Secure Coding mailing list archives
Question about the terms "encypt" and "secure"
From: drwachd at sandia.gov (Wachdorf, Daniel R)
Date: Mon, 6 Mar 2006 08:04:11 -0700
I think it's important to understand the difference between encryption and security (or being secure). Encryption is a tool, being secure is a state. Think of encryption as a lock on a door. Putting a lock on a door doesn't necessarily make your house any more secure. If you leave your windows open or leave your key under the doormat you're not really any more secure. Even if you don't leave your windows open and have a key lying around, someone can always break the door down or force themselves in as you enter or exit.

Encryption functions much the same way - it's a tool. If used properly, it can help to secure your system. Unfortunately, using encryption rarely translates into having a secure system.

WEP, the first wireless encryption protocol, has been vulnerable for a long time (it's pretty much worthless). WPA, the successor to WEP, is also vulnerable to attack if you have a weak encryption key. Even if you were sure that the protocol to encrypt your networks works, an attacker could try to steal the key or brute force it. Then there is the issue of client security - which brings up a whole different set of security problems.

Clicking on a few check boxes and setting a key to a wireless network may encrypt the traffic between the clients and the WAP, but that doesn't mean your network is any more secure.

-dan

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of William L. Anderson
Sent: Sunday, March 05, 2006 10:35 AM
To: Secure Coding Mailing List
Subject: [SC-L] Question about the terms "encypt" and "secure"

Today's NYTimes has an article about "piggybacking" on open wireless networks and what some people think about it and what some are doing about it.

The link is: http://www.nytimes.com/2006/03/05/technology/05wireless.html (subscription may be req'd)

One question popped up for me when I read the following sentence:

"For the Brodeurs in Los Angeles, a close reading of their network's manual helped them to finally encrypt their network."

My question is whether it's more accurate to say "secure their network" rather than "encrypt". I'm not clear myself about the meaning of these terms; I think of encryption as being one way to make a network secure. And if there is a substantive difference in these terms, then I'd like to understand it.

I believe that a better understanding of security would help ordinary users take more secure actions. I'm an optimist.

-Bill Anderson