Cryptographic Security Architecture 134
| Cryptographic Security Architecture: Design and Verification | |
| author | Peter Gutmann |
| pages | 320 |
| publisher | Springer-Verlag |
| rating | 8 |
| reviewer | imaginaryNumber |
| ISBN | 0387953876 |
| summary | A technical book about security architectures, verification techniques, and cryptographic software and hardware |
Cryptographic Security Architecture is a technical book that focuses on security architectures, verification techniques, and cryptographic software and hardware. It is an excellent reference source that intricately captures the design process of a security toolkit that has been in use for several years across the globe. The security architecture presented in the book is platform-independent, but the book does touch on platform-specific issues when necessary, especially when cryptlib implementation details are described. The toolkit has been ported to a slew of platforms.
Even though the book and the toolkit benefit from each other's companionship, both can certainly stand alone. The reader doesn't have to be familiar with or even interested in cryptlib to gain from reading Cryptographic Security Architecture . In this review of the book I will keep toolkit discussion to a minimum. The semi-GPL cryptlib security toolkit is OSI-certified open source. The security toolkit includes an excellent user manual which is a formidable 310 pages.
The Passion of the Cryptographic Security Architecture
Cryptographic Security Architecture's first chapter covers the foundational software architecture and is a bit dull. I would hope that the target audience is familiar with basic subjects like object-oriented design and inter-object communications. Too much attention is given to what should have been prerequisite knowledge at the expense of security related matter. For instance, while Gutmann gives a lot of attention to basic object synchronisation (the Kiwi spelling, which is suitably preferred by him) he only alludes to a class of security issues involved with multi-threading. If you can make it through the first chapter, rest assured that Gutmann avoids this flaw in the rest of the book. To be fair, this back-to-basics review does well at underpinning the rest of the security architecture, even though it often reads like a software architecture primer.
The second chapter covers the security architecture, which features such things as permission-based access, least privilege and isolation, mediation, and other expected elements. The design goals include some common goals, like simplicity and efficient implementation. But three of the design goals represent the core philosophy of Gutmann's architecture: The separation of policy definition and enforcement mechanism, a verifiable design (practical vs. theoretical viability), and a flexible security policy.
The separation of the policy definition from the enforcement mechanism solves problems that exist in previous attempts at security architecture (e.g. some Orange Book-based systems hardcode the policy). One claimed benefit of separation is the reduction of complexity in the enforcement mechanism and the improved verifiability that simplicity brings. But I would argue that complexity has been shifted from the toolkit to the toolkit user, who can opt to configure their specialized security policy. What mechanism is going to be used to verify these user-defined policies? It's unlikely the toolkit user's policy will receive the scrutiny that the open source community bestows upon the factory bits.
But I may not fully understand the capabilities of the security policy scheme. Perhaps, when using Gutmann's cryptlib, it is impossible for the toolkit user to configure an incoherent policy. In George Orwell's 1984, the Party worked to deconstruct the English language so that only 'legal' speech could occur. As designed, Newspeak would make illegal statements unspeakable --- and in time, unthinkable. I'm unconvinced that Gutmann's security policy scheme is such a controlled means of expression, where only safe security policies can be spoken. Granted, one could always use the predefined policies, but this path undermines a chief design goal of the architecture: a flexible security policy.
Notwithstanding my nitpicking about the policy, the security architecture chapter is a good example of how the book shines. Gutmann covers in detail his design process and chocks the chapter full of references for the reader's further study. In all, there are almost 700 reference listings, which consume 15% of the book's 320 pages.
The policy definition scheme is followed by a detailed discussion of the security kernel implementation. (The kernel is the policy enforcement mechanism, referred to earlier.) Like most of the book, the writing is as dense as most detailed architectural designs and sometimes sleep-inducing. But Gutmann's writing style is clear, concise, and sometimes funny. Gutmann's writing talent makes even descriptions of "Access Control List for public-key/certificate access" and "Access Control List for an attribute that triggers an object state change" endurable.
