[Cryptography] What do we mean by Secure?

Adrian McCullagh amccullagh at live.com
Sun Feb 8 00:16:41 EST 2015


Dear All,


If my memory serves me correctly, Ed Yourdon in the late 1970s once said (paraphrased by me, and analogous to Schrödinger's cat) that a secure computer is a computer that is not connected to any network, turned off with no power and locked in a room, and the access mechanism (the key) has been lost, and even then he was not sure that the said computer was secure.





Also Winn Schwartau is attributed with the following simple time based concept of a secure computer system:


S(t) > D(t1) + R(t2)


Basically if the detection time of an attack plus the reaction time is less than the time it takes to break a system then the system is secure.


Now this is a basic concept but how one detects an attack and what actions are to be undertaken by way of reaction are still unsettled to secure a system.


Obviously, Yourdon was making a point that a really secure system is unrealistic and uncommercial. I also remember Professor Bill Caelli once telling me that the US Navy had developed an A1 (TCSEC) operating system in the 1970s but unfortunately it was entirely unusable and was later abandoned. Compromise has to be taken and it really depends on each situation. The real problem is that most organisations do not undertake the basic risk assessment to understand what their respective risk appetite is.



In not understanding their respective risk appetite they are not in a position to ever know whether the so-called secure system fits within their respective position.


On top of this, all systems are complex and since they were designed and developed by humans, mistakes will occur. As such it is highly unlikely that a real secure system will ever be developed that can be used effectively by end entities. Consequently, it is for experts like the people on this group to assist where they can.


In the end the term “secure” is too vague to be used as it will mean different things to different people and organisations/entities.


Just my thoughts.  


Adrian

