CHAPTER 1
What Is Security Engineering?

Out of the crooked timber of humanity, no straight thing was ever made.
— Immanuel Kant

The world is never going to be perfect, either on- or offline; so let’s not set impossibly high standards for online.
— Esther Dyson
1.1 Introduction

Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.

Security engineering requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance and formal methods to a knowledge of economics, applied psychology, organizations and the law. System engineering skills, from business process analysis through software engineering to evaluation and testing, are also important; but they are not sufficient, as they deal only with error and mischance rather than malice.
Many security systems have critical assurance requirements. Their failure may endanger human life and the environment (as with nuclear safety and control systems), do serious damage to major economic infrastructure (cash machines and other bank systems), endanger personal privacy (medical record systems), undermine the viability of whole business sectors (pay-TV), and facilitate crime (burglar and car alarms). Even the perception that a system is more vulnerable than it really is (paying with a credit card over the Internet) can significantly hold up economic development.
The conventional view is that while software engineering is about ensuring that certain things happen (‘John can read this file’), security is about ensuring that they don’t (‘The Chinese government can’t read this file’). Reality is much more complex. Security requirements differ greatly from one system to another. One typically needs some combination of user authentication, transaction integrity and accountability, fault-tolerance, message secrecy, and covertness. But many systems fail because their designers protect the wrong things, or protect the right things but in the wrong way.
Getting protection right thus depends on several different types of process. You have to figure out what needs protecting, and how to do it. You also need to ensure that the people who will guard the system and maintain it are properly motivated. In the next section, I’ll set out a framework for thinking about this. Then, in order to illustrate the range of different things that security systems have to do, I will take a quick look at four application areas: a bank, an air force base, a hospital, and the home. Once we have given some concrete examples of the stuff that security engineers have to understand and build, we will be in a position to attempt some definitions.
1.2 A Framework

Good security engineering requires four things to come together. There’s policy: what you’re supposed to achieve. There’s mechanism: the ciphers, access controls, hardware tamper-resistance and other machinery that you assemble in order to implement the policy. There’s assurance: the amount of reliance you can place on each particular mechanism. Finally, there’s incentive: the motive that the people guarding and maintaining the system have to do their job properly, and also the motive that the attackers have to try to defeat your policy. All of these interact (see Fig. 1.1).
As an example, let’s think of the 9/11 terrorist attacks. The hijackers’ success in getting knives through airport security was not a mechanism failure but a policy one; at that time, knives with blades up to three inches were permitted, and the screeners did their task of keeping guns and explosives off as far as we know. Policy has changed since then: first to prohibit all knives, then most weapons (baseball bats are now forbidden but whiskey bottles are OK); it’s flip-flopped on many details (butane lighters forbidden then allowed again). Mechanism is weak, because of things like composite knives and explosives that don’t contain nitrogen. Assurance is always poor; many tons of harmless passengers’ possessions are consigned to the trash each month, while well below half of all the weapons taken through screening (whether accidentally or for test purposes) are picked up.

Figure 1.1: Security Engineering Analysis Framework (four interacting elements: Policy, Incentives, Mechanism, Assurance)
Serious analysts point out major problems with priorities. For example, the TSA has spent $14.7 billion on aggressive passenger screening, which is fairly ineffective, while $100m spent on reinforcing cockpit doors would remove most of the risk [1024]. The President of the Airline Pilots Security Alliance notes that most ground staff aren’t screened, and almost no care is taken to guard aircraft parked on the ground overnight. As most airliners don’t have locks, there’s not much to stop a bad guy wheeling steps up to a plane and placing a bomb on board; if he had piloting skills and a bit of chutzpah, he could file a flight plan and make off with it [820]. Yet screening staff and guarding planes are just not a priority.
Why are such poor policy choices made? Quite simply, the incentives on the decision makers favour visible controls over effective ones. The result is what Bruce Schneier calls ‘security theatre’ — measures designed to produce a feeling of security rather than the reality. Most players also have an incentive to exaggerate the threat from terrorism: politicians to scare up the vote, journalists to sell more papers, companies to sell more equipment, government officials to build their empires, and security academics to get grants. The upshot of all this is that most of the damage done by terrorists to democratic countries comes from the overreaction. Fortunately, electorates figure this out over time. In Britain, where the IRA bombed us intermittently for a generation, the public reaction to the 7/7 bombings was mostly a shrug.
Security engineers have to understand all this; we need to be able to put risks and threats in context, make realistic assessments of what might go wrong, and give our clients good advice. That depends on a wide understanding of what has gone wrong over time with various systems; what sort of attacks have worked, what their consequences were, and how they were stopped (if it was worthwhile to do so). This book is full of case histories. I’ll talk about terrorism specifically in Part III. For now, in order to set the scene, I’ll give a few brief examples here of interesting security systems and what they are designed to prevent.
1.3 Example 1 — A Bank

