[Cryptography] The Laws (was the principles) of secure information systems design

Peter Fairbrother peter at m-o-o-t.org
Fri Jul 15 14:36:58 EDT 2016


On 14/07/16 17:42, Ron Garret wrote:
>
> On Jul 12, 2016, at 1:30 PM, Peter Fairbrother <peter at m-o-o-t.org>
> wrote:
>
>> Law 11: Security is a Boolean
>
> I vehemently disagree with this.
>
> Security is only meaningful with respect to a threat model.
> Something can be completely secure against a casual hacker and
> totally insecure against a nation-state with a supercomputer and the
> ability to decap chips.  Moreover, the boundaries of the “something”
> that is secure (or not) with respect to a threat model can vary
> widely.  These boundaries can be physical or virtual.  I can draw a
> security perimeter around my account, around my computer, around the
> safe in my basement, around my house, around my company, around my
> cage in the datacenter, around the datacenter itself, around my
> nation-state…  Furthermore, the effort that you put into making an
> asset more or less secure has to be weighed against the value of the
> asset.  I care a lot more if someone breaks in to my on-line bank
> account than if they break in to my Reddit account.
>
> Law 11 is not merely wrong, it is *dangerously* wrong, the exact
> opposite of what we should be telling people.


is it secure

- depends on your attack model

what's an attack model?

- well, depends on who wants to get your data. If it's the nsa they can

so, is it secure

-

Yes but, is it secure

-


so, is it secure

-

so, is it secure?

- No



The purpose of Law 11, "Security is a Boolean", is to:

* get away from the "spend x to protect against threat y with
probability z" paradigm


- when you don't know what the threat y is.

- when you can't calculate the probability z

- when you don't know the cost of "security"

- when you don't know the cost of insecurity

- when you don't know whether it will work at all.

i.e. most all of the time.

And I dispute any near-linear relationship between spending and
security, unless it's spending on good system design.

"ignoring failure costs, the upfront and operating costs of
well-designed secure systems are about the same as those of insecure ones"



The purpose of Law 11, "Security is a Boolean", is also to:

* get away from the "security is protecting against threat y with
probability z" paradigm.



They may be nice paradigms in theory, but in practice ..

.. they are just about ways of estimating insecurity. They have given up
on security.




Data security is not "a sliding scale of tradeoffs towards .."

Data security is "can I, and nobody else I don't want to, get my data
when I want it?".



And far too often it's "no" when it doesn't have to be.

Take TLS with 2k DH FS where the server end isn't subject to NSLs -
that's probably secure. Ok, the server and user's computers may be
bugged or pwned - but the link itself probably can't be broken.

But as we all know there are e.g. MITM downgrade attacks on the link which
are possible in some cases - TLS is a very large system - but just for
that one version, we can (ignoring QC) answer the question "Is it secure
(against any possible threat)" with "Yes, we think so."



Is it really actually secure against all threats though? Well we don't
really know, it might not be.

Maybe God sees all, so nothing is secure from him. On the other hand,
maybe our data is secure in his hands.


But there is an answer to the question "Is it secure?" even if we don't
know what it is.


And that's why security is a Boolean; not a process, not a set of 
compromises.


-- Peter Fairbrother

