Security Basics mailing list archives
RE: Re[2]: MS in information security
From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 28 Feb 2006 10:25:43 +1100
Hi Vladimir, I am sorry, but I do not find your first sentance clear and I am not sure what you stating. In answer to cryptography being everything: Kerckhoff's Principle, "The security of a cryptosystem must not depend on the secrecy of the system used. Rather, the security of a cryptosystem may depend only on the secrecy of the keys used." (Jea Guillaume Hubert Victor Francois Alexandre Auguste Kerckhoffs von Nieuwenhof (1835 to 1903) in La cryptographie militaire). A systems security is only ever as safe as the security of the keys. This leads us to a number of issues: 1 Personal - people can compromise any crypto system either intentionally or not. Trust in the tools alone is a good way to be compromised. 2 No algorithim is perfect, they all have a defined life and expected time to compromise. This time function is also time dependant as crack times decrease as a function of time to an inverse exponential degree. Next there is the fact that it is possible to make a "secure system" without crypto. By securing a private fibre link between two offices using all methods of ensuring that the line is not tapped etc it is possible to make a fairly secure point to point link. The alternative is to encrypt the nodes over a less secure and less costly media. The level of security using any crypto is going to be less in this manner as the security again goes to the security of the keys which are easier to attack becasue of people than a burried fibre line (excluding attack by back-hoe). Crypto is a compromise due to cost. All be if often a good one, it is still a security comprmise. Think of the BEST crypto system, the time to crack creates a cost to crack. When this becomes prohibitive there are other means to compromise the system (ie Security is a RISK function). It is no good to place more expenditure to the protection than the value of the information (cases of life threatening attacks are excluded from this arguement and would be dealt with separately). This is not economic. So if you have information worth $1,000,000 and THE BEST crypto system costing all of that - there is still a way to compromise it. Find an engineer who will accept $250,000 to give you the keys (and it is not likely to cost this much). Thus the best crypto system is compromised without effort. As stated, crypto is but one tool in a toolbox Regards, Craig -----Original Message----- From: Vladimir B. Kropotov [mailto:slyman2000 () Mail ru] Sent: Mon 27/02/2006 10:39 PM To: Craig Wright Cc: security-basics () securityfocus com Subject: Re[2]: MS in information security Hi Craig. CW> Although the maths is useful to have and I will never tell CW> anyone not to study, it is in this case not a part of the answer. CW> Security is not just about crypto. Unfortunately in year 2000 I was amazing, that crypto is the Only way to real security, but now I agree with this opinion. Only cryptography suppose absolutelly open information about all, but encryption keys. You can get all - hardware. storage devices, traffic, files, etc. But you will take NOTHING. Another security measures is like an additional wall, you can jump over the wall, you can brake it, and get control on protected system. Security without cryptography is a kind of superficial glance to security, only Cryptography is real base for Real security. Regards Vladimir Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
Current thread:
- RE: MS in information security, (continued)
- RE: MS in information security Craig Wright (Feb 06)
- RE: MS in information security Craig Wright (Feb 06)
- Re[2]: MS in information security Vladimir B. Kropotov (Feb 27)
- Re: MS in information security student (Feb 06)
- RE: MS in information security Bob Radvanovsky (Feb 06)
- Re: RE: MS in information security null_anonymous (Feb 07)
- Re: RE: MS in information security harashid (Feb 07)
- Re: RE: MS in information security Jonathan Loh (Feb 09)
- Re: Re: RE: MS in information security student (Feb 08)
- Re: Re: RE: MS in information security deepakjmanohar (Feb 13)
- RE: Re[2]: MS in information security Craig Wright (Feb 28)