[ISN] CRYPTO-GRAM, November 15, 1998

From: mea culpa (jerichoat_private)
Date: Sun Nov 15 1998 - 13:06:16 PST

  • Next message: mea culpa: "[ISN] REVIEW: "VirusHelp", Henri Delger"

    Forwarded From: Bruce Schneier <schneierat_private>
                  November 15, 1998
                  by Bruce Schneier
                 Counterpane Systems
    A free monthly newsletter providing summaries, analyses, insights, and
    commentaries on cryptography and computer security.
    Back issues are available at http://www.counterpane.com.  To subscribe or
    unsubscribe, see below.
    Copyright (c) 1998 by Bruce Schneier
    ** *** ***** ******* *********** *************
    In this issue:
         Electronic Commerce: The Future of Fraud
         Counterpane Systems -- Featured Research
         Micro Locks
         Counterpane Systems News
         Software Copy Protection
         More on Steganography (by Peter Wayner)
    ** *** ***** ******* *********** *************
       Electronic Commerce: The Future of Fraud
    Fraud has been perpetrated against every commerce system man has ever
    invented, from gold coin to stock certificates to paper checks to credit
    cards.  Electronic commerce systems will be no different; if that's where
    the money is, that's where the crime will be.  The threats are exactly the
    Most fraud against existing electronic commerce systems -- ATM machines,
    electronic check systems, stored value tokens -- has been low tech.  No
    matter how bad the cryptographic and computer security safeguards, most
    criminals bypass them entirely and focus on procedural problems, human
    oversight, and old-fashioned physical theft.  Why attack subtle information
    security systems when you can just haul an ATM machine away in a truck?
    This implies that new commerce systems don't have to be secure, but just
    better than what exists.  Don't outrun the bear, just outrun the people
    you're with.  Unfortunately, there are three features of electronic
    commerce that are likely to make fraud more devastating.
    One, the ease of automation.  The same automation that makes electronic
    commerce systems more efficient than paper systems also makes fraud more
    efficient.  A particular fraud that might have taken a criminal ten minutes
    to execute on paper can be completed with a single keystroke, or
    automatically while he sleeps.  Low-value frauds, that fell below the radar
    in paper systems, become dangerous in the electronic world.  No one cares
    if it is possible to counterfeit nickels.  However, if a criminal can mint
    electronic nickels, he might make a million dollars in a week.  A
    pickpocketing technique that works once in ten thousand tries would starve
    a criminal on the streets, but he might get thirty successes a day on the net.
    Two, the difficulty of isolating jurisdiction.  The electronic world is a
    world without geography.  A criminal doesn't have to be physically near a
    system he is defrauding; he can attack Citibank in New York from St.
    Petersburg. He can jurisdiction shop, and launch his attacks from countries
    with poor criminal laws, inadequate police forces, and lax extradition
    And three, the speed of propagation.  News travels fast on the Internet.
    Counterfeiting paper money takes skill, equipment, and organization.  If
    one or two or even a hundred people can do it, so what?  It's a crime, but
    it won't affect the money supply.  But if someone figures out how to
    defraud an electronic commerce system and posts a program on the Internet,
    a thousand people could have it in an hour, a hundred thousand in a week.
    This could easily bring down a currency.  And only the first attacker needs
    skill; everyone else can just use software.  "Click here to drop the
    deutsche mark."
    Cryptography has the potential to make electronic commerce systems safer
    than paper systems, but not in the ways most people think.  Encryption and
    digital signatures are important, but secure audit trails are even more
    important.  Systems based on long-term relationships, like credit cards and
    checking accounts, are safer than anonymous systems like cash.  But
    identity theft is so easy that systems based solely on identity are doomed.
    Preventing crime in electronic commerce is important, but more important is
    to be able to detect it.  We don't prevent crime in our society.  We detect
    crime after the fact, gather enough evidence to convince a neutral third
    party of the criminal's guilt, and hope that the punishment provides a
    back-channel of prevention.  Electronic commerce systems should have the
    same goals.  They should be able to detect that fraud has taken place and
    finger the guilty.  And more important, they should be able to provide
    irrefutable evidence that can convict the guilty in court.
    Perfect solutions are not required -- there are hundred of millions of
    dollars lost to credit card fraud every year -- but systems that can be
    broken completely are unacceptable.  It's vital that attacks cannot be
    automated and reproduced without skill. Traditionally, fraud-prevention has
    been a game of catch-up.  A commerce system is introduced, a particular
    type of fraud is discovered, and the system is patched.  Money is made
    harder to counterfeit.  Online credit card verification makes fraud harder.
