information security in open systems
DESCRIPTION
OpenBSD meeting (invited), Coimbra 2007 It was my intent in this talk to bring a discussion on current enforcement of Information Security and the issues arising from its path from academia, to industry, to the user.TRANSCRIPT
![Page 2: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/2.jpg)
What this will not be about...
• ... a study of security and cryptography in OpenBSD...
• ... I know too little to make any serious comment on the subject
![Page 3: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/3.jpg)
What this will not be about...
• ... a study of security and cryptography in OpenBSD...
• ... I know too little to make any serious comment on the subject
![Page 4: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/4.jpg)
What this will not be about
• curves suitable for identity based cryptography
• algebraic attacks on AES
• breaks on SHA-1, SHA-0, MD5
![Page 5: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/5.jpg)
What this will not be about
• curves suitable for identity based cryptography
• algebraic attacks on AES
• breaks on SHA-1, SHA-0, MD5
![Page 6: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/6.jpg)
What this will be about
• A light chat regarding the security paradigm and state of situation, from the academia to software developers and users
• WARNING... I am at the most abstract corner you can think of
![Page 7: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/7.jpg)
Things that get me thinking
• “So say I want a good security software - what should I choose / where should I look at?”
• “How do I know that it is safe to use my credit card with site X?”
• “... does that mean it’s not safe? Have they broken cryptography?”
![Page 8: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/8.jpg)
The Babel Tower
The researchers
The specs writers
The developers
The admins
The users
![Page 9: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/9.jpg)
The Babel Tower
The researchers
The specs writers
The developers
The admins
The users
![Page 10: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/10.jpg)
Things slip through the creases
• Phong Nguyen’s look at GPG in 2003 revealed compromised ElGamal keys (when sign+encrypt was used)
• Arnold Yau and Kenny Patterson’s attacks on IPsec via lack of authentication/integrity protection
![Page 11: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/11.jpg)
Are attacks realistic?
• For many it’s debatable. Cryptographers look at the worst case scenario... take “chosen ciphertext attacks”, for example
• And then comes efficiency, flexibility, backward-compatibility
• ... confusing warnings...
• ... still, Murphy’s law
![Page 12: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/12.jpg)
Good things about open systems
• audit, peer-reviews, source code availability...
• does not necessarily mean that it is
• ... and more important still, by the “experts”
![Page 13: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/13.jpg)
the present and future
• Information security is turning more and more into management that IT: protocols, directives
• ... which are not always clear (take IPsec series of RFCs, for example)
• Schneier’s recent article speaks of a shift from apps to services
![Page 14: Information Security in Open Systems](https://reader034.vdocuments.us/reader034/viewer/2022051818/54943e99b47959424d8b4a86/html5/thumbnails/14.jpg)
Questions?More importantly,
discussion...