November 15, 2002
by Bruce Schneier
A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.
Back issues are available at <http://www.schneier.com/crypto-gram.html>. To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to email@example.com.
Copyright (c) 2002 by Counterpane Internet Security, Inc.
In this issue:
This is a short issue of Crypto-Gram, because I'm finishing up a new book.
We are being told that we are in graver danger than ever, and that we must change our lives in drastic and inconvenient ways in order to be secure. We are being told that we must give up privacy or anonymity, or accept restrictions on our actions. We are being told that the police need new investigative powers, that domestic spying capabilities need to be instituted, and that our militaries must be brought to bear on countries that support terrorism. What we're being told is mostly untrue. Most of the changes we're being asked to endure don't result in good security. They don't make us safer. Some of the changes actually make things worse.
My new book, still untitled, is a book about security. Not computer security, but security in general. Its goal is to teach readers how to think differently, how to tell good security from bad security, and to be able to explain why. Its goal is to instill in readers a healthy skepticism about security, especially the technologies surrounding security. Its goal is to convince readers that good security is about people.
The book walks the reader, step by step, through security: what works, what doesn't, and why. It gives general principles that the reader can use to understand and evaluate security. It illustrates those principles with anecdotes from all over: crime, war, history, sports, natural science, myth, literature, and movies. And it gives the reader a simple process that he can use to understand the difference between good security and bad security.
Real-world security looks a whole lot like computer security. It's not just that computers are everywhere; the same concepts and methodologies that allow us to make sense of computer security also apply to the real world. In my previous book, "Secrets and Lies," I used real-world metaphors to explain computer and network security. In this book I am going to explain real-world security using the techniques, processes, and formalism from the computer world, without assuming any computer knowledge.
Book publishing is second only to furniture delivery in slowness. My deadline for the book is the end of the month, but it's not going to be available in stores until next September.
Crypto-Gram is currently in its fifth year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram.html>. These are a selection of articles that appeared in this calendar month in other years.
Why Digital Signatures are Not Signatures
Programming Satan's Computer: Why Computers Are Insecure
Elliptic Curve Public-Key Cryptography
The Future of Fraud: Three reasons why electronic commerce is different
Software Copy Protection: Why copy protection does not work
Red Hat vs. the DMCA. Red Hat publishes information about a security patch ONLY to people outside the United States, because of fear of the DMCA. It seems that a description of a fix to a vulnerability also contains information about the vulnerability itself, which could be a violation of the DMCA. Ridiculous? Of course it is. But that's the law for you.
And while we're on the subject of ridiculous, here are some of the "digital media devices" that would be required to incorporate government-approved copy-protection technology under the Hollings CBDTPA Bill: hearing aids, talking picture frames, scrolling signs, and baby monitors.
The previous two items are examples of the kinds of things that happen when laws are written to protect the revenue stream of an industry with no regard to its effects on society as a whole. Another example is the extensions to the copyright laws, currently being debated in the Supreme Court. Here's Larry Lessig's thoughts on arguing at the Supreme Court:
A clever Reuters reporter guesses URL of Swedish company's 3rd quarter results (before they were "officially" posted). The company claims it will file criminal charges. It's an interesting question: is guessing a URL an "intrusion"? I don't think so.
The Security Business Quarterly is a magazine worth reading. Issues are available online.
Windows 2000 receives a Common Criteria security rating. Does this mean anything? Not really. Jonathan Shapiro did such a good job explaining this that I'm just going to post a link to his essay.
Microsoft users may have to pay for security. Actually, I think this is a good idea. If users explicitly pay for security, then there's a greater chance that Microsoft will be liable for that security. And honestly, most users don't want security and don't want to pay for it.
This article says: "The al-Qaeda terror network has begun using hackers who break into websites to create secret pages that send messages to its followers, Internet specialists say." This makes absolutely no sense, and is a sad example of the mindless anti-terrorist computer-security hype we're hearing these days.
A well-written analysis of the major security/privacy/stability concerns of Windows XP.
"Fortune 1000 companies lost $45 billion to theft of proprietary information last year." How do they know?
"Assessing Internet Security Risk," a five-part series:
Root DNS servers attacked. It's a credit to the good guys that the effects of the attack were minimal. Lots of commentary about it, though.
Nice security success story: NASA.
Fascinating Congressional testimony by NSA Director Michael Hayden. He explains how NSA worked on terrorism pre- and post-9/11, and then tells Congress that they can best help him by going back to their constituents and finding out where the public wants to draw the line between liberty and safety. Required reading.
