[2800] in cryptography@c2.net mail archive
Re: DRUDGE-REPORT-EXCLUSIVE 5/20/98 (fwd) -Reply
daemon@ATHENA.MIT.EDU (Kawika Daguio)
Mon Jun 8 11:12:51 1998
Date: Mon, 08 Jun 1998 10:58:23 -0400
From: "Kawika Daguio" <Kdaguio@aba.com>
To: cryptography@c2.net, cds@mcmurdo.gov, bill.stewart@pobox.com
Maintenance attacks are always a problem that one should manage against, =
but most operational environments require that the organization operate =
under an expectation of employee trustworthiness. The banking system is =
built on an overlay of "limited trust," within individual banks parameters =
based on their risk management evals, over a no trust systemic risk =
control modeled system. Banks use multiparty control, audit, and physical =
security to limit these risks to tolerable levels, but we have found most =
others have little or no understanding of the issue much less meaningful =
mitigation measures.
One example of related problems we are having outside of the networks =
under our direct control are bankcard point of sale devices deployed by =
firms like oil companies in gas stations. These POS devices are being =
corrupted by bad guys intent on collecting bankcard information and =
committing fraud. The losses hit the card issuing bank and the firms =
where the fraud originated walk away from the problem whistling carefree =
tunes.
This is why we are going to systems that provide for authentication of =
entities and devices throughout the path and why we will continue to =
deploy tamperproof crypto and other modules.
kawika daguio
while the above are my views, they may not be shared by organization or =
those we represent
>>> Bill Stewart <bill.stewart@pobox.com> 06/07/98 03:14am >>>
At 06:34 AM 6/3/98 +0000, Chris Liljenstolpe wrote:
>On Mon, Jun 01, 1998 at 01:20:14AM -0700, Bill Stewart wrote:
>> Tamper-resistance is nice, but public-key technology means you don't
>> _care_ if the Other Guys read your ROMs, because there's nothing secret =
needed.
...
>Ahh - you do want to prevent them from reading your private key from
>the PROM. As a general rule, REAL crypto hardware, even if it is
>public key, is tamper-resistant, tamper-evident, tamper-zeroizing....
The best way to protect secrets is to avoid having them.
You only need a private key if you're going to sign or decrypt things.
The main need for crypto in a satellite is validating commands
sent to it from the ground, to prevent Bad Guys from giving it bad orders.
That means you need the public key of the authorized ground-based users.
As long as you can prevent the ground crew from replacing the public key,
you're safe, and if they _can_ tamper with your equipment,
crypto modules aren't the only things they can replace....
Thanks!=20
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
=
=20