Verification techniques for the security architecture are a major theme of the book. Anyone who has attempted to verify that software does what it was specified to do, especially in the security field, will find Gutmann's insights worthwhile reading. This is especially true for anyone who has ever done a Common Criteria-based evaluation, or a verification employing any of its ilk. Gutmann makes an excellent point about the semantic pitfalls of formal methods: "As with ISO 9000, it's possible to produce an arbitrarily bad product but still claim it's correct, since it complies with the paperwork."
Cryptographic Security Architecture also contains the obligatory chapter on random number generation. The chapter includes more of Gutmann's trademark insights. He discusses many software and hardware implementations, including the generators contained in: PGP (Pretty Good Privacy), /dev/random, ssh, Capstone / Fortezza, Intel Pentium III, Microsoft's CryptoAPI, cryptlib, and others. Random number generation flaws abound. For example, he discusses the flaws in the ssh and SSLeay/OpenSSL generators that make it possible to "...suck infinite amounts of state information out of [the random number generators] by repeatedly connecting to the server..."
Towards the end of the book, Gutmann includes a dessert-like discussion of hardware encryption modules. Gutmann's predilection for security hardware is evident as he writes about problems with crypto on end-user systems. This chapter includes all sorts of cryptographic hardware including the designed-for-hostile-environments HiDan embedded PC. One interesting technique to secure modules like the HiDan is to pour a hardening material (e.g. epoxy) into the chamber before sealing it shut.
Regarding the book's construction, while the references are excellent, the glossary and index are poor. Even if you rely on external sources for acronyms, as the author suggests, some of his acronyms are not included in the glossary. For instance, it took me awhile to determine that CMP stood for Certificate Mismanagement Protocol. The index is also oddly incomplete, considering Gutmann's otherwise good documentation habits.
Conclusion
I expected Cryptographic Security Architecture to treat the topic of security architecture in a general way, offering many alternatives for designers to ponder while designing their own security architecture. The book does this, but often Gutmann whittles down the prudent design options to one, with most paths arriving at a single destination, namely Gutmann's cryptlib. Don't get me wrong: It's good to be decisive when faced with many architectural tradeoffs, and the ugly alternative is all too often design paralysis. And it's no surprise that cryptlib, according to Gutmann, contains the best architectural elements - he is the author of both the book and the toolkit. Still, the homage to cryptlib often made me unsure that a wide spectrum of design options had been considered: Did the security architecture spawn the cryptlib implementation, or did the implementation spawn the architecture?To be clear, the strong points of the book (and concepts therein) far outnumber the weak ones, and I highly recommend it to anyone interested in security architectures, verification techniques, and cryptographic software and hardware in general. Simply put, the book is excellent and it should expand most reader's knowledge of cryptographic security.
You can purchase Cryptographic Security Architecture: Design and Verification from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
An interesting crypto library (Score:4, Informative)
Re:An interesting crypto library (Score:2, Funny)
_DYNAMIC
_GLOBAL_OFFSET_TABLE_
__gmon_s tart__
_fini
__cxa_finalize
_Jv_RegisterClasse s
CRYPTO_get_new_lockid
sk_new_null
BUF_strdup
sk_push
CRYPTO_free
ERR_put_error
CRYPTO_num_lo cks
CRYPTO_get_new_dynlockid
CRYPTO_lock
CRYPTO _malloc
sk_find
CRYPTO_destroy_dynlockid
Screw it, this hard, Just ROT13 everything
....
Re:warning! LibTomCrypt highly insecure! (Score:2)
Stupid AC misleading the others.
Ain't kidding (Score:3, Interesting)
Plus, you get a crypto lib with Makefile.gba. That's Gameboy Advance. Yup.
--Dan
Re:An interesting crypto library (Score:2, Interesting)
Perhaps an immature wanker who flames in 3 out of 5 of his posts can write a really solid crypto library. Why bother, though, when there are solid libraries that already exist and you don't have to deal with the preening little 19 year old?
Re:An interesting crypto library (Score:1, Offtopic)
To nitpick though I'm a "preening little 21.99 yr old". I have been 19 since I was 19.
