Essays in the Category "Computer and Information Security"

Page 28 of 30

The 1998 Crypto Year-in-Review

  • Bruce Schneier
  • Information Security
  • December 19, 1998

1998 was an exciting year to be a cryptographer, considering all the developments in algorithms, attacks and politics. At first glance, the important events of the year seem completely unrelated: done by different people, at different times and for different reasons. But when we step back and reflect on the year-that-was, some common threads emerge — as do important lessons about the evolution and direction of cryptography.

New Algorithms

In June, the NSA declassified KEA and Skipjack. KEA is a public-key Key Exchange Algorithm, while Skipjack is a block cipher first used in the ill-fated Clipper Chip. The NSA wanted Fortezza in software, and the only way they could get that was to declassify both algorithms…

WORD IN EDGEWISE: Scrambled Message

Key recovery is like trying to fit a square peg into a round hole. No matter how much you finagle it, it's simply not going to work.

  • Bruce Schneier
  • Information Security
  • October 19, 1998

In the September issue of Information Security, Commerce Undersecretary William Reinsch suggests that U.S. crypto export policy hinges on the concept of “balance” (Q&A: “Crypto’s Key Man”).

For key recovery policy to be successful, he argues, it must achieve a balance between privacy and access, between the needs of consumers and the requirements of the law-enforcement community.

For those who have followed the key recovery debate, Reinsch’s comments will have a familiar ring. Ever since the Clipper chip first made headlines in 1993, the crypto community has debated the notion of key recovery (or key escrow, or data recovery, or trusted third party or any other marketing term used to describe the same concept)…

The Crypto Bomb Is Ticking

  • Bruce Schneier
  • Byte
  • May 1998

Today’s faster, less expensive computers can crack current encryption algorithms easier than ever before. So what’s next?

Cryptographic algorithms have a way of degrading over time. It’s a situation that most techies aren’t used to: Compression algorithms don’t compress less as the years go by, and sorting algorithms don’t sort slower. But encryption algorithms get easier to break; something that sufficed three years ago might not today.

Several things are going on. First, there’s Moore’s law. Computers are getting faster, better networked, and more plentiful. The table “Cracking for Dollars” on page 98 illustrates the vulnerability of encryption to computer power. Cryptographic algorithms are all vulnerable to brute force–trying every possible encryption key, systematically searching for hash-function collisions, factoring the large composite number, and so forth–and brute force gets easier with time. A 56-bit key was long enough in the mid-1970s; today that can be pitifully small. In 1977, Martin Gardner wrote that 129-digit numbers would never be factored; in 1994, one was…

The Secret Story of Nonsecret Encryption

  • Bruce Schneier
  • Dr. Dobb's Journal
  • April 1998

GCHQ, the British equivalent of the U.S. NSA, released a document on December 1 1997, claiming to have invented publickey cryptography several years before it was discovered by the research community (http://www.cesg.gov.uk/ellisint.htm). According to the paper, GCHQ discovered both RSA and Diffie-Hellman, then kept their discoveries secret.

James Ellis the author of the paper (who died a few days before the paper’s release), wrote that he was inspired by an unknown Bell Telephone labs researcher during World War II. This researcher had the idea that a receiver could inject noise onto a communications circuit and effectively drown out any signal. An eavesdropper would only hear the noise, but the receiver could subtract the noise and recover the signal. The interesting idea here is that the sender doesn’t have to know any encryption “key” to send a secret message to the receiverthe receiver does all the work. (This is essentially what ech(>cancelling modems do; they scream at each other along the same line, and subtract out their own signal when they listen for the other.) This was promptly classified by the Li.S. government…

Security for Remote Access VPNs Must Be Simple

  • Bruce Schneier
  • Network World
  • March 2, 1998

Unlike site-to-site VPNs, where remote offices are hard-wired to a central facility firewall, remote access VPNs are fraught with security problems. Much of the security consists of trusted passwords that traveling workers use on their notebook computers.

To be effective, a VPN’s security implementation must be user-friendly while not penalizing your enterprise in other ways, such as by degrading network performance or compromising corporate control of the remote access network.

Think of the lock on the front door of your home. It certainly is easy to use, and it doesn’t force you to endure undue hardship to install, maintain or control…

Click Here to Bring Down the Internet

  • Bruce Schneier
  • 1998

The Internet is fragile, rickety. It is at the mercy of every hacker and cracker. In recent Congressional testimony, hackers from the L0pht boasted that they could bring down the Internet in under 30 minutes. Should we be concerned?

In almost every area, those with the expertise to build our social infrastructure also have the expertise to destroy it. Mark Loizeaux is President of Controlled Demolitions, Inc.; he blows up buildings for a living. He’s quoted in the July 1997 Harper’s Magazine: “We could drop every bridge in the United States in a couple of days…. I could drive a truck on the Verrazano Narrows Bridge and have a dirt bike on the back, drop that bridge, and I would get away. They would never stop me.” Ask any doctor how to poison someone untraceably, and he can tell you. Ask someone who works in aircraft maintenance how to knock a 747 out of the sky, and he’ll know. The Internet is no different…

Security Pitfalls in Cryptography

  • Bruce Schneier
  • Information Management & Computer Security
  • 1998

French translation

Magazine articles like to describe cryptography products in terms of algorithms and key length. Algorithms make good sound bites: they can be explained in a few words and they’re easy to compare with one another. “128-bit keys mean good security.” “Triple-DES means good security.” “40-bit keys mean weak security.” “2048-bit RSA is better than 1024-bit RSA.”

But reality isn’t that simple. Longer keys don’t always mean more security. Compare the cryptographic algorithm to the lock on your front door. Most door locks have four metal pins, each of which can be in one of ten positions. A key sets the pins in a particular configuration. If the key aligns them all correctly, then the lock opens. So there are only 10,000 possible keys, and a burglar willing to try all 10,000 is guaranteed to break into your house. But an improved lock with ten pins, making 10 billion possible keys, probably won’t make your house more secure. Burglars don’t try every possible key (a brute-force attack); most aren’t even clever enough to pick the lock (a cryptographic attack against the algorithm). They smash windows, kick in doors, disguise themselves as policemen, or rob keyholders at gunpoint. One ring of art thieves in California defeated home security systems by taking a chainsaw to the house walls. Better locks don’t help against these attacks…

The Challenge of Cryptography

  • Bruce Schneier
  • Software Magazine
  • November 1997

Never underestimate the time and effort attackers will expend to thwart your security systems.These days, security is on the minds of anyone involved in building or using information systems. After all, every form of commerce has had its share of fraud, from farmers rigging their weight scales to counterfeiters passing off phony currency. Electronic commerce is no exception, with fraud taking the form of forgery, misrepresentation, and denial of service. And it doesn’t stop with electronic transactions. There are privacy breaches, with competitors intercepting communications, and electronic vandalism, with attackers destroying Web pages and mail-bombing ISPs. It seems threats are coming from everywhere…

Cryptography, Security and the Future

  • Bruce Schneier
  • Communications of the ACM
  • January 1997

French translation

From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today’s information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. It can protect your anonymity or prove your identity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital…

Why Cryptography Is Harder Than It Looks

  • Bruce Schneier
  • Information Security Bulletin
  • 1997

From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today’s information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. It can prove your identity or protect your anonymity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital…

Sidebar photo of Bruce Schneier by Joe MacInnis.