been decomissioned, so I guess it's safe to talk
about it now.  Incidentally, almost everyone knew where the key was because
the room in question had the best air-conditioning in the building (it was
packed full of servers and networking gear), so it became quite popular in the
summer with the sysadmins, who'd find various reasons to do extended amounts
of work in there.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list