[Cryptography] What do we mean by Secure?

Mon Feb 9 08:34:04 EST 2015

On 02/09/2015 02:08 AM, alex at alten.org wrote:
> For myself security is just another engineering domain, like software
> or electrical engineering. 

There is that--your engineering could be great.

But there are a couple of crucial differences.

First, exactly where you draw the boundary of your system matters. For 
example, your system might be perfect until the user chooses the 
password "password". If your system boundary includes the choice of that 
password, then it is crap. If your responsibility stops short of that 
poor choice, then your system might be perfect.

Lucky you! You sold a perfect system, wipe your hands, walk away 
counting your bucks. Your customer, however, might think there is a 
bottom-line problem. The millions of credit card holders might also have 
a complaint and rage why can't "they" build a secure system?

"I thought you said it was just an engineering problem. What kind of 
terrible engineer are you?", they might ask.

I don't think orderly engineering domains have that squirrelly property, 
I don't think they will invisibly shift from good to bad due to some 
invisible, external event. It is like open pails of gasoline can 
suddenly appear everywhere, surrounded by lit candles--but invisibly and 
not giving off any fumes.

The second difference is that, unlike orderly data and predictably 
charged electrons, you have active, clever, adaptive, and malicious foes 
who are looking for holes in your design and implementation--and they 
are trying to shift the system boundaries to create new holes--trying to 
make a shift that destroys your otherwise your perfect security.

Not only can open pails of gasoline be invisible, you have foes who are 
trying to sneak them into your hallway!.

Those two properties make computer security very different from "just 
another engineering domain". We are trying to "stop crime" here. We know 
a lot about it, we have some solid tools, but we don't have complete 
solutions and are fools to think we could.

If you exclude the humans who use your system as part of the system you 
are cheating, you are not selling a system, you are selling a limited 
component, and if you don't admit it is just a component, it probably 
has poorly defined interfaces and functions. If you do include humans in 
the system then you are being honest, and have some hope of building a 
decent system, but are doomed to build a system that can never be 
perfectly secure because the enemy is inside the system.

In the case of computer security, at the moment, our attempts to stop 
computer crime are made of toothpicks. Though it will never be perfect, 
we are extra non-perfect right now, for those wanting to bail an ocean 
we are in a golden age, there is plenty of work to do.

-kb

P.S. Does anyone ever do security analysis that specifies the boundaries 
and the vulnerabilities near those boundaries? Seems basic, I have 
written such things for my own benefit, but don't know that I have seen 
anyone else do so.