Slashdot Mirror

← Back to Stories (view on slashdot.org)

Decrypting the Secret to Strong Security

Posted by michael on from the common-sense dept.

farrellj writes "Cnet has an excellent article by Whitfield Diffie, who has probably has forgotten more about crypto than 99.9% of us will ever know, explains why secrecy does not equal security. The article also addresses the whole "open source vs proprietary software" security issue. A definite *must read* for anyone concerned about security...and that should be everyone!"

6 of 261 comments (clear)

  1. random eyes by oliverthered · · Score: 4, Insightful

    Whilst not quite in the random eye meaning of the article.

    OSS does need proper audit and change tracking.
    I've looked thorough quite a bit of OSS, and I've fixed a few bugs,
    But apart from a patch there's no real way to track what code I thought needed atention, what was good and what was a mess.

    Patches are good for tracking maturity/stability if used well, a section of the code that hasn't been patched for a while is either very stable or needs looking at.

    --
    thank God the internet isn't a human right.
  2. Ancient Knowledge... by MarvinMouse · · Score: 5, Insightful

    Diffie is definitely the guy to be talking about this. Considering a main form of private key-exchange is called Diffie-Hellman.

    But, nontheless, it's silly that people don't know this inherently. A secure system is only as secure as its weakest point. If that point is compromised and cannot be easily fixed and/or repaired. It's useless.

    Depending on the secrecy of the code or "Security through Obscurity" is useless. Anyone who tells you otherwise is a quack or is trying to sell you something and doesn't want to do all the work necessary to do the proper job.

    If you want a secure system, you have to instantly assume that the system, code, and key will eventually be completely compromised, and then you can begin to think about. Now, if any of these were compromised, how can I fix the problem. The current solution is to reset the keys, and using modern mathematics (most of which was developed by Dif) You can do this securely.

    Now, the only problem that remains with modern cryptography, is if the factoring problem is solved _and_ the elliptic curve problem is solved efficiently, then modern crypto becomes useless, and we are back to square one.

    Albeit, Quantum Cryptography has some potential as it provides a mathematically verifiable form of perfect cryptography, since it is one time pads. It just currently cannot be done over long enough distances to be completely effective. When the technical/engineering details are solved for QC, then crypto is guaranteed secure. Assuming no one compromises your system directly (Human Error).

    Dependence on Security through Obscurity is bad, incredibly bad, and I hope anyone programming security software out there will realize that, and begin to use proper cryptographic techniques.

    ** I am going to write a couple of journal articles soon reviewing the various techniques for those who are interested. **

    --
    ~ kjrose
  3. Re:Accuracy by monkeydo · · Score: 5, Insightful

    That may be an excellent article for someone who has never been told that secrecy != security, but he didn't really say anything new. He didn't even really support any of his points. It isn't even really an article, more like a blurb. It's like someone at CNET said, "Give us 1,000 words on why OSS is good."

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  4. Re:100% secure by binaryDigit · · Score: 4, Insightful

    But of course, physical security won't help at all if the company has a wireless network ...

    yes, another good point. Which simply stresses the importance of taking a, uh, holistic approach to security and to not to get too wrapped up in just a single aspect. We've all been in companies where they spend good money trying to secure their systems against "crackers" but yet anyone in the company has access to the server boxes and/or the passwords are written on the side of the monitors, etc.

  5. Re:Accuracy by HawkinsD · · Score: 5, Insightful
    Dude, CNet is a general-audience wide-circulation publication. Yes, the geeks that hang out in here all know this stuff already, but my clients, with whom my company must exchange data securely, may not know anything about why open source is good.

    Anything that helps convince my crypto-less clients to use GnuPG is very, very helpful.

    --
    Never attribute to malice that which can be explained by mere idiocy.
  6. Passwords by Virtex · · Score: 4, Insightful

    Passwords can be seen as a secret used for security. The author also mentions cryptographic keys in the same context. He justifies them by saying that because they can be easily changed, they aren't a great detriment to security. I'm not sure I agree. In the past, the most common way to gain unauthorized access to a machine was through weak passwords. And even if you have a strong password, it may be difficult to know if it becomes compromised.

    I've always wished for a system like RSA'a SecurID cards. They give you a password that changes every 60 seconds, and you carry around a token that shows the latest password for you. Unfortunately, such technology is priced out of the range of individuals like me.

    --
    For every post, there is an equal and opposite re-post.