Re:An interesting crypto library (Score:2)
I read sci.crypt regularly, even if I don't post there. Granted, Tom comes forward as someone who has certain attitude problems (yes, I'm willing to go on record saying this) but the library is still a marvelous piece of work. It's not like we haven't seen controversial [cr.yp.to] personalities in this field before. Also, LTC is nothing but a simple building block, and you can actually verify its functionality and integrity by running the algorithms against any known and verifiable test vector sets. (Locating these is
Re:I used to work with PETER GRUBMANN (Score:2)
Who worries about security these days anyway? (Score:1, Funny)
I fail to see how this "cryptography" is anything more than another attempt at making nerds seem valuable. Self-promoting sons of bitches gonna get swirlies if they cross my path.
Paean (Score:5, Funny)
Re:Paean (yes it is funny) (Score:5, Informative)
From Dictionary.com:
paean also pean
n.
1. A song of joyful praise or exultation.
2. A fervent expression of joy or praise: "The art... was a paean to paganism" (Will Durant).
3. An ancient Greek hymn of thanksgiving or invocation, especially to Apollo.
So "A paean in the ass" or "A [fervent expression of joy] in the ass" is indeed very different from "a pain in the ass."
Re:Paean (yes it is funny) (Score:2)
Of course, the one could lead to the other.
Re:Paean (yes it is funny) (Score:1)
No offence meant, but this made me chuckle. It's the star trek approach to humour: "the computer has analyzed your claim and detected a trace of sarcasm. this is entirely illogical. capt. kirk will now beat the sh*t out of you."
I'm not so sure that whether something is funny is something that research and analysis uncovers...
Re:Reverse Security (Score:2, Funny)
Re:Reverse Security (Score:5, Interesting)
Re:Good FUCKING Lord! (Score:3)
Wow, you should really switch to decaf. If you get this worked up over a technical discussion, I can't imagine trying to discuss something controversial with you. I'd probably be beaten to death by your jerking knees.
That said, nobody ever said it was bad to have obscurity in the system, only that is was bad to rely on that obscurity to provide security. To use your example, it's okay that th
Re:Reverse Security (Score:1, Informative)
Re:Reverse Security (Score:1, Funny)
Security through obscurity isn't a good thing.
Oh yeah? Prove it: hack my (an AC's) box!
Re:Reverse Security (Score:5, Funny)
Re:Reverse Security (Score:5, Insightful)
Okay, I'll put it another way. Everyone knows how to do DES. The math is quite well understood. However, this doesn't make DES any less secure. In fact, it makes it more secure, because people, due to the openness of DES, have been able to find flaws in the algorithm (such as weak key groups).
Now, in the case of the ATM, if an ATM is designed such that breaking the machine open is sufficient to nullify the bank's security systems, then the bank needs to rethink how it's ATM's work, as their system isn't truly secure.
Re:Reverse Security (Score:4, Interesting)
exactly - in fact suppose I want to hack into an ATM - if I'm bright I'll certainly look at the open source ATM code ... and if it is indeed well designed and protected by lots of lovelly large primes that I don't know I'll probably look elsewhere. On the other hand Diebold's recent voting machine snafu's would probably have me looking long and hard at any ATM they make (or in my case be looking for a different bank to put my money in should my bank start using them)
Re:Reverse Security (Score:2)
And exactly WHICH of these primes is not know to the public? Perhap, and JUST perhaps, the NSA has been hording big primes, but I seriously don't think Diebold has access to them. If its prime factors that prevent you from cracking the system, you have bigger problems than knowing how to do DES.
Re:Reverse Security (Score:3, Funny)
Re:Reverse Security (Score:2)
Re:Reverse Security (Score:1)
Also, from the post, the goal of crypto is to make the *only* secret the secret key. The goal is not to make the *algorithm* secret. There is work on code obfuscation where the goal is to make the code secret. It's okay to compare reverse engineering ATM's to crypto, but realize that the goals are different. One is an academic disciple, abstract in many way
Re:Reverse Security (Score:2)
You can analyse robustness against differential and linear attacks. See for example notes on the S-box generation of Tiger [cam.ac.uk].
There's also the "Publish or die" aspec
Re:Reverse Security (Score:1)
Robustness against diff/lin attacks is not the same as understanding the mathematics of an sbox. this only shows security against a few known attacks, but does not reduce the security of the sbox to intractiblity or information-theoretic limits.
Good link, though.
