RE: Re[2]: MS in information security

["Craig Wright" <cwright () bdosyd com au>]

Hi Vladimir,
I am sorry, but I do not find your first sentance clear and I am not sure what you stating.
 
In answer to cryptography being everything:
 
Kerckhoff's Principle, "The security of a cryptosystem must not depend on the secrecy of the system used. Rather, the 
security of a cryptosystem may depend only on the secrecy of the keys used." (Jea Guillaume Hubert Victor Francois 
Alexandre Auguste Kerckhoffs von Nieuwenhof (1835 to 1903) in La cryptographie militaire).
 
A systems security is only ever as safe as the security of the keys. This leads us to a number of issues:
1   Personal - people can compromise any crypto system either intentionally or not. Trust in the tools alone is a good 
way to be compromised.
2   No algorithim is perfect, they all have a defined life and expected time to compromise. This time function is also 
time dependant as crack times decrease as a function of time to an inverse exponential degree.
 
Next there is the fact that it is possible to make a "secure system" without crypto. By securing a private fibre link 
between two offices using all methods of ensuring that the line is not tapped etc it is possible to make a fairly 
secure point to point link. The alternative is to encrypt the nodes over a less secure and less costly media. The level 
of security using any crypto is going to be less in this manner as the security again goes to the security of the keys 
which are easier to attack becasue of people than a burried fibre line (excluding attack by back-hoe).
 
Crypto is a compromise due to cost. All be if often a good one, it is still a security comprmise.
 
Think of the BEST crypto system, the time to crack creates a cost to crack. When this becomes prohibitive there are 
other means to compromise the system (ie Security is a RISK function). It is no good to place more expenditure to the 
protection than the value of the information (cases of life threatening attacks are excluded from this arguement and 
would be dealt with separately). This is not economic.
 
So if you have information worth $1,000,000 and THE BEST crypto system costing all of that - there is still a way to 
compromise it. Find an engineer who will accept $250,000 to give you the keys (and it is not likely to cost this much).
 
Thus the best crypto system is compromised without effort. As stated, crypto is but one tool in a toolbox
 
Regards,
Craig

        -----Original Message----- 
        From: Vladimir B. Kropotov [mailto:slyman2000 () Mail ru] 
        Sent: Mon 27/02/2006 10:39 PM 
        To: Craig Wright 
        Cc: security-basics () securityfocus com 
        Subject: Re[2]: MS in information security
        
        
        Hi Craig.
        
        
        CW> Although the maths is useful to have and I will never tell
        CW> anyone not to study, it is in this case not a part of the answer.
        CW> Security is not just about crypto.
        
        Unfortunately in year 2000 I was amazing, that crypto is the Only way
        to real security, but now I agree with this opinion.
        Only cryptography suppose absolutelly open information about all, but
        encryption keys. You can get all - hardware. storage devices, traffic,
        files, etc. But you will take NOTHING.
        Another security measures is like an additional wall, you can jump
        over the wall, you can brake it, and get control on protected system.
        Security without cryptography is a kind of superficial glance to
        security, only Cryptography is real base for Real security.
        
        Regards
        Vladimir
        


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.