RE: Security Use Requirements

[Black_David@emc.com]

I'm not Scott, but some of Doug's comments deserve a rather
blunt response:

> If there is 'required to implement' security that is later found
compromised
> by a man in the middle or through a spoofing mechanism, would such a
mandate
> in the end ensure an open door for those familiar with this 'required to
> provide' security weakness?  Could you recommend a security scheme that is
> safe from this type of attack?

There's no such thing as a perfect security mechanism that is secure from
all attacks for all time.  The reason for using off-the-shelf mechanisms
like
IPSec and TLS is that peer review in the security community has eliminated
not only all of the obvious problems, but also all of the non-obvious ones
that
have turned up.  Asking for a mechanism that is guaranteed to be immune
from all possible attacks is a veiled argument for no security, and is hence
nonsense.

Assuming that keys that are supposed to remain secret do remain secret,
TLS and IPSec are safe from all of the obvious man-in-the-middle attacks
*when properly configured* and are likewise safe from the obvious
spoofing attacks provided that the key distribution mechanism used
works correctly (which can be a tall assumption).  In some cases,
other components also need to be secured, for example, if DNS
names are used as identities, DNS may have to be secured via
something like DNSSEC depending on how DNS is used.

Both IPsec and TLS are frameworks into which various encryption and hash
algorithms can be inserted, so evolution away from algorithms in which
weaknesses are discovered is possible over time (and furthermore is left
in the hands of the security experts who are in the best position to make
these judgements).

> Could security mandates be limited to user authentication and
authorization?
> Compression-Encryptions passes are computationally expensive processes
that
> offer little benefit in many configurations.  If there is a mandated
> security, cryptographic resources should be limited to authentication.

Unfortunately, the answer is "no" if the desire is to avoid computationally
expensive operations on each message exchanged after connection
setup.  The problem is that in order to do authentication sufficient
for a public network, cryptographic integrity is required on the connection
to
avoid well known hijack attacks on TCP (after authentication, the adversary
hijacks the connection by taking over one end of it - attack scripts are
readily
available for this).  The algorithms for cryptographic integrity (e.g., used
to
compute HMACs) tend to be computationally expensive (as much as
encryption, if not moreso), and my current understanding is that unlike
the transition from 3DES to AES/Rijndael that reduces the computational
overhead of encryption, no such overhead reduction is in sight for the
hash algorithms used for integrity (e.g., SHA-1).

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------