June 2008

Special report on Eurosec 2007 in Paris

Interview: John O'Leary
Director of Educational Programs, CSI
(Computer Security Institute) Plano, Texas

John, thank you for this interview. You know that we are always pleased to record each year your viewpoints on the evolution of computer security. Two years ago you talked about the RFID coming out, then last year on Social Engineering and this year you devised a set of 3 topics, namelly Encryption, Security Analysis and finaly the idea of a « Flat World ». Is this a shift to more didactic topics ? Some sort ?

John O’Leary : Thank you Bertrand. It is not a shift, but a reorientation to what the EuroSec organizers and attendees need in terms of  topics of concern. Encryption for instance is a good technology to control privacy ; necessary, but not a perfect solution. Like any other controls it has its own problems. And it is not the only control existing. So we had to talk about it.

Encrytion is something many experts know deeply but what does it mean to our neophyte readers ? (some are)

John O’Leary : If  we look at Encryption in term of a network security a few words come to the mind : Availability, Integrity, Confidentiality. Which means that first the information must be available, then that we can trust in that information (so what we put in is what we get out, and  this is Integrity), and finaly Confidentiality, which means that only the appropriate people have the appropriate access to the information. This is what we usualy do with encoded messages that can be deciphered only by the one who has the "Key".

Does it realy work ?

John O’Leary : Encryption address Confidentiality well since that is what it was invented for. From the very early days of encryption, it worked. Today with Digital Signature using Public Key cryptography, encryption can also have a role in Integrity (for instance no one will be able to change the content because only appropriate people have carefully defined and restricted access when they use the appropriate key. So with digital signature and Public Key Cryptography, Encryption can augment Integrity, but Encryption itself does nothing positive for Availability.

May we focus on this last concept ? Do you mean thta Encryption make things less readily available ?

John O’Leary : Encryption is an extra step which takes computer cycles and produces its output that is usualy larger than the input, therefore it consumes resources, in this case – computer cycles- and even more cycles whenever  we have to decrypt. Therefore, it can have a negative effect on the Availability of network processing devices and information.

But the fact that we know that only the appropriate people will get the appropriate information with the appropriate key allows us to display encrypted documents on websites, so in a way it helps the information to be available to the right people ?  

John O’Leary : Right, in this way Encrytion also allows us to put information in easily accessible places which can help Availability. Even sensitive data can be put in encrypted Public Data Bases. 

With a protocol such as PGP (Pretty Good Privacy) the naming itself suggests that it might not be totaly good... Is Encryption definitly subject to pitfalls ?

John O’Leary : Encryption /Decryption takes time so it is not perfect. But the important fact is that no encrypted document cannot stay unbroken provided that you have time enough to break it. There is an assertion by Edgard Alan Poe which reads « the human mind has never concocted a Cipher which the human mind cannot Decipher.» Some human is going to be able to break it some day, maybe by concerted effort, maybe even by accident

So it means  that from any obscure document, a man can come out with some light and I suppose that this assertion by an author that has been the first to question why nights were black has some relevance in the field.

John O’Leary : Right, but just a few people know it.

Judge Jean Louis Bruguière talked about terrorism and this is where Privacy can also be dangerous. We think of orders written by terrorists…

John O’Leary : PGP (Pretty Good Privacy) can be dangerous because it is too good ! PGP can use strong encryption which means that the Cipher is difficult to break. As information is time sensitive, if it takes a long time to break a strong encrypted cipher it can make it impossible to break the code in a limited time : if 10 years is necessary and you have only 2 days, it becomes effectively unbreakable. So it is dangerous [if your authorities cannot easily break a code used by terrorists]. Today, Public Key Cryptography usually uses the RSA protocol (algorithm published 7 years ago by RSA) that is very difficult to break (today even if you have the algorithm it is difficult to break it). It is therefore dangerous because anyone can freely download it and use it. On the other hand some graduate somewhere or some defense worker in China someday may be able to break in, and then every document encrypted with this algorithm will become breakable. [So there must exist some balance between the ability to break into documents related to unlawfull activities and the necessary privacy that businesses and private citizens need against intruders, including overly nosy governments].

