Information Security in Open Systems

796 views
713 views

Published on

OpenBSD meeting (invited), Coimbra 2007

It was my intent in this talk to bring a discussion on current enforcement of Information Security and the issues arising from its path from academia, to industry, to the user.

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
796
On SlideShare
0
From Embeds
0
Number of Embeds
23
Actions
Shares
0
Downloads
36
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Information Security in Open Systems

  1. 1. Information Security in Open Systems Paula Valença pvalenca@di.uminho.pt
  2. 2. What this will not be about... • ... a study of security and cryptography in OpenBSD... • ... I know too little to make any serious comment on the subject
  3. 3. What this will not be about... • ... a study of security and cryptography in OpenBSD... • ... I know too little to make any serious comment on the subject
  4. 4. What this will not be about • curves suitable for identity based cryptography • algebraic attacks on AES • breaks on SHA-1, SHA-0, MD5
  5. 5. What this will not be about • curves suitable for identity based cryptography • algebraic attacks on AES • breaks on SHA-1, SHA-0, MD5
  6. 6. What this will be about • A light chat regarding the security paradigm and state of situation, from the academia to software developers and users • WARNING... I am at the most abstract corner you can think of
  7. 7. Things that get me thinking • “So say I want a good security software - what should I choose / where should I look at?” • “How do I know that it is safe to use my credit card with site X?” • “... does that mean it’s not safe? Have they broken cryptography?”
  8. 8. The Babel Tower The researchers The specs writers The developers The admins The users
  9. 9. The Babel Tower The researchers The specs writers The developers The admins The users
  10. 10. Things slip through the creases • Phong Nguyen’s look at GPG in 2003 revealed compromised ElGamal keys (when sign+encrypt was used) • Arnold Yau and Kenny Patterson’s attacks on IPsec via lack of authentication/integrity protection
  11. 11. Are attacks realistic? • For many it’s debatable. Cryptographers look at the worst case scenario... take “chosen ciphertext attacks”, for example • And then comes efficiency, flexibility, backward-compatibility • ... confusing warnings... • ... still, Murphy’s law
  12. 12. Good things about open systems • audit, peer-reviews, source code availability... • does not necessarily mean that it is • ... and more important still, by the “experts”
  13. 13. the present and future • Information security is turning more and more into management that IT: protocols, directives • ... which are not always clear (take IPsec series of RFCs, for example) • Schneier’s recent article speaks of a shift from apps to services
  14. 14. Questions? More importantly, discussion...

×