mailing list archives
RE: Re: MS in information security
From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 28 Feb 2006 10:25:43 +1100
I am sorry, but I do not find your first sentance clear and I am not sure what you stating.
In answer to cryptography being everything:
Kerckhoff's Principle, "The security of a cryptosystem must not depend on the secrecy of the system used. Rather, the
security of a cryptosystem may depend only on the secrecy of the keys used." (Jea Guillaume Hubert Victor Francois
Alexandre Auguste Kerckhoffs von Nieuwenhof (1835 to 1903) in La cryptographie militaire).
A systems security is only ever as safe as the security of the keys. This leads us to a number of issues:
1 Personal - people can compromise any crypto system either intentionally or not. Trust in the tools alone is a good
way to be compromised.
2 No algorithim is perfect, they all have a defined life and expected time to compromise. This time function is also
time dependant as crack times decrease as a function of time to an inverse exponential degree.
Next there is the fact that it is possible to make a "secure system" without crypto. By securing a private fibre link
between two offices using all methods of ensuring that the line is not tapped etc it is possible to make a fairly
secure point to point link. The alternative is to encrypt the nodes over a less secure and less costly media. The level
of security using any crypto is going to be less in this manner as the security again goes to the security of the keys
which are easier to attack becasue of people than a burried fibre line (excluding attack by back-hoe).
Crypto is a compromise due to cost. All be if often a good one, it is still a security comprmise.
Think of the BEST crypto system, the time to crack creates a cost to crack. When this becomes prohibitive there are
other means to compromise the system (ie Security is a RISK function). It is no good to place more expenditure to the
protection than the value of the information (cases of life threatening attacks are excluded from this arguement and
would be dealt with separately). This is not economic.
So if you have information worth $1,000,000 and THE BEST crypto system costing all of that - there is still a way to
compromise it. Find an engineer who will accept $250,000 to give you the keys (and it is not likely to cost this much).
Thus the best crypto system is compromised without effort. As stated, crypto is but one tool in a toolbox
From: Vladimir B. Kropotov [mailto:slyman2000 () Mail ru]
Sent: Mon 27/02/2006 10:39 PM
To: Craig Wright
Cc: security-basics () securityfocus com
Subject: Re: MS in information security
CW> Although the maths is useful to have and I will never tell
CW> anyone not to study, it is in this case not a part of the answer.
CW> Security is not just about crypto.
Unfortunately in year 2000 I was amazing, that crypto is the Only way
to real security, but now I agree with this opinion.
Only cryptography suppose absolutelly open information about all, but
encryption keys. You can get all - hardware. storage devices, traffic,
files, etc. But you will take NOTHING.
Another security measures is like an additional wall, you can jump
over the wall, you can brake it, and get control on protected system.
Security without cryptography is a kind of superficial glance to
security, only Cryptography is real base for Real security.
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within
those States and Territories of Australia where such legislation exists.
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may not rely on this message as advice
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by
a Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference,
interception, corruption or unauthorised access.
- RE: MS in information security, (continued)