Friday, 17 August 2007

Are we missing the point?

I'm a big fan of encryption, always have been, always will be. I'm a fan in much the same way I'm a fan of crosswords, and used to spend hours playing with Caesar ciphers as a child. I was disappointed when the InfoSec Europe 2007 website didn't finish their puzzle series, I was on the leaderboard until the very last puzzle, which I just couldn't work out... and still can't, so I know I didn't come anywhere near winning, which I could care less about, but I REALLY want to know what the answer to that puzzle was...

I've worked with a number of encryption providers over the years, and spoke recently with Voltage about their elliptic curve identity based stuff. It's all very clever, but as with all encryption I'm beggining to wonder if we really need to be spending so much time working out new secure methods of obfuscation, or tying up the entry points.

To anyone who has spent any time in this area, this will seem simple, but I've read a number of articles this morning about encryption (in the name of research), which imply that this is not common knowledge.

I'd love to spend the next 4 hours telling you about everything from Diffie-Hellman to ECB, CBC, IVs and all manner of other TLAs. I don't have enough room on the blog and you don't have enough patience however.

The problem is, even with the strongest encryption in the world, if I have your password and account details, I can see that data. Data security doesn't just sit in and with the data, it is totally dependent on user security. The fact is that there is no such thing as unbreakable encryption. Given enough time, and an infinite number of monkeys, I could break anything you provided me with. Sure it might take 1000 years with a million PCs, but it's not unbreakable, there is no fully secure encryption method, and thus it must be or we wouldn't be able to decrypt.

Also, access controls are probably about as good as they're going to get. We can polish the management of them, but you either let someone access the data, or you don't. What aren't so good, and what really needs educating about a lot more, and soon, is user security.

If we had this implemented properly in our networks already, we'd be a lot more secure. Two-factor is just about strong enough for corporate use in my opinion, single factor should be reserved for blog comments and signing up for demos. Banking should be as tight as possible.

I appreciate that there are people working on AAA to address these issues too, but isn't it time we had an end to end message for the clients and users of the systems. Security is way too confusing for most people, and we're way too busy to educate on every part of it aren't we? Well, if we make the time now, I have a feeling it will make our lives a whole lot easier moving forwards.

And hey, we might actually learn something ourselves.

No comments: