IT Management - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  IT Management


Crypto Cuts Both Ways



 By: Peter Coffee
2005-09-05
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this IT Management story.


Rate This Article:
Poor Best
Opinion: Strong algorithms require disciplined management.

As I hiked into our final campsite, above Gem Lake in Californias Ansel Adams Wilderness, the three Boy Scouts whod gotten there ahead of me pointed out an appalling mess. Scattered over an area that we later estimated at 2,000 square feet were chips and splinters of broken glass—some of it in pieces large enough to be identifiable as fragments of beer and liquor bottles, combined with other evidence suggesting a session of drunken pistol practice. It wasnt a pleasant sight as we neared the end of a 30-mile backpacking week.

After lunch, our six-man party went over the site, a few square yards at a time, collecting what turned out to be about 8 pounds of glittering garbage to carry out the next day. That gave us almost an hour and a half to trade witty insults concerning the kind of people who do this kind of damage. One of the Scouts, toward the end of the effort, then added the thought that gave rise to this column: "It probably took only a couple of minutes to make this mess, but youd need a week to clean up every last bit."

Click here to read about choosing the right type of encryption.

Our backpack trips always end with a group discussion of "lessons learned," and that seems like a lesson worth applying to many places other than the wilderness.

Anyone whos tasked with any kind of asset protection should be especially aware of asymmetric threats: things that can cause expense or time loss hugely out of proportion to the size of an innocent mistake or to the effort involved in a deliberate attack. Whether youre protecting your systems and yourself against accident or malice, looking for such asymmetric situations can be a good way to focus your efforts.

Resource Library:

One sharp-edged example that immediately comes to mind is the threat created by crypto proliferation. During the last few years, a huge number of IT elements have incorporated some kind of encryption facility to maintain security or privacy or as part of a digital rights management scheme. Todays essentially unbreakable crypto algorithms, used casually and without proactive management, are pistol shots in the gallery of crucial data.

A document thats encrypted by a user who later turns out to be either unavailable or uncooperative is obviously a potentially time-consuming mess—but how many sites take the logical step to protect themselves against this threat? Do you have in place the password-cracking tools or an established account with a password-cracking service to recover a Word document or other such asset when an unwelcome "password" prompt comes up on the screen?

Better still, Id argue that no enterprise system should allow end-user password assignment to anything unless theres a fallback to some hierarchical master-password system. If you dont like the idea of any one party having access to everything in the store, use a system of split master keys—often called "k of n" sharing, after the usage in the 1979 paper by Adi Shamir of MIT that originated the idea—to let some subset of a trusted group unlock critical assets when an individual asset owner cant or wont do it.

Encryption and backup go hand in hand. Click here to read more.

For that matter, even a cooperative user may not be able to gather up the shards of an encrypted file. Paul Rubin, a celebrated GNU hacker and contributor to the widely used Emacs text editor, once described a crypto trap that users could spring on themselves with the text editor known as "ed." Rubin noted that the "x" command in some versions of that program would invoke a mini screen editor, but the same command in other versions would encrypt and save the file.

"You hit a bunch of keys at random to see why the system seems to have hung; you dont realize that the system has turned off echo so that you can type your secret encryption key," Rubin wrote, adding, "Ive seen people try for hours to bang the keyboard in the exact same way."

To some extent, everything that Ive said so far is a critique of passwords in particular rather than crypto in general. Broader use of tokens or biometrics would mitigate some of these issues, but they would not eliminate the need for considered management of privileges.

There are lots of good reasons to use crypto pervasively and deeply in enterprise systems. Plan ahead, though, to avoid someones pulling a trigger that turns useful data into rigorously randomized trash.

Technology Editor Peter Coffee can be reached at peter_coffee@ziffdavis.com.

Check out eWEEK.coms for the latest news, reviews and analysis on IT management from CIOInsight.com.



  Reader Comments: Crypto Cuts Both Ways
>>> Be the FIRST to comment on this article!
 

 
 
>>> More IT Management Articles          >>> More By Peter Coffee
 


xr㶲(;; YڦxH)ْZc[Zf&U(SIy 7](ɗd}dlFwh4#I"nZΘ\ܦd轿O$w}Lj9UQ#C3W)9bPg34mZΠN@\~}@^}fwD%x_'Щ=ѩ:€wɄZIPQۗ>}^~l .hrL⎲IlG5tuGѦ%yH#ERΎȏm@|׶cַ(>r@ߨVANé-}!*{>"E%k4ًʏшqGOП{/ !X]~ꄽ4-fGdh-vu=yͰ { /\1r.b,{{4ɿTݱu6{R'-,v2M*-f{е:9z u v=r@J53ҧ =K;O=k\w=jP?B1 To[©̝ wQk|wUMSU#GA mkh[J"ZA;l^wz>|j]\r m NַRߘ 0QT&*rpJAͼ94o ߆I@w[@k+UykQ 4+@_x0ND=jSfMr,eg{0@M)61tGv!fByM)oz@@ZR~nV(U7$ٛ"G;ž_"ʥcp1S{.ӰuarqZoV͉*]XYujZlE?´;\g\?k5[Mvzt[0*>cq4Y`A-. :oo:jal:?o|5"+rOLf[ԑplP)uu<|0 ZC>OtvϧԴPwP?: M/G˥~n1@ LNa p|w͇v1s/|\aR֔ZN;=H:6(Z\χ`c˖C@B뎂9{׻ޚB<QݻCi`y1&զ@CAX\7 >)@}9g)nвc@5mVAL  |U=kb$`~f Д +< +1!Y/tzS\ &99IAw ew貟F=ĿL?ͺz+YF^u 9R@{4 m 246@Ȱ\k_X5QW(:,)T ŠaYl`cy1Csz QIä7 kSkdQ6qoaQ54 )Kۊ7q~4EkaZ,<>kp6X"@@7wL)mT.mTv3XSԝyд\"қy}@n&zw@>8`3ǟGRlC2DhR+}ne@ͤԪ)X[3T2.Q\&V,'`#z3F K~,Y\X/#]55e"@0oʵLuzh< VȲO[:¿٤ RۃYk;kH %1cs@M$ knV2 &Gmܑk}6euE׏$cifSKr M~ά!VӈPQ1"YOu/F5GaΠܧ^۬v"5w.Bāh<.Z6[Ro==޻ئ\Q݂+6E)'>5 cd]Dz@4`D pHE&A|Zkhp B@U.(L19r2b*X[PTB$ᦼ6t߂ĒbtXQ =j={e|h322 yӅZ JLo39*ERgD+ϏxWG"MϨH_ଯ?p&o1ZpY9Joֿu>rIWdw%eXY81f-1_0kE /ÊTU5ݧ+i fB1&} leA{X~\U4Uud¹`Qеa⢉!h{+4khý235RzVU;OP(;Ђw>k-4ۤ-`"+jUv~Ie(#N枏~5 φS F1j>Lk}\Sa]{nxE0ksv-fdaD4@w=bC-ɬB3go|렀6RaMxޜ9"yea@WIlJhL6;_JO&hTJE,}&-nj^[uѷ p]g8ýo~Qby6UG3 Ⱦ ,(R!7;Jr zĀy@?uUJ [0LdT~#t=l)[36p]?`̧vѯ`jd膫zOtv>@d􁯌C-s# dK&3sK]7a ZƞnRHrX%:iZ=$CeT͛#UX)TԒP/YTAtUYbke`WPF4`W&{\x&\_{sƋ(bo)Q^aD]Rx*+nQ/ewS? &i^IW:.Wky*1a2N4D knIG:aF*ݔ[Y`'\U%P-HjYt>80xnX N zW8pL\'eM=J6z7EM+v@l+J9wwG2M3 t@ ɢ\' WeR8p,g$ ,$%,rF<"MMxhG=a?qq-<92=QZaǰ^P(k㘘ٿ~?؇^?hUeqbsE1 7k{J~Zg^pR t(+i7G}U_:k\/>&~?G:KEIP^S(+RJ)"4FYO |Ϛu3_f| Rt4zUrڿPעo1Mr!}J_cNfo4~ ɮP=8Y,lrh%縵vRt.0?xԾhj?&i^3_"TS8L,ӤN)fTDSeoy0;F{8쀒N1{LElOء F]nցGS9^)ŔN yr< GAGJ脊fye5))eH5NRMLC]OC/$;kB:Tz{ nj{@İ&{6wg Kڗwn_"GX:[ .VH0_Ӹ\bOD XY+oxt7>CT䵤 g[YUHN~'%6 TTz@0Hr刜|1{~U=gnR;-zc1o~=Ϥ2]a*w}o}VZtC.q@)&d/.)%/E 5 OKt1ڮ/=اH?V5BĬhw V2?_BWc+YT>9bqĨ`box?r`f[w|!24rڶUP k\wt;y,Hb=~${szġmSg=W7&(bO_.tqlx@Gȣ$scl9(j@t=vP's?p@?Hڑ=wB^8LR/p=L_la|VR֊I`_E} 5q 1ٱE0q{ϽQC۷lQʊ3ΧQ?V0MHXܥr1IaaIKABzt'oaI][@3%,b2k<,+t9:){bR:f9z'Cq$ܙeX2Fh@n2@1|AhS׆+vK#1QTU(bb[3" * /LU㾔j,V=bMDJ^I?x@E^\Vk{i܂FJ};ܠeZs>EC33 3uDn@'$0Jm϶@Q1?q@=[@x2>߬ēq3<C(05z^ϜqְPZpaH( h kÿ( V&`9Xmޤwx%?3ڌ,KlHA^jeܷIl8D}y zܘAwC.[K{X%rEݞ|.P:3Ϩf̑A V|*A 0;T(X0%d)d_o]uvU7%_S&eR|zOCIMzGmwƖ8-*y(RMjX0`fe0— y![Z\gWVJjq[V) j>K'NlV2D!p0\8XlCEM]jD&mRLnt;3 bFqڗ`J_Bc `K7=ɂw/ @BCA! ~[[V܉{*RTe[)={DL`IJѐ;LIk?Btҗ>AM8BȤTZxCs<@5`f|)j%T^`S,'Z< '}š$&S"ڌ2BFI(F3@OmH֗#`@$JRP~)2.X\d6%`MM% XXDj^t3hx9a<PϥG;ىŪR [/ */bM:WpB ^ _$C_7 ۀS=|9pەW\0^\VUUS}u;acH Gx ;ݷDۤ6eUcHxxToa囂GD lNfaac6aוOǷ{oSsL/3'2 {_̖\b._6罿%_{jnH5 xLVK:/]ٍ_} t]ϗԂZ,(aYZ<\kY>}0+~