Secure Coding mailing list archives
Question about the terms "encypt" and "secure"
From: jeremy.epstein at webmethods.com (Jeremy Epstein)
Date: Mon, 6 Mar 2006 06:04:12 -0800
Encryption is one way to secure the *transport* on the network (subject to various caveats about appropriate use of crypto, trust issues, etc.). I'd strongly disagree with anyone who says that encryption "makes a network secure" - because people interpret that to mean "if I encrypt the network, I don't need to do anything else". In fact, there's lots of other things you need to do, such as authenticating the actions, ensuring you have adequate audit trails, ensuring that there are no security vulnerabilities, etc.

Some people consider that to be host security as a separate topic, and so for them, encryption *does* secure the network. But I get nervous when someone says encryption secures the network, lest it be considered as an excuse to ignore all the other problems.

WRT the Marine Guards approach, years ago another approach was to run cables through pressurized conduits with sensors to detect if anyone tampered with the conduit before they could tap into the line. No idea if this is still done, or if there are new attacks possible (e.g., measuring the power leakage from the conduits). At that time, "Orange Book" evaluations weren't allowed to rely on cryptography as a security measure, so a network evaluation I worked on suggested using the Marine Guards approach. Not that we expected anyone to do it, but it was the only way to get past the ridiculous requirement...

--Jeremy
-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of ljknews
Sent: Monday, March 06, 2006 8:00 AM
To: Secure Coding Mailing List
Subject: Re: [SC-L] Question about the terms "encypt" and "secure"

At 12:35 PM -0500 3/5/06, William L. Anderson wrote:

> My question is whether it's more accurate to say "secure their network"
> rather than "encrypt". I'm not clear myself about the meaning of these
> terms; I think of encryption as being one way to make a network secure.

Another way that was described some years ago was Marine Guards every 5 feet down the Thick Ethernet cable to prevent unauthorized taps.

Of course that was by someone in the cryptographic business :-)

--
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php