Do you think that authorities shoud be able to break any encrypted data ?

John O’Leary : Not necesserily! I would like authorities to break potentialy dangerous messages before a terrorist attack. But I would not like the idea of authorities allowed to read private and corporate data (exemple : medical records). We have already some problem of this kind with RFID for instance. But I have no answer for that problem today, because if you don’t know what is in a document you cannot know in which case you are...

You mean documents on the internet mail boxes or strings of data on the cell phone network ?

John O’Leary : …. Potentially, all of them. Bernard, this is why privacy vs. Security becomes such a complex and delicate issue. The possibility of a government agency going too far with intrusions into personal information is very real, but so too are the possibilities of terrorists hiding plans that, if carried out, could harm people and national infrastructures. Finding the correct balance point is very difficult.

So the issue still remains. Do we have any other drawbacks or backlash with encryption ?

John O’Leary : One [as we said]  is Complexity.  Another one is the fact that the entire procedure is risky for the user. Many things can go wrong. Let’s suppose that I forget the Key... or that a software virus modified the encryption code. This can make the encryted documents locked. [Remember that you encrypt with the Public Key and you decipher with the Private Key]. It’s almost as if every body could slam a door and that just the guy with the key could reopen it ! So this leads to a strong problem - management of security. Someone "has" to manage it. Where are the keys, who has the keys, who does what etc...

We heard about third party. What is that ?

John O’Leary : You can use an external firm (third party) or manage elements of security internally. A Third party will cost you money and you must trust them. And you must know how to secure your procedures. So you must check that they are secure. [Who will do that ? Another third party ?]. It is almost like russian dolls. You will sometimes hire a fourth party to do a security review on the 3rd party.

Are States the ultimate party that can secure the whole system as most people tend to suggest (especialy when they are civil servants) ?

John O’Leary : The image of russian dolls holds and I am concerned and dubious of State control in the ultimate stage of this control set. Maybe it is someone private party that has to guarantee the safety and [this private party] must prove its trustworthiness . I prefer this to having State control. Very few want the State to control. Certainly no democracy wants it. For some, that might seem to produce a market opportunity for trusted private experts.

Like auditors that are professionnals person fully responsible for themselves, and somehow more responsible than their company ?

John O’Leary : Auditors would fit into this, but if they are internal auditors for one company, they wouldn’t necessarily be suitable for some other company

Finaly john, what can we say on the two other topics, Security Analysis and finaly the idea of a « Flat World », you talked about ?

John O’Leary : On Security analysis, we must all realize that the world we operate in has real dangers, but we cannot afford to cripple our organizations’ activities by imposing overly restrictive security. Effective security analysis evaluates the threats in terms of the organization’s environment and focuses on those threats that would cause most damage. Security analysis also includes preparing to handle and recover from an attack or some other security-related incident, since we can never be sure of preventing every attack.

The "Flat World" comes from the title of a book by Thomas Friedman. His thesis in the book is that the connectivity technologies that are in use all around the world today have made the business world "flatter" than it has ever been. By this he means that even a small startup company in Malaysia or Ecuador can compete realistically with French or American or Japanese companies for specific business oportunities. My issue is the security of these technologies. If we don’t carefully monitor and implement all appropriate security controls, the flat world can be a very dangerous place

So we come now to the conclusion. A very last word ?

John O’Leary : Enough words from me. I hope your readers develop and implement realistic security for their organizations.

Words collected by Bertrand Villeret
Editor in chief, Consultingnewsline
Partner to Eurosec 2007

To know more:
Computer Security Institute, Covington Lane, Plano Texas USA

John O'Leary

Copyright Quantorg  2008
pour ConsultingNewsLine
All rights reserved
Reproduction interdite

John O'Leary


Eurosec 2007