Re:Reverse Security (Score:1)
Josh [culver.org]
Now... I will confess that he uses a restricted key space and requires MS documents to be encrypted for the real time crack so he can take advantage of formatting clues, but still.Re:Reverse Security (Score:3, Insightful)
most practical attacks utilize flaws in the implementation, not the algorithms.
to use the atm analogy, most atms use hardware that is protected by anti-reverse engineering schemes such as X-ray detectors, temperature detectors (to prevent someone from freezing the memory cells - which can sometimes keep data around for up to several weeks!), and a +-ground mesh that has been potted in polymer resin. a short in any of
Re:Reverse Security (Score:2, Interesting)
However, to answer your question, the reason security concepts are being opened to the public is mainly because they have to be standardized rather than oligopolized. This allows the security concepts (like RSA algorithms, DES, Blowfish, PKI) to be used on various platforms with various tools. If it were closed, or discreet, it would be even more incon
Re:Reverse Security (Score:3, Insightful)
I am more concerned about people in the know making easy to use software that automates cracking functions than I am about them writing books. In general, the books require considerable knowledge to apply
quick synopsis (Score:4, Informative)
"A cryptographic security architecture constitutes the collection of hardware and software that protects encryption keys and other related security parameters from misuse. If the process used to generate the cryptographic code is insecure then even the most sophisticated protection mechanics will not do any good. This topic is extremely important, especially for "embedded"-hardware products and services like smart cards. The author offers a novel design that allows for a great deal of customization."
Encryption / circumvention (Score:1, Insightful)
Cryptlib contains code that violates GPL (Score:4, Interesting)
Re:Cryptlib contains code that violates GPL (Score:3)
Re:Cryptlib contains code that violates GPL (Score:2)
Re:Cryptlib contains code that violates GPL (Score:2)
"waah! I wanted to contribute patches and the developers ignored me outright!!!! mommmmy!"
And also, as of tonight your services are no longer required.
Re:Cryptlib contains code that violates GPL (Score:3, Interesting)
-----------------
Hello, I'm new to the GNUPG devel scene and would like to contribute some
patches
http://iahu.ca:8080/mygpg_patches
8b2da885281114a5c0275ed7f954c878]
The patches are to the files in the
the changes
- Clean up the code, use portable load/store macros
- Added test vectors to the hashes
- Made all ciphers/hashes call test routine in their regis
Re:Cryptlib contains code that violates GPL (Score:2)
So if I'm such a weak developer get a copy of libtomcrypt and let loose with the bug reports [in any public forum to show how bad I am].
Fucktard, learn to read before you become a critic.
Re:Cryptlib contains code that violates GPL (Score:3, Interesting)
I *think* my code is secure [or at least statically secure]. Hey, you think otherwise? That's good, you want to scream about it in public? Why not prove it?
Re:Cryptlib contains code that violates GPL (Score:2, Informative)
Funny how you feel so persecuted. Look back at my messages. Did I ever once say your code wasnt good? I have never looked at it, and don't really care to, so I have no way to tell if it is good or not. My complant is that you're an asshole. I don't think someone who acts as unprofessionally as you is worth dealing with. Your behavior does not fil
Re:Cryptlib contains code that violates GPL (Score:5, Insightful)
Re:Cryptlib contains code that violates GPL (Score:2)
More importantly your mother is a whore.
Re:Cryptlib contains code that violates GPL (Score:1)
Re:Cryptlib contains code that violates GPL (Score:2)
That and your mother is a loose whore. Stupid bitch.
Re:Cryptlib contains code that violates GPL (Score:3, Interesting)
Just like allegro for instance [which is a wicked coo package] has a whole slew of "authors" [I'm one of them] who have mostly just contributed a line or two at most. [IIRC I contributed about 7 lines or so to a 3d clipping function...
As I say in sci.crypt if you find fault with my ideas, posts, projects, packages, etc
Re:Cryptlib contains code that violates GPL (Score:1)
Re:Cryptlib contains code that violates GPL (Score:2, Informative)
I know this is slashdot, but is it too much to expect 6 seconds of research?
No it doesn't (Score:1, Informative)
The fact some might also be available elsewhere under the GPL in irrelevant.
