Latest Essays
Page 74
The Secret Story of Nonsecret Encryption
GCHQ, the British equivalent of the U.S. NSA, released a document on December 1 1997, claiming to have invented publickey cryptography several years before it was discovered by the research community (http://www.cesg.gov.uk/ellisint.htm). According to the paper, GCHQ discovered both RSA and Diffie-Hellman, then kept their discoveries secret.
James Ellis the author of the paper (who died a few days before the paper’s release), wrote that he was inspired by an unknown Bell Telephone labs researcher during World War II. This researcher had the idea that a receiver could inject noise onto a communications circuit and effectively drown out any signal. An eavesdropper would only hear the noise, but the receiver could subtract the noise and recover the signal. The interesting idea here is that the sender doesn’t have to know any encryption “key” to send a secret message to the receiverthe receiver does all the work. (This is essentially what ech(>cancelling modems do; they scream at each other along the same line, and subtract out their own signal when they listen for the other.) This was promptly classified by the Li.S. government…
Security for Remote Access VPNs Must Be Simple
Unlike site-to-site VPNs, where remote offices are hard-wired to a central facility firewall, remote access VPNs are fraught with security problems. Much of the security consists of trusted passwords that traveling workers use on their notebook computers.
To be effective, a VPN’s security implementation must be user-friendly while not penalizing your enterprise in other ways, such as by degrading network performance or compromising corporate control of the remote access network.
Think of the lock on the front door of your home. It certainly is easy to use, and it doesn’t force you to endure undue hardship to install, maintain or control…
Security Pitfalls in Cryptography
Magazine articles like to describe cryptography products in terms of algorithms and key length. Algorithms make good sound bites: they can be explained in a few words and they’re easy to compare with one another. “128-bit keys mean good security.” “Triple-DES means good security.” “40-bit keys mean weak security.” “2048-bit RSA is better than 1024-bit RSA.”
But reality isn’t that simple. Longer keys don’t always mean more security. Compare the cryptographic algorithm to the lock on your front door. Most door locks have four metal pins, each of which can be in one of ten positions. A key sets the pins in a particular configuration. If the key aligns them all correctly, then the lock opens. So there are only 10,000 possible keys, and a burglar willing to try all 10,000 is guaranteed to break into your house. But an improved lock with ten pins, making 10 billion possible keys, probably won’t make your house more secure. Burglars don’t try every possible key (a brute-force attack); most aren’t even clever enough to pick the lock (a cryptographic attack against the algorithm). They smash windows, kick in doors, disguise themselves as policemen, or rob keyholders at gunpoint. One ring of art thieves in California defeated home security systems by taking a chainsaw to the house walls. Better locks don’t help against these attacks…
Des chausses-trappes de sécurité en cryptologie
Des articles de périodiques aiment à décrire les produits de cryptologie en termes d’algorithmes et de longueur de clés. Les algorithmes font de bons titres: ils peuvent être expliqués en quelques mots et ils sont faciles à comparer les uns aux autres. “Le triple-DES gage de bonne sécurité”. “Des clés de 40 bits sont une sécurité faible.” ” Le RSA à 2048 bits est meilleur que le RSA à 1024 bits.”
Mais la réalité n’est pas aussi simple. Les clés plus longues ne signifient pas toujours plus de sécurité. Comparez l’algorithme cryptographique au verrou de votre porte d’entrée. La plupart des verrous ont quatre goupilles en métal, qui peuvent prendre chacune dix positions. Une clé place les goupilles dans une configuration particulière. Si la clé les aligne correctement, le verrou s’ouvre. De sorte qu’il n’y a que 10 000 clés possibles, et qu’un cambrioleur prêt à essayer les 10 000 possibilités est sûr d’entrer dans votre maison. Mais un verrou de qualité supérieure à 10 goupilles, qui autorise 10 miliards de clés distinctes, n’améliorera probablement pas la sécurité de votre maison. Des cambrioleurs n’essayent pas toutes les clés (une attaque systématique -“brute-force”); la plupart ne sont pas assez intelligents pour crocheter la serrure (une attaque cryptographique contre l’algorithme). Ils fracassent les fenêtres, donnent des coups de pieds dans les portes, se déguisent en policiers, ou bien dévalisent les détenteurs des clés avec une arme. Un groupe de voleurs en Californie mettait en défaut les systèmes de sécurité en attaquant les murs à la tronçonneuse. Contre ces attaques, de meilleures serrures ne sont d’aucun secours…
Click Here to Bring Down the Internet
The Internet is fragile, rickety. It is at the mercy of every hacker and cracker. In recent Congressional testimony, hackers from the L0pht boasted that they could bring down the Internet in under 30 minutes. Should we be concerned?
In almost every area, those with the expertise to build our social infrastructure also have the expertise to destroy it. Mark Loizeaux is President of Controlled Demolitions, Inc.; he blows up buildings for a living. He’s quoted in the July 1997 Harper’s Magazine: “We could drop every bridge in the United States in a couple of days…. I could drive a truck on the Verrazano Narrows Bridge and have a dirt bike on the back, drop that bridge, and I would get away. They would never stop me.” Ask any doctor how to poison someone untraceably, and he can tell you. Ask someone who works in aircraft maintenance how to knock a 747 out of the sky, and he’ll know. The Internet is no different…
The Challenge of Cryptography
Never underestimate the time and effort attackers will expend to thwart your security systems.These days, security is on the minds of anyone involved in building or using information systems. After all, every form of commerce has had its share of fraud, from farmers rigging their weight scales to counterfeiters passing off phony currency. Electronic commerce is no exception, with fraud taking the form of forgery, misrepresentation, and denial of service. And it doesn’t stop with electronic transactions. There are privacy breaches, with competitors intercepting communications, and electronic vandalism, with attackers destroying Web pages and mail-bombing ISPs. It seems threats are coming from everywhere…
Why Cryptography Is Harder Than It Looks
From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today’s information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. It can prove your identity or protect your anonymity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital…
Cryptography, Security and the Future
From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today’s information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. It can protect your anonymity or prove your identity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital…
Cryptographie, sécurité et l'avenir
Translated by Fernandes Gilbert
Des communications par courrier électronique aux cellulaires, des accès protégés sur Internet à l’argent numérique, la cryptographie est une composante essentielle des systèmes d’information actuels. La cryptographie permet d’obtenir comptabilité, justice, précision et confidentialité. Elle empêche la fraude au sein du commerce électronique et assure la validité des transactions financières. Elle peut protéger votre anonymat ou bien prouver votre identité. Elle peut empêcher des vandales d’altérer votre page Internet et empêcher vos adversaires commerciaux de lire vos documents confidentiels. Et dans l’avenir, à mesure que le commerce et les communications se déplacent vers des machines en réseau, la cryptographie va devenir de plus en plus essentielle…
Protect Your E-Mail
Safeguard your messages today, and prepare for electronic commerce tomorrow
You may have just started using the Internet for your business, but scientists, academics, and computer programmers have been using it for years. It was designed specifically as a public network for sharing information. Because the availability of information was the priority, provisions for data security were not considered essential. But now that you’re sending proprietary business information over the Internet that openness can become a drawback. You need to take steps to protect your communications…
Sidebar photo of Bruce Schneier by Joe MacInnis.