Five Theses on Security Protocols
Perry E. Metzger
perry at piermont.com
Sat Jul 31 12:32:39 EDT 2010
Inspired by recent discussion, these are my theses, which I hereby
nail upon the virtual church door:
1 If you can do an online check for the validity of a key, there is no
need for a long-lived signed certificate, since you could simply ask
a database in real time whether the holder of the key is authorized
to perform some action. The signed certificate is completely
superfluous.
If you can't do an online check, you have no practical form of
revocation, so a long-lived signed certificate is unacceptable
anyway.
2 A third party attestation, e.g. any certificate issued by any modern
CA, is worth exactly as much as the maximum liability of the third
party for mistakes. If the third party has no liability for
mistakes, the certification is worth exactly nothing. All commercial
CAs disclaim all liability.
An organization needs to authenticate and authorize its own users;
it cannot ask some other organization with no actual liability to
perform this function on its behalf. A bank has to know its own
customers, the customers have to know their own bank. A company
needs to know on its own that someone is allowed to reboot a machine
or access a database.
3 Any security system that demands that users be "educated",
i.e. which requires that users make complicated security decisions
during the course of routine work, is doomed to fail.
For example, any system which requires that users actively make sure
throughout a transaction that they are giving their credentials to
the correct counterparty and not to a thief who could reuse them
cannot be relied on.
A perfect system is one in which no user can perform an action that
gives away their own credentials, and in which no user can
authorizes an action without their participation and knowledge. No
system can be perfect, but that is the ideal to be sought after.
4 As a partial corollary to 3, but which requires saying on its own:
If "false alarms" are routine, all alarms, including real ones, will
be ignored. Any security system that produces warnings that need to
be routinely ignored during the course of everyday work, and which
can then be ignored by simple user action, has trained its users to be
victims.
For example, the failure of a cryptographic authentication check
should be rare, and should nearly always actually mean that
something bad has happened, like an attempt to compromise security,
and should never, ever, ever result in a user being told "oh, ignore
that warning", and should not even provide a simple UI that permits
the warning to be ignored should someone advise the user to do so.
If a system produces too many false alarms to permit routine work to
happen without an "ignore warning" button, the system is worthless
anyway.
5 Also related to 3, but important in its own right: to quote Ian
Grigg:
*** There should be one mode, and it should be secure. ***
There must not be a confusing combination of secure and insecure
modes, requiring the user to actively pay attention to whether the
system is secure, and to make constant active configuration choices
to enforce security. There should be only one, secure mode.
The more knobs a system has, the less secure it is. It is trivial to
design a system sufficiently complicated that even experts, let
alone naive users, cannot figure out what the configuration
means. The best systems should have virtually no knobs at all.
In the real world, bugs will be discovered in protocols, hash
functions and crypto algorithms will be broken, etc., and it will be
necessary to design protocols so that, subject to avoiding downgrade
attacks, newer and more secure modes can and will be used as they
are deployed to fix such problems. Even then, however, the user
should not have to make a decision to use the newer more secure mode,
it should simply happen.
Perry
--
Perry E. Metzger perry at piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list