Banks operate a surprisingly large range of security-critical computer systems.
1. The core of a bank’s operations is usually a branch bookkeeping system. This keeps customer account master files plus a number of journals that record the day’s transactions. The main threat to this system is the bank’s own staff; about one percent of bankers are fired each year, mostly for petty dishonesty (the average theft is only a few thousand dollars). The main defense comes from bookkeeping procedures that have evolved over centuries. For example, each debit against one account must be matched by an equal and opposite credit against another; so money can only be moved within a bank, never created or destroyed. In addition, large transfers of money might need two or three people to authorize them. There are also alarm systems that look for unusual volumes or patterns of transactions, and staff are required to take regular vacations during which they have no access to the bank’s premises or systems.
2. One public face of the bank is its automatic teller machines. Authenticating transactions based on a customer’s card and personal identification number — in such a way as to defend against both outside and inside attack — is harder than it looks! There have been many epidemics of ‘phantom withdrawals’ in various countries when local villains (or bank staff) have found and exploited loopholes in the system. Automatic teller machines are also interesting as they were the first large scale commercial use of cryptography, and they helped establish a number of crypto standards.
3. Another public face is the bank’s website. Many customers now do more of their routine business, such as bill payments and transfers between savings and checking accounts, online rather than at a branch. Bank websites have come under heavy attack recently from phishing — from bogus websites into which customers are invited to enter their passwords. The ‘standard’ internet security mechanisms designed in the 1990s, such as SSL/TLS, turned out to be ineffective once capable motivated opponents started attacking the customers rather than the bank. Phishing is a fascinating security engineering problem mixing elements from authentication, usability, psychology, operations and economics. I’ll discuss it in detail in the next chapter.
4. Behind the scenes are a number of high-value messaging systems. These are used to move large sums of money (whether between local banks or between banks internationally); to trade in securities; to issue letters of credit and guarantees; and so on. An attack on such a system is the dream of the sophisticated white-collar criminal. The defense is a mixture of bookkeeping procedures, access controls, and cryptography.
5. The bank’s branches will often appear to be large, solid and prosperous, giving customers the psychological message that their money is safe. This is theatre rather than reality: the stone facade gives no real protection. If you walk in with a gun, the tellers will give you all the cash you can see; and if you break in at night, you can cut into the safe or strongroom in a couple of minutes with an abrasive wheel. The effective controls these days center on the alarm systems — which are in constant communication with a security company’s control center. Cryptography is used to prevent a robber or burglar manipulating the communications and making the alarm appear to say ‘all’s well’ when it isn’t.
I’ll look at these applications in later chapters. Banking computer security is important for two reasons. First, until quite recently, banks were the main non-military market for many computer security products, so they had a disproportionate influence on security standards. Secondly, even where their technology isn’t blessed by an international standard, it is often widely used in other sectors anyway.
1.4 Example 2 — A Military Base

