Information Security News mailing list archives
Expert: Encryption Gets Better, but Remains Imperfect
From: InfoSec News <isn () C4I ORG>
Date: Mon, 19 Jun 2000 00:23:10 -0500
http://www.computeruser.com/news/00/06/19/news8.html By: Kevin Featherly, Newsbytes June 19, 2000 A hacker cracks an e-commerce site, claims to have stolen 300,000 credit cards. An online banking site discovers crooks have transferred money out of legitimate customers' accounts. Microsoft's Windows e-mail platform, having already sustained a withering frontal assault from the Melissa e-mail virus, fails in its next implementation to install corrections that would have kept the subsequent ILOVEYOU attack at bay. All this has happened despite the presence of strong encryption technologies that could short-circuit many of these online nightmares. So why do they keep popping up in the headlines? Because, says Mick Bauer, security practice leader at California-based consulting firm ENRG Inc., implementing the technology is difficult. "Even utilizing their full features," Bauer says, "is neither a given, nor is it easy." Bauer spoke Thursday at the hacker and computer-security convention RootFest in St. Paul, Minn. There he addressed the topic, "Strong Authentication: Keeping the Kiddies Out." Bauer spoke to a crowd of what he called "geeks"--they were a roomful of hackers and system administrators who redefined the phrase "casual dress." There were the overweight nerd sorts in Buddy Holly spectacles. There were skinny skate-punks with loose-fitting pants and red, backward-turned baseball caps. There was at one heavy-metal stud with long flowing blond hair and matching black t-shirt and jeans and at least two middle-aged, bearded computer-culture veterans. They all had one thing in common: a daunting understanding of new technologies that stretches well beyond the reach of even the interested layman. Indeed, for one interested layman, Bauer's speech had the unnerving quality of a college finals test-prep session at which a lazy student shudders with the epiphany that nothing--nothing at all--has been learned all semester. "Radius is going to disappear if and when PKI comes along," is a typically inscrutable observation. "They went and used RC4 as the algorithm that actually encrypts most of the data going through the tunnel," is another. (RC4, by the way, is according to the folks at RSA Laboratories, "a variable key-size stream cipher with byte-oriented operations," if that's any help.) Still, there were several points easy even for the uninitiated to grasp. Chief among them: solid encryption technologies are a fundamental necessity of the Internet age, but they have yet to be widely adopted because all are problematic. "There is some outstanding technology available, and in publicly available algorithms," Bauer told Newsbytes after his speech. "The problem isn't that there's no good cryptographic technology available. The problem is that it's fiendishly difficult to implement the technology in a secure fashion." During his speech, Bauer blasted Microsoft Corp. for its failure to protect its PPTP (point-to-point tunneling protocol) system that is supposed to engender completely secret and secure transactions and communication from terminal to server. "Say you've got a computer at home and you want to connect to a Windows NT server that's connected to the Internet," Bauer said. "You can use PPTP client software to establish an encrypted virtual tunnel between your machine and that machine. We call it a tunnel because everything that goes between your machine and that machine is secret to the outside world. Also, it's a tunnel in that any one chunk of the tunnel is useless outside of the context of the rest of the tunnel--the pipeline." And Microsoft built great protection for the tunnel, he said. But they failed at the most basic "o-ring" component of the system. "The problem," Bauer said, "is that the authentication method for establishing that tunnel in the first place is easily broken. So basically, what you've got is a secure, encrypted tunnel that the bad guys can initiate into your stuff. And that's scary. And Microsoft's not alone." One of the most promising of the security technologies is what is known as biometrics. These have been a staple of spy movies for years--an agent walks to a massive iron door, steps before an electrical scanner that beams a laser into his retina, recognizes unique retinal patterns and unseals the locks. Fiction is very close to fact, Bauer indicates. Which is why biometrics technology may be too expensive for practical application. "With biometrics, by definition there must be a piece of hardware issued to each and every user, or at least each and every device that the user is going to need access to," Bauer said. "If it's an ISP, why don't cable modems have biometrics? Maybe that could solve the cable-modem security fiasco." The answer, he says, is cost. "And that cost has to get passed on to somewhere. And along with the cost of hardware come the logistical problems of deploying additional bits of hardware across an enterprise. Whether it's a commercial or a non-commercial setting, that could be expensive as well." Public key infrastructure (PKI) has promise as a secure technology too, he says. It involves the use of a coded key that an end user can hand out to the public, much as a phone number is given out. Others can use that key to encrypt secure documents and send them back to be opened by the end user. But they cannot be used without PKI's second component, a private key that only they can know or access. It, too, is a strong technology, Bauer says, but there are pitfalls. Suppose a large organization uses PKI to secure transactions online. What if someone in the organization leaves their job or is fired? Any transactions they were responsible for become permanently inaccessible if the user can't be found or if they refuse to give up their key--an obvious security risk created by the security system itself. Most promising of all, according to Bauer, is the smart card technology that has yet to see wide adoption. The cards, which could be swiped through or past a decoding scanner, have tremendous flexibility as well as encryption strength, Bauer said. They are not, like the similar "authentication token" technology, capable only of authenticating the presence of a particular end user or system administrator. They can do much more. "I think it's got the most potential of any of the commonly discussed authentication technologies simply in that it's not a one-trick pony," Bauer told his audience. "If you go to the trouble of deploying a smart card scheme, you can use it for authentication. You can use it for signing (secure) documents. The third thing you can use them for is encryption. Where the 'smart' part comes in is that this is not just a device that only authenticates credentials or stores a static password or something. This is a device that, in addition to having that kind of information stored on it, has software hard-coded into it." He added, "In other words, it has hardware that can defend itself against certain types of attacks and participate in encrypted sessions." Which of course means that it could be used for nefarious purposes by the very hackers in his audience. But that's not an issue particularly galling to the speaker. "Probably the majority here have never done anything illegal online," he smiles. "At least not seriously illegal." The bottom line is that computer security is in its formative stages--getting better, but still imperfect. And it probably always will be imperfect, he said. "What people need to understand is that the Internet is no more and no less safe than a busy street in a large city," he said. Technology is needed to protect unsuspecting computer users from people with maleficent intent, but there is something the public can do that would aid the cause of the security wizards, he said. They can become less unsuspecting. "To my thinking," Bauer said, "the number one problem with computer security is that people, in their heads, mystify computer technology far more than they even do with other technologies that they don't understand, like their car or their toaster or whatever. And a lot of times people chuck common sense at the door. And I don't mean to just beat up on the end user. I mean people who write software, people who manage networks, anybody." He gives an example. "You would never dream of leaving your car keys on the hood of your car when you go to the store. But the same person who would never dream of doing that would leave a sticky note with their password on their monitor of their computer. "I think that education is a big issue right now with security," Bauer concludes. "Awareness isn't enough. Actual education has to be part of that process." RootFest, a three-day convention, continues through Friday. More information on the convention can be found online at http://www.rootfest.org/ ISN is sponsored by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Expert: Encryption Gets Better, but Remains Imperfect InfoSec News (Jun 19)