re: what are realistic threats?

• To: www-buyinfo@allegra.att.com, www-security@ns1.rutgers.edu, zurko@osf.org
• Subject: re: what are realistic threats?
• From: dmk@allegra.att.com (Dave Kristol)
• Date: Tue, 27 Sep 94 13:44:42 EDT
• Reply-To: dmk@allegra.att.com (Dave Kristol)

zurko@osf.org (Mary Ellen Zurko) says [to www-security, not www-buyinfo]:
  > There's a couple ways to attack the threat question. The classic
  > security-centric way is to look at just the technology,
  > uncontextualized, then to lop off the difficult parts of the problem
  > you just don't feel you can solve (government agencies or similarly
  > funded and experienced organizations, denial of service, and traffic
  > analysis often fall into this category).
  > 
  > Then there's "assuming how it's used today, by the people who are
  > using it today, in the ways they're using it today". I think that's
  > where Dave and Phill are mostly coming from. However, if you just talk
  > the technology that will solve the threats (public keys for signing
  > and encrypting, for instance) you shouldn't forget deployment (how
  > people get all the public keys for all the people they'll communicate
  > with, for instance). That means services that are trusted (at least to
  > the extent that they're available, to prevent total denial of
  > service), as well as scalable. Then there are WWW architectural
  > gotchas (proxies and caching). 
  > 
  > The classic security services for contering threats are
  > authentication, authorization, data integrity, and data protection
  > (privacy). Authentication is pretty useless without authorization, but
  > sometimes the authorization models are so simple as to not matter (if
  > I can authenticate them, they can do anything, as in node login). As
  > Phill points out, this is unlikely to be good enough for people using
  > HTTP methods that alter data. We plan on using DCE authorization
  > services to create a simple ACL manager that maps HTTP methods to ACL
  > permissions, as a start. Services like Kerberos, S-HTTP, and Shen seem
  > to address all of these. But they're all communications-centric. In
  > terms of document integrity, people will begin to want signed
  > documents, not signed communication of documents (who's the author,
  > not just who's the server). And there's been some discussion on
  > www-talk of how to control information dissemination from the point of
  > view of publishing (an authorization problem that's classically been
  > solved with Mandatory Access Controls, which would never work on the
  > Internet). 
  > 
  > Then there's "how do people what to use it" or, more likely "how do we
  > think people will want to use it when we've done things to it". It
  > seems to me that how businesses use the network is different from the
  > classic Internet model. Businesses will want the same sorts of
  > services mentioned already, but in ways that are easy to administer,
  > and fall in line with their organization model (usually hierarchies of
  > groups, perhaps loosely connected trees). And, I think we should ask
  > people who they want to use it (I plan on doing that soon). That's
  > something that really can't be done well on www-security, since
  > there's very few "users", and vastly more "providers". 
  > 
  > So, Dave, can you be more specific? :-)

[Sorry to leave all that there.  I couldn't find a good way to summarize.]

Wow!  You covered a lot of ground.
[As I reread Zurko's message and my response, I realized we were
approaching the topic from two different vantage points, I from
"www-buyinfo", she from "www-security".]

Okay, let me ask a very specific question, one that my original posting
asked in an obscure and elliptical way.  The question is, How realistic
a threat are active attacks?  I'm talking about the kind of attack
where you interpose your machine on a wire and can intercept, replace,
or change messages.  (Passively listening and then replaying messages
or pretending to be someone else are also active attacks, I guess, but
I'm primarily concerned with those that require physical access to the
network.)

By "realistic", I mean both feasible and likely, by skilled
non-governmental people or groups (i.e., hackers or organized crime).
(Of course in the organized crime case, it's probably cheaper and
easier to subvert people than technology.)

In my original posting I asserted (recklessly, perhaps) that active
attacks, as I've defined them above, are relatively rare, and that most
"mere mortals" are unlikely to be able to mount them.  If that's true,
then we should be focussing on defeating the kinds of threats that can
be mounted through passive listening.

In any case, I think it's unrealistic to solve the whole security
problem at one shot.  There are big simple parts of the problem we can
solve relatively simply.  (See my original posting for an example.)
When solving the easy stuff, we should also keep in mind the goal of
solving ever more complicated security problems.  But we shouldn't let
our immediate inability to solve the hard stuff prevent us from solving
the easy stuff.

Regarding authorization/authentication:  in the context of www-buyinfo,
these are important only when the server provides information on a
subscription or membership basis.  If there's a way to pay for
information with some anonymous means (e.g., electronic cash, anonymous
credit card), the server doesn't have to know who you are.  It only has
to know that your payment is good.

Dave Kristol

• re: what are realistic threats?
• From: "Jeffrey I. Schiller" <jis@mit.edu>

• Previous: Re: what are realistic threats?
• Next: what are realistic threats?
• Index(es):
  • Index
  • Thread