Why Cryptography is Harder Than It Looks - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

Why Cryptography is Harder Than It Looks

Description:

Why Cryptography is Harder Than It Looks Written by Bruce Schneier Presented by Heather McCarthy Software Systems Security CS 551 Outline Threats to Computer Systems ... – PowerPoint PPT presentation

Number of Views:77
Avg rating:3.0/5.0
Slides: 15
Provided by: ITCL151
Category:

less

Transcript and Presenter's Notes

Title: Why Cryptography is Harder Than It Looks


1
Why Cryptography is Harder Than It Looks
  • Written by Bruce Schneier
  • Presented by Heather McCarthy
  • Software Systems Security
  • CS 551

2
Outline
  • Threats to Computer Systems
  • Methods of Entry
  • What Cryptography Can Cant Do
  • Security Dependencies
  • Threat Models
  • System Design
  • Implementation
  • Human Factor

3
Introduction
  • Cryptography is essential
  • Current cryptography is not as strong as it
    claims to be
  • Cannot be an afterthought
  • Difficult to identify strong products
  • Wastes money
  • Present computer security systems will not
    withstand attacks for very long

4
Threats to Computer Systems
  • Types of Threats
  • Fraud in Electronic Commerce
  • Forgery
  • Impersonation
  • Denial of Service
  • Cheating
  • Privacy Violations
  • Targeted vs. broad data harvesting attacks
  • Electronic Vandalism
  • Vandals ROUTINELY break into networked computer
    systems

5
Threats to Computer Systems
  • Characteristics of Threats
  • Opportunistic
  • Often, security need only be relative to thwart
    an attack
  • Motivation of attackers
  • Vast knowledge and free time
  • Few financial resources and / or vendetta

6
Methods of Entry
  • Not through typical doorway
  • Steal technical data
  • Bribe insiders
  • Modify software
  • Collude
  • Summary
  • Easy to attack an automated system
  • Need only find one of many weaknesses to gain
    access

7
What Cryptography Can and Cant Do
  • Security is never guaranteed entirely
  • A good system balances actual failures against
    potential failures
  • Non-invasive attacks CAN be totally prevented
  • Targeted attacks can only be withstood up to a
    point
  • The problems with cryptography are not in the
    algorithms and protocols, but the implementation
  • Weakness are found at human interaction level

8
Security Dependencies
  • Security is a chain
  • Cryptography is rarely broken through the
    mathematics
  • Finding flaws is difficult and tedious
  • No test can prove the absence of flaws

9
Threat Models
  • In other words, understanding what to protect
    against
  • What system protects
  • From whom
  • For how long
  • Must take into consideration intended and
    unintended users
  • Often designers dont work to build accurate
    threat models

10
System Design
  • Scientific
  • Requires many fields of mathematics
  • Extensive peer review
  • Years of analysis
  • Art
  • Needs a balance between conflicting goals
  • Security vs. Accessibility
  • Anonymity vs. Accountability
  • Privacy vs. Availability
  • Intuition

11
Implementation
  • Cryptographic algorithms are only part of the
    chain
  • Exact
  • A GUI must be as strong as the protocols
  • Unfortunately, this facet is often overlooked
    because it is not technically interesting
  • Method of Design Make, Break, Repeat

12
The Human Factor
  • Insiders commit most fraud
  • Honest users cause problems because they dont
    care about security
  • Users needs must be considered in order to build
    a smoothly operating system

13
Current State of Security
  • No good way to compare systems
  • Magazines list features instead of evaluating
    their security
  • Marketing lies
  • Secrecy paves the way for breaches
  • Thank goodness for CERT
  • Laws only cure the symptoms, not the cause of
    security failures
  • Average lifetime Five years

14
Conclusion
  • Assume the worst
  • Make, Break, Repeat
  • Leave a margin for error
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com