Post on 18-Jan-2016


Simplicity, Reconciliation, and Security

Bob Blakley

Chief Scientist, Security and Privacy, IBM

blakley@us.ibm.com

17 October 2005

How do you secure a box of money with a hole in it?

Start with the box empty.

Count what you put into the box.

Know how much should go in or out before you open the box.

Record everything that goes in and everything that comes out each time you open the box.

Continually update a total using the record of what went in and out.

Count at the end…

Check the end total against the end count.

Security Properties

• Transactionality
 – Sale price = cash input; refund cost = cash output
 – Tender - price = change

• Accountability
 – Receipts, drawer tape; punishment for infractions

• Reconciliation
 – Drawer count vs. drawer tape

• Supervision
 – Drawer count verification

• Visibility
 – Operations performed in public
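The box-of-money procedure and the Transactionality, Accountability and Reconciliation properties above, as an added Python example that is not part of the original slides; the Drawer class, its method names and the use of integer cents for money are assumptions made here.

```python
"""Cash-drawer model following the 'box of money' procedure (added example)."""
from dataclasses import dataclass, field


@dataclass
class Drawer:
    """Starts empty; every opening is recorded on an append-only tape."""
    tape: list = field(default_factory=list)  # accountability: the drawer tape
    running_total: int = 0                    # cents, updated from the tape

    def _record(self, kind: str, cash_in: int, cash_out: int) -> None:
        # Record what went in and what came out each time the box is opened,
        # then continually update the total from that record.
        self.tape.append({"kind": kind, "in": cash_in, "out": cash_out})
        self.running_total += cash_in - cash_out

    def open_with_float(self, amount: int) -> None:
        # Count what you put into the (initially empty) box.
        self._record("float", amount, 0)

    def sale(self, price: int, tender: int) -> int:
        # Transactionality: sale price = cash input; tender - price = change.
        # The expected movement is known before the drawer opens.
        if tender < price:
            raise ValueError("tender is less than price")
        change = tender - price
        self._record("sale", tender, change)
        return change

    def refund(self, cost: int) -> None:
        # Transactionality: refund cost = cash output.
        self._record("refund", 0, cost)

    def reconcile(self, counted: int) -> dict:
        # Reconciliation: drawer count vs. drawer tape total.
        return {
            "expected": self.running_total,
            "counted": counted,
            "discrepancy": counted - self.running_total,
        }
```

A non-zero discrepancy is the detection signal; supervision (a second person verifying the count) and visibility are what the model relies on instead of authenticating the operator.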

Non-Properties

• Authentication
 – Visibility and supervision used instead

• Data integrity
 – Transactionality used instead

• Authorization
 – Accountability used instead

• Confidentiality
 – Not required

Why don’t we design secure information systems like this?

• We’re computer scientists and don’t like special-purpose systems?

• We like artifacts rather than processes?

• We love cryptography?

• We are unafraid of complexity?

• We’ve overgeneralized the security problem?

• There’s not enough at stake?

• Some problems aren’t amenable to this approach?

Could our systems look more like this?

• Of course…

• In fact, our customers use the artifacts we produce to design systems which DO look like this
 – often working against the properties we’ve built into the artifacts

Example: accountable, reconcilable transaction

[Diagram: a signed offer and a signed acceptance, each carrying a verification key, presented to two viewers and tied together by a correlator that writes to a ledger]