Excellent paper by Carl Ellison on the myths and realities of PKI:
I'm sitting on some big news that I can't really talk about yet. Hopefully next month.
In the meantime, I will be speaking at COMDEX in Las Vegas on 11/18, at the IETF meeting in Atlanta on 11/21, and at InfoSecurity in New York on 12/11.
Giant hornets regularly attack beehives. Typically, an attack begins when a single hornet captures a lone bee nearby the hive. After several of these perimeter skirmishes, one hornet leaves a marking pheromone at the hive's entrance. This pheromone attracts the other hornets, who arrive en masse and attack the beehive. The bees' stingers can't penetrate the hornets' armor, so it's a one-sided slaughter; something like 30,000 bees can be killed in a few hours by 30-40 hornets.
Japanese honeybees, however, have evolved an interesting defensive strategy. When a hornet marks the hive's entrance, the bees guarding the entrance return to the hive and wait for the attacking hornets. This has the effect of luring the first attacking hornets into the hive, rather than allowing them to start their attack outside. Simultaneously, over 1000 worker bees in the hive leave the combs and mass just inside the hive's entrance. When a hornet tries to enter the hive, the workers surround it, forming a ball of bodies, and cook it to death with their body heat. The bees also release a pheromone that draws ever more bees from the hive's interior to come to the entrance and defend the nest.
This strategy must be perfect in order to be successful. If the bees fail in killing the first hornet attackers, then the hornet pheromone gets stronger, and more hornets arrive to reinforce their attack. By sheer numbers, the hornets can overpower the bees.
Source: Bernd Heinrich, "The Thermal Warriors: Strategies of Insect Survival," Harvard University Press, 1996.
I'm busy, so you'll have to do the work this time. Here are my current doghouse candidates. Decide for yourself which is the funniest.
Is it CryptDefence, which offers "information's absolute protection" via their "entirely new original symmetric cryptographic algorithm MCD," which "disproves the Vernam theory...."
Is it Asier Technology, which "has made a breakthrough in such [cryptography] research and is now offering revolutionary products," with keys "ranging in key sizes from 5,000 to over 136,000 bits"?
Is it TransPlace, "only security program without hacks/ cracks/patches on Internet"? "Unhackable!!! It's IMPOSSIBLE to hack TransPlace-files!" "The internal structure of TransPlace is TOP SECRET!" "We believe it's impossible to make successful cracks for TransPlace or 'TransPlace protected files'!"
Is it ForeScout, an intrusion prevention technology that "pre-emptively neutralize[s] known and unknown attacks with no false positives ensuring zero time to protection," while at the same time requiring "no signature updates nor manual intervention"?
Or is it EuroTech, with their "double cipher, keyless transmission system, with no transmitted key subject to compromise"?
So many to choose from.... And thank you to everyone who e-mails me with Doghouse suggestions. I always enjoy reading these Web sites.
From: Frank Prince <fwp3grumpybear.com>
I disagree that the strategy doesn't make a difference. I feel your comments were too dismissive of it.
Something in the discussion about the relationship between consensus and security didn't ring true for me. Relative to security, consensus -- in a community, in the board room, formalized in law, or honed by legal precedent -- is a kind of community threat estimate and resource allocation decision. We can certainly argue that it is flawed -- but not that it is irrelevant.
Moreover, I take issue with the idea that security is a commons. The new community resources we are trying to protect aren't fully defined. And consensus regarding the threat to them will remain evanescent until they are. Beyond that, the metrics that will allow us to assess liability are even less appreciable. Security, like availability, is a characteristic that can be used to judge if the commons is in crisis. But cultural accommodation to profoundly changing technological realities is the underlying issue -- not security.
That being said, in any time of change there are criminals that take advantage of upheaval. We can't stand by and let them hurt us. Still, we have to remember that we are engaged in a battle that is playing out in two different time scales -- the first with our day-to-day decisions about security and the second with our long-term understanding of the effects of technology change on security. The day-to-day interacts with the long-term. A new technique for mitigating the impact of denial-of-service attacks changes people's perception of how serious they are. But so does a government test balloon on cyber-security, affecting things like research funding and public awareness. Both make a difference. Neither is irrelevant.
From: "Odom, Joel" <Joel.OdomBellSouth.com>
In the same way that the "National Strategy to Secure Cyberspace" is going to do no good to improve computer security, passing laws requiring certain security behavior will do no good either. As a matter of fact, laws requiring companies and individuals to practice certain security behavior would likely do more harm than good.
