The Challenge of Cryptography

By Bruce Schneier
Software Magazine
November 1997

Never underestimate the time and effort attackers will expend to thwart your security systems.These days, security is on the minds of anyone involved in building or using information systems. After all, every form of commerce has had its share of fraud, from farmers rigging their weight scales to counterfeiters passing off phony currency. Electronic commerce is no exception, with fraud taking the form of forgery, misrepresentation, and denial of service. And it doesn't stop with electronic transactions. There are privacy breaches, with competitors intercepting communications, and electronic vandalism, with attackers destroying Web pages and mail-bombing ISPs. It seems threats are coming from everywhere.

When security safeguards aren't adequate, trespassers run little risk of getting caught. They can attack a system using techniques the designers never even considered. They steal data, bribe insiders, modify software, and collude.

The odds favor these attackers. Bad guys have more to gain by thoroughly examining a system than the good guys do. Defenders must protect against every possible vulnerability, but an attacker need only find one security flaw to compromise the whole system.

While no one can guarantee 100% security, cryptography can help significantly. The good news is that we already have the algorithms and protocols we need to secure our systems; the bad news is that implementing the protocols successfully requires considerable expertise. More often than not, businesses fail to catch these subtleties and implement insecure algorithms and protocols. The areas of security with which people interact -- key management, human/computer interface security, access control -- often defy analysis. And the disciplines of public-key infrastructure --software security, computer security, network security, and tamper-resistant hardware design -- are very poorly understood.

A good system design starts with developing a threat model: what the system is designed to protect, from whom, and for how long. The threat model must take the entire system into account. This includes the data to be protected, the people who will use the system, and how they will use it. What motivates the attackers? Must attacks be prevented, or can they just be detected?

Threat models allow both product designers and consumers to determine what security measures they need. Can someone inside the company defraud the commerce system? How much would it cost to overcome the tamper-resistance of a smart card? Companies can't design a secure system unless they understand what they're protecting against.

Design work is the mainstay of the science of cryptography, and it's very specialized. Cryptography blends several areas of mathematics: number theory, complexity theory, information theory, probability theory, abstract algebra, and formal analysis. Few can do the science properly, and a little knowledge is a dangerous thing: Inexperienced cryptographers almost always design flawed systems. Nothing substitutes for extensive peer review and years of analysis.

These systems must be implemented perfectly, or they will fail. A poorly designed user interface can make a hard-drive encryption program completely insecure. Under deadline and budget pressures, implementers use bad random- number generators, don't check properly for error conditions, and leave secret information in swap files. Since such mistakes aren't apparent in testing, they end up in finished products.

In the end, many security systems are broken by the people whose organizations they're designed to protect. For example, most fraud against commerce systems is perpetrated by insiders. Then there are the honest users who cause problems because they usually don't care about security -- they choose bad passwords, write them down and leave computers logged on. Security is routinely bypassed by store clerks, top executives, and anyone else who just needs to get the job done.

Any comprehensive system, whether for authenticated communications, secure data storage, or electronic com- merce, will likely remain in use for five years or more. To stay secure, it must be able to withstand future threats. There won't be time to upgrade these systems in the field.

History has taught us to never underestimate the amount of time and effort someone will expend to thwart a security system. It's best to assume the worst. Give yourself a margin for error by implementing more security than you need. When the unexpected happens, you'll be glad you did.

earlier essay: Cryptography, Security, and the Future
later essay: Click Here to Bring Down the Internet
categories: Computer and Information Security
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..