Published in: Wireless Personal Communications 1/2019

19.03.2019

Why Cryptosystems Fail Revisited

Author: Geir M. Køien


Abstract

In the paper “Why Cryptosystems Fail”, Ross Anderson ponders the question of why cryptosystems really fail. Obviously, there may be weak crypto-algorithms, too short key lengths and flawed crypto-protocols. However, these were not the main reasons why cryptosystems failed. Anderson discovered that the problem had more to do with misplaced trust and misconceptions of the threats the systems faced. Now, more than 25 years later, it seems prudent to revisit the question of why cryptosystems fail. We investigate the original paper, and evaluate to what extent the situation is similar today.

References
1. Anderson, R. (1993). Why cryptosystems fail. In Proceedings of the 1st ACM conference on computer and communications security (pp. 215–227). ACM.
2. Zimmermann, P. (1998). An introduction to cryptography. Documentation for pretty good privacy. Network Associates: Santa Clara.
3. Schneier, B. Memo to the amateur cipher designer. Crypto-Gram Newsletter.
4. Heilman, E., Narula, N., Dryja, T., & Virza, M. Iota vulnerability report: Cryptanalysis of the curl hash function enabling practical signature forgery attacks on the iota cryptocurrency. Technical report, MIT Media Lab.
5. Schneier, B. (2016). Cryptography is harder than it looks. IEEE Security & Privacy, 14(1), 87–88.
6. Walker, J., et al. (2000). Unsafe at any key size; An analysis of the wep encapsulation. IEEE Document, 802(00), 362.
7. Carvalho, M., DeMott, J., Ford, R., & Wheeler, D. A. (2014). Heartbleed 101. IEEE Security & Privacy, 12(4), 63–67.
8. Barkan, E., Biham, E., & Keller, N. (2003). Instant ciphertext-only cryptanalysis of gsm encrypted communication. In Annual international cryptology conference (pp. 600–616). Springer.
9. ICAO. Convention on International Civil Aviation. (2006). Convention (9th ed., Vol. 7300/9). Montreal: ICAO.
10. Taleb, N. N. (2018). Skin in the game: Hidden asymmetries in daily life. New York: Random House.
11. Abadi, M., & Needham, R. (1996). Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 1, 6–15.
12. Checkoway, S., Fredrikson, M., Niederhagen, R. F., Everspaugh, A., Green, M., Lange, T., Ristenpart, T., Bernstein, D. J., & Shacham, H., et al. (2014). On the practical exploitability of dual ec in tls implementations. In Conference; 23rd USENIX security symposium; 2014-08-20; 2014-08-22. Usenix Association.
13. Checkoway, S., Maskiewicz, J., Garman, C., Fried, J., Cohney, S., Green, M., et al. (2018). Where did i leave my keys? Lessons from the juniper dual ec incident. Communications of the ACM, 61(11), 148–155.
14. Higginbotham, S. (2018). 6 ways IoT is vulnerable. IEEE Spectrum, 55(7), 21.
15. Thompson, K. (1984). Reflections on trusting trust. Communications of the ACM, 27(8), 761–763.
16. Malmedal, B. & Røislien, H. E. (2016). The Norwegian cybersecurity culture. NorSIS: Report.
17. Seacord, R. C. (2008). The CERT C secure coding standard. London: Pearson Education.
18. Shor, P. W. (1994). Algorithms for quantum computation: Discrete logarithms and factoring. In 35th Annual symposium on foundations of computer science, 1994 proceedings (pp. 124–134). IEEE.
19. ETSI. (2011). Implementation security of quantum cryptography; Introduction, challenges, solutions. ETSI White Paper 27, ETSI, Sophia Antipolis, France.
20. ETSI. (2015). Quantum safe cryptography and security: An introduction, benefits, enablers and challenges. ETSI White Paper 8, ETSI, Sophia Antipolis, France.
21. Smart, N. P. (ed). (2014). Algorithms, key sizes and parameters report 2014. Technical report, ENISA.
