What my grandmother taught me about IT security


The Identity Theft Enforcement and Restitution Act of 2007 passed the Senate by unanimous consent. As is often the case in our nation's legislature, the two houses of Congress, the House of Representatives and the Senate, have been working at roughly redundant purposes on very similar bills. The House version, however, has not yet left subcommittee deliberation for consideration by the full House of Representatives.

The Senate bill, should it be enacted as law, would amend Title 18 of the US Code to address conspiracy to commit what our Congress terms "cybercrime", close loopholes in current law against extortion, give victims of identity theft a greater ability to seek restitution, and specifically address the phenomenon of botnets. The ITERAct attempts to deal with botnets by making it a crime to "damage", whatever that means, ten or more computers in a single year.

Tim Bennett, the president of the CSIA, said "This cybercrime bill is an integral part of the cybercrime fight, but it is also imperative that this Congress address through legislation other aspects of the problem, such as data security, to prevent criminals from getting sensitive personal information in the first place."

Security industry vendors don't seem terribly optimistic about the prospects of such a bill passing the House of Representatives before the end of the year, however, considering the way most of the House's time has been diverted by matters related to the war in Iraq and "homeland security". Add to that the return of deliberations over fiscal year budgeting, and it's no wonder Symantec's federal government relations manager Kevin Richards said "prospects for this year don't look so good".

If such a data protection bill passes Congress, its phrasing will bear watching, because it could easily go one of several ways. The best possible outcome, in my estimation, would be a true digital privacy bill that reinforces the implications of the Fourth and Fifth Amendments of the US Constitution. Assuming it was more than a lame duck law, such an act would to a significant degree protect against the types of abuse of power we've seen in the wiretap scandals of recent years, in USA PATRIOT Act provisions, and in the potential for NSA-designed backdoors in common cryptographic standards, such as the speculated intentional weakness in Dual_EC_DRBG, one of the random number generators in NIST's new standard.

While the above-linked Wired article by Bruce Schneier is certainly worth the read, I'll summarize a bit for you:

  1. NIST released a new official standard for the random number generation software used in encryption algorithms, NIST Special Publication 800-90.
  2. That standard defines a set of four DRBGs approved for government use and recommended for widespread public use.
  3. The NSA championed the elliptic-curve-based generator, Dual_EC_DRBG, for inclusion in the NIST standard.
  4. Dual_EC_DRBG is slower than pond scum running uphill and contains a small, but measurable, numerical bias — problems none of the other new NIST standard DRBGs share, which makes one wonder why the NSA bothered to push for its inclusion.
  5. Dual_EC_DRBG contains a mathematical "back door", one that may or may not have been intentional and for which the NSA may or may not have the key. Reverse-engineering the key should be a significantly difficult task, perhaps effectively impossible at current technology levels, but the key could very easily have been generated at the time the constants used to define the algorithm's elliptic curve points were created. For more information on what that means, I recommend some heavy Googling — it's a subject well beyond the scope of this article.
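To make item 5 concrete, here is an added toy-scale illustration, not taken from the article or from the Shumow and Ferguson presentation, of why the provenance of the generator's two constant points matters. It assumes a 28-point textbook curve over GF(23), a public point Q and a second point P that whoever chose the constants built as P = e·Q with a secret e; the real generator uses a 256-bit curve and truncates its output, which the toy version skips.

```python
# Toy Dual_EC_DRBG on the textbook curve y^2 = x^3 + x + 1 over GF(23), 28 points.
# Simplified vs. SP 800-90: tiny curve, full x-coordinate as output (no truncation).
P_MOD, A, B = 23, 1, 1

def ec_add(p1, p2):  # None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt); k >>= 1
    return acc

def x_of(pt):
    if pt is None: raise ValueError("state hit the point at infinity (toy curve is tiny)")
    return pt[0]

Q = (0, 1)               # public point, order 28 (assumed toy constant)
E_SECRET = 3             # trapdoor: known only to whoever chose the constants...
P = ec_mul(E_SECRET, Q)  # ...and published P = e*Q as the second "random" point

def dual_ec_outputs(seed, n):
    """Honest generator: output r_i = x(s_i*Q), next state s_{i+1} = x(s_i*P)."""
    s, out = seed, []
    for _ in range(n):
        out.append(x_of(ec_mul(s, Q)))
        s = x_of(ec_mul(s, P))
    return out

def lift_x(x):
    """Recover a point with x-coordinate x; p = 3 mod 4, so sqrt is one modular power."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != rhs: raise ValueError("not a curve x-coordinate")
    return x, y

def predict_after(r, e, n):
    """Holder of e: from a single output r_i, recover s_{i+1} and predict the next n outputs."""
    # e*(s_i*Q) = s_i*P, whose x-coordinate is s_{i+1}; the sign of y does not change x.
    s = x_of(ec_mul(e, lift_x(r)))
    return dual_ec_outputs(s, n)
```

Anyone without e sees only x-coordinates of "random" points; anyone holding e turns the first output into every later one, which is why constants of unverifiable origin are a design risk rather than a mere inefficiency.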

The backdoor problem was brought to light by Dan Shumow and Niels Ferguson at the CRYPTO 2007 conference. Thank the diligent cryptographers of the world for helping keep you safe, in part by pointing out the flaws in government-recommended encryption systems before you run afoul of them. If we're very, very lucky, we may soon be able to thank Congress for passing a data security law that might make the NSA step a little more carefully when it comes to trying to maintain backdoors into our private communications.

Even if you believe that everyone in the NSA who would have access to the keys to the kingdom will be trustworthy, and will not harm you or your business with such tools at their disposal, allowing the US government to maintain backdoors in your encryption software is a monumentally bad idea. Consider that in the last few years ostensibly security-conscious government agencies have lost laptops storing personally identifying information about large numbers of citizens, had their network security compromised by foreign governments, and issued improperly redacted PDFs from which the parts they did not intend to release were easily recovered (hint: don't just paint black lines over text with Adobe Acrobat). All of this and more has been in the news since 2001.

The lesson is that even if you trust the NSA with the keys to the kingdom, you might want to think about who can get those keys from the NSA, and how common, everyday incompetence can help those keys fall into the wrong hands.

As my grandmother once said, "It's not you I don't trust with my secrets. It's the people you'd tell."

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
