Security Engineering: A Guide to Building Dependable Distributed Systems
Format: PDF / Kindle (mobi) / ePub
The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here's straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.
through software engineering to evaluation and testing, are also important; but they are not sufficient, as they deal only with error and mischance rather than malice. Many security systems have critical assurance requirements. Their failure may endanger human life and the environment (as with nuclear safety and control systems), do serious damage to major economic infrastructure (cash machines and other bank systems), endanger personal privacy (medical record
that a trusted system or component is one whose failure can break the security policy, while a trustworthy system or component is one that won’t fail. Beware, though, that there are many alternative definitions of trust. A UK military view stresses auditability and fail-secure properties: a trusted systems element is one ‘whose integrity cannot be assured by external observation of its behaviour whilst in operation’. Other definitions often have to do with whether a particular system is approved by
at our lab that initial passwords are always handed by the sysadmin to the user on paper. Sun Microsystems had a policy that the root password for each machine is a 16-character random alphanumeric string, kept in an envelope with the machine, and which may never be divulged over the phone or sent over the network. If a rule like this is rigidly enforced throughout an organization, it will make any pretext attack on a root password conspicuous. The people who can get at it must be only those who
were largely used in the background to support other operations; much of the technology was developed to manage the keys used by cash machines and banks to communicate with each other. But now, systems such as pay-TV use key management to control access to the system directly. Authentication protocols are now also used in distributed computer systems for general key management purposes, and are therefore becoming ever more important. Kerberos was the first such system to come into widespread use,
(unsurprisingly known as a key recovery attack). This precision about attacks is important. When someone discovers a vulnerability in a cryptographic primitive, it may or may not be relevant to your application. Often it won’t be, but will have been hyped by the media — so you will need to be able to explain clearly to your boss and your customers why it’s not a problem. So you have to look carefully to find out exactly what kind of attack has been found,