Simplicity, Reconciliation, and Security
Bob Blakley
Chief Scientist, Security and Privacy, IBM
17 October 2005
How do you secure a box of money with a hole in it?
Start with the box empty.
Count what you put into the box.
Know how much should go in or out before you open the box.
Record everything that goes in and everything that comes out each time you open the box.
Continually update a total using the record of what went in and out.
Count at the end…
Check the end total against the end count.
Security Properties
• Transactionality
  – Sale price = cash input; refund cost = cash output
  – Tender - price = change
• Accountability
  – Receipts, drawer tape; punishment for infractions
• Reconciliation
  – Drawer count vs. drawer tape
• Supervision
  – Drawer count verification
• Visibility
  – Operations performed in public
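The box-with-a-hole procedure above and the transactionality and reconciliation properties just listed, worked as an added example (not code from the talk): a drawer that starts empty, writes every open to a tape, keeps a running expected total, and at close returns the discrepancy between the counted cash and the tape. The `Drawer`/`TapeEntry` names and the sample day are constructed for illustration.

```python
"""Cash-drawer reconciliation modelled on the box-with-a-hole procedure."""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class TapeEntry:
    """One line of the drawer tape: what went in and what came out."""
    kind: str            # "sale" or "refund"
    cash_in: Decimal
    cash_out: Decimal


@dataclass
class Drawer:
    """Start with the box empty; every open is recorded and totalled."""
    tape: list = field(default_factory=list)
    expected: Decimal = Decimal("0")   # running total derived from the tape

    def sale(self, price, tender):
        """Transactionality: sale price = cash input; tender - price = change."""
        if tender < price:
            raise ValueError("tender below price")
        change = tender - price
        self._record("sale", cash_in=tender, cash_out=change)
        return change

    def refund(self, cost):
        """Refund cost = cash output; refuse what the drawer cannot cover."""
        if cost > self.expected:
            raise ValueError("refund exceeds expected drawer contents")
        self._record("refund", cash_in=Decimal("0"), cash_out=cost)

    def _record(self, kind, cash_in, cash_out):
        # Record what went in and out, then update the running total.
        self.tape.append(TapeEntry(kind, cash_in, cash_out))
        self.expected += cash_in - cash_out

    def reconcile(self, end_count):
        """Reconciliation: drawer count vs. drawer tape. Returns the discrepancy
        (positive = surplus, negative = shortfall); zero means the box balances."""
        tape_total = sum((e.cash_in - e.cash_out for e in self.tape), Decimal("0"))
        if tape_total != self.expected:
            raise RuntimeError("running total disagrees with the tape")
        return end_count - tape_total


def demo():
    # Constructed sample day: two sales, one refund, and a count that comes up short.
    d = Drawer()
    d.sale(Decimal("12.50"), Decimal("20.00"))   # 7.50 change, net +12.50
    d.sale(Decimal("3.25"), Decimal("5.00"))     # 1.75 change, net +3.25
    d.refund(Decimal("4.00"))                    # net expected 11.75
    return d.reconcile(Decimal("10.75"))         # counted 10.75 -> shortfall of 1.00
```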
Non-Properties
• Authentication
  – visibility, supervision used instead
• Data integrity
  – transactionality used instead
• Authorization
  – accountability used instead
• Confidentiality
  – not required
Why don’t we design secure information systems like this?
• We’re computer scientists and don’t like special-purpose systems?
• We like artifacts rather than processes?
• We love cryptography?
• We are unafraid of complexity?
• We’ve overgeneralized the security problem?
• There’s not enough at stake?
• Some problems aren’t amenable to this approach?
Could our systems look more like this?
• Of course…
• In fact, our customers use the artifacts we produce to design systems which DO look like this
  – often working against the properties we’ve built into the artifacts
Example: accountable, reconcilable transaction
[Diagram; component labels only: signed offer, signed acceptance, viewer (two), verification key (two), correlator, ledger]