Re:Here's a different viewpoint: (Score:1, Flamebait)
"random numbers" do not exist at all [ever]. At best "random number *generators*" [relatively speaking] may exist.
So next time how about you get a clue before you grab hold of the big wide internet and try to speak in the big-boy voice.
Re:Here's a different viewpoint: (Score:1, Offtopic)
Re:The logical implication... (Score:2)
Therefore, I'm smarter than most
With me so far?
So then if I'm smarter than most
Re:A logical fallacy... (Score:2)
Maybe you're the one who doesn't understand the logical implication of it?
Of which there is none. Point is your mother is whore.
Self Promotion, and Incoherent Policies (Score:5, Insightful)
Wouldn't it be more helpful, not to mention better motivation to purchase his own security toolkit, if he were to go into more detail of what is wrong with other toolkits than just saying they 'lack real security features altogether.'
Why not write a short critique of other toolkits, ideally explaing advantages and disadvantages each one has..... or is this not supposed to be a book on Security in general, but just documentation on his own toolkit?
I suppose even if you don't want to buy his toolkit you can get ideas from reading about it.
But I may not fully understand the capabilities of the security policy scheme. Perhaps, when using Gutmann's cryptlib, it is impossible for the toolkit user to configure an incoherent policy. In George Orwell's 1984, the Party worked to deconstruct the English language so that only 'legal' speech could occur. As designed, Newspeak would make illegal statements unspeakable --- and in time, unthinkable. I'm unconvinced that Gutmann's security policy scheme is such a controlled means of expression, where only safe security policies can be spoken. Granted, one could always use the predefined policies, but this path undermines a chief design goal of the architecture: a flexible security policy.
Problem with this is that Managment who don't understand the software are often making the decisions, and that is why there are incoherent policies. Maybe if you have pre-defined policies to work with, all of which will work, then Management can choose from the pre-defined policy, resulting in much less hair pulling frustration to the admin.
Re:Self Promotion, and Incoherent Policies (Score:2)
Cryptlib is GPL'd, although you can buy a commercial license as well. But you don't have to pay anything if you are using it in a GPL project.
Another thing not noted in the review, the book is actually Peter's PhD thesis. It's pretty technical; I looked through a draft at a crypto conference. I don't think it would be of interest other than to the kind of person who might be wanting to implement a crypt
Re:Self Promotion, and Incoherent Policies (Score:3, Insightful)
Re:Self Promotion, and Incoherent Policies (Score:2)
Crypto only as safe as the math under it (Score:5, Informative)
If some mathematician creates an easy way to factor large numbers (and they have been finding better and better ways to do this), then systems like RSA become vulnerable even if they use umpteen bits. Any math-based crypto system faces this challenge. Ironically, the strength of the system is, in part, based on the weakness of out understand of the math. Unless someone can prove that a lower bounds exists, the system is of unknown uncrackability.
Re:Crypto only as safe as the math under it (Score:3, Interesting)
In fact, if the factoring is sufficiently efficient the whole system comes to bits. Yes you can just double the key size to make it unfactorable, but you can only do that so many times before
(1) The key gets so large that it is hard to manage (this is certainly at the upper end, but large keys can be proble
Re:Crypto only as safe as the math under it (Score:3, Informative)
So, working sketchily, we're talking roughly 2^2040 primes in that range (note, that's pure ballpark, but it does give a rough order of magnitude - we're talking LOTS of primes, not just a few).
Jedidiah.
Well, now... (Score:3, Insightful)
Symmetric cryptography hardly suffers from any weakness in this area. Even an instant factorization or quantum computing would do little to change that.
Public cryptography on the other hand, must by definition rely on some mathematical relationship between the public and private key. Like e.g.multiplicationfactorization, but that is not the only
Re:Well, now... (Score:2)
I don't quite have the time to refute this in depth, but this is completely wrong. Security of cyphers based on prime factorization depends on this operation being a very hard problem. A O(N) or O(N*ln N) (or even N^2 or N^p for smallish values of p) algorithm would m
Re:Crypto only as safe as the math under it (Score:1)
I have a very basic understanding of crypto, so for example I know what a secure hashing algorithim does, but I may be tempted to use it for a hash where the reverse transform is not actually important, but where some properties of a hash like that may actually i
So what the heck do I do? (Score:1, Insightful)
So how can I trust anybody's crypto code?
