Security Engineering

Preface
For generations, people have defined and protected their property and their privacy
using locks, fences, signatures, seals, account books, and meters. These have been supported by a host of social constructs ranging from international treaties through national laws to manners and customs.
This is changing, and quickly. Most records are now electronic, from bank accounts
to registers of real property; and transactions are increasingly electronic, as shopping
moves to the Internet. Just as important, but less obvious, are the many everyday systems that have been quietly automated. Burglar alarms no longer wake up the neighborhood, but send silent messages to the police; students no longer fill their dormitory
washers and dryers with coins, but credit them using a smartcard they recharge at the
college bookstore; locks are no longer simple mechanical affairs, but are operated by
electronic remote controls or swipe cards; and instead of renting videocassettes, millions of people get their movies from satellite or cable channels. Even the humble
banknote is no longer just ink on paper, but may contain digital watermarks that enable
many forgeries to be detected by machine.
How good is all this new security technology? Unfortunately, the honest answer is
“nowhere near as good as it should be.” New systems are often rapidly broken, and the
same elementary mistakes are repeated in one application after another. It often takes
four or five attempts to get a security design right, and that is far too many.
The media regularly report security breaches on the Internet; banks fight their customers over “phantom withdrawals” from cash machines; VISA reports huge increases
in the number of disputed Internet credit card transactions; satellite TV companies
hound pirates who copy their smartcards; and law enforcement agencies try to stake
out territory in cyberspace with laws controlling the use of encryption. Worse still,
features interact. A mobile phone that calls the last number again if one of the keys is
pressed by accident may be just a minor nuisance—until someone invents a machine

that dispenses a can of soft drink every time its phone number is called. When all of a
sudden you find 50 cans of Coke on your phone bill, who is responsible, the phone
company, the handset manufacturer, or the vending machine operator? Once almost
every electronic device that affects your life is connected to the Internet—which Microsoft expects to happen by 2010—what does ‘Internet security’ mean to you, and
how do you cope with it?
As well as the systems that fail, many systems just don’t work well enough. Medical
record systems don’t let doctors share personal health information as they would like,
but still don’t protect it against inquisitive private eyes. Zillion-dollar military systems
prevent anyone without a “top secret” clearance from getting at intelligence data, but
are often designed so that almost everyone needs this clearance to do any work. Passenger ticket systems are designed to prevent customers cheating, but when trustbusters break up the railroad, they cannot stop the new rail companies cheating each other.



Many of these failures could have been foreseen if designers had just a little bit more
knowledge of what had been tried, and had failed, elsewhere.
Security engineering is the new discipline that is starting to emerge out of all this
chaos.
Although most of the underlying technologies (cryptology, software reliability, tamper resistance, security printing, auditing, etc.) are relatively well understood, the
knowledge and experience of how to apply them effectively is much scarcer. And since
the move from mechanical to digital mechanisms is happening everywhere at once,
there just has not been time for the lessons learned to percolate through the engineering
community. Time and again, we see the same old square wheels being reinvented.
The industries that have managed the transition most capably are often those that
have been able to borrow an appropriate technology from another discipline. Examples
include the reuse of technology designed for military identify-friend-or-foe equipment
in bank cash machines and even prepayment gas meters. So even if a security designer
has serious expertise in some particular speciality—whether as a mathematician working with ciphers or a chemist developing banknote inks—it is still prudent to have an
overview of the whole subject. The essence of good security engineering is understanding the potential threats to a system, then applying an appropriate mix of protective measures—both technological and organizational—to control them. Knowing what
has worked, and more importantly what has failed, in other applications is a great help
in developing judgment. It can also save a lot of money.
The purpose of this book is to give a solid introduction to security engineering, as
we understand it at the beginning of the twenty-first century. My goal is that it works
at four different levels:

• As a textbook that you can read from one end to the other over a few days as
an introduction to the subject. The book is to be used mainly by the working
IT professional who needs to learn about the subject, but it can also be used in
a one-semester course in a university.
• As a reference book to which you can come for an overview of the workings of some particular type of system. These systems include cash machines, taxi meters, radar jammers, anonymous medical record databases, and so on.
• As an introduction to the underlying technologies, such as crypto, access control, inference control, tamper resistance, and seals. Space prevents me from going into great depth; but I provide a basic road map for each subject, plus a reading list for the curious (and a list of open research problems for the prospective graduate student).
• As an original scientific contribution in which I have tried to draw out the common principles that underlie security engineering, and the lessons that people building one kind of system should have learned from others. In the many years I have been working in security, I keep coming across these. For example, a simple attack on stream ciphers wasn't known to the people who designed a common antiaircraft fire control radar, so it was easy to jam; while a trick well known to the radar community wasn't understood by banknote printers and people who design copyright marking schemes, which led to a quite general attack on most digital watermarks.



I have tried to keep this book resolutely mid-Atlantic; a security engineering book
has to be, as many of the fundamental technologies are American, while many of the
interesting applications are European. (This isn’t surprising given the better funding of
U.S. universities and research labs, and the greater diversity of nations and markets in
Europe.) What’s more, many of the successful European innovations—from the smartcard to the GSM mobile phone to the pay-per-view TV service—have crossed the Atlantic and now thrive in the Americas. Both the science and the case studies are necessary.
This book grew out of the security engineering courses I teach at Cambridge University, but I have rewritten my notes to make them self-contained and added at least as
much material again. It should be useful to the established professional security manager or consultant as a first-line reference; to the computer science professor doing
research in cryptology; to the working police detective trying to figure out the latest
computer scam; and to policy wonks struggling with the conflicts involved in regulating cryptography and anonymity. Above all, it is aimed at Dilbert. My main audience
is the working programmer or engineer who is trying to design real systems that will
keep on working despite the best efforts of customers, managers, and everybody else.
This book is divided into three parts.
• The first looks at basic concepts, starting with the central concept of a security protocol, and going on to human-computer interface issues, access controls, cryptology, and distributed system issues. It does not assume any particular technical background other than basic computer literacy. It is based on an Introduction to Security course that I teach to second-year undergraduates.
• The second part looks in much more detail at a number of important applications, such as military communications, medical record systems, cash machines, mobile phones, and pay-TV. These are used to introduce more of the advanced technologies and concepts. It also considers information security from the viewpoint of a number of different interest groups, such as companies, consumers, criminals, police, and spies. This material is drawn from my senior course on security, from research work, and from experience consulting.
• The third part looks at the organizational and policy issues: how computer security interacts with law, with evidence, and with corporate politics; how we can gain confidence that a system will perform as intended; and how the whole business of security engineering can best be managed.
I believe that building systems that continue to perform robustly in the face of malice is one of the most important, interesting, and difficult tasks facing engineers in the
twenty-first century.
Ross Anderson
Cambridge, January 2001



About the Author
Why should I have been the person to write this book? Well, I seem to have accumulated the right mix of experience and qualifications over the last 25 years. I graduated
in mathematics and natural science from Cambridge (England) in the 1970s, and got a
qualification in computer engineering; my first proper job was in avionics; and I became interested in cryptology and computer security in the mid-1980s. After working
in the banking industry for several years, I started doing consultancy for companies
that designed equipment for banks, and then working on other applications of this
technology, such as prepayment electricity meters.
I moved to academia in 1992, but continued to consult to industry on security technology. During the 1990s, the number of applications that employed cryptology rose
rapidly: burglar alarms, car door locks, road toll tags, and satellite TV encryption systems all made their appearance. As the first legal disputes about these systems came
along, I was lucky enough to be an expert witness in some of the important cases. The
research team I lead had the good fortune to be in the right place at the right time when
several crucial technologies, such as tamper resistance and digital watermarking, became hot topics.
By about 1996, it started to become clear to me that the existing textbooks were too
specialized. The security textbooks focused on the access control mechanisms in operating systems, while the cryptology books gave very detailed expositions of the design
of cryptographic algorithms and protocols. These topics are interesting, and important. However, they are only part of the story. Most system designers are not overly concerned with crypto or operating system internals, but with how to use these tools effectively. They are quite right in this, as the inappropriate use of mechanisms is one of
the main causes of security failure. I was encouraged by the success of a number of
articles I wrote on security engineering (starting with “Why Cryptosystems Fail” in
1993); and the need to teach an undergraduate class in security led to the development
of a set of lecture notes that made up about half of this book. Finally, in 1999, I got
round to rewriting them for a general technical audience.
I have learned a lot in the process; writing down what you think you know is a good
way of finding out what you don’t. I have also had a lot of fun. I hope you have as
much fun reading it!



Foreword
In a paper he wrote with Roger Needham, Ross Anderson coined the phrase “programming Satan’s computer” to describe the problems faced by computer-security engineers. It’s the sort of evocative image I’ve come to expect from Ross, and a phrase
I’ve used ever since.
Programming a computer is straightforward: keep hammering away at the problem
until the computer does what it’s supposed to do. Large application programs and operating systems are a lot more complicated, but the methodology is basically the same.
Writing a reliable computer program is much harder, because the program needs to
work even in the face of random errors and mistakes: Murphy’s computer, if you will.
Significant research has gone into reliable software design, and there are many mission-critical software applications that are designed to withstand Murphy’s Law.
Writing a secure computer program is another matter entirely. Security involves
making sure things work, not in the presence of random faults, but in the face of an
intelligent and malicious adversary trying to ensure that things fail in the worst possible way at the worst possible time ... again and again. It truly is programming Satan’s
computer.
Security engineering is different from any other kind of programming. It’s a point I
made over and over again: in my own book, Secrets and Lies, in my monthly newsletter Crypto-Gram, and in my other writings. And it’s a point Ross makes in every
chapter of this book. This is why, if you’re doing any security engineering ... if you’re
even thinking of doing any security engineering, you need to read this book. It’s the
first, and only, end-to-end modern security design and engineering book ever written.
And it comes just in time. You can divide the history of the Internet into three
waves. The first wave centered around mainframes and terminals. Computers were expensive and rare. The second wave, from about 1992 until now, centered around personal computers, browsers, and large application programs. And the third, starting
now, will see the connection of all sorts of devices that are currently in proprietary
networks, standalone, and non-computerized. By 2003, there will be more mobile
phones connected to the Internet than computers. Within a few years we’ll see many of
the world’s refrigerators, heart monitors, bus and train ticket dispensers, burglar
alarms, and electricity meters talking IP. Personal computers will be a minority player
on the Internet.
Security engineering, especially in this third wave, requires you to think differently.
You need to figure out not how something works, but how something can be made to
not work. You have to imagine an intelligent and malicious adversary inside your system (remember Satan’s computer), constantly trying new ways to subvert it. You have
to consider all the ways your system can fail, most of them having nothing to do with
the design itself. You have to look at everything backwards, upside down, and sideways. You have to think like an alien.
As the late great science fiction editor John W. Campbell said: “An alien thinks as
well as a human, but not like a human.” Computer security is a lot like that. Ross is



one of those rare people who can think like an alien, and then explain that thinking to
humans. Have fun reading.
Bruce Schneier
January 2001



Acknowledgments
A great many people have helped in various ways with this book. I probably owe the
greatest thanks to those who read the manuscript (or a large part of it) looking for errors and obscurities. They were Anne Anderson, Ian Brown, Nick Bohm, Richard
Bondi, Caspar Bowden, Richard Clayton, Steve Early, Rich Graveman, Markus Kuhn,
Dan Lough, David MacKay, John McHugh, Bob Morris, Roger Needham, Jerry Saltzer, Marv Schaefer, Karen Spärck Jones and Frank Stajano. Much credit also goes to
my editor, Carol Long, who (among many other things) went through the first six
chapters and coached me on the style appropriate for a professional (as opposed to
academic) book. At the proofreading stage, I got quite invaluable help from Carola
Bohm, Mike Bond, Richard Clayton, George Danezis, and Bruce Godfrey.
A large number of subject experts also helped me with particular chapters or sections. Richard Bondi helped me refine the definitions in Chapter 1; Jianxin Yan, Alan
Blackwell and Alasdair Grant helped me investigate the applied psychology aspects of
passwords; John Gordon and Sergei Skorobogatov were my main sources on remote
key entry devices; Whit Diffie and Mike Brown on IFF; Steve Early on Unix security
(although some of my material is based on lectures given by Ian Jackson); Mike Roe,
Ian Kelly, Paul Leyland, and Fabien Petitcolas on the security of Windows NT4 and
Win2K; Virgil Gligor on the history of memory overwriting attacks, and on mandatory
integrity policies; and Jean Bacon on distributed systems. Gary Graunke told me the
history of protection in Intel processors; Orr Dunkelman found many bugs in a draft of
the crypto chapter and John Brazier pointed me to the Humpty Dumpty quote.
Moving to the second part of the book, the chapter on multilevel security was much
improved by input from Jeremy Epstein, Virgil Gligor, Jong-Hyeon Lee, Ira Moskowitz, Paul Karger, Rick Smith, Frank Stajano, and Simon Wiseman, while Frank also
helped with the following two chapters. The material on medical systems was originally developed with a number of people at the British Medical Association, most notably Fleur Fisher, Simon Jenkins, and Grant Kelly. Denise Schmandt-Besserat taught
the world about bullae, which provided the background for the chapter on banking
systems; that chapter was also strengthened by input from Fay Hider and Willie List.
The chapter on alarms contains much that I was taught by Roger Needham, Peter Dean,
John Martin, Frank Clish, and Gary Geldart. Nuclear command and control systems are
much the brainchild of Gus Simmons; he and Bob Morris taught me much of what’s in
that chapter.
Sijbrand Spannenburg reviewed the chapter on security printing; and Roger Johnston
has taught us all an enormous amount about seals. John Daugman helped polish the
chapter on biometrics, as well as inventing iris scanning which I describe there. My
tutors on tamper resistance were Oliver Kömmerling and Markus Kuhn; Markus also
worked with me on emission security. I had substantial input on electronic warfare
from Mike Brown and Owen Lewis. The chapter on phone fraud owes a lot to Duncan
Campbell, Richard Cox, Rich Graveman, Udi Manber, Andrew Odlyzko and Roy
Paterson. Ian Jackson contributed some ideas on network security. Fabien Petitcolas



‘wrote the book’ on copyright marking, and helped polish my chapter on it. Johann
Bezuidenhoudt made perceptive comments on both phone fraud and electronic commerce, while Peter Landrock gave valuable input on bookkeeping and electronic commerce systems. Alistair Kelman was a fount of knowledge on the legal aspects of
copyright; and Hal Varian kept me straight on matters of economics, and particularly
the chapters on e-commerce and assurance.
As for the third part of the book, the chapter on e-policy was heavily influenced by
colleagues at the Foundation for Information Policy Research, notably Caspar Bowden,
Nick Bohm, Fleur Fisher, Brian Gladman, Ian Brown, Richard Clayton—and by the
many others involved in the fight, including Whit Diffie, John Gilmore, Susan Landau,
Brian Omotani and Mark Rotenberg. The chapter on management benefited from input
from Robert Brady, Jack Lang, and Willie List. Finally, my thinking on assurance has
been influenced by many people, including Robin Ball, Robert Brady, Willie List, and
Robert Morris.
There were also many people over the years who taught me my trade. The foremost
of them is Roger Needham, who was my thesis advisor; but I also learned a lot from
hundreds of engineers, programmers, auditors, lawyers, and policemen with whom I
worked on various consultancy jobs over the last 15 years. Of course, I take the rap for
all the remaining errors and omissions.
Finally, I owe a huge debt to my family, especially to my wife Shireen for putting up
with over a year in which I neglected household duties and was generally preoccupied.
Daughter Bavani and dogs Jimmy, Bess, Belle, Hobbes, Bigfoot, Cat, and Dogmatix
also had to compete for a diminished quantum of attention, and I thank them for their
forbearance.



Legal Notice
I cannot emphasize too strongly that the tricks taught in this book are intended only to
enable you to build better systems. They are not in any way given as a means of helping you to break into systems, subvert copyright protection mechanisms, or do anything else unethical or illegal.
Where possible I have tried to give case histories at a level of detail that illustrates
the underlying principles without giving a “hacker’s cookbook.”

Should This Book Be Published at All?
There are people who believe that the knowledge contained in this book should not be
published. This is an old debate; in previous centuries, people objected to the publication of books on locksmithing, on the grounds that they were likely to help the bad
guys more than the good guys.
I think that these fears are answered in the first book in English that discussed
cryptology. This was a treatise on optical and acoustic telegraphy written by Bishop
John Wilkins in 1641 [805]. He traced scientific censorship back to the Egyptian
priests who forbade the use of alphabetic writing on the grounds that it would spread
literacy among the common people and thus foster dissent. As he said:
It will not follow that everything must be suppresst which may be abused... If all those
useful inventions that are liable to abuse should therefore be concealed there is not
any Art or Science which may be lawfully profest.
The question was raised again in the nineteenth century, when some well-meaning
people wanted to ban books on locksmithing. A contemporary writer on the subject
replied [750]:
Many well-meaning persons suppose that the discussion respecting the means for
baffling the supposed safety of locks offers a premium for dishonesty, by showing
others how to be dishonest. This is a fallacy. Rogues are very keen in their profession,
and already know much more than we can teach them respecting their several kinds of
roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed
it among themselves ... if there be harm, it will be much more than counterbalanced by
good.
These views have been borne out by long experience since. As for me, I worked for
two separate banks for three and a half years on cash machine security, but I learned
significant new tricks from a document written by a convicted card fraudster that circulated in the U.K. prison system. Many government agencies are now coming round
to this point of view. It is encouraging to see, for example, that the U.S. National Security Agency has published the specifications of the encryption algorithm (Skipjack) and
the key management protocol (KEA) used to protect secret U.S. government traffic.



Their judgment is clearly that the potential harm done by letting the Iraqis use a decent
encryption algorithm is less than the good that will be done by having commercial off-the-shelf software compatible with Federal encryption standards.
In short, while some bad guys will benefit from a book such as this, they mostly
know the tricks already, and the good guys will benefit much more.





Further Acknowledgments for
the Second Edition

Many of the folks who helped me with the first edition have also helped
update the same material this time. In addition, I’ve had useful input, feedback
or debugging assistance from Edmond Alyanakian, Johann Bezuidenhoudt,
Richard Clayton, Jolyon Clulow, Dan Cvrcek, Roger Dingledine, Saar Drimer,
Mike Ellims, Dan Geer, Gary Geldart, Wendy Grossman, Dan Hagon, Feng
Hao, Roger Johnston, Markus Kuhn, Susan Landau, Stephen Lewis, Nick
Mathewson, Tyler Moore, Steven Murdoch, Shishir Nagaraja, Roger Nebel,
Andy Ozment, Mike Roe, Frank Stajano, Mark Staples, Don Taylor, Marc
Tobias, Robert Watson and Jeff Yan. The members of our security group
in Cambridge, and the Advisory Council of the Foundation for Information
Policy Research, have been an invaluable sounding-board for many ideas. And
I am also grateful to the many readers of the first edition who pointed out
typos and other improvements: Piotr Carlson, Peter Chambers, Nick Drage,
Austin Donnelly, Ben Dougall, Shawn Fitzgerald, Paul Gillingwater, Pieter
Hartel, David Håsäther, Konstantin Hyppönen, Oliver Jorns, Markus Kuhn,
Garry McKay, Joe Osborne, Avi Rubin, Sam Simpson, M Taylor, Peter Taylor,
Paul Thomas, Nick Volenec, Randall Walker, Keith Willis, Stuart Wray and
Stefek Zaba.




Legal Notice

I cannot emphasize too strongly that the tricks taught in this book are intended
only to enable you to build better systems. They are not in any way given as
a means of helping you to break into systems, subvert copyright protection
mechanisms, or do anything else unethical or illegal.
Where possible I have tried to give case histories at a level of detail that
illustrates the underlying principles without giving a ‘hacker’s cookbook’.

Should This Book Be Published at All?
There are people who believe that the knowledge contained in this book
should not be published. This is an old debate; in previous centuries, people
objected to the publication of books on locksmithing, on the grounds that they
were likely to help the bad guys more than the good guys.
I think that these fears are answered in the first book in English that
discussed cryptology. This was a treatise on optical and acoustic telegraphy
written by Bishop John Wilkins in 1641 [805]. He traced scientific censorship
back to the Egyptian priests who forbade the use of alphabetic writing on the
grounds that it would spread literacy among the common people and thus
foster dissent. As he said:
It will not follow that everything must be suppresst which may be abused. . .
If all those useful inventions that are liable to abuse should therefore be
concealed there is not any Art or Science which may be lawfully profest.
The question was raised again in the nineteenth century, when some well-meaning people wanted to ban books on locksmithing. A contemporary writer
on the subject replied [750]:
Many well-meaning persons suppose that the discussion respecting the
means for baffling the supposed safety of locks offers a premium for
dishonesty, by showing others how to be dishonest. This is a fallacy.
Rogues are very keen in their profession, and already know much more
than we can teach them respecting their several kinds of roguery. Rogues
knew a good deal about lockpicking long before locksmiths discussed
it among themselves . . . if there be harm, it will be much more than
counterbalanced by good.
These views have been borne out by long experience since. As for me, I
worked for two separate banks for three and a half years on cash machine
security, but I learned significant new tricks from a document written by
a convicted card fraudster that circulated in the U.K. prison system. Many
government agencies are now coming round to this point of view. It is
encouraging to see, for example, that the U.S. National Security Agency has
published the specifications of the encryption algorithm (Skipjack) and the key
management protocol (KEA) used to protect secret U.S. government traffic.
Their judgment is clearly that the potential harm done by letting the Iraqis
use a decent encryption algorithm is less than the good that will be done by
having commercial off-the-shelf software compatible with Federal encryption
standards.
In short, while some bad guys will benefit from a book such as this, they
mostly know the tricks already, and the good guys will benefit much more.


Security Engineering: A Guide to Building Dependable Distributed Systems

PART One
In this section of the book, I cover the basics of security engineering technology.
The first chapter sets out to define the subject matter by giving an overview of the
secure distributed systems found in four environments: a bank, an air force base, a
hospital, and the home. The second chapter is on security protocols, which lie at
the heart of the subject: they specify how the players in a system—whether people,
computers, or other electronic devices—communicate with each other. The third,
on passwords and similar mechanisms, looks in more detail at a particularly simple
kind of security protocol that is widely used to authenticate people to computers,
and provides the foundation on which many secure systems are built.
The next two chapters are on access control and cryptography. Even once a client (be it a phone, a PC, or whatever) has authenticated itself satisfactorily to a
server—whether with a password or a more elaborate protocol—we still need
mechanisms to control which data it can read or write on the server, and which
transactions it can execute. It is simplest to examine these issues first in the context of a single centralized system (access control) before we consider how they
can be implemented in a more distributed manner using multiple servers, perhaps
in different domains, for which the key enabling technology is cryptography.
Cryptography is the art (and science) of codes and ciphers. It is much more than a
technical means for keeping messages secret from an eavesdropper. Nowadays it is
largely concerned with authenticity and management issues: “taking trust from
where it exists to where it’s needed” [535].
The final chapter in this part is on distributed systems. Researchers in this field
are interested in topics such as concurrency control, fault tolerance, and naming.
These take on subtle new meanings when systems must be made resilient against
malice as well as against accidental failure. Using old data—replaying old transactions or reusing the credentials of a user who has left some time ago—is a serious problem, as is the multitude of names by which people are known to different
systems (email addresses, credit card numbers, subscriber numbers, etc.). Many
system failures are due to a lack of appreciation of these issues.
Most of the material in these chapters is standard textbook fare, and the chapters
are intended to be pedagogic rather than encyclopaedic, so I have not put in as many citations as in the rest of the book. I hope, however, that even experts will
find some of the case studies of value.


CHAPTER 1
What Is Security Engineering?

Out of the crooked timber of humanity, no straight thing was ever made
—IMMANUEL KANT
The world is never going to be perfect, either on- or offline; so let’s not set impossibly
high standards for online
—ESTHER DYSON

Security engineering is about building systems to remain dependable in the face of
malice, error, or mischance. As a discipline, it focuses on the tools, processes, and
methods needed to design, implement, and test complete systems, and to adapt existing
systems as their environment evolves.
Security engineering requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance and formal methods to
a knowledge of applied psychology, organizational and audit methods and the law.
System engineering skills, from business process analysis through software engineering to evaluation and testing, are also important; but they are not sufficient, as they
deal only with error and mischance rather than malice.
Many security systems have critical assurance requirements. Their failure may endanger human life and the environment (as with nuclear safety and control systems), do
serious damage to major economic infrastructure (cash machines and other bank systems), endanger personal privacy (medical record systems), undermine the viability of
whole business sectors (pay-TV), and facilitate crime (burglar and car alarms). Even
the perception that a system is more vulnerable than it really is (as with paying with a
credit card over the Internet) can significantly hold up economic development.
The conventional view is that while software engineering is about ensuring that certain things happen (“John can read this file”), security is about ensuring that they don’t
(“The Chinese government can’t read this file”). Reality is much more complex. Security requirements differ greatly from one system to another. One typically needs some
combination of user authentication, transaction integrity and accountability, fault-tolerance, message secrecy, and covertness. But many systems fail because their designers protect the wrong things, or protect the right things but in the wrong way.
In order to see the range of security requirements that systems have to deliver, we
will now take a quick look at four application areas: a bank, an air force base, a hospital, and the home. Once we have given some concrete examples of the kind of protection that security engineers are called on to provide, we will be in a position to attempt
some definitions.

1.1 Example 1: A Bank
Banks operate a surprisingly large range of security-critical computer systems:
• The core of a bank’s operations is usually a branch bookkeeping system. This keeps customer account master files plus a number of journals that record the
day’s transactions. The main threat to this system is the bank’s own staff;
about one percent of bankers are fired each year, mostly for petty dishonesty
(the average theft is only a few thousand dollars). The main defense comes
from bookkeeping procedures that have evolved over centuries. For example,
each debit against one account must be matched by an equal and opposite
credit against another; so money can only be moved within a bank, never created or destroyed. In addition, large transfers of money might need two or
three people to authorize them. There are also alarm systems that look for unusual volumes or patterns of transactions, and staff are required to take regular
vacations during which they have no access to the bank’s premises or systems.
• The public face of the bank is its automatic teller machines. Authenticating
transactions based on a customer’s card and personal identification number—in such a way as to defend against both outside and inside attack—is
harder than it looks! There have been many local epidemics of “phantom withdrawals” when villains (or bank staff) have found and exploited loopholes in
the system. Automatic teller machines are also interesting as they were the
first large-scale commercial use of cryptography, and they helped establish a
number of crypto standards.
• Behind the scenes are a number of high-value messaging systems. These are used to move large sums of money (whether between local banks or between
banks internationally); to trade in securities; to issue letters of credit and guarantees; and so on. An attack on such a system is the dream of the sophisticated
white-collar criminal. The defense is a mixture of bookkeeping procedures,
access controls, and cryptography.
• Most bank branches still have a large safe or strongroom, whose burglar
alarms are in constant communication with a security company’s control center. Cryptography is used to prevent a robber manipulating the communications and making the alarm appear to say “all’s well” when it isn’t.
• Over the last few years, many banks have acquired an Internet presence, with a Web site and facilities for customers to manage their accounts online. They
also issue credit cards that customers use to shop online, and they acquire the
resulting transactions from merchants. To protect this business, they use standard Internet security technology, including the SSL/TLS encryption built into
Web browsers, and firewalls to prevent people who hack the Web server from
tunneling back into the main bookkeeping systems that lie behind it.
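The double-entry rule in the first bullet above (every debit matched by an equal and opposite credit, so money can be moved within a bank but never created or destroyed) can be sketched as a simple invariant check. This is an illustrative sketch only, not any bank's actual code; the `Entry` record and `post_transaction` function are hypothetical names.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    account: str
    amount: int  # signed, in cents: debits negative, credits positive

def post_transaction(ledger: dict, entries: list) -> None:
    """Post a transaction only if its entries sum to zero.

    This enforces the double-entry invariant: money may move between
    accounts, but a transaction as a whole neither creates nor
    destroys value.
    """
    if sum(e.amount for e in entries) != 0:
        raise ValueError("unbalanced transaction rejected")
    for e in entries:
        ledger[e.account] = ledger.get(e.account, 0) + e.amount

ledger = {"alice": 10_000, "bob": 0}
post_transaction(ledger, [Entry("alice", -2_500), Entry("bob", 2_500)])
assert sum(ledger.values()) == 10_000  # total money is conserved
```

A real system would of course add the journals, dual authorization for large transfers, and pattern-based alarms described in the text; the point here is only that the core invariant is a mechanically checkable property.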
We will look at these applications in later chapters. Banking computer security is
important for a number of reasons. Until quite recently, banks were the main nonmilitary market for many computer security products, so they had a disproportionate
influence on security standards. Second, even where their technology isn’t blessed by
an international standard, it is often widely used in other sectors anyway. Burglar
alarms originally developed for bank vaults are used everywhere from jewelers’ shops
to the home; they are even used by supermarkets to detect when freezer cabinets have
been sabotaged by shop staff who hope to be given the food that would otherwise
spoil.

1.2 Example 2: An Air Force Base
Military systems have also been an important technology driver. They have motivated
much of the academic research that governments have funded into computer security in
the last 20 years. As with banking, there is not one single application but many:
• Some of the most sophisticated installations are the electronic warfare systems whose goals include trying to jam enemy radars while preventing the enemy
from jamming yours. This area of information warfare is particularly instructive because for decades, well-funded research labs have been developing sophisticated countermeasures, counter-countermeasures, and so on—with a
depth, subtlety, and range of deception strategies that are still not found elsewhere. Their use in battle has given insights that are not available anywhere
else. These insights are likely to be valuable now that the service-denial attacks, which are the mainstay of electronic warfare, are starting to be seen on
the Net, and now that governments are starting to talk of “information warfare.”
• Military communication systems have some interesting requirements. It is often not sufficient just to encipher messages: an enemy who sees traffic encrypted with somebody else’s keys may simply locate the transmitter and attack it. Low-probability-of-intercept (LPI) radio links are one answer; they
use a number of tricks, such as spread-spectrum modulation, that are now being adopted in applications such as copyright marking.
• Military organizations have some of the biggest systems for logistics and inventory management, and they have a number of special assurance requirements. For example, one may have a separate stores management system at
each different security level: a general system for things like jet fuel and boot
polish, plus a second secret system for stores and equipment whose location
might give away tactical intentions. (This is very like the business that keeps
separate sets of books for its partners and for the tax man, and can cause similar problems for the poor auditor.) There may also be intelligence systems and
command systems with even higher protection requirements. The general rule
is that sensitive information may not flow down to less-restrictive classifications. So you can copy a file from a Secret stores system to a Top Secret command system, but not vice versa. The same rule applies to intelligence systems
that collect data using wiretaps: information must flow up to the intelligence
analyst from the target of investigation, but the target must not know which
communications have been intercepted. Managing multiple systems with information flow restrictions is a difficult problem that has inspired a lot of research.
• The particular problems of protecting nuclear weapons have given rise over the last two generations to a lot of interesting security technology. These range
from electronic authentication systems, which prevent weapons being used
without the permission of the national command authority, through seals and
alarm systems, to methods of identifying people with a high degree of certainty using biometrics such as iris patterns.
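The "no flow down" rule described above, under which a file may be copied from a Secret stores system to a Top Secret command system but never the reverse, reduces to a comparison of classification levels. A minimal sketch, assuming the standard military levels mentioned in the text; the function name and level encoding are illustrative, not any fielded system's design.

```python
# Classification levels in increasing order of sensitivity.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def copy_allowed(source_level: str, dest_level: str) -> bool:
    """Information may flow up (or sideways), never down.

    Copying from a Secret system up to a Top Secret one is permitted;
    copying back down would leak sensitive data to a less-restrictive
    classification.
    """
    return LEVELS[dest_level] >= LEVELS[source_level]

assert copy_allowed("Secret", "Top Secret")      # flow up: allowed
assert not copy_allowed("Top Secret", "Secret")  # flow down: forbidden
```

The same one-way check captures the wiretap example: data flows up from the target of investigation to the intelligence analyst, and nothing flows back down to reveal which communications were intercepted.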
The civilian security engineer can learn a lot from these technologies. For example,
many early systems for inserting copyright marks into digital audio and video, which
used ideas from spread-spectrum radio, were vulnerable to desynchronization attacks,
which are also a problem for some spread-spectrum systems. Another example comes
from munitions management, in which a typical system enforces rules such as, “Don’t
put explosives and detonators in the same truck.” Such techniques may be more widely
applicable, as in satisfying hygiene rules that forbid raw and cooked meats being handled together.
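Rules like "don't put explosives and detonators in the same truck", or the hygiene rule keeping raw and cooked meats apart, are incompatibility constraints, and can be sketched as a check against a set of forbidden pairs. The category names and data layout here are illustrative assumptions, not drawn from any real munitions or food-safety system.

```python
# Pairs of categories that must never share a container.
FORBIDDEN_PAIRS = {
    frozenset({"explosives", "detonators"}),
    frozenset({"raw_meat", "cooked_meat"}),
}

def load_allowed(cargo: set) -> bool:
    """Reject any load containing a forbidden pair of categories."""
    return not any(pair <= cargo for pair in FORBIDDEN_PAIRS)

assert load_allowed({"explosives", "boot_polish"})
assert not load_allowed({"explosives", "detonators", "boot_polish"})
```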

1.3 Example 3: A Hospital
From food hygiene we move on to healthcare. Hospitals use a number of fairly standard systems for bookkeeping and the like, but also have a number of interesting protection requirements—mostly to do with patient safety and privacy:
• As Web-based technologies are adopted in hospitals, they present interesting new assurance problems. For example, as reference books—such as directories
of drugs—are moved online, doctors need assurance that life-critical data
(such as the figures for dosage per body weight) are exactly as published by
the relevant authority, and have not been mangled in some way, whether accidental or deliberate. Many of these safety problems could affect other Web
systems in a few years’ time. Another example is that as doctors start to access
Web pages containing patients’ records from home or from laptops in their
cars, suitable electronic authentication and encryption tools are starting to be
required.
• Patient record systems should not let all the staff see every patient’s record, or privacy violations can be expected. These systems need to implement rules
such as, “nurses can see the records of any patient who has been cared for in
their department at any time during the previous 90 days.” This can be hard to
do with traditional computer security mechanisms, as roles can change (nurses
move from one department to another); and there are cross-system dependencies (the patient records system may end up relying on the personnel system
for access control decisions, so any failure of the personnel system can have implications for safety, for privacy, or for both). Applications such as these are
inspiring research in role-based access control.
• Patient records are often anonymized for use in research, but this is difficult to
do well. Simply encrypting patient names is usually not adequate, as an enquiry such as “Show me all records of 59-year-old males who were treated for
a broken collarbone on September 15, 1966,” would usually be enough to find
the record of a politician who was known to have sustained such an injury as a
college athlete. But if records cannot be anonymized properly, then much
stricter rules will usually have to be followed when handling the data, and this
will increase the cost of medical research.
• New technology can introduce risks that are just not understood. Hospital administrators understand the need for backup procedures to deal with outages of
power, telephone service, and so on, but medical practice is rapidly coming to
depend on the Net in ways that are often not documented. For example, individual clinical departments may start using online drug databases; stop keeping adequate paper copies of drug formularies; and never inform the
contingency planning team. So attacks that degrade network services (such as
viruses and distributed denial-of-service attacks) might have serious consequences for medical practice.
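The 90-day rule quoted above ("nurses can see the records of any patient who has been cared for in their department at any time during the previous 90 days") is a role- and history-based access check. A minimal sketch of the idea: the care-episode log, the record layout, and the function name are all assumptions for illustration, not the design of any real hospital system.

```python
from datetime import date, timedelta

# Hypothetical care-episode log: (patient_id, department, date_of_care).
CARE_LOG = [
    ("p1", "cardiology", date(2024, 3, 1)),
    ("p2", "oncology",   date(2023, 1, 15)),
]

def nurse_may_read(nurse_dept: str, patient_id: str, today: date) -> bool:
    """Allow access only if the patient was cared for in the nurse's
    department within the previous 90 days."""
    cutoff = today - timedelta(days=90)
    return any(
        pid == patient_id and dept == nurse_dept and cared >= cutoff
        for pid, dept, cared in CARE_LOG
    )

today = date(2024, 4, 1)
assert nurse_may_read("cardiology", "p1", today)      # recent episode
assert not nurse_may_read("cardiology", "p2", today)  # wrong department
```

Note that the decision depends on data outside the records system itself (which nurse works where, and when), which is exactly the cross-system dependency on the personnel system that the text warns about.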
We will look at medical system security in more detail later. This is a much younger
field than banking IT or military systems, but as healthcare accounts for a larger proportion of GNP than either of them in all developed countries, and as hospitals are
adopting IT at an increasing rate, it looks set to become important.

1.4 Example 4: The Home
You might not think that the typical family operates any secure distributed systems.
But consider the following:
• Many people use some of the systems we’ve already described. You may use a Web-based electronic banking system to pay bills; and in a few years you may
have encrypted online access to your medical records. Your burglar alarm may
send an encrypted “all’s well” signal to the security company every few minutes, rather than waking up the neighborhood when something happens.
• Your car may have an electronic immobilizer that sends an encrypted challenge to a radio transponder in the key fob; the transponder has to respond correctly before the car will start. Since all but the most sophisticated thieves now
have to tow the car away and fit a new engine controller before they can sell it,
this makes theft harder, and reduces your insurance premiums. However, it
also increases the number of car-jackings: criminals who want a getaway car
are more likely to take one at gunpoint.
• Early mobile phones were easy for villains to “clone.” Users could suddenly find their bills inflated by hundreds or even thousands of dollars. The current
GSM digital mobile phones authenticate themselves to the network by a cryp-
