[Cryptography] What do we mean by Secure?
Bill Frantz
frantz at pwpconsult.com
Sat Feb 7 19:05:25 EST 2015
On 2/6/15 at 3:10 PM, kentborg at borg.org (Kent Borg) wrote:
>Ah, but then one would have to stop and figure out what one is
>trying to do...damn! Can't I just ask for Wholesome Apple Pie
>and be done?
The more I hear people talk about making things secure, the more
I hope they will explain what they mean by secure. What I mean,
in the broadest sense, is "Bad Things Won't Happen". Now this is
a bit overly nebulous. :-)
In general, we think computers should enforce a policy. But what
policy? When I ask this question, the answer I generally get is,
"Any policy you want". But there are many policies we can't
implement with our current security mechanisms.
On our home computers, my wife's and my security policy is that
both of us should have full ownership permissions on all of our
files, since the owner is the only one who can change certain
meta-data, like who can access the file. However, on our Unix
based systems, a file can have only one owner. Our solution is
to share accounts. (As far as the computer is concerned, there is
only one of us.)
Another security policy which gave IBM's RACF security policy
team fits came from the Stanford Linear Accelerator Center
(SLAC). Their policy was, "We are an open facility. All files
are to be world read-only unless approved by management." RACF
was made to keep secrets. I couldn't implement that policy.
We have more serious problems with the policies our systems let
us implement, so while we have a large number of policies, they
are all quite narrow and all of them share a degree of
impracticality. One of the ways to see if a policy is bad is to
see if otherwise loyal employees are violating it to get their
jobs done. For example, does an executive share account
passwords with an admin? Sharing account access is against
almost all written and unwritten security policies.
For an example of the flexibility we need in our policies,
consider a real-world situation (from:
<http://www.hpl.hp.com/techreports/2009/HPL-2009-169.pdf>):
Alice, in a race to her next meeting, turns thunder-struck to
Bob and says, "Bob, I just remembered I need to get my daughter
Carol’s car to Dave’s repair shop. I’ve got to go to this
meeting. Can you take Carol’s car over there?"
Now consider the computer equivalent: Alice, in a race to her
next meeting, turns thunder-struck to Bob and says, "Bob, I just
remembered I need to get my daughter Carol's prom posters to
Dave's print shop. I've got to go to this meeting. Can you get
Carol's PDF from her computer and take it to Dave?"
The first example is an easily solved problem. The second is
impossible with our current security structures. Marc Stiegler
has more detail at <http://www.skyhunter.com/pubshare/>.
In another interesting policy area, Alan Karp has developed the
idea of Voluntary Oblivious Compliance (VOC)
<http://www.hpl.hp.com/personal/Alan_Karp/STAR-201-Karp.ppt>.
With VOC, the system will help a user follow a policy the user
doesn't even understand. My favorite version of VOC detects a
violation of policy and prompts the user, "This action appears
to be a violation of our security policy. Please click "Cancel"
or enter an explanation for your manager."
The above comments really only deal with the data secrecy facet
of policy. There are really two broad areas of security policy,
data secrecy, and authority limitation. Data secrecy keeps your
competitors from reading your business plan. Authority
limitation keeps attackers from destroying your uranium
enrichment centrifuges.
While there is a lot of overlap between these areas of policy,
they are different. A power plant will probably be much more
concerned about strangers remotely turning the dials than they
will be concerned about strangers reading the meters. On the
other hand, while a passive observer can steal data, it is hard
to see how a passive attack can change the state of the system.
For many important systems, data loss is a minor problem
compared with authority problems.
The area of security structures to support a broader range of
policies is where the work is needed.
Cheers - Bill
--------------------------------------------------------------
Bill Frantz | There are now so many exceptions to the
408-356-8506 | Fourth Amendment that it operates only by
www.pwpconsult.com | accident. - William Hugh Murray
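The Alice/Bob/Carol/Dave hand-off above, worked through in code as an added example (this is not code from Bill Frantz's post, from the HP report, or from Stiegler's or Karp's work). It contrasts two toy, in-memory policy structures: an owner-based ACL model, in which only the file's owner may change who can read it, so Alice, who can read Carol's PDF, has no lawful way to pass that access to Bob; and a capability model in which authority travels with a token that any holder can narrow (here a macaroon-style chained-HMAC token, which is my choice of mechanism, not the post's). Every name, path, class and right string is hypothetical, and the PDF bytes are a constructed sample.

```python
"""Owner/ACL versus delegatable capability, for the Carol-PDF hand-off.

Added illustration with hypothetical names and APIs; the file contents,
paths and rights strings are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, NamedTuple, Tuple

PATH = "/home/carol/prom-poster.pdf"
PDF = b"%PDF-1.7 prom poster (constructed sample)"


# --- Model 1: owner-based ACL. Only the owner can edit the reader list. ---
class AclStore:
    def __init__(self) -> None:
        self.files: Dict[str, dict] = {}

    def create(self, owner: str, path: str, data: bytes) -> None:
        self.files[path] = {"owner": owner, "readers": {owner}, "data": data}

    def grant_read(self, actor: str, path: str, grantee: str) -> None:
        f = self.files[path]
        if actor != f["owner"]:  # Unix-style: only the owner changes the ACL
            raise PermissionError(f"{actor} is not the owner of {path}")
        f["readers"].add(grantee)

    def read(self, actor: str, path: str) -> bytes:
        f = self.files[path]
        if actor not in f["readers"]:
            raise PermissionError(f"{actor} may not read {path}")
        return f["data"]


# --- Model 2: capabilities. Authority is a token any holder can attenuate. ---
class Cap(NamedTuple):
    caveats: Tuple[str, ...]  # e.g. "path=...", "rights=read", "once=<nonce>"
    sig: bytes


def _chain(key: bytes, caveats: Tuple[str, ...]) -> bytes:
    """Each caveat's tag is an HMAC keyed by the previous tag, so a holder
    can append caveats but cannot remove one without the server key."""
    sig = key
    for c in caveats:
        sig = hmac.new(sig, c.encode(), hashlib.sha256).digest()
    return sig


def attenuate(cap: Cap, caveat: str) -> Cap:
    """Narrow a capability; needs no cooperation from the server or owner."""
    return Cap(cap.caveats + (caveat,), _chain(cap.sig, (caveat,)))


class CapStore:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # server root key, never leaves here
        self.files: Dict[str, bytes] = {}
        self.spent: set = set()  # nonces of consumed single-use caps

    def create(self, path: str, data: bytes) -> Cap:
        self.files[path] = data
        caveats = (f"path={path}", "rights=read,write")  # root cap for the owner
        return Cap(caveats, _chain(self.key, caveats))

    def _check(self, cap: Cap, path: str, right: str) -> None:
        if not hmac.compare_digest(_chain(self.key, cap.caveats), cap.sig):
            raise PermissionError("forged or tampered capability")
        for c in cap.caveats:  # every caveat must hold; they only ever narrow
            k, _, v = c.partition("=")
            if k == "path" and v != path:
                raise PermissionError("capability is for a different file")
            if k == "rights" and right not in v.split(","):
                raise PermissionError(f"capability lacks the {right} right")
            if k == "once" and v in self.spent:
                raise PermissionError("single-use capability already spent")
        for c in cap.caveats:  # consume single-use nonces only after all checks pass
            if c.startswith("once="):
                self.spent.add(c[len("once="):])

    def read(self, cap: Cap, path: str) -> bytes:
        self._check(cap, path, "read")
        return self.files[path]

    def write(self, cap: Cap, path: str, data: bytes) -> None:
        self._check(cap, path, "write")
        self.files[path] = data


def _outcome(action: Callable[[], object]) -> str:
    try:
        action()
        return "ok"
    except PermissionError as e:
        return f"denied: {e}"


def acl_scenario() -> str:
    """Carol shares with Alice; Alice cannot pass the access on to Bob."""
    store = AclStore()
    store.create("carol", PATH, PDF)
    store.grant_read("carol", PATH, "alice")
    assert store.read("alice", PATH) == PDF
    return _outcome(lambda: store.grant_read("alice", PATH, "bob"))


def cap_scenario() -> Dict[str, object]:
    """Carol -> Alice (read-only) -> Bob (read-only, single use)."""
    store = CapStore()
    carol_cap = store.create(PATH, PDF)
    alice_cap = attenuate(carol_cap, "rights=read")
    bob_cap = attenuate(alice_cap, "once=" + secrets.token_hex(8))
    out: Dict[str, object] = {}
    out["bob_first_read"] = store.read(bob_cap, PATH)
    out["bob_second_read"] = _outcome(lambda: store.read(bob_cap, PATH))
    out["bob_write"] = _outcome(lambda: store.write(bob_cap, PATH, b"x"))
    stripped = Cap(bob_cap.caveats[:-1], bob_cap.sig)  # Bob drops the once caveat
    out["bob_stripped"] = _outcome(lambda: store.read(stripped, PATH))
    out["carol_write"] = _outcome(lambda: store.write(carol_cap, PATH, PDF + b"!"))
    return out


if __name__ == "__main__":
    print("ACL model, Alice delegating to Bob:", acl_scenario())
    for k, v in cap_scenario().items():
        print(f"capability model, {k}: {v!r}")
```

In the ACL model the only ways to get Bob the file are the ones the post complains about: Carol edits the ACL herself, or Alice hands Bob her account. In the capability model Alice narrows what she already holds and gives Bob a token that reads exactly that file, exactly once, and Bob cannot widen it back because the chained tags cannot be rolled back without the server key.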