As you pointed out, the government is all about politics and not about what will actually work. Computer security laws would require behavior that would make systems more complicated. As a system becomes more complicated, it generally becomes less secure and not more secure.
Laws would not be able to mandate the detection and response necessary for true security. Instead, laws would mandate certain products that would be trusted and would choke out bona fide efforts to improve security. Even worse, they would lull users into a false sense of security.
The best way to wreck computer security is to let the government meddle with it. All of the security laws that have passed in recent years have only made matters worse. Why do we expect that the government could ever actually make it better?
To: Bruce Schneier <firstname.lastname@example.org>
> Security is a commons. Like air and water and radio spectrum, any
No. The way to prevent people from abusing a commons is to establish and enforce property rights. A public bathroom will be filthy no matter how many laws you pass. Most companies obey the laws against dumping wastes rivers, but there are still plenty who just got a bit more creative about where and when they do their polluting. Laws don't work. You need people with an interest in protecting _their_ property, not bureaucrats who will protect the commons as long as no one bribes them to look the other way, and not governments that pass laws but make themselves exempt.
The tricky bit is dividing the commons up into the proper chunks of property to insure that the greatest number of people can still use it at a fair price.
From: Marc de Piolenc <piolencmozcom.com>
While I agree with your comments about the ineffectiveness of a plan without teeth, I am equally doubtful of the efficacy of legislation. Your analogy to pollution regulations is a good one, because it points up the fundamental fallacy of a "commons."
That which belongs to everybody belongs to nobody, in the sense that nobody has any incentive to preserve it. The answer is not empowering bureaucrats to protect the commons (which they will do poorly or not at all), but to privatize the resources currently treated as common property.
In the case of the infrastructure that we are talking about, it is already in private hands, and considering it a "commons" is just a fancy way of letting the people who control its various components escape responsibility for their management.
To use a simple example, the owners of distribution networks are, in the USA at least, civilly liable for failure to follow established good practice in their respective technical fields. This is not a matter of regulation, but of tort law. The problem with our sector is the absence of generally recognized good practices. Any advance in that area is worth any number of tons of output from the Federal Register.
From: Jim Reid <jimrfc1035.com>
I think your comments about consensus with regard to security matters could have been more carefully worded. Security is ultimately about consensus. It has to be a trade-off between what the end users will tolerate, what the security guys will tolerate, what providers are prepared to offer in the way of services, and what the bean counters will accept both in costs and risks/rewards. Provided these conflicting interests can be balanced properly, the resulting system should be secure enough for the purpose it was intended. It's a bit unfair of you to say that consensus security mostly results in bad decisions. In a free society I think it's impossible to deploy workable security systems unless those systems are built around consensus. For some fluffy definition of "consensus."
Where I do agree with you wholeheartedly is that security -- or anything else we try to do -- becomes flawed when the participants come with their own axes to grind or have a not-so-hidden agenda to protect their vested interests. And then distort the decision making process to reflect their position.
Your response to the CyberSecurity Strategy is an impassioned plea, but I can't believe you came to your conclusion. What possible law should the government pass? After the example of the DMCA, they'll pass a law against hacking or anything that looks like it, and that law will make all network management (especially managed security such as Counterpane produces) illegal by side effect.
The people you describe, driven by special interests into confusion and feebleness in spite of tons of good advice, would pull the trigger -- but what would they hit?
So -- what law would you want them to pass? It sounds like you want one law: that makes companies liable for successful attacks. Would Counterpane be liable?
I suspect that it's Microsoft you want to be made liable -- as punishment for their creation of exploitable holes. But, you don't say that. Why do you expect the government to use the same logic you and I use? If you want them to make someone liable, they might make a homeowner liable if his home computer is used as a DDoS launch point -- and leave Microsoft untouched.
From: Stefan Lucks <lucksweisskugel.informatik.uni-mannheim.de>
I have studied the equation-solving technique for the cryptanalysis of secret-key ciphers, such as the AES, myself. As a scientist, I find the technique exciting. However, I think it is too early to draw any conclusions.
As I mentioned, the paper from Courtois and Pieprzyk is exciting for me. Their technique may turn out to be a relevant attack for some secret-key ciphers, possibly including the AES. BUT: Currently, the study of these ciphers is research in progress, no more, no less. It is much too early to consider the AES broken. People should wait for more results. (I don't write this to blame the authors. The have done great work. But good research needs time, and researchers have to publish their "work in progress" to get feedback from their peers.)
