[Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

Thierry Moreau thierry.moreau at connotech.com
Fri Jun 3 09:21:44 EDT 2005



Adam Shostack wrote:

> 
> No.  If I get your database with SQL injection, all conditions are
> met, and I have your plaintext.  But, the data is in an encrypted
> form, and you're saved.

I'm not familiar with SQL injection vulnerabilities. Perhaps the issue 
is misrepresentation by the SQL provider that the database is encrypted 
using proper algorithms and key management. I guess that if a database 
access application using SQL injections has cleartext access to the 
data, this data is either not appropriately encrypted or the control of 
the encryption key escaped the legitimate user when the SQL injections 
were leaked to the adversary.

One issue with rulemaking/lawmaking is that consequences of a rule are 
sometimes unexpected because words (e.g. "properly encrypted") are 
sometimes corrupted by diverted usage e.g. public relations aspects of 
e-commerce security. So, even if your statement was technically wrong, 
if *you* are convinced that a database vulnerable to SQL injection 
tampering threat is nonetheless "encrypted", then a judge might be so 
convinced. Consequently, the lawmaking exercise must be more specific 
than above, e.g. using reference to by-laws which define acceptable 
encryption technology and key management techniques ... which is no 
longer a simple solution.

Thanks for highlighting the limits of the original post, either on a 
technical basis or on issues of lawmaking strategy.

-- 

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
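
Added example, not part of the original message or thread: a minimal Python sketch of the situation discussed above, where a column is encrypted in storage but the application holding the key decrypts whatever rows a query returns. The table, names, card values and the SHA-256 keystream (a stand-in for the database's real encryption, not for production use) are all constructed assumptions.

```python
import hashlib
import sqlite3

KEY = b"constructed-demo-key"  # held by the application, not by the attacker


def _keystream(n, nonce):
    # Toy keystream (assumption): stands in for the real at-rest cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(plaintext, nonce):
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data), nonce)))


def unseal(blob, nonce):
    return bytes(a ^ b for a, b in zip(blob, _keystream(len(blob), nonce))).decode()


def build_db():
    # Constructed sample data; the card column is stored encrypted.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card BLOB)")
    for name, card in [("alice", "4111-0000-0000-0001"), ("bob", "4111-0000-0000-0002")]:
        conn.execute("INSERT INTO customers VALUES (?, ?)", (name, seal(card, name.encode())))
    return conn


def stored_bytes(conn):
    # What someone holding only the storage (disk, backup) would see.
    return [row[0] for row in conn.execute("SELECT card FROM customers ORDER BY name")]


def lookup_concatenated(conn, name):
    # Weak form: input is spliced into the SQL text, and the application
    # then decrypts every row the altered query returns.
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "' ORDER BY name"
    return [(n, unseal(c, n.encode())) for n, c in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Corrected form: input is bound as a value and cannot change the query.
    sql = "SELECT name, card FROM customers WHERE name = ? ORDER BY name"
    return [(n, unseal(c, n.encode())) for n, c in conn.execute(sql, (name,))]
```

The stored bytes stay ciphertext in both cases; what differs is whether the query path that holds the key can be steered by its input.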