     Checks are printed on special paper that makes them harder to alter.
    These patches reduce fraud for a while, until another attack is discovered.
     And the cycle continues.
    The electronic world moves too fast for this cycle.  A serious flaw in an
    electronic commerce system could bankrupt a company in days.  Today's
    systems must anticipate future attacks.  Any successful electronic commerce
    system is likely to remain in use for ten years or more.  It must be able
    to withstand the future:  smarter attackers, more computational power, and
    greater incentives to subvert a widespread system.  There won't be time to
    upgrade them in the field.
    Why Cryptography is Harder Than it Looks:
    Security Pitfalls in Cryptography:
    ** *** ***** ******* *********** *************
       Counterpane Systems -- Featured Research
    "Toward a Secure System Engineering Methodology"
    C. Salter, O. Saydjari, B. Schneier, and J. Wallner, New Security Paradigms
    Workshop, September 1998, to appear.
    This paper, coauthored with three NSA employees, presents a methodology for
    enumerating the vulnerabilities of a system, and determining what
    countermeasures can best close those vulnerabilities.  We first describe
    how to characterize possible adversaries in terms of their resources,
    access, and risk tolerance, then we show how to map vulnerabilities to the
    system throughout its life cycle, and finally we demonstrate how to
    correlate the attacker's characteristics with the characteristics of the
    vulnerability to see if an actual threat exists.  Countermeasures need to
    be considered only for the attacks that meet the adversaries' resources and
    objectives. Viable countermeasures must meet user needs for cost, ease of
    use, compatibility, performance, and availability.
    ** *** ***** ******* *********** *************
    An Appraisal Of The Technologies Of Political Control. A very interesting
    More AES speed comparisons are at:
    A new report on the National Security Agency's top-secret spying network
    will soon be sent to members of Congress.  The report -- "Echelon:
    America's Spy in the Sky" was produced by the Free Congress Foundation and
    details the history and workings of the NSA's global electronic
    surveillance system.  The system is reportedly capable of intercepting,
    recording and translating any electronic communication sent anywhere in the
    The OECD is looking at the taxation of Internet businesses.  The second
    document on the web page discusses options for taxation of Internet
    businesses.  In particular, Implementation Option 11 is quite interesting.
    It reads:  "Revenue authorities may consider mechanisms facilitating
    tracing, for tax purposes, of inadequately identified web sites and other
    electronic places of business.  While the majority of enterprises engaged
    in electronic commerce adequately identify the legal entity operating the
    web site or electronic place of business, a small but significant
    percentage of web sites have inadequate identification for tax purposes.
    Revenue authorities, in common with other bodies, require appropriate
    mechanisms to allow tracing of the legal entity operating a business
    through a web site or other electronic place of business.  (e.g. through
    Internet Protocol (IP) number allocation records.)"  Scary, really.
    ** *** ***** ******* *********** *************
                    Micro Locks
    "Sandia National Laboratories has developed a computer security device that
    puts a new spin on firewall technology: The Recodable Locking Device is the
    world's smallest, micromachined combination lock, and it's designed to
    protect computer networks from outside intruders."  --Wired News.
    The idea is that instead of computer-security measures -- cryptography and
    all that -- there is a physical combination lock inside the firewall.  If
    someone enters the correct combination, he gets in.  If he doesn't, he
    stays locked out.  No cryptographic algorithms to break.  No computer
    security measures to try to circumvent.  No software to find bugs in.
    This sounds cool, but adding micro combination locks doesn't change the
    threat model much.  In both systems, the user has to either remember a
    password (combination) or store it somewhere.  In both systems, passwords
    can be sniffed or stolen.  In both systems, an adminstrator can subvert the
    security (either accidentally or maliciously).  In both systems, there is
    software controlling how the access works.  If you trust the cryptographic
    algorithms (which, in any good system, are being used in far more places
    than the access control), then without the crypto key there is no way to
    open the file...just as without the combination there is no way to open the
    lock.  There are probably some advantages to using one way or the other
    depending on the curcumstance, but I don't see a technological leap.
    More telling, the computer security industry hasn't been beating its
    breasts and wailing: "I wish there were a tiny combination lock.  That
    would solve my problems!"  I'm serious.  Combination locks aren't a new
    idea.  If applying them would be a good idea, they would have been applied.
     Sure, they would have been large.  But we've seen all sorts of macro
    solutions to computer security problems: manual switches disconnecting
    computers from networks (so called "air walls"), physical keys with EEPROM
    chips inside, vacuum-filled conduit to detect tampering.  I haven't seen
    combination locks, of any size, used in computer security products.  Just
    because Sandia's locks are smaller doesn't make them more applicable.  It
    only makes them smaller.