Re:So what the heck do I do? (Score:2, Funny)
Hello, I'm from Microsoft and I'm here to help you.
Re:So what the heck do I do? (Score:2)
Re:So what the heck do I do? (Score:1)
Re:So what the heck do I do? (Score:2)
Step 2. Sit back and watch people flame you for no reason other than they wish they had a 1/100th of your talent.
Step 3. Laugh all the way to the corner store where you will work the rest of your life living in a van down by the fucking river!
Re:So what the heck do I do? (Score:2)
Re:So what the heck do I do? (Score:1)
As for "suffering for my art" I'd like to think I'm more humble than that. Sure I contributed stuff but it wasn't earth shattering can't live without. I helped a few people. That's what I was looking for [and maybe a job down the line].
See I don't "work/think" like the average person. I can't live in the world where you basically have to lie to your customers because everyone else does it. This is how it started... nice warm day in the
Re:So what the heck do I do? (Score:3, Insightful)
So how can I trust anybody's crypto code?
You presume that as long as the code is openly published, and at least somewhat widely used, that there are number theorists and crypto experts picking through it. As far as popular open crypto code goes, that is certainly true.
That's not to say people couldn't slip a backdoor in, but if you're publishing your code openly, there's always a chance
Re:So what the heck do I do? (Score:1)
Good security is much more about implementation than number theory. A good cypher is very hard to break. Will a smart attacker, attack the cypher which is very hard to break or some implementation mistake which is probably much easier to exploit?
Re:So what the heck do I do? (Score:1)
Working on it... (Score:5, Informative)
It is worth noting that this is exactly what SELinux from the NSA was seeking to apply to Linux at a kernel level. The principle is to confine all user programs and system daemons to an absolute minimum required level of access. That is there is an access manager in the kernel that mediates requests. In turn, there is a policy manager (seperate from the access manager) that maintains policy. Effectively the access manager queries the policy manager and then applies whatever access decision the policy manager returns. This means buffer overflows don't get you anywhere - there is no root account with universal access to exploit!
The system is, in fact, even more flexible than that - seperate access managers exist for processes, filesystem access, and IPC (socket or System V), but the hooks are provided in a way that this is completely modular, and new access managers can be added/written for whatever else you want to control (database access for instance).
The point is, a very fine, well thought out, secure system for access conrol has already been implemented for Linux (and has been folded into the 2.6 kernel). People ought to be using it! If you're running a 2.6 kernel, see if you've got LSM compiled in, if not, do a recompile to include it. Example policies can be found here [nsa.gov], and policy management tools (even GUI ones) can be found here [tresys.com]. If you're serious about security, the you ought to to be using this stuff. If you're not serious about security, use it anyway and help make Linux as secure as we like to pretend it is.
Jedidiah.
Re:Working on it... - if you are up to it (Score:2)
Put it this way, right now when you do a linu
Other crypto resources (Score:3, Interesting)
OK, I admit it I just wanted to use Google Sets for something.
Re:Other crypto resources (Score:2)
It's been a while since I tinkered with sets!
Crypto++ (Score:1)
But when I looked around 2 years ago for the best crypto library to actually write code with, I settled on Wei Dai's Crypto++
http://www.eskimo.com/~weidai/cryptlib.html
Solving abstract problems? no one will see this ;) (Score:1, Interesting)
Solving abstract problems with implemented ideas first??? Shame on you sir...
0.) post so late, no one will ever see this
1.) Epoxy potting compounds are NOT SECURE and only add to design and calibration problems during manufacture. See 1980's...
2.) Hardware Data encryption? Only possible with embedded recursive encryption algorithms that are dependent on uniqu
Re:Dear Gibson/Gutmann (Score:3, Funny)
Isn't it The Passion of the Christ Security Architecture?
J.C. was very well secured; those fancy nails has large, flat heads on them so he couldn't slip off. Rumour has it they were going to resort to washers before they found those.
Re:Dear Gibson/Gutmann (Score:2)