Secure Coding mailing list archives

Question about the terms "encypt" and "secure"


From: drwachd at sandia.gov (Wachdorf, Daniel R)
Date: Mon, 6 Mar 2006 08:04:11 -0700

I think it's important to understand the difference between encryption
and security (or being secure).  Encryption is a tool; being secure is a
state.

Think of encryption as a lock on a door.  Putting a lock on a door
doesn't necessarily make your house any more secure.  If you leave your
windows open or leave your key under the doormat you're not really any
more secure.  Even if you don't leave your windows open and have a key
lying around, someone can always break the door down or force
themselves in as you enter or exit.  Encryption functions much the same
way - it's a tool.  If used properly, it can help to secure your system.


Unfortunately, using encryption rarely translates into having a secure
system.  WEP, the first wireless encryption protocol, has been
vulnerable for a long time (it's pretty much worthless).  WPA, the
successor to WEP, is also vulnerable to attack if you have a weak
encryption key.  Even if you were sure that the protocol to encrypt your
networks works, an attacker could try to steal the key or brute force
it.  Then there is the issue of client security - which brings up a
whole different set of security problems.  

Clicking on a few check boxes and setting a key to a wireless network
may encrypt the traffic between the clients and the WAP, but that
doesn't mean your network is any more secure.  

-dan

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of William L. Anderson
Sent: Sunday, March 05, 2006 10:35 AM
To: Secure Coding Mailing List
Subject: [SC-L] Question about the terms "encypt" and "secure"

Today's NYTimes has an article about "piggybacking" on open wireless
networks and what some people think about it and what some are doing
about it. The link is:
http://www.nytimes.com/2006/03/05/technology/05wireless.html
(subscription may be req'd)

One question popped up for me when I read the following sentence:

"For the Brodeurs in Los Angeles, a close reading of their network's
manual helped them to finally encrypt their network."

My question is whether it's more accurate to say "secure their network"
rather than "encrypt". I'm not clear myself about the meaning of these
terms; I think of encryption as being one way to make a network secure.

And if there is a substantive difference in these terms, then I'd like
to understand it. I believe that a better understanding of security
would help ordinary users take more secure actions. I'm an optimist.

-Bill Anderson





