Information Security News mailing list archives

Re: they should have used crypto...


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Tue, 7 Dec 1999 11:09:36 -0700

Reply From: Hal Lockhart <Hal.Lockhart () storagenetworks com>

Dan has put his finger on a vexing issue, but his logic is flawed.

From: Dan Schrader <Dan_Schrader () trendmicro com>

Steven M. Bellovin wrote:

Naturally, those of us on this list advocate routine use of
cryptography.

Actually, routine use of cryptography will result in huge
security problems.

Why?  Because the best place to stop computer viruses, trojans and other
malicious code is at the email server - and you can't scan encrypted mail.

We will assume that the fact that he works for a company that produces
anti-malware has not affected his judgement, but merely caused him to
think about this issue more than most folks. ;-)

Certainly his suggestion has more merit than the other alternative I've
heard proposed -- namely putting a master or escrow key out in the
firewall or boundary router so messages and attachments can be decrypted
and inspected on the fly.

However, his approach is unlikely to be very effective. Keep in mind that
if we encrypt selectively, the decision to encrypt or not is made by the
sender. There are two cases.

1. The virus comes from an innocent user who is not aware that the
document is infected. In this case, how does the user decide? Security
good practice suggests that documents which are more confidential should
be encrypted (proportionality principle). [Yes, I know that this is
contrary to the Zimmerman/Bellovin/Cypherpunks view.] But what other basis
does the user have to decide? If not level of confidentiality, what
criterion should be used? Anyway, if it is, for example, a Word macro
virus, all the user's files will be infected.

Perhaps you say, certain careless users should not be permitted to encrypt
anything. But speaking for someone who spent years consulting with large
corporations, the senior executives who carry the most critical company
secrets around on their laptops are the ones most likely to be careless in
administering their systems, updating their software, etc.

Finally, the modern style of worm which reads the address book and sends
poisoned email to your friends and coworkers will easily be able to use
the encryption facilities you use.

2. The virus comes from the author or other person of evil intent.
Obviously this tactic will work for a time, but if it is possible to send
your company encrypted email at all, the attacker will be able to do so if
he or she chooses. However, this forces the company to abandon a major
protection in dealing with outside business partners, etc. In any event, I
suspect that this case is vanishingly small compared to case 1.

What is the answer? I don't know. I suspect there is no completely
satisfactory solution, but a series of partial measures.

Hal

===========================================================
Harold W. Lockhart Jr.             StorageNetworks, Inc.
Voice: 781-434-6741                100 Fifth Avenue
Fax:   781-434-6799                Waltham, MA 02451
hal.lockhart () storagenetworks com   www.storagenetworks.com
===========================================================

ISN is sponsored by Security-Focus.COM

