Why Cryptography is Harder Than It Looks Written by Bruce Schneier Presented by Heather McCarthy Software Systems Security CS 551 Outline • • • • • • • • Threats to Computer Systems Methods of Entry What Cryptography Can & Can’t Do Security Dependencies Threat Models System Design Implementation Human Factor Introduction • Cryptography is essential • Current cryptography is not as strong as it claims to be – Cannot be an afterthought • Difficult to identify strong products – Wastes money • Present computer security systems will not withstand attacks for very long Threats to Computer Systems • Types of Threats – Fraud in Electronic Commerce • Forgery • Impersonation • Denial of Service • Cheating – Privacy Violations • Targeted vs. broad data harvesting attacks – Electronic Vandalism • Vandals ROUTINELY break into networked computer systems Threats to Computer Systems • Characteristics of Threats – Opportunistic • Often, security need only be relative to thwart an attack – Motivation of attackers • Vast knowledge and free time • Few financial resources and / or vendetta Methods of Entry • Not through typical “doorway” – Steal technical data – Bribe insiders – Modify software – Collude • Summary: – Easy to attack an automated system – Need only find one of many weaknesses to gain access What Cryptography Can and Can’t Do • Security is never guaranteed entirely • A good system balances actual failures against potential failures • Non-invasive attacks CAN be totally prevented • Targeted attacks can only be withstood up to a point • The problems with cryptography are not in the algorithms and protocols, but the implementation – Weakness are found at human interaction level Security Dependencies • Security is a chain • Cryptography is rarely broken through the mathematics • Finding flaws is difficult and tedious – No test can prove the absence of flaws Threat Models • In other words, understanding what to protect against – What system protects – From whom – For how long • Must take into consideration intended and unintended users • Often designers don’t work to build accurate threat models System Design • Scientific – Requires many fields of mathematics – Extensive peer review – Years of analysis • Art – Needs a balance between conflicting goals • Security vs. Accessibility • Anonymity vs. Accountability • Privacy vs. Availability – Intuition Implementation • Cryptographic algorithms are only part of the chain • Exact – A GUI must be as strong as the protocols • Unfortunately, this facet is often overlooked because it is not technically interesting • Method of Design: Make, Break, Repeat The Human Factor • Insiders commit most fraud • Honest users cause problems because they don’t care about security • Users’ needs must be considered in order to build a smoothly operating system Current State of Security • No good way to compare systems – Magazines list features instead of evaluating their security – Marketing lies • Secrecy paves the way for breaches – Thank goodness for CERT • Laws only cure the symptoms, not the cause of security failures • Average lifetime: Five years Conclusion • • • • Assume the worst Make, Break, Repeat Leave a margin for error Questions?