
List:       bugtraq
Subject:    Re: ICSA certifies weak crypto as secure
From:       Peter Gutmann <pgut001 () cs ! auckland ! ac ! nz>
Date:       1999-05-27 17:15:21

"Lucky Green" <shamrock@netcom.com> writes:

>I am becoming concerned about the apparent lack of professional competence
>within even well-known segments of the security community. I hope the
>incident I discovered is an isolated one, but even a single such incident is
>disquieting.

[...]

>I find it frightening to think that somebody calling themselves a security
>professional might even consider certifying a site using 40-bit SSL to
>protect crucial customer information. Especially a site in the financial
>sector. Certifying obfuscation as security is an unacceptable level of
>performance by any computer security professional.

I think it's pretty common; in 1997 I heard of Ernst and Young in NZ certifying
40-bit SSL as being secure for banking use.  I mentioned this in a posting to
sci.crypt titled "Crypto for beancounters" and got several responses from
people saying they'd had similar experiences (not necessarily with E&Y, but
with Big 6 firms who did security audits).  The summary of the responses was:

-- Snip --

[...]

- Getting a security system accepted is more likely if it's been reviewed by
  the company auditors, even if the people involved don't have much experience
  with the technology.

- Even if the auditors don't have much crypto experience, they're generally
  very good at finding things like procedural flaws.  Most real systems fail
  because they're not used properly, not because of technical attacks.
  Accountants/auditing firms are very good at finding problems like this.

- Some firms may have experience in auditing crypto, but more importantly they
  should be able to call in outside experts to check the crypto.  Requiring
  that the audit report include details of how the crypto was evaluated and (if
  external experts were used) by whom would be a good idea.

In summary, use the auditing firm to cover security procedures, but (unless they
have expertise in the area) leave assessment of the crypto software to known
experts in the field and/or insist on seeing details of how the crypto was
assessed.

-- Snip --

It's really just an issue of being able to prove due diligence - all you need
is the right people to check the "Uses encryption" box and you're OK.  Whether
the encryption is any good or not is largely irrelevant, at least for the
purposes of the exercise, which is to pass the audit.

Peter.