    I'm not trying to say that combination locks the size of microchips aren't
    a cool idea.  My guess is that there are all sorts of clever uses for these
    things; probably uses in computer security, but uses that we just can't
    imagine right now.  But firewalls and computer access devices...I have
    trouble seeing it.
    ** *** ***** ******* *********** *************
              Counterpane Systems News
    The December 98 issue of Dr. Dobb's Journal has a nice article on Twofish.
    It's available on their web site:
    ** *** ***** ******* *********** *************
              Software Copy Protection
    The problem of software piracy is easy to describe, but the development of
    effective copy protection methods is a very difficult challenge to solve.
    Software companies want people to buy their product outright; they want to
    prevent someone from making a copy of a business program worth hundreds of
    dollars and giving it to his friend.
    There are all sorts of solutions -- embedded code in the software that
    disables copying, code that makes use of non-copyable aspects of the
    original disk, hardware "dongles" that the software needs to run.  But
    these solutions all suffer from the same basic conceptual flaw: not even
    the most sophisticated copy protection scheme can stop a determined hacker.
    In the hands of Joe Average computer user, any copy protection system
    works.  He can barely copy files by following the directions, let alone
    defeat even an unsophisticated copy protection scheme.
    In the hands of Jane Hacker, however, no copy protection system works.
    Jane controls her computer.  She can run debuggers, reverse-engineer code,
    analyze the protected program.  If she's smart enough, she can go into the
    software and disable the copy-protection code.  The manufacturer can't do a
    thing to stop her; all it can do is make her task harder.  But to Jane, the
    challenge entices her even more.
    There are many Jane Hackers out there who break copy protection systems as
    a hobby.  They hang out on the net, trading illegal software.  There are
    also those who do it for profit.  They rip copy-protection code from
    software applications and resell them on CD-ROM for less than a tenth of
    the retail price.  Wired Magazine ran an article about these people; see
    the URL below.  The lesson is that any copy protection scheme can be
    broken; the only question it whether it will take a day or a week.
    Hacked programs are called "warez," and you can probably collect quite a
    bit of the stuff yourself just by looking around the Internet.  You won't
    find manuals, but that's what all the computer books are for.  Just about
    everything is available, usually for trade.
    The success of software pirates doesn't stop companies from trying to copy
    protect their programs.  And it doesn't stop them from having
    copy-protection disasters.  For example, the 1996 Quake release came on an
    encrypted CD-ROM: you could try it for free, but had to call and buy the
    password to unlock the entire game.  It was eventually cracked, along with
    every other popular copy-protected program ever released.  Id Software said
    that they expected the crack to happen eventually, but that it took long
    enough for the crack to finally appear for them to make enough money anyway.
    There are solutions, but they involve recognizing the realities of copy
    protection and working with them.
    1.  Sometimes pirates are your friend.  Business software companies
    realized this.  People would use pirated software, learn it, get used to
    it, and eventually get jobs where their employers would buy them a legal
    copy.  Microsoft has said that they are going to ignore pirating in China.
    Eventually the Chinese will pay for software, and Microsoft wants them all
    to have already standardized on their products.
    2.  Sometimes pirates are not your market.  It is the rare software pirate
    that would pay $500 for a high-end graphics program if he could not get a
    pirated copy.  Often, if a pirate can't get it free, he'll do without.
    3.  Sometimes you can ignore the software and sell the service.  Charge for
    tech support, so pirates are encouraged to buy legitimate copies.  Have
    other goodies for legitimate owners only.  Maybe the game can be hacked,
    but in order to play on-line you need to be a registered owner.
    4.  Sometimes the hardware saves you.  The discussion above really only
    applies to programs running on general-purpose hardware.  If you're
    building a set-top box, for example, things are a lot easier.  There are no
    casual pirates; anyone who is going to hack your system is going to need a
    lab and test equipment.  Just make sure he can't resell his solution.
    Nobody cares if a hacker spends a month in his basement and comes up with a
    pirate satellite TV decoder.  Let him watch all he can.  But if he can post
    an easy-to-run computer program that lets everyone get free satellite
    television -- that's a problem.
    For most software products, copy protection irritates legitimate users more
    than it prevents pirating.  But for some products it makes sense.  It
    raises the bar high enough to keep the honest honest.   Nothing will keep
    the expert hackers out, so the only workable solution is to design your
    systems with this in mind.
