November 15, 1998
by Bruce Schneier
A free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.
Copyright (c) 1998 by Bruce Schneier
In this issue:
- Electronic Commerce: The Future of Fraud
- Counterpane Systems -- Featured Research
- Micro Locks
- Counterpane Systems News
- Software Copy Protection
- More on Steganography (by Peter Wayner)
- About "CRYPTO-GRAM"
Fraud has been perpetrated against every commerce system man has ever invented, from gold coin to stock certificates to paper checks to credit cards. Electronic commerce systems will be no different; if that's where the money is, that's where the crime will be. The threats are exactly the same.
Most fraud against existing electronic commerce systems -- ATM machines, electronic check systems, stored value tokens -- has been low tech. No matter how bad the cryptographic and computer security safeguards, most criminals bypass them entirely and focus on procedural problems, human oversight, and old-fashioned physical theft. Why attack subtle information security systems when you can just haul an ATM machine away in a truck?
This implies that new commerce systems don't have to be secure, but just better than what exists. Don't outrun the bear, just outrun the people you're with. Unfortunately, there are three features of electronic commerce that are likely to make fraud more devastating.
One, the ease of automation. The same automation that makes electronic commerce systems more efficient than paper systems also makes fraud more efficient. A particular fraud that might have taken a criminal ten minutes to execute on paper can be completed with a single keystroke, or automatically while he sleeps. Low-value frauds that fell below the radar in paper systems become dangerous in the electronic world. No one cares if it is possible to counterfeit nickels. However, if a criminal can mint electronic nickels, he might make a million dollars in a week. A pickpocketing technique that works once in ten thousand tries would starve a criminal on the streets, but he might get thirty successes a day on the net.
Two, the difficulty of isolating jurisdiction. The electronic world is a world without geography. A criminal doesn't have to be physically near a system he is defrauding; he can attack Citibank in New York from St. Petersburg. He can jurisdiction shop, and launch his attacks from countries with poor criminal laws, inadequate police forces, and lax extradition treaties.
And three, the speed of propagation. News travels fast on the Internet. Counterfeiting paper money takes skill, equipment, and organization. If one or two or even a hundred people can do it, so what? It's a crime, but it won't affect the money supply. But if someone figures out how to defraud an electronic commerce system and posts a program on the Internet, a thousand people could have it in an hour, a hundred thousand in a week. This could easily bring down a currency. And only the first attacker needs skill; everyone else can just use software. "Click here to drop the deutsche mark."
Cryptography has the potential to make electronic commerce systems safer than paper systems, but not in the ways most people think. Encryption and digital signatures are important, but secure audit trails are even more important. Systems based on long-term relationships, like credit cards and checking accounts, are safer than anonymous systems like cash. But identity theft is so easy that systems based solely on identity are doomed.
Preventing crime in electronic commerce is important, but more important is to be able to detect it. We don't prevent crime in our society. We detect crime after the fact, gather enough evidence to convince a neutral third party of the criminal's guilt, and hope that the punishment provides a back-channel of prevention. Electronic commerce systems should have the same goals. They should be able to detect that fraud has taken place and finger the guilty. And more important, they should be able to provide irrefutable evidence that can convict the guilty in court.
Perfect solutions are not required -- there are hundreds of millions of dollars lost to credit card fraud every year -- but systems that can be broken completely are unacceptable. It's vital that attacks cannot be automated and reproduced without skill. Traditionally, fraud-prevention has been a game of catch-up. A commerce system is introduced, a particular type of fraud is discovered, and the system is patched. Money is made harder to counterfeit. Online credit card verification makes fraud harder. Checks are printed on special paper that makes them harder to alter. These patches reduce fraud for a while, until another attack is discovered. And the cycle continues.
The electronic world moves too fast for this cycle. A serious flaw in an electronic commerce system could bankrupt a company in days. Today's systems must anticipate future attacks. Any successful electronic commerce system is likely to remain in use for ten years or more. It must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won't be time to upgrade them in the field.
Why Cryptography is Harder Than it Looks:
Security Pitfalls in Cryptography:
"Toward a Secure System Engineering Methodology"
C. Salter, O. Saydjari, B. Schneier, and J. Wallner, New Security Paradigms Workshop, September 1998, to appear.
This paper, coauthored with three NSA employees, presents a methodology for enumerating the vulnerabilities of a system, and determining what countermeasures can best close those vulnerabilities. We first describe how to characterize possible adversaries in terms of their resources, access, and risk tolerance, then we show how to map vulnerabilities to the system throughout its life cycle, and finally we demonstrate how to correlate the attacker's characteristics with the characteristics of the vulnerability to see if an actual threat exists. Countermeasures need to be considered only for the attacks that meet the adversaries' resources and objectives. Viable countermeasures must meet user needs for cost, ease of use, compatibility, performance, and availability.
An Appraisal Of The Technologies Of Political Control. A very interesting essay.
A new report on the National Security Agency's top-secret spying network will soon be sent to members of Congress. The report -- "Echelon: America's Spy in the Sky" -- was produced by the Free Congress Foundation and details the history and workings of the NSA's global electronic surveillance system. The system is reportedly capable of intercepting, recording and translating any electronic communication sent anywhere in the world.
The OECD is looking at the taxation of Internet businesses. The second document on the web page discusses options for taxation of Internet businesses. In particular, Implementation Option 11 is quite interesting. It reads: "Revenue authorities may consider mechanisms facilitating tracing, for tax purposes, of inadequately identified web sites and other electronic places of business. While the majority of enterprises engaged in electronic commerce adequately identify the legal entity operating the web site or electronic place of business, a small but significant percentage of web sites have inadequate identification for tax purposes. Revenue authorities, in common with other bodies, require appropriate mechanisms to allow tracing of the legal entity operating a business through a web site or other electronic place of business. (e.g. through Internet Protocol (IP) number allocation records.)" Scary, really.
"Sandia National Laboratories has developed a computer security device that puts a new spin on firewall technology: The Recodable Locking Device is the world's smallest, micromachined combination lock, and it's designed to protect computer networks from outside intruders." --Wired News.
The idea is that instead of computer-security measures -- cryptography and all that -- there is a physical combination lock inside the firewall. If someone enters the correct combination, he gets in. If he doesn't, he stays locked out. No cryptographic algorithms to break. No computer security measures to try to circumvent. No software to find bugs in.
This sounds cool, but adding micro combination locks doesn't change the threat model much. In both systems, the user has to either remember a password (combination) or store it somewhere. In both systems, passwords can be sniffed or stolen. In both systems, an administrator can subvert the security (either accidentally or maliciously). In both systems, there is software controlling how the access works. If you trust the cryptographic algorithms (which, in any good system, are being used in far more places than the access control), then without the crypto key there is no way to open the file...just as without the combination there is no way to open the lock. There are probably some advantages to using one way or the other depending on the circumstance, but I don't see a technological leap.
More telling, the computer security industry hasn't been beating its breast and wailing: "I wish there were a tiny combination lock. That would solve my problems!" I'm serious. Combination locks aren't a new idea. If applying them would be a good idea, they would have been applied. Sure, they would have been large. But we've seen all sorts of macro solutions to computer security problems: manual switches disconnecting computers from networks (so called "air walls"), physical keys with EEPROM chips inside, vacuum-filled conduit to detect tampering. I haven't seen combination locks, of any size, used in computer security products. Just because Sandia's locks are smaller doesn't make them more applicable. It only makes them smaller.
I'm not trying to say that combination locks the size of microchips aren't a cool idea. My guess is that there are all sorts of clever uses for these things; probably uses in computer security, but uses that we just can't imagine right now. But firewalls and computer access devices...I have trouble seeing it.
The December 98 issue of Dr. Dobb's Journal has a nice article on Twofish. It's available on their web site:
The problem of software piracy is easy to describe, but the development of effective copy protection methods is a very difficult challenge to solve. Software companies want people to buy their product outright; they want to prevent someone from making a copy of a business program worth hundreds of dollars and giving it to his friend.
There are all sorts of solutions -- embedded code in the software that disables copying, code that makes use of non-copyable aspects of the original disk, hardware "dongles" that the software needs to run. But these solutions all suffer from the same basic conceptual flaw: not even the most sophisticated copy protection scheme can stop a determined hacker.
In the hands of Joe Average computer user, any copy protection system works. He can barely copy files by following the directions, let alone defeat even an unsophisticated copy protection scheme.
In the hands of Jane Hacker, however, no copy protection system works. Jane controls her computer. She can run debuggers, reverse-engineer code, analyze the protected program. If she's smart enough, she can go into the software and disable the copy-protection code. The manufacturer can't do a thing to stop her; all it can do is make her task harder. But to Jane, the challenge entices her even more.
There are many Jane Hackers out there who break copy protection systems as a hobby. They hang out on the net, trading illegal software. There are also those who do it for profit. They rip copy-protection code from software applications and resell them on CD-ROM for less than a tenth of the retail price. Wired Magazine ran an article about these people; see the URL below. The lesson is that any copy protection scheme can be broken; the only question is whether it will take a day or a week.
Hacked programs are called "warez," and you can probably collect quite a bit of the stuff yourself just by looking around the Internet. You won't find manuals, but that's what all the computer books are for. Just about everything is available, usually for trade.
The success of software pirates doesn't stop companies from trying to copy protect their programs. And it doesn't stop them from having copy-protection disasters. For example, the 1996 Quake release came on an encrypted CD-ROM: you could try it for free, but had to call and buy the password to unlock the entire game. It was eventually cracked, along with every other popular copy-protected program ever released. Id Software said that they expected the crack to happen eventually, but that it took long enough for the crack to finally appear for them to make enough money anyway.
There are solutions, but they involve recognizing the realities of copy protection and working with them.
1. Sometimes pirates are your friend. Business software companies realized this. People would use pirated software, learn it, get used to it, and eventually get jobs where their employers would buy them a legal copy. Microsoft has said that they are going to ignore pirating in China. Eventually the Chinese will pay for software, and Microsoft wants them all to have already standardized on their products.
2. Sometimes pirates are not your market. It is the rare software pirate that would pay $500 for a high-end graphics program if he could not get a pirated copy. Often, if a pirate can't get it free, he'll do without.
3. Sometimes you can ignore the software and sell the service. Charge for tech support, so pirates are encouraged to buy legitimate copies. Have other goodies for legitimate owners only. Maybe the game can be hacked, but in order to play on-line you need to be a registered owner.
4. Sometimes the hardware saves you. The discussion above really only applies to programs running on general-purpose hardware. If you're building a set-top box, for example, things are a lot easier. There are no casual pirates; anyone who is going to hack your system is going to need a lab and test equipment. Just make sure he can't resell his solution. Nobody cares if a hacker spends a month in his basement and comes up with a pirate satellite TV decoder. Let him watch all he can. But if he can post an easy-to-run computer program that lets everyone get free satellite television -- that's a problem.
For most software products, copy protection irritates legitimate users more than it prevents pirating. But for some products it makes sense. It raises the bar high enough to keep the honest honest. Nothing will keep the expert hackers out, so the only workable solution is to design your systems with this in mind.
Next month we'll talk about digital watermarking: copy-protecting content.
Wired Magazine's "Warez Wars":
I think Bruce raises some interesting and valuable points in the Oct 15th edition of Crypto-Gram, but the negative conclusions he draws from the insights are too much like throwing the baby out with the bathwater. He's correct that:
1) Steganography software could make a pile of GIF images look suspicious if the police found them on your disk.
2) The sudden change in message format could alert a smart eavesdropper.
3) You need to be careful with reusing your pictures.
But I think these criticisms are equivalent to:
a) Cryptography software could make a pile of random numbers look suspicious if the police found them together on your disk.
b) Sending an encrypted message with PGP tags could alert a smart eavesdropper that there's secret communication.
c) You need to be careful about reusing your keys.
There's no absolute security in either the realm of cryptography or steganography. Good attackers can poke holes in crypto systems and steganographic systems. The goal is to make it as hard as possible to do this.
I actually get a fair number of GIF images in the mail from friends. They're usually cartoons or goofball things. Most people don't run an SMTP server on their desk so they don't care about bandwidth or load. They just send them away.
It is also important to realize that steganography is not a thin veil that can be pierced if someone merely suspects that the data is there. Most steganographic systems include keys and I contend that the keys make it difficult for an eavesdropper to get at the message. Consider this scenario. I send Bruce a picture of my sister's wedding. (I've gotten many pictures of people's kids. My mother takes thirty photos in a weekend. They're common.) Deep in the NSA alarm bells go off. No one's ever sent Schneier a picture before. So they start taking it apart. If the NSA is lucky, the picture is 8k bytes long and I've used every single one of the least significant bits to encode a 1k ASCII message. In reality, the message is probably much smaller than 1/8th the size. It is standard practice to use a key to drive a pseudorandom number generator to choose a subset of the pixels to hide the message. I'm sure there are statistical attacks against this that leverage knowledge of the pseudorandom number generator and what not, but I contend that they're not something that can be accomplished from scratch in a day or two.
There are usually a few other layers thrown on top. It is common practice to compress the message and even encrypt it before storing it in the least significant bits. Then the entire communication is protected by the strength of cryptography AND steganography.
Bruce is correct that you need to be careful about reusing pictures. That's not a big problem for most of us. There's a lot of content floating around the Net and there's more being generated every day. Someone sent a 2 megabyte movie the other day which I just deleted from my mail spool because it took up too much space.
Sure, steganography is not as easy as falling off a logarithm. But I still think it is a perfectly good tool for people in oppressive regimes. What other choice do people have? I think it's a great tool for non-oppressive regimes. The Customs service in England claims the right to search your laptop AND the right to demand the encryption key. What choice do you have if you don't want the British government (which competes directly in some arenas) to know the details on your laptop?
With a few reasonable precautions, the message can be hidden pretty well. There are plenty of digital cameras out there that cost very little. It's easy to generate new content galore! Many people send snapshots back and forth. Many folks send voice files now with their messages. Many folks send the art of children.
(Peter Wayner is the author of _Disappearing_Cryptography_, a book on steganography.)
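The keyed pixel selection described in the steganography piece above, as an added example that is not code from the newsletter, from Peter Wayner, or from any steganography tool. Assumptions made here: HMAC-SHA256 ranking stands in for the key-driven pseudorandom number generator, a 2-byte length header frames the payload, the message is compressed but the encryption layer is left out, and the 8k-byte cover is constructed rather than a real image.

```python
import hashlib
import hmac
import zlib

def keyed_order(key: bytes, cover_len: int) -> list[int]:
    """Keyed pseudorandom permutation of cover indices: rank each by HMAC-SHA256."""
    def rank(i: int) -> bytes:
        return hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return sorted(range(cover_len), key=rank)

def embed(cover: bytes, key: bytes, message: bytes) -> bytes:
    """Hide the compressed message in the LSBs of key-selected cover bytes."""
    payload = zlib.compress(message)
    framed = len(payload).to_bytes(2, "big") + payload  # assumed 2-byte length header
    if len(framed) * 8 > len(cover):
        raise ValueError("message too large: capacity is one bit per cover byte")
    order = keyed_order(key, len(cover))
    stego = bytearray(cover)
    for n in range(len(framed) * 8):
        bit = (framed[n // 8] >> (7 - n % 8)) & 1
        stego[order[n]] = (stego[order[n]] & 0xFE) | bit
    return bytes(stego)

def extract(stego: bytes, key: bytes) -> bytes:
    """Recover the message; ValueError if the key is wrong or nothing is hidden."""
    if len(stego) < 16:
        raise ValueError("cover too small to hold a length header")
    order = keyed_order(key, len(stego))

    def read(first_bit: int, n_bytes: int) -> bytes:
        out = bytearray(n_bytes)
        for n in range(n_bytes * 8):
            out[n // 8] = (out[n // 8] << 1) | (stego[order[first_bit + n]] & 1)
        return bytes(out)

    length = int.from_bytes(read(0, 2), "big")
    if (2 + length) * 8 > len(stego):
        raise ValueError("implausible length header")
    try:
        return zlib.decompress(read(16, length))
    except zlib.error as exc:
        raise ValueError("payload does not decompress") from exc

def changed_bytes(cover: bytes, stego: bytes) -> int:
    """Count the cover bytes that embedding altered."""
    return sum(a != b for a, b in zip(cover, stego))

# Constructed 8k-byte cover standing in for image sample data.
COVER = hashlib.shake_256(b"constructed cover").digest(8192)

if __name__ == "__main__":
    stego = embed(COVER, b"shared key", b"meet at noon")
    print(extract(stego, b"shared key"), changed_bytes(COVER, stego), "of", len(COVER))
```

Without the key an examiner sees only a small number of low-order bit changes scattered across the cover and cannot tell which positions to read, or in what order.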
To subscribe, visit http://www.schneier.com/crypto-gram.html or send a blank message to firstname.lastname@example.org. Back issues are available at http://www.schneier.com. To unsubscribe, visit http://www.schneier.com/crypto-gram-faq.html.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of Applied Cryptography, and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.
Counterpane Systems is a five-person consulting firm specializing in cryptography and computer security. Counterpane provides expert consulting in design and analysis, implementation and testing, threat modeling, product research and forecasting, classes and training, intellectual property, and export consulting. Contracts range from short-term design evaluations and expert opinions to multi-year development efforts.