Military systems have also been an important technology driver. They have motivated much of the academic research that governments have funded into computer security in the last 20 years. As with banking, there is not one single application but many.
1. Some of the most sophisticated installations are the electronic warfare systems whose goals include trying to jam enemy radars while preventing the enemy from jamming yours. This area of information warfare is particularly instructive because for decades, well-funded research labs have been developing sophisticated countermeasures, counter-countermeasures and so on — with a depth, subtlety and range of deception strategies that are still not found elsewhere. As I write, in 2007, a lot of work is being done on adapting jammers to disable improvised explosive devices that make life hazardous for allied troops in Iraq. Electronic warfare has given many valuable insights: issues such as spoofing and service-denial attacks were live there long before bankers and bookmakers started having problems with bad guys targeting their websites.
2. Military communication systems have some interesting requirements. It is often not sufficient to just encipher messages: the enemy, on seeing traffic encrypted with somebody else’s keys, may simply locate the transmitter and attack it. Low-probability-of-intercept (LPI) radio links are one answer; they use a number of tricks that are now being adopted in applications such as copyright marking. Covert communications are also important in some privacy applications, such as in defeating the Internet censorship imposed by repressive regimes.
3. Military organizations have some of the biggest systems for logistics and inventory management, which differ from commercial systems in having a number of special assurance requirements. For example, one may have a separate stores management system at each different security level: a general system for things like jet fuel and boot polish, plus a second secret system for stores and equipment whose location might give away tactical intentions. (This is very like the businessman who keeps separate sets of books for his partners and for the taxman, and can cause similar problems for the poor auditor.) There may also be intelligence systems and command systems with even higher protection requirements. The general rule is that sensitive information may not flow down to less restrictive classifications. So you can copy a file from a Secret stores system to a Top Secret command system, but not vice versa. The same rule applies to intelligence systems which collect data using wiretaps: information must flow up to the intelligence analyst from the target of investigation, but the target must not know which of his communications have been intercepted. Managing multiple systems with information flow restrictions is a hard problem and has inspired a lot of research. Since 9/11, for example, the drive to link up intelligence systems has led people to invent search engines that can index material at multiple levels and show users only the answers they are cleared to know.
4. The particular problems of protecting nuclear weapons have given rise over the last two generations to a lot of interesting security technology, ranging from electronic authentication systems that prevent weapons being used without the permission of the national command authority, through seals and alarm systems, to methods of identifying people with a high degree of certainty using biometrics such as iris patterns.
The civilian security engineer can learn a lot from all this. For example, many early systems for inserting copyright marks into digital audio and video, which used ideas from spread-spectrum radio, were vulnerable to desynchronisation attacks that are also a problem for some spread-spectrum systems. Another example comes from munitions management. There, a typical system enforces rules such as ‘Don’t put explosives and detonators in the same truck’. Such techniques can be recycled in food logistics — where hygiene rules forbid raw and cooked meats being handled together.
1.5 Example 3 — A Hospital

From soldiers and food hygiene we move on to healthcare. Hospitals have a number of interesting protection requirements — mostly to do with patient safety and privacy.
1. Patient record systems should not let all the staff see every patient’s record, or privacy violations can be expected. They need to implement rules such as ‘nurses can see the records of any patient who has been cared for in their department at any time during the previous 90 days’. This can be hard to do with traditional computer security mechanisms as roles can change (nurses move from one department to another) and there are cross-system dependencies (if the patient records system ends up relying on the personnel system for access control decisions, then the personnel system may just have become critical for safety, for privacy or for both).
2. Patient records are often anonymized for use in research, but this is hard to do well. Simply encrypting patient names is usually not enough as an enquiry such as ‘show me all records of 59 year old males who were treated for a broken collarbone on September 15th 1966’ would usually be enough to find the record of a politician who was known to have sustained such an injury at college. But if records cannot be anonymized properly, then much stricter rules have to be followed when handling the data, and this increases the cost of medical research.
3. Web-based technologies present interesting new assurance problems in healthcare. For example, as reference books — such as directories of drugs — move online, doctors need assurance that life-critical data, such as the figures for dosage per body weight, are exactly as published by the relevant authority, and have not been mangled in some way. Another example is that as doctors start to access patients’ records from home or from laptops or even PDAs during house calls, suitable electronic authentication and encryption tools are starting to be required.
4. New technology can introduce risks that are just not understood. Hospital administrators understand the need for backup procedures to deal with outages of power, telephone service and so on; but medical practice is rapidly coming to depend on the net in ways that are often not documented. For example, hospitals in Britain are starting to use online radiology systems: X-rays no longer travel from the X-ray machine to the operating theatre in an envelope, but via a server in a distant town. So a network failure can stop doctors operating just as much as a power failure. All of a sudden, the Internet turns into a safety-critical system, and denial-of-service attacks might kill people.
We will look at medical system security too in more detail later. This is a much younger field than banking IT or military systems, but as healthcare accounts for a larger proportion of GNP than either of them in all developed countries, and as hospitals are adopting IT at an increasing rate, it looks set to become important. In the USA in particular, the HIPAA legislation — which sets minimum standards for privacy — has made the sector a major client of the information security industry.
1.6 Example 4 — The Home

You might not think that the typical family operates any secure systems. But consider the following.
1. Many families use some of the systems we’ve already described. You may use a web-based electronic banking system to pay bills, and in a few years you may have encrypted online access to your medical records. Your burglar alarm may send an encrypted ‘all’s well’ signal to the security company every few minutes, rather than waking up the neighborhood when something happens.
2. Your car probably has an electronic immobilizer that sends an encrypted challenge to a radio transponder in the key fob; the transponder has to respond correctly before the car will start. This makes theft harder and cuts your insurance premiums. But it also increases the number of car thefts from homes, where the house is burgled to get the car keys. The really hard edge is a surge in car-jackings: criminals who want a getaway car may just take one at gunpoint.
3. Early mobile phones were easy for villains to ‘clone’: users could suddenly find their bills inflated by hundreds or even thousands of dollars. The current GSM digital mobile phones authenticate themselves to the network by a cryptographic challenge-response protocol similar to the ones used in car door locks and immobilizers.
4. Satellite TV set-top boxes decipher movies so long as you keep paying your subscription. DVD players use copy control mechanisms based on cryptography and copyright marking to make it harder to copy disks (or to play them outside a certain geographic area). Authentication protocols can now also be used to set up secure communications on home networks (including WiFi, Bluetooth and HomePlug).
5. In many countries, households who can’t get credit can get prepayment meters for electricity and gas, which they top up using a smartcard or other electronic key which they refill at a local store. Many universities use similar technologies to get students to pay for photocopier use, washing machines and even soft drinks.
6. Above all, the home provides a haven of physical security and seclusion. Technological progress will impact this in many ways. Advances in locksmithing mean that most common house locks can be defeated easily; does this matter? Research suggests that burglars aren’t worried by locks as much as by occupants, so perhaps it doesn’t matter much — but then maybe alarms will become more important for keeping intruders at bay when no-one’s at home. Electronic intrusion might over time become a bigger issue, as more and more devices start to communicate with central services. The security of your home may come to depend on remote systems over which you have little control.
So you probably already use many systems that are designed to enforce some protection policy or other using largely electronic mechanisms. Over the next few decades, the number of such systems is going to increase rapidly. On past experience, many of them will be badly designed. The necessary skills are just not spread widely enough.
The aim of this book is to enable you to design such systems better. To do this, an engineer or programmer needs to learn about what systems there are, how they work, and — at least as important — how they have failed in the past. Civil engineers learn far more from the one bridge that falls down than from the hundred that stay up; exactly the same holds in security engineering.
1.7 Definitions

Many of the terms used in security engineering are straightforward, but some are misleading or even controversial. There are more detailed definitions of technical terms in the relevant chapters, which you can find using the index. In this section, I’ll try to point out where the main problems lie.
The first thing we need to clarify is what we mean by system. In practice, this can denote:

1. a product or component, such as a cryptographic protocol, a smartcard or the hardware of a PC;
2. a collection of the above plus an operating system, communications and other things that go to make up an organization’s infrastructure;
3. the above plus one or more applications (media player, browser, word processor, accounts / payroll package, and so on);
4. any or all of the above plus IT staff;
5. any or all of the above plus internal users and management;
6. any or all of the above plus customers and other external users.
Confusion between the above definitions is a fertile source of errors and vulnerabilities. Broadly speaking, the vendor and evaluator communities focus on the first (and occasionally the second) of them, while a business will focus on the sixth (and occasionally the fifth). We will come across many examples of systems that were advertised or even certified as secure because the hardware was, but that broke badly when a particular application was run, or when the equipment was used in a way the designers didn’t anticipate. Ignoring the human components, and thus neglecting usability issues, is one of the largest causes of security failure. So we will generally use definition 6; when we take a more restrictive view, it should be clear from the context.
The next set of problems comes from lack of clarity about who the players are and what they are trying to prove. In the literature on security and cryptology, it’s a convention that principals in security protocols are identified by names chosen with (usually) successive initial letters — much like hurricanes — and so we see lots of statements such as ‘Alice authenticates herself to Bob’. This makes things much more readable, but often at the expense of precision. Do we mean that Alice proves to Bob that her name actually is Alice, or that she proves she’s got a particular credential? Do we mean that the authentication is done by Alice the human being, or by a smart card or software tool acting as Alice’s agent? In that case, are we sure it’s Alice, and not perhaps Cherie to whom Alice lent her card, or David who stole her card, or Eve who hacked her PC?
By a subject I will mean a physical person (human, ET, ...), in any role including that of an operator, principal or victim. By a person, I will mean either a physical person or a legal person such as a company or government¹. A principal is an entity that participates in a security system. This entity can be a subject, a person, a role, or a piece of equipment such as a PC, smartcard, or card reader terminal. A principal can also be a communications channel (which might be a port number, or a crypto key, depending on the circumstance). A principal can also be a compound of other principals; examples are a group (Alice or Bob), a conjunction (Alice and Bob acting together), a compound role (Alice acting as Bob’s manager) and a delegation (Bob acting for Alice in her absence). Beware that groups and roles are not the same. By a group I will mean a set of principals, while a role is a set of functions assumed by different persons in succession (such as ‘the officer of the watch on the USS Nimitz’ or ‘the president for the time being of the Icelandic Medical Association’). A principal may be considered at more than one level of abstraction: e.g. ‘Bob acting for Alice in her absence’ might mean ‘Bob’s smartcard representing Bob who is acting for Alice in her absence’ or even ‘Bob operating Alice’s smartcard in her absence’. When we have to consider more detail, I’ll be more specific.

¹ That some persons are not people may seem slightly confusing but it’s well established: blame the lawyers.
The meaning of the word identity is controversial. When we have to be careful, I will use it to mean a correspondence between the names of two principals signifying that they refer to the same person or equipment. For example, it may be important to know that the Bob in ‘Alice acting as Bob’s manager’ is the same as the Bob in ‘Bob acting as Charlie’s manager’ and in ‘Bob as branch manager signing a bank draft jointly with David’. Often, identity is abused to mean simply ‘name’, an abuse entrenched by such phrases as ‘user identity’ and ‘citizen’s identity card’. Where there is no possibility of being ambiguous, I’ll sometimes lapse into this vernacular usage in order to avoid pomposity.
The definitions of trust and trustworthy are often confused. The following example illustrates the difference: if an NSA employee is observed in a toilet stall at Baltimore Washington International airport selling key material to a Chinese diplomat, then (assuming his operation was not authorized) we can describe him as ‘trusted but not trustworthy’. Hereafter, we’ll use the NSA definition that a trusted system or component is one whose failure can break the security policy, while a trustworthy system or component is one that won’t fail.
Beware, though, that there are many alternative definitions of trust. A UK military view stresses auditability and fail-secure properties: a trusted systems element is one ‘whose integrity cannot be assured by external observation of its behaviour whilst in operation’. Other definitions often have to do with whether a particular system is approved by authority: a trusted system might be ‘a system which won’t get me fired if it gets hacked on my watch’ or even ‘a system which we can insure’. I won’t use either of these definitions. When we mean a system which isn’t failure-evident, or an approved system, or an insured system, I’ll say so.
The definition of confidentiality versus privacy versus secrecy opens another can of worms. These terms clearly overlap, but equally clearly are not exactly the same. If my neighbor cuts down some ivy at our common fence with the result that his kids can look into my garden and tease my dogs, it’s not my confidentiality that has been invaded. And the duty to keep quiet about the affairs of a former employer is a duty of confidence, not of privacy.
The way I’ll use these words is as follows.

Secrecy is a technical term which refers to the effect of the mechanisms used to limit the number of principals who can access information, such as cryptography or computer access controls.

Confidentiality involves an obligation to protect some other person’s or organization’s secrets if you know them.