    Next month we'll talk about digital watermarking: copy-protecting content.
    Wired Magazine's "Warez Wars":
    ** *** ***** ******* *********** *************
        More on Steganography (by Peter Wayner)
    I think Bruce raises some interesting and valuable points in the Oct 15th
    edition of Crypto-Gram, but the negative conclusions he draws from the
    insights are too much like throwing the baby out with the bathwater.  He's
    correct that:
    	1) Steganography software could make a pile of GIF images look suspicious
    if the police found them on your disk.
    	2) The sudden change in message format could alert a smart eavesdropper.
    	3) You need to be careful with reusing your pictures.
    But I think these criticisms are equivalent to:
    	a) Cryptography software could make a pile of random numbers look
    suspicious if the police found them together on your disk.
    	b) Sending an encrypted message with PGP tags could alert a smart
    eavesdropper that there's secret communication.
    	c) You need to be careful about reusing your keys.
    There's no absolute security in either the realm of cryptography or
    steganography.  Good attackers can poke holes in crypto systems and
    steganographic systems. The goal is to make it as hard as possible to do this.
    I actually get a fair number of GIF images in the mail from friends.
    They're usually cartoons or goofball things.  Most people don't run an SMTP
    server on their desk so they don't care about bandwidth or load.  They just
    send them away.
    It is also important to realize that steganography is not a thin veil that
    can be pierced if someone merely suspects that the data is there.  Most
    steganographic systems include keys and I contend that the keys make it
    difficult for an eavesdropper to get at the message. Consider this
    scenario.  I send Bruce a picture of my sister's wedding.  (I've gotten
    many pictures of people's kids. My mother takes thirty photos in a weekend.
    They're common.)  Deep in the NSA alarm bells go off. No one's ever sent
    Schneier a picture before.  So they start taking it apart.  If the NSA is
    lucky, the picture is 8k bytes long and I've used every single one of the
    least significant bits to encode a 1k ASCII message.  In reality, the
    message is probably much smaller than 1/8th the size.  It is standard
    practice to use a key to drive a pseudorandom number generator to choose a
    subset of the pixels to hide the message.  I'm sure there are statistical
    attacks against this that leverage knowledge of the pseudorandom number
    generator and what not, but I contend that they're not something that can
    be accomplished from scratch in a day or two.
    There are usually a few other layers thrown on top.  It is common practice
    to compress the message and even encrypt it before storing it in the least
    significant bits.  Then the entire communications is protected by the
    strength of cryptography AND steganography.
    Bruce is correct that you need to be careful about reusing pictures.
    That's not a big problem for most of us.  There's a lot of content floating
    around the Net and there's more being generated every day.  Someone sent a
    2 megabyte movie the other day which I just deleted from my mail spool
    because it took up too much space.
    Sure, steganography is not as easy as falling off a logarithm.  But I still
    think it is a perfectly good tool for people in oppressive regimes. What
    other choice do people have?  I think it's a great tool for non-oppressive
    regimes.  The Customs service in England claims the right to search your
    laptop AND the right to demand the encryption key.  What choice do you have
    if you don't want the British government (which competes directly in some
    arenas) to know the details on your laptop?
    With a few reasonable precautions, the message can be hidden pretty well.
    There are plenty of digital cameras out there that cost very little.  It's
    easy to generate new content galore!  Many people send snapshots back and
    forth.  Many folks send voice files now with their messages.  Many folks
    send the art of children.
    (Peter Wayner is the author of _Disappearing_Cryptography_, a book on
    ** *** ***** ******* *********** *************
    CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
    insights, and commentaries on cryptography and computer security.
    To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
    blank message to crypto-gram-subscribeat_private  To unsubscribe,
    visit http://www.counterpane.com/unsubform.html.  Back issues are available
    on http://www.counterpane.com.
    Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
    find it valuable.  Permission is granted to reprint CRYPTO-GRAM, as long as
    it is reprinted in its entirety.
    CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
    Counterpane Systems, the author of "Applied Cryptography," and an inventor
    of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
    the International Association for Cryptologic Research, EPIC, and VTW.  He
    is a frequent writer and lecturer on cryptography.
    Counterpane Systems is a five-person consulting firm specializing in
    cryptography and computer security.  Counterpane provides expert consulting
    in: design and analysis, implementation and testing, threat modeling,
    product research and forecasting, classes and training, intellectual
    property, and export consulting.  Contracts range from short-term design
    evaluations and expert opinions to multi-year development efforts.
    Copyright (c) 1998 by Bruce Schneier
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:22 PDT