Schneier's CRYPTO-GRAM Always Informative
by M. E. Kabay, PhD, CISSP
Associate Professor, Information Assurance
Norwich University, Northfield VT

Bruce Schneier, founder and Chief Technical Officer of Counterpane Internet Security <http://www.counterpane.com>, is a celebrated cryptographer and writer on fundamental issues in information assurance. Two of his most famous popular books are _Beyond Fear_ (2003) [ISBN 0-387-02620-7] and _Secrets and Lies: Digital Security in a Networked World_ (2000) [ISBN 0-471-45380-3]. He is also the author of _Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition_ (1995) [ISBN 0-471-11709-9]. He exemplifies the ideal of an active scientist: a contributor to new knowledge, a clarifier of confusing information and a driving force in his entire field. Since 1998, he has published the free _Crypto-Gram_ newsletter, which is always packed with useful and interesting information and insights for everyone interested in security. The March 15, 2005 issue is available from <http://www.schneier.com/crypto-gram-0503.html> and has so many hot topics that I won't list them all. Here are the highlights:

- SHA-1 Broken
- The Failure of Two-Factor Authentication
- ChoicePoint

Schneier reports on the discovery of methods for finding collisions in the Secure Hash Algorithm 1 (SHA-1) faster than brute force. A collision is a pair of different messages with the same 160-bit hash. The generic birthday attack finds one in about 2^80 hash operations; the new attack needs about 2^69, which is some 2,000 times (2^11) faster. This is a collision attack, in which the attacker chooses both messages, not a preimage attack that would let an attacker match the hash of a document someone else has already signed, and that distinction is why the discovery does not mean that everyone using SHA-1 has to stop. Schneier writes, "For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before." He suggests, however, that in the long run we will see a shift towards hash functions with longer outputs (SHA-256 and SHA-512 are already standardized) and urges a concerted effort to develop even stronger functions.

In his essay on two-factor authentication, Schneier warns that token-based two-factor authentication, in which a dynamically generated code from the token is combined with a static personal identification number (PIN), cannot overcome man-in-the-middle attacks or Trojan attacks. Both attacks succeed because the one-time code proves only that the user holds the token at that moment, not which site the user is really talking to or which transaction the user intended. In the former, "An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time." In the Trojan attack, "Attacker gets Trojan installed on user's computer. When user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants."
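To make the SHA-1 item above concrete, here is an added example (my own illustration, not code from Crypto-Gram or from Schneier) of why collisions are cheaper than brute force. It runs a birthday search and a generic preimage search against SHA-1 truncated to a few leading bits; the truncation is an assumption made so that the search finishes in a fraction of a second, and nothing here weakens real 160-bit SHA-1. The prefixes "msg-" and "pre-" and the target string "target" are constructed inputs.

```python
"""Birthday collision search vs. preimage search on a truncated SHA-1.

Added illustration, not from Crypto-Gram. Truncating the digest (the `bits`
parameter) is an assumption so the searches run instantly; real SHA-1 is 160 bits.
"""
import hashlib
import itertools


def truncated_sha1(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-1(data), returned as an integer."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday attack: hash distinct inputs until a truncated digest repeats.

    Every new digest is compared against all earlier ones, so the expected work
    is on the order of 2**(bits/2) hashes, not 2**bits.
    Returns (m1, m2, hashes_computed); m1 != m2 by construction.
    """
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        h = truncated_sha1(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def find_preimage(bits: int, target: int, prefix: bytes = b"pre-", limit=None):
    """Generic preimage search: each candidate can only match the single given
    target, so expected work is 2**bits hashes. Returns (m, hashes_computed)
    or None if `limit` candidates are exhausted."""
    limit = limit or 64 * 2 ** bits
    for i in range(limit):
        m = prefix + str(i).encode()
        if truncated_sha1(m, bits) == target:
            return m, i + 1
    return None


def headline_speedup(attack_log2: int = 69, birthday_log2: int = 80) -> int:
    """Ratio between the generic birthday bound (2**80 for SHA-1) and the
    reported attack cost (2**69): 2**11 = 2048, the 'some 2,000 times' figure."""
    return 2 ** (birthday_log2 - attack_log2)


if __name__ == "__main__":
    bits = 16
    m1, m2, work = find_collision(bits)
    print(f"{bits}-bit collision after {work} hashes: {m1!r} / {m2!r}")
    target = truncated_sha1(b"target", bits)
    m, pwork = find_preimage(bits, target)
    print(f"{bits}-bit preimage after {pwork} hashes: {m!r}")
    print("reported SHA-1 speedup over the birthday bound:", headline_speedup())
```

At 16 bits the collision search typically stops after a few hundred hashes while the preimage search needs tens of thousands; the same square-root gap is what separates the 2^80 birthday bound from the 2^160 cost of inverting the full hash, and it is the reason a collision result, even one 2^11 below the birthday bound, leaves existing signatures on documents the attacker did not choose unaffected.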
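The two scenarios Schneier describes can be played out end to end. The following is an added simulation (my own code, not from Crypto-Gram or from any bank or token vendor): the token is modelled as a time-based HMAC code, an assumption since the column does not name a token type; the seed, PIN, payee names, amounts and the fixed clock value NOW are all constructed. The real bank does everything the scheme asks of it, checking the PIN, the current code and single use, and the attacker still ends up with a funded transfer in both cases.

```python
"""Man-in-the-middle and Trojan attacks on PIN + one-time-token login.

Added simulation, not from Crypto-Gram. Token type (time-based HMAC code),
secret, PIN and clock value are constructed assumptions.
"""
import hashlib
import hmac

SECRET = b"constructed-token-seed-not-a-real-key"  # shared token seed (constructed)
PIN = "4271"                                       # user's static PIN (constructed)
STEP = 30                                          # seconds per code window
NOW = 1_110_000_000                                # fixed clock for a deterministic run


def token_code(secret: bytes, now: int) -> str:
    """Six-digit code for the current STEP-second window (HMAC-SHA1, TOTP-like)."""
    counter = (now // STEP).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Bank:
    """The real bank: PIN + current token code grants a session; codes are single-use."""

    def __init__(self, secret: bytes, pin: str):
        self.secret, self.pin = secret, pin
        self.used = set()      # codes already accepted (replay protection)
        self.ledger = []       # (payee, amount) of completed transfers

    def login(self, pin: str, code: str, now: int):
        if pin != self.pin or code in self.used:
            return None
        if not hmac.compare_digest(code, token_code(self.secret, now)):
            return None
        self.used.add(code)
        return f"session-{now // STEP}"   # opaque session handle (constructed)

    def transfer(self, session, payee: str, amount: int) -> bool:
        if session is None:
            return False
        self.ledger.append((payee, amount))
        return True


class PhishingSite:
    """Attacker's look-alike site. Whatever the user types is relayed to the real
    bank immediately, inside the code's validity window, so the bank sees a
    perfectly valid login and the code's one-time property never triggers."""

    def __init__(self, real_bank: Bank):
        self.real_bank = real_bank
        self.stolen_session = None

    def login(self, pin: str, code: str, now: int) -> str:
        self.stolen_session = self.real_bank.login(pin, code, now)
        return "fake-session"   # user sees a convincing "logged in" page


def run_mitm(now: int = NOW):
    """Schneier's first scenario: relay through a fake bank site.
    Returns (bank, code_the_user_typed)."""
    bank = Bank(SECRET, PIN)
    fake = PhishingSite(bank)
    user_code = token_code(SECRET, now)     # user reads the code off the token...
    fake.login(PIN, user_code, now)         # ...and types it into the wrong site
    bank.transfer(fake.stolen_session, "attacker-account", 5000)
    return bank, user_code


def run_trojan(now: int = NOW):
    """Schneier's second scenario: malware on the user's PC piggybacks on the
    user's own, legitimately authenticated session. Returns the bank."""
    bank = Bank(SECRET, PIN)
    session = bank.login(PIN, token_code(SECRET, now), now)   # genuine login
    bank.transfer(session, "electric-company", 120)           # user's own payment
    bank.transfer(session, "attacker-account", 5000)          # trojan reuses session
    return bank


if __name__ == "__main__":
    bank, code = run_mitm()
    print("MITM ledger:", bank.ledger)
    print("replaying the same code later:", bank.login(PIN, code, NOW + STEP))
    print("Trojan ledger:", run_trojan().ledger)
```

Replaying the captured code after the fact fails, as the second print shows, which is exactly why the attacker relays it in real time instead. The check the bank performs never asks what the user was trying to do or who the user was really talking to, so a stronger code generator would not change either outcome.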

The method is not useless, argues Schneier, but in the long run it will not significantly increase Internet security.

Schneier launches a blistering attack on ChoicePoint management for concealing its breach of security: "ChoicePoint's behavior is a textbook example of how to be a bad corporate citizen. The information leakage occurred in October, and it didn't tell any victims until February. First, ChoicePoint notified 30,000 Californians and said that it would not notify anyone who lived outside California (since the law didn't require it). Finally, after public outcry, it announced that it would notify everyone affected." More importantly, Schneier traces the situation to its roots and points out that the fundamental problem is that the people whose information is stored by credit bureaus and data brokers are not those companies' customers, and that the companies face no financial consequences when that information is used for identity theft. He makes a strong case for bringing the capitalist system to bear on those companies by making them carry the costs of the identity theft their negligence enables.

Well, that's just a few of the interesting items in this month's _Crypto-Gram_. I hope that those of you who have not yet subscribed will be moved to visit the archive at <http://www.schneier.com/crypto-gram-back.html> and have fun browsing.

***

A Master's degree in the management of information assurance in 18 months of online study from Norwich University: see <http://www3.norwich.edu/msia> for details.

M. E. Kabay, PhD, CISSP is Associate Professor in the Division of Business and Management at Norwich University in Northfield, VT. Mich can be reached by e-mail at <mailto:[email protected]>; Web site at <http://www.mekabay.com/index.htm>.

Copyright © 2005 M. E. Kabay. All rights reserved. Permission is hereby granted to Network World to distribute this article at will, to post it without limit on any Web site, and to republish it in any way they see fit.