22. Microsoft Corporation. Deprecation of SHA-1 for SSL/TLS certificates in microsoft edge and internet explorer 11. Technical report, Microsoft.
23. Peters, T. PEP 20—The Zen of Python (2004-08).
24. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Recommended practice: Improving industrial control system cybersecurity with defense-in-depth strategies. Department of Homeland Security.
25. NeSmith, B. The cybersecurity talent gap is an industry crisis. Forbes (online), 2018-08-09.
26. Anderson, R. (2008). Security engineering. Hoboken: Wiley.
27. Feynman, R. P. (1985). Cargo cult science. In W. W. Norton (Ed.), In surely you’re joking, Mr. Feynman (1st ed.)., Originally a 1974 Caltech commencement address London: Vintage.
28. Schneier, B. (2003). Beyond fear: Thinking sensibly about security in an uncertain world. New York: Copernicus Book.
29. Greenberg, A. The untold story of NotPetya, the most devastating cyberattack in history. Wired (online), 22.08.2018.
30. Gollmann, D. (2003). Analysing security protocols. In Formal aspects of security: First international conference, FASec 2002, London, UK, December 16–18, 2002, Revised papers (vol. 1, p. 71). Springer.
31. Knuth, D. (1977). Notes on the van Emde Boas construction of priority deques: An instructive use of recursion. Memo/Letter.
32. ENISA. ENISA threat landscape report 2017. Technical report, ENISA.
33. Symantec Corporation. Internet security threat report. (2018). Report. Mountain View: Symantec Corporation.
34. ETSI Technical Committee Cyber Security. CYBER; methods and protocols; part 1: Method and pro forma for threat, vulnerability, risk analysis (TVRA). Technical Specification 102 165-1 V5.2.3, ETSI (2017).
35. Adam, S. (2014). Threat modeling: Designing for security (1st ed.). Hoboken: Wiley.
36. Kalenderi, M., Pnevmatikatos, D., Papaefstathiou, I., & Manifavas, C. (2012). Breaking the gsm a5/1 cryptography algorithm with rainbow tables and high-end fpgas. In 22nd International conference on field programmable logic and applications (FPL), 2012 (pp. 747–753). IEEE.
37. Nohl, K. (2010). Attacking phone privacy. Black Hat USA, pp. 1–6.
38. Dunkelman, O., Keller, N., & Shamir, A. (2010). A practical-time related-key attack on the kasumi cryptosystem used in gsm and 3g telephony. In Annual cryptology conference (pp. 393–410). Springer.
39. Florêncio, D., & Herley, C. (2013). Where do all the attacks go? In Economics of information security and privacy III (pp. 13–33). Springer.
40. Kruger, J., & Dunning, D. (1999). Unskilled and Unaware of it: How difficulties in recognizing one’s own incompetence lead to inflated self-assessments. Journal of Personality and Social Psychology, 77(6), 1121.
41. Plous, S. (1993). The psychology of judgment and decision making., McGraw-Hill series in social psychology New York: Mcgraw-Hill Book Company.
42. Schneier, B. Drawing the wrong lessons from horrific events. CNN.com.
43. Taleb, N. N. (2007). The black swan: The impact of the highly improbable. New York: Random House Publishing Group.
44. Cavoukian, A. (2009). Privacy by design: The 7 foundational principles. Ontario: Information and Privacy Commissioner of Ontario.
45. EU. (2016). Regulation (EU) 2016/679 (General data protection regulation). Regulations 679, EU, 04.
46. NSM. (2016). S-01 Fire effektive tiltak mot dataangrep.
47. NSM. (2016). S-02 Ti viktige tiltak mot dataangrep.
Metadata
Title
Why Cryptosystems Fail Revisited
Author
Geir M. Køien
Publication date
19.03.2019
Publisher
Springer US
Published in
Wireless Personal Communications / Issue 1/2019
Print ISSN: 0929-6212
Electronic ISSN: 1572-834X
DOI
https://doi.org/10.1007/s11277-019-06265-6
