Expert: Encryption Gets Better, but Remains Imperfect

[InfoSec News <isn () C4I ORG>]

http://www.computeruser.com/news/00/06/19/news8.html

By: Kevin Featherly, Newsbytes
June 19, 2000

A hacker cracks an e-commerce site, claims to have stolen 300,000
credit cards. An online banking site discovers crooks have transferred
money out of legitimate customers' accounts. Microsoft's Windows
e-mail platform, having already sustained a withering frontal assault
from the Melissa e-mail virus, fails in its next implementation to
install corrections that would have kept the subsequent ILOVEYOU
attack at bay.

All this has happened despite the presence of strong encryption
technologies that could short-circuit many of these online nightmares.
So why do they keep popping up in the headlines? Because, says Mick
Bauer, security practice leader at California-based consulting firm
ENRG Inc., implementing the technology is difficult. "Even utilizing
their full features," Bauer says, "is neither a given, nor is it
easy."

Bauer spoke Thursday at the hacker and computer-security convention
RootFest in St. Paul, Minn. There he addressed the topic, "Strong
Authentication: Keeping the Kiddies Out."

Bauer spoke to a crowd of what he called "geeks"--they were a roomful
of hackers and system administrators who redefined the phrase "casual
dress." There were the overweight nerd sorts in Buddy Holly
spectacles. There were skinny skate-punks with loose-fitting pants and
red, backward-turned baseball caps. There was at one heavy-metal stud
with long flowing blond hair and matching black t-shirt and jeans and
at least two middle-aged, bearded computer-culture veterans.

They all had one thing in common: a daunting understanding of new
technologies that stretches well beyond the reach of even the
interested layman.

Indeed, for one interested layman, Bauer's speech had the unnerving
quality of a college finals test-prep session at which a lazy student
shudders with the epiphany that nothing--nothing at all--has been
learned all semester.

"Radius is going to disappear if and when PKI comes along," is a
typically inscrutable observation. "They went and used RC4 as the
algorithm that actually encrypts most of the data going through the
tunnel," is another. (RC4, by the way, is according to the folks at
RSA Laboratories, "a variable key-size stream cipher with
byte-oriented operations," if that's any help.)

Still, there were several points easy even for the uninitiated to
grasp. Chief among them: solid encryption technologies are a
fundamental necessity of the Internet age, but they have yet to be
widely adopted because all are problematic.

"There is some outstanding technology available, and in publicly
available algorithms," Bauer told Newsbytes after his speech. "The
problem isn't that there's no good cryptographic technology available.
The problem is that it's fiendishly difficult to implement the
technology in a secure fashion."

During his speech, Bauer blasted Microsoft Corp. for its failure to
protect its PPTP (point-to-point tunneling protocol) system that is
supposed to engender completely secret and secure transactions and
communication from terminal to server.

"Say you've got a computer at home and you want to connect to a
Windows NT server that's connected to the Internet," Bauer said. "You
can use PPTP client software to establish an encrypted virtual tunnel
between your machine and that machine. We call it a tunnel because
everything that goes between your machine and that machine is secret
to the outside world. Also, it's a tunnel in that any one chunk of the
tunnel is useless outside of the context of the rest of the
tunnel--the pipeline."

And Microsoft built great protection for the tunnel, he said. But they
failed at the most basic "o-ring" component of the system. "The
problem," Bauer said, "is that the authentication method for
establishing that tunnel in the first place is easily broken. So
basically, what you've got is a secure, encrypted tunnel that the bad
guys can initiate into your stuff. And that's scary. And Microsoft's
not alone."

One of the most promising of the security technologies is what is
known as biometrics. These have been a staple of spy movies for
years--an agent walks to a massive iron door, steps before an
electrical scanner that beams a laser into his retina, recognizes
unique retinal patterns and unseals the locks.

Fiction is very close to fact, Bauer indicates. Which is why
biometrics technology may be too expensive for practical application.

"With biometrics, by definition there must be a piece of hardware
issued to each and every user, or at least each and every device that
the user is going to need access to," Bauer said. "If it's an ISP, why
don't cable modems have biometrics? Maybe that could solve the
cable-modem security fiasco." The answer, he says, is cost. "And that
cost has to get passed on to somewhere. And along with the cost of
hardware come the logistical problems of deploying additional bits of
hardware across an enterprise. Whether it's a commercial or a
non-commercial setting, that could be expensive as well."

Public key infrastructure (PKI) has promise as a secure technology
too, he says. It involves the use of a coded key that an end user can
hand out to the public, much as a phone number is given out. Others
can use that key to encrypt secure documents and send them back to be
opened by the end user. But they cannot be used without PKI's second
component, a private key that only they can know or access.

It, too, is a strong technology, Bauer says, but there are pitfalls.
Suppose a large organization uses PKI to secure transactions online.
What if someone in the organization leaves their job or is fired? Any
transactions they were responsible for become permanently inaccessible
if the user can't be found or if they refuse to give up their key--an
obvious security risk created by the security system itself.

Most promising of all, according to Bauer, is the smart card
technology that has yet to see wide adoption. The cards, which could
be swiped through or past a decoding scanner, have tremendous
flexibility as well as encryption strength, Bauer said. They are not,
like the similar "authentication token" technology, capable only of
authenticating the presence of a particular end user or system
administrator. They can do much more.

"I think it's got the most potential of any of the commonly discussed
authentication technologies simply in that it's not a one-trick pony,"
Bauer told his audience. "If you go to the trouble of deploying a
smart card scheme, you can use it for authentication. You can use it
for signing (secure) documents. The third thing you can use them for
is encryption. Where the 'smart' part comes in is that this is not
just a device that only authenticates credentials or stores a static
password or something. This is a device that, in addition to having
that kind of information stored on it, has software hard-coded into
it."

He added, "In other words, it has hardware that can defend itself
against certain types of attacks and participate in encrypted
sessions."

Which of course means that it could be used for nefarious purposes by
the very hackers in his audience. But that's not an issue particularly
galling to the speaker. "Probably the majority here have never done
anything illegal online," he smiles. "At least not seriously illegal."

The bottom line is that computer security is in its formative
stages--getting better, but still imperfect. And it probably always
will be imperfect, he said.

"What people need to understand is that the Internet is no more and no
less safe than a busy street in a large city," he said.

Technology is needed to protect unsuspecting computer users from
people with maleficent intent, but there is something the public can
do that would aid the cause of the security wizards, he said. They can
become less unsuspecting.

"To my thinking," Bauer said, "the number one problem with computer
security is that people, in their heads, mystify computer technology
far more than they even do with other technologies that they don't
understand, like their car or their toaster or whatever. And a lot of
times people chuck common sense at the door. And I don't mean to just
beat up on the end user. I mean people who write software, people who
manage networks, anybody."

He gives an example. "You would never dream of leaving your car keys
on the hood of your car when you go to the store. But the same person
who would never dream of doing that would leave a sticky note with
their password on their monitor of their computer.

"I think that education is a big issue right now with security," Bauer
concludes. "Awareness isn't enough. Actual education has to be part of
that process."

RootFest, a three-day convention, continues through Friday.

More information on the convention can be found online at
http://www.rootfest.org/

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".