Why is Cryptography Hard? Response


David James

ITEC 6323


Why is Cryptography Hard?


After reading this essay I find myself smiling and nodding at the last paragraph.
It simply states one of the most universal and fundamental truths of any attempt at
computer security:

“History has taught us: never underestimate the amount of money, time, and effort
someone will expend to thwart a security system.”

Bruce Schneier

In short, if a user is aware of the security measures put in place, then they will try to get
around them. We all deal every day with users that have a zero-length password, or
complain loudly when they have to change their passwords once every 90 days, or write
their passwords down on a Post-It and stick it to their monitor. (Begin pulling out
hair here.)

The second problem is the general perception of security among developers and
network managers: that it is something that can be bolted on afterwards and still work (à la
Microsoft). As my esteemed instructor says, “There is no point in putting a bank vault
on a tent.”

SO! Solutions.

Starting with users. Tight security requires several layers of physical
and cryptographic authentication, designed in such a way that the users are not aware that
they are even being authenticated. An example might be a smart card coupled with an
encrypted password or biometric authentication. The hard drive would then be tied to the
security system and secured with hardware encryption that would be totally useless to
anyone who didn’t have the card and biometric. Simple measures like encryption of hard
drives would stop a lot of the false O/S booting used to obtain critical files. Endpoint
encryption is what is necessary for the vast majority of physical assets, since it tends to be
almost completely transparent to the users.

As to the mention of online commerce, strong controls are only the first step to
safe shopping. A control that would make it much more difficult to sniff or ‘man in the
middle’ an e-commerce site would be strong cryptography for each and every site
visitor, keyed individually to that user (akin to an HTTPS connection?), for their
whole site visit rather than just their checkout session. Whatever it is, security with
encryption has to be totally transparent to the user and built in to the very fabric of
the web site rather than bolted on as an afterthought.
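The "whole site visit" idea above is what site-wide TLS gives you: every visitor already negotiates a fresh per-session key with the server, so the remaining work is making sure no part of the visit ever happens in plaintext. The following nginx fragment is an added illustration, not part of the essay or of any particular shop's deployment; the hostname, certificate paths and backend address are placeholders.

```nginx
# Added example (not from the original essay): serve the entire shop over TLS,
# not just the checkout pages. shop.example.com, the certificate paths and the
# 127.0.0.1:8080 backend are placeholders.
server {
    listen 80;
    server_name shop.example.com;
    # Any plaintext request is redirected, so the browsing part of the visit
    # is never exposed to passive sniffing or an on-path attacker.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name shop.example.com;

    ssl_certificate     /etc/ssl/certs/shop.example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/private/shop.example.com.key;           # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: returning browsers go straight to HTTPS for a year, so the
    # unencrypted redirect above is only ever hit on the very first visit.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # The session cookie is only sent over HTTPS and is hidden from page scripts,
    # so the "whole visit" session cannot leak back onto a plaintext channel.
    # (proxy_cookie_flags requires nginx 1.19.3 or newer.)
    proxy_cookie_flags ~ secure httponly samesite=lax;

    location / {
        proxy_pass http://127.0.0.1:8080;   # the shop application, placeholder
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The point for the user is exactly the transparency the essay asks for: nothing here requires them to do anything, the redirect and HSTS header make the encrypted path the only path, and the cookie flags keep the session tied to that path from the first page view to the receipt.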