[Cryptography] What do we mean by Secure?
Kent Borg
kentborg at borg.org
Mon Feb 9 08:34:04 EST 2015
On 02/09/2015 02:08 AM, alex at alten.org wrote:
> For myself security is just another engineering domain, like software
> or electrical engineering.
There is that--your engineering could be great.
But there are a couple of crucial differences.
First, exactly where you draw the boundary of your system matters. For
example, your system might be perfect until the user chooses the
password "password". If your system boundary includes the choice of that
password, then it is crap. If your responsibility stops short of that
poor choice, then your system might be perfect.
Lucky you! You sold a perfect system, wipe your hands, walk away
counting your bucks. Your customer, however, might think there is a
bottom-line problem. The millions of credit card holders might also have
a complaint and rage: why can't "they" build a secure system?
"I thought you said it was just an engineering problem. What kind of
terrible engineer are you?", they might ask.
I don't think orderly engineering domains have that squirrelly property;
I don't think they will invisibly shift from good to bad due to some
invisible, external event. It is as if open pails of gasoline could
suddenly appear everywhere, surrounded by lit candles--but invisibly and
not giving off any fumes.
The second difference is that, unlike orderly data and predictably
charged electrons, you have active, clever, adaptive, and malicious foes
who are looking for holes in your design and implementation--and they
are trying to shift the system boundaries to create new holes--trying to
make a shift that destroys your otherwise perfect security.
Not only can open pails of gasoline be invisible, you have foes who are
trying to sneak them into your hallway!
Those two properties make computer security very different from "just
another engineering domain". We are trying to "stop crime" here. We know
a lot about it, we have some solid tools, but we don't have complete
solutions and are fools to think we could.
If you exclude the humans who use your system as part of the system you
are cheating, you are not selling a system, you are selling a limited
component, and if you don't admit it is just a component, it probably
has poorly defined interfaces and functions. If you do include humans in
the system then you are being honest, and have some hope of building a
decent system, but are doomed to build a system that can never be
perfectly secure because the enemy is inside the system.
In the case of computer security, at the moment, our attempts to stop
computer crime are made of toothpicks. Though it will never be perfect,
we are extra non-perfect right now; for those wanting to bail an ocean,
we are in a golden age: there is plenty of work to do.
-kb
P.S. Does anyone ever do security analysis that specifies the boundaries
and the vulnerabilities near those boundaries? It seems basic; I have
written such things for my own benefit, but I don't know that I have seen
anyone else do so.