[1728] in cryptography@c2.net mail archive
Re: Crypto in real life
daemon@ATHENA.MIT.EDU (Rick Smith)
Thu Oct 9 20:02:54 1997
In-Reply-To: <Pine.BSI.3.91.971009120741.8042E-100000@ivan.iecc.com>
Date: Thu, 9 Oct 1997 17:01:16 -0600
To: John R Levine <johnl@iecc.com>, cryptography@c2.net
From: Rick Smith <smith@securecomputing.com>
John Levine's premise seems to be that crypto products can only be deemed
trustworthy if the source code is available for review. He asserts that
this is a peculiar property of crypto programs.
Here are some of my own observations, and I'm sure there will be disagreement:
1) Crypto *is* different, but a fundamental difference is that "bugs" will
not necessarily be obvious from the source code. Mistakes in implementing a
particular crypto algorithm can probably be spotted, and dumb PRNGs or
feeble seeding techniques should also be visible to knowledgeable eyes. But
mistakes brought about by peculiarities of usage or evolving threats can't
be predicted.
In other words, you'll find bugs simply by deploying the software and
watching people use it. Some of the bugs might have been caught by a source
code review, but many of them will be due to the newness of crypto in the
hands of The People At Large.
2) Publishing the source code doesn't prevent bugs from appearing. At best
it can expedite the finding and fixing of some bugs. While this does
benefit the community of product users in general (at least, once you take
into account newer users and upgraders that get the fixed version of the
software) it doesn't help people with the old code containing the bug. This
is true of any software, of course.
3) Good software is the product of scarce resources, and most people are
going to pay the development cost by selling software products. Very few
vendors are able to pay for software development and simultaneously make
their source code available for anyone to review.
Netscape claims that there are 40 million copies of the Navigator out there
with some form of SSL. This probably makes it the most widely used crypto
product there is. Its source code isn't available even though the Navigator
is often downloaded for free.
4) Lots of security problems tend to be based on poor design choices -- a
bad algorithm, weak key handling, bad random numbers, and so on. You can
essentially produce a checklist of these design requirements and eliminate
lots of crypto products just by comparing their stated properties against
sensible choices. That's why I put lists of requirements in my book
"Internet Cryptography." We might not always know if the PRNG is in fact
correctly coded, but we at least might learn if the vendor's design
intentions were sound. It doesn't give us perfect assurance but it gives us
more reason for confidence in a given product.
5) Security and ease of use *MUST* go hand in hand. Hard-to-use security
mechanisms aren't used and they get bypassed. IPSEC VPNs are easy on the
users except when they try to use the same link to talk to plaintext sites.
SSL across the Web is very easy to use -- many folks don't even know it's
there.
6) Given that we're deploying crypto software atop commercial operating
systems, the weak link is the OS. Motivated attackers aren't going to try
to break Blowfish or Triple DES or even RC4/40, they're going to snatch the
data from under NT's protective sieve, or Win95's stout wall of Swiss
cheese. Or they'll cobble up a root userid on Unix. Then the world's their
oyster, especially if they have source code for their victim's crypto
package.
7) The notion of "trustworthy" is a very slippery one in the security
marketplace, regardless of whether you're selling crypto, firewalls, or
locks. People don't always go for the most secure product even when they're
shopping for a security device.
Nothing here is intended to endorse or slam Authentex or any other crypto
vendor. On the whole, I look at crypto products the same way as commercial
locks -- they give you some protection, and the right one will convince an
attacker to choose a different target. That's the most you can expect from
any security technology. I'm permanently skeptical of any claims of
perfection.
Rick.
smith@securecomputing.com Secure Computing Corporation
"Internet Cryptography" now in bookstores http://www.visi.com/crypto/
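Point 1 above says that a feeble seeding technique should be visible to knowledgeable eyes in a source review. The following is an added illustration of that kind of review check, not code from Rick Smith's post or from any product he mentions: a key generator seeded from the wall-clock second (a hypothetical weak design, constructed here) beside one drawn from the operating system's entropy source, plus a small empirical check a reviewer can run to show that the weak one produces the same key over and over within a second. Function names and the 16-byte key size are this example's own choices.

```python
import random
import secrets
import time


def weak_key(when=None, nbytes=16):
    """Hypothetical weak design: seed a deterministic PRNG with the current
    second and draw key bytes from it. Every byte of the key is a function
    of that one small integer, so the seed size, not the key size, bounds
    the effective strength."""
    if when is None:
        when = int(time.time())
    rng = random.Random(when)  # Mersenne Twister, fully determined by `when`
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_key(nbytes=16):
    """Sound design: take key bytes straight from the OS entropy source."""
    return secrets.token_bytes(nbytes)


def distinct_keys(keygen, trials):
    """Reviewer's empirical check: call a generator repeatedly and count how
    many different keys come back. A well-seeded generator returns `trials`
    distinct keys; a clock-seeded one returns only as many as the number of
    distinct seconds the trials spanned."""
    return len({keygen() for _ in range(trials)})


if __name__ == "__main__":
    trials = 500
    print("weak generator, distinct keys in", trials, "calls:",
          distinct_keys(weak_key, trials))
    print("strong generator, distinct keys in", trials, "calls:",
          distinct_keys(strong_key, trials))
    # The weak key is reproducible by anyone who knows the seeding scheme
    # and the second it ran; this is what a source review should flag.
    print("same second, same key:",
          weak_key(when=1000).hex() == weak_key(when=1000).hex())
```

The check is deliberately black-box: it needs no knowledge of the generator beyond being able to call it, which is why it complements rather than replaces reading the seeding code itself.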