Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Communications
  3. Marketing

HardCrypto

advertisement 
Why Cryptography is Harder
Than It Looks
Written by Bruce Schneier
Presented by Heather McCarthy
Software Systems Security
CS 551
Outline
•
•
•
•
•
•
•
•
Threats to Computer Systems
Methods of Entry
What Cryptography Can & Can’t Do
Security Dependencies
Threat Models
System Design
Implementation
Human Factor
Introduction
• Cryptography is essential
• Current cryptography is not as strong as
it claims to be
– Cannot be an afterthought
• Difficult to identify strong products
– Wastes money
• Present computer security systems will
not withstand attacks for very long
Threats to Computer Systems
• Types of Threats
– Fraud in Electronic Commerce
• Forgery
• Impersonation
• Denial of Service
• Cheating
– Privacy Violations
• Targeted vs. broad data harvesting attacks
– Electronic Vandalism
• Vandals ROUTINELY break into networked
computer systems
Threats to Computer Systems
• Characteristics of Threats
– Opportunistic
• Often, security need only be relative to thwart
an attack
– Motivation of attackers
• Vast knowledge and free time
• Few financial resources and / or vendetta
Methods of Entry
• Not through typical “doorway”
– Steal technical data
– Bribe insiders
– Modify software
– Collude
• Summary:
– Easy to attack an automated system
– Need only find one of many weaknesses to
gain access
What Cryptography Can and Can’t Do
• Security is never guaranteed entirely
• A good system balances actual failures
against potential failures
• Non-invasive attacks CAN be totally
prevented
• Targeted attacks can only be withstood up to
a point
• The problems with cryptography are not in
the algorithms and protocols, but the
implementation
– Weakness are found at human interaction level
Security Dependencies
• Security is a chain
• Cryptography is rarely broken through
the mathematics
• Finding flaws is difficult and tedious
– No test can prove the absence of flaws
Threat Models
• In other words, understanding what to
protect against
– What system protects
– From whom
– For how long
• Must take into consideration intended
and unintended users
• Often designers don’t work to build
accurate threat models
System Design
• Scientific
– Requires many fields of mathematics
– Extensive peer review
– Years of analysis
• Art
– Needs a balance between conflicting goals
• Security vs. Accessibility
• Anonymity vs. Accountability
• Privacy vs. Availability
– Intuition
Implementation
• Cryptographic algorithms are only part
of the chain
• Exact
– A GUI must be as strong as the protocols
• Unfortunately, this facet is often
overlooked because it is not technically
interesting
• Method of Design: Make, Break, Repeat
The Human Factor
• Insiders commit most fraud
• Honest users cause problems because
they don’t care about security
• Users’ needs must be considered in
order to build a smoothly operating
system
Current State of Security
• No good way to compare systems
– Magazines list features instead of evaluating their
security
– Marketing lies
• Secrecy paves the way for breaches
– Thank goodness for CERT
• Laws only cure the symptoms, not the cause
of security failures
• Average lifetime: Five years
Conclusion
•
•
•
•
Assume the worst
Make, Break, Repeat
Leave a margin for error
Questions?
Related documents
Diapositive 1
Diapositive 1
plaintext version
plaintext version
Side-Channel Resistant Cryptography on FPGAs
Side-Channel Resistant Cryptography on FPGAs
Computer Security
Computer Security
Lecture 1
Lecture 1
CSC 421 COURSE COMPACT
CSC 421 COURSE COMPACT
Syllabus - החוג למדעי המחשב
Syllabus - החוג למדעי המחשב
spring13DA107outline
spring13DA107outline
Abstract: Chen-Mou Cheng, Post
Abstract: Chen-Mou Cheng, Post
MAD 6209 Implementation and Cryptanalysis of Cryptographic
MAD 6209 Implementation and Cryptanalysis of Cryptographic
- projectgenie
- projectgenie
Cryptography Applied to Linear Functions
Cryptography Applied to Linear Functions
Managing Threats in a Changing World
Managing Threats in a Changing World
CS 4390/5390 Fall 2013 Shirley Moore, Instructor October 24 Class
CS 4390/5390 Fall 2013 Shirley Moore, Instructor October 24 Class
Soran University Faculty of Science and Engineering Computer
Soran University Faculty of Science and Engineering Computer
William Stallings, Cryptography and Network Security 5/e
William Stallings, Cryptography and Network Security 5/e
Cryptography and Secret Codes
Cryptography and Secret Codes
Certified Information Systems Security Professional (CISSP) SE-CISSP-SE1007 Complete Outline
Certified Information Systems Security Professional (CISSP) SE-CISSP-SE1007 Complete Outline
A Lossless Tagged Visual Cryptography Scheme Abstract
A Lossless Tagged Visual Cryptography Scheme Abstract
MSc EEM118 Research Dissertation CITE, UEL
MSc EEM118 Research Dissertation CITE, UEL
CNT4403Syllabus
CNT4403Syllabus
Full Description - Faculty of Information Technology Multimedia
Full Description - Faculty of Information Technology Multimedia
Download
advertisement