Wednesday, September 07, 2005

On our computers, we always see the "Intel Inside" logo, which used to be a sign of quality and does not mean a lot nowadays.

Similarly, in the security world it will never be rare to see statements about security products like "128-bit encryption inside (so it is unbreakable)". This is an interesting phenomenon, and in most cases it should put us on alert about the products marked this way. It is a warning sign rather than a sign of "quality".

Algorithms, protocols, architecture, implementation and procedures: a security system has to be a whole made of these elements. A failure in any one of them can be fatal to the whole system. As with any other practical system, the "weakest link" rule always applies to a security system.

But in reality, like other complex systems, a security system is always too complicated to be understood as a whole. For whatever reasons, some of them perhaps historical, people tend to put their focus on cryptographic algorithms. The picture of the whole security system becomes fuzzy, and the cryptographic algorithms start to represent everything.

-"Tell me about your security system."
-"It's 1024-bit RSA and 128-bit 3DES."

Unfortunately, if there are any weaker links in elements other than the algorithms, the whole security system is still only as strong as its weakest link. 1024-bit RSA is good, but what if you use the same private key for both encryption and signing? 128-bit 3DES is good, but what if you store the plaintext key right beside the encrypted data?
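The first question above can be shown in a few lines. This is an added example, not part of the original post: it uses textbook RSA without padding and toy keys built from small Mersenne primes (both are assumptions made for illustration) to show that a key owner who signs a blob with the key that also decrypts has in effect decrypted it, while a separate signing key reveals nothing.

```python
# Toy textbook RSA (no padding), constructed keys; illustration only.
E = 65537

def make_key(p, q):
    """Return (n, e, d) for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)          # modular inverse (Python 3.8+)

def encrypt(m, key):
    n, e, _ = key
    return pow(m, e, n)

def decrypt(c, key):
    n, _, d = key
    return pow(c, d, n)

def sign(blob, key):
    # Textbook signing is the same private-key operation as decryption.
    n, _, d = key
    return pow(blob, d, n)

def verify(blob, sig, key):
    n, e, _ = key
    return pow(sig, e, n) == blob % n

# Constructed toy keys from well-known Mersenne primes (far too small for real use).
DUAL_USE_KEY = make_key(2**31 - 1, 2**61 - 1)   # used for encryption AND signing
ENC_KEY = DUAL_USE_KEY                          # separated design: encryption only
SIG_KEY = make_key(2**89 - 1, 2**107 - 1)       # separated design: signing only

def shared_key_leaks(m):
    """One key for both roles: the 'signature' on a ciphertext is the plaintext."""
    c = encrypt(m, DUAL_USE_KEY)
    return sign(c, DUAL_USE_KEY) == m

def separate_keys_leak(m):
    """Separate keys: the signature still verifies but does not equal the plaintext."""
    c = encrypt(m, ENC_KEY)
    sig = sign(c, SIG_KEY)
    assert verify(c, sig, SIG_KEY)
    return sig == m

if __name__ == "__main__":
    secret = int.from_bytes(b"PIN=4921", "big")  # constructed sample plaintext
    print("shared key leaks plaintext:   ", shared_key_leaks(secret))
    print("separate keys leak plaintext: ", separate_keys_leak(secret))
```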

According to my personal observation, the vendors of quite a few "xxx-bit encryption inside" products do not bother to think about other critical elements such as protocols. This observation is also linked to the nature of marketing hype: modern marketing strategy is always to hype the "strongest link". If a vendor has an advanced mindset and thinks more about systematic security, it would rather make statements like "Audited by xxx" or "FIPS 140-x/Level x Validated".

Luckily for us, most smart card modules, which will be used on credit cards and eventually e-passports, are marked as "FIPS 140-2/Level 3 Validated" and not merely "ECC inside".