In general, the technique works like this:
1. Find a special "trick" to describe the cipher as a largely overdefined system of quadratic (or low-degree) equations (for secret-key cryptosystems typically in GF(2)).
2. Check if there are any obvious reasons why XL won't be able to solve the system (e.g., extremely many linear dependencies).
3. Use XL (some variant of XL) to solve the system and cross your fingers. That is, artificially increase the number of equations by multiplying some of the equations with some of the terms to get a system of non-linear (higher-degree) equations. If the number of equations exceeds the number of terms, linearise the system; i.e., treat each term as an independent linear variable.
4. Solve this (huge) system of linear equations.
The problem is going from step 2 to step 3. Courtois and Pieprzyk describe some necessary conditions for XL to work in their paper. We can check for these conditions in step 2. But these conditions are unlikely to be sufficient. Especially in the case of the AES, there are some doubts.
There are some experimental indications that XL works at least sometimes. Unfortunately, the "real" attacks are by far too expensive be implemented today. So we can't directly verify the attack experimentally.
Good ciphers are like good wine; both need much time to mature. AES is still young, only five years old, and I wouldn't mind if people considered three-key triple DES as a possible alternative to the AES, for the next five years or so.
From: Ulrich Kunitz <ulrich.kunitzfreenet.de>
I've seen one-time pads used in the East German army, I even did some encryption personally, not exactly in line with the rule book. I served as a private in a surface-air-missile base with old SA-2 Voichov missiles from 1987 to 1989. Short messages about the frequency plan for friend-detection, encoding of the coordinate system and troop movements were encrypted with one-time pads. Encryption and decryption had to be done by officers, one of them explained it to me. Blocks were numerated and stored in special sealed boxes fixed in the concrete walls of the command bunker. Key exchange was the task of armed couriers (two men) with a sealed transport case. Everybody using the system knew that code blocks must not be reused. But this was still a German army with Prussian traditions, which double-counted every bullet. That the Russians in the Soviet embassy didn't do the right thing, might be caused by their mentality to always cut corners to meet ends.
Here in Germany banks are using one-time pads for the authentication of financial orders. This system is used by millions of bank customers, even my mother. It's called the PIN/TAN-system. The TAN blocks are sent by the postal service, some banks even require the customer to acknowledge the receipt by a signed letter. For every order you enter into your browser or home banking application, you have to use one transaction number (TAN) from the block. The bank system checks the TAN and enforces the single use. The scheme doesn't prevent attackers from changing the message before sending it over the encrypted connection, but limits effectively the number of orders an attacker can send, as long as the customer doesn't store his TANs on the computer. By limiting the amount of money per order on the bank side, risks are reduced by the system.
I've implemented here in Germany online-banking-systems using several cryptographic methods with keys in a file, tokens, and smartcards. Standard algorithms, no snake oil, we know our limits. It still strikes me how easy to understand, easy to apply (no drivers or additional devices), and relatively secure the PIN/TAN method is. Limiting the number of orders an attacker could do is far more difficult with available smartcard technology or even keys in a file. And customers have no problems to develop the right model about PIN/TAN, but smartcards aren't doing what most people think they do.
By the way, please remind your readers that even one-time pads are insecure, if somebody uses a "random" generator like C-library's rand() to generate the pads. Murphy's law says it will happen---and it did.
Home banking fraud here in Germany is a popular media theme, but in reality it isn't a problem. This is caused by the checks built in the classic banking system and its capability to handle errors and fraud. That we never use the PIN alone in Germany does contribute, but how much, I really don't know.
"Secret & Lies" helped a me a lot to understand what is going on. Technology will never solve the security problem alone: you need organization, infrastructure, people, processes and a legal system to produce security.
From: John Gateley <gateleyjriver.com>
"Software with a key strength of 109^4000 + 109^3999 + ... 109^1."
It gets worse. I found the following on the Web site: "Users can choose keys that are as short or as long as they wish. But, only the first 4,000 valid characters submitted as a key are used in the program. There are 109 valid key characters."
So, instead of 109^4000 different keys, they somehow come up with 109^4000 + 109^3999 + ... +109^1.
Makes me wonder about the rest of their math.
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to email@example.com. To unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Secrets and Lies" and "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on computer security and cryptography.
Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane's expert security analysts protect networks for Fortune 1000 companies world-wide.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.