[Cryptography] What do we mean by Secure?

Bill Frantz frantz at pwpconsult.com
Sat Feb 7 19:05:25 EST 2015


On 2/6/15 at 3:10 PM, kentborg at borg.org (Kent Borg) wrote:

>Ah, but then one would have to stop and figure out what one is 
>trying to do...damn! Can't I just ask for Wholesome Apple Pie 
>and be done?

The more I hear people talk about making things secure, the 
more I hope they will explain what they mean by secure. What I 
mean, in the broadest sense, is "Bad Things Won't Happen". Now 
this is a bit overly nebulous. :-)

In general, we think computers should enforce a policy. But what 
policy? When I ask this question, the answer I generally get is, 
"Any policy you want". But there are many policies we can't 
implement with our current security mechanisms.

On our home computers, my wife's and my security policy is that 
both of us should have full ownership permissions on all of our 
files, since the owner is the only one who can change certain 
meta-data, like who can access the file. However, on our Unix 
based systems, a file can have only one owner. Our solution is 
to share accounts. As far as the computer is concerned, there is 
only one of us.

Another security policy which gave IBM's RACF security policy 
team fits came from the Stanford Linear Accelerator Center 
(SLAC). Their policy was, "We are an open facility. All files 
are to be world read-only unless approved by management." RACF 
was made to keep secrets. I couldn't implement that policy.

We have more serious problems with the policies our systems let 
us implement, so while we have a large number of policies, they 
are all quite narrow and all of them share a degree of 
impracticality. One of the ways to see if a policy is bad is to 
see if otherwise loyal employees are violating it to get their 
jobs done. For example, does an executive share account 
passwords with an admin? Sharing account access is against 
almost all written and unwritten security policies.

For an example of the flexibility we need in our policies, 
consider a real-world situation (from: 
<http://www.hpl.hp.com/techreports/2009/HPL-2009-169.pdf>): 
Alice, in a race to her next meeting, turns thunder-struck to 
Bob and says, "Bob, I just remembered I need to get my daughter 
Carol’s car to Dave’s repair shop. I’ve got to go to this 
meeting. Can you take Carol’s car over there?"

Now consider the computer equivalent: Alice, in a race to her 
next meeting, turns thunder-struck to Bob and says, "Bob, I just 
remembered I need to get my daughter Carol's prom posters to 
Dave's print shop. I've got to go to this meeting. Can you get 
Carol's PDF from her computer and take it to Dave?"

The first example is an easily solved problem. The second is 
impossible with our current security structures. Marc Stiegler 
has more detail at <http://www.skyhunter.com/pubshare/>.

In another interesting policy area, Alan Karp has developed the 
idea of Voluntary Oblivious Compliance (VOC) 
<http://www.hpl.hp.com/personal/Alan_Karp/STAR-201-Karp.ppt>. 
With VOC, the system will help a user follow a policy the user 
doesn't even understand. My favorite version of VOC detects a 
violation of policy and prompts the user, "This action appears 
to be a violation of our security policy. Please click "Cancel" 
or enter an explanation for your manager."

The above comments really only deal with the data secrecy facet 
of policy. There are really two broad areas of security policy, 
data secrecy and authority limitation. Data secrecy keeps your 
competitors from reading your business plan. Authority 
limitation keeps attackers from destroying your uranium 
enrichment centrifuges.

While there is a lot of overlap between these areas of policy, 
they are different. A power plant will probably be much more 
concerned about strangers remotely turning the dials than they 
will be concerned about strangers reading the meters. On the 
other hand, while a passive observer can steal data, it is hard 
to see how a passive attack can change the state of the system. 
For many important systems, data loss is a minor problem 
compared with authority problems.

The area of security structures to support a broader range of 
policies is where the work is needed.

Cheers - Bill

--------------------------------------------------------------
Bill Frantz        | There are now so many exceptions to the
408-356-8506       | Fourth Amendment that it operates only by
www.pwpconsult.com | accident.  -  William Hugh Murray
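The SLAC policy quoted above ("all files world read-only unless approved by management") is the kind of policy a secrecy-oriented access-control mechanism cannot enforce directly, but it can at least be audited. The script below is an added example, not code from the post or from SLAC or IBM: it walks a tree and reports every regular file that is not world-readable without an approval, and every file that is world-writable (the policy says read-only). How management approval is recorded is an assumption made for this example: a file named APPROVED at the root of the tree listing approved relative paths. The sample tree is constructed inside the script so it runs offline.

```python
import os
import stat
import tempfile

# Assumption for this example: management approval is recorded by listing
# the file's relative path in an APPROVED file at the root of the tree.
APPROVAL_LIST = "APPROVED"


def load_approvals(root):
    """Return the set of relative paths management has approved as non-public."""
    path = os.path.join(root, APPROVAL_LIST)
    try:
        with open(path) as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return set()


def audit(root):
    """Return a sorted list of (relative path, reason) policy violations.

    Policy under test (from the post): every file is world read-only unless
    approved. So a regular file violates it when it is world-writable, or when
    it is not world-readable and is not on the approval list.
    """
    approved = load_approvals(root)
    violations = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel == APPROVAL_LIST:
                continue
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            if not stat.S_ISREG(mode):
                continue
            if mode & stat.S_IWOTH:
                violations.append((rel, "world-writable"))
            elif not (mode & stat.S_IROTH) and rel not in approved:
                violations.append((rel, "not world-readable and not approved"))
    return sorted(violations)


def build_sample_tree():
    """Constructed sample tree for this example (not data from the post)."""
    root = tempfile.mkdtemp(prefix="open-facility-")

    def put(rel, mode, body=b"data"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        os.chmod(full, mode)  # explicit mode, so the umask does not matter

    put("public/results.txt", 0o644)   # world-readable: compliant
    put("private/payroll.csv", 0o600)  # secret, but approved below
    put("private/draft.txt", 0o600)    # secret and not approved: violation
    put("scratch/notes.txt", 0o666)    # world-writable: violation
    put(APPROVAL_LIST, 0o644, b"private/payroll.csv\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, why in audit(tree):
        print(f"{rel}: {why}")
```

Running it lists private/draft.txt (secret without approval) and scratch/notes.txt (world-writable) and stays silent about the approved payroll file. This is detection after the fact, not enforcement: nothing here stops a user from chmod'ing a file to 600, which is exactly the gap the post is describing.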