Privacy is the ability and/or right to protect your personal information and extends to the ability and/or right to prevent invasions of your personal space (the exact definition of which varies quite sharply from one country to another). Privacy can extend to families but not to legal persons such as corporations.
For example, hospital patients have a right to privacy, and in order to uphold this right the doctors, nurses and other staff have a duty of confidence towards their patients. The hospital has no right of privacy in respect of its business dealings but those employees who are privy to them may have a duty of confidence. In short, privacy is secrecy for the benefit of the individual while confidentiality is secrecy for the benefit of the organization.
There is a further complexity in that it’s often not sufficient to protect data, such as the contents of messages; we also have to protect metadata, such as logs of who spoke to whom. For example, many countries have laws making the treatment of sexually transmitted diseases secret, and yet if a private eye could find out that you were exchanging encrypted messages with an STD clinic, he might well draw the conclusion that you were being treated there. (A famous model in Britain recently won a privacy lawsuit against a tabloid newspaper which printed a photograph of her leaving a meeting of Narcotics Anonymous.) So anonymity can be just as important a factor in privacy (or confidentiality) as secrecy. To make things even more complex, some writers refer to what we’ve called secrecy as message content confidentiality and to what we’ve called anonymity as message source (or destination) confidentiality.
In general, anonymity is hard. It’s difficult to be anonymous on your own; you usually need a crowd to hide in. Also, our legal codes are not designed to support anonymity: it’s much easier for the police to get itemized billing information from the phone company, which tells them who called whom, than it is to get an actual wiretap. (And it’s often very useful.)
The meanings of authenticity and integrity can also vary subtly. In the academic literature on security protocols, authenticity means integrity plus freshness: you have established that you are speaking to a genuine principal, not a replay of previous messages. We have a similar idea in banking protocols. In a country whose banking laws state that checks are no longer valid after six months, a seven month old uncashed check has integrity (assuming it’s not been altered) but is no longer valid. The military usage tends to be that authenticity applies to the identity of principals and orders they give, while integrity applies to stored data. Thus we can talk about the integrity of a database of electronic warfare threats (it’s not been corrupted, whether by the other side or by Murphy) but the authenticity of a general’s orders (which has an overlap with the academic usage). However, there are some strange usages. For example, one can talk about an authentic copy of a deceptive order given by the other side’s electronic warfare people; here the authenticity refers to the act of copying and storage. Similarly, a police crime scene officer will talk about preserving the integrity of a forged check, by placing it in an evidence bag.
The last matter I’ll clarify here is the terminology which describes what we’re trying to achieve. A vulnerability is a property of a system or its environment which, in conjunction with an internal or external threat, can lead to a security failure, which is a breach of the system’s security policy. By security policy I will mean a succinct statement of a system’s protection strategy (for example, ‘each credit must be matched by an equal and opposite debit, and all transactions over $1,000 must be authorized by two managers’). A security target is a more detailed specification which sets out the means by which a security policy will be implemented in a particular product — encryption and digital signature mechanisms, access controls, audit logs and so on — and which will be used as the yardstick to evaluate whether the designers and implementers have done a proper job. Between these two levels you may find a protection profile which is like a security target except written in a sufficiently device-independent way to allow comparative evaluations among different products and different versions of the same product. I’ll elaborate on security policies, security targets and protection profiles in later chapters. In general, the word protection will mean a property such as confidentiality or integrity, defined in a sufficiently abstract way for us to reason about it in the context of general systems rather than specific implementations.
1.8 Summary

There is a lot of terminological confusion in security engineering, much of which is due to the element of conflict. ‘Security’ is a terribly overloaded word, which often means quite incompatible things to different people.

To a corporation, it might mean the ability to monitor all employees’ email and web browsing; to the employees, it might mean being able to use email and the web without being monitored. As time goes on, and security mechanisms are used more and more by the people who control a system’s design to gain some commercial advantage over the other people who use it, we can expect conflicts, confusion and the deceptive use of language to increase.
One is reminded of a passage from Lewis Carroll:

“When I use a word,” Humpty Dumpty said, in a rather scornful tone, “it means just what I choose it to mean — neither more nor less.” “The question is,” said Alice, “whether you can make words mean so many different things.” “The question is,” said Humpty Dumpty, “which is to be master — that’s all.”
The security engineer should develop sensitivity to the different nuances of meaning that common words acquire in different applications, and to be able to formalize what the security policy and target actually are. That may sometimes be inconvenient for clients who wish to get away with something, but, in general, robust security design requires that the protection goals are made explicit.