
Re: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems



At 12:40 PM -0400 8/17/01, Derek Atkins wrote:
>Stephen Kent <kent@bbn.com> writes:
>
>>  I also recall that Steve Bellovin and I participated in a panel at
>>  the National Computer Security Conference in the mid-90s, chaired by
>>  Dorothy Denning, where the topic was "Will Encryption Thwart
>>  Hackers." The panel was unanimous in agreeing that the answer was no,
>>  for a variety of reasons that are still valid today.  I know of very
>>  few folks in the (larger) Internet community who believe that the
>>  principal threat is passive wiretapping of the Internet, vs.
>>  unauthorized access to computing resources on organizational LANs.
>>  Encryption of lots of Internet traffic, without accompanying
>>  authentication and access control, does not address the latter
>>  concern.
>
>I think that 'universal encryption' and 'universal authentication' are
>two different and separable problems.  Indeed, I think we've found
>that universal authentication is a HARD problem, whereas 'universal
>encryption' does not appear to be quite as hard (albeit with some
>limited protections).
>
>From where I sit, passive eavesdropping is a major issue.  Is it the
>only issue, hell no.  However, just look at all the password-sniffing
>attacks that have happened over the years.  An attacker somehow gets
>into an account, sets up a sniffer, and then collects other passwords
>for other break-ins.  If universal encryption had been deployed (even
>unauthenticated DH), these sniffers would have been ineffective.

Yes, but most recent attacks have not been of this flavor, and we 
have a variety of alternate authentication mechanisms that can be 
used when people are concerned about passive wiretapping. I'm not 
opposed to using encryption, but we see lots of attacks that exploit 
buffer overflows and other bugs that will not be countered by 
encryption. Moreover, use of encryption does adversely affect use of 
net-based IDS and one has to decide where this negative side effect 
outweighs the benefits.

>Would it have solved the authentication problems?  No, of course not.
>But does that mean that encryption is useless by itself?  No, of
>course not.  It would have solved a subset of the problems, and that
>by itself is a worthwhile goal.

Maybe. Since encryption can also interfere with our ability to detect 
and track attacks, its use is not purely beneficial.  In recent 
experiments sponsored by DARPA, we observed that use of encryption 
with faulty authentication techniques allowed attackers to gain 
unauthorized access and to hop from system to system without 
detection, under cover of the encryption used on a host-to-host basis 
in a LAN environment.

>We cannot build a panacea.  No such beast exists, and looking for that
>perfect solution will, in the end, cause us to have none.

We agree on the principle, but may differ on where to draw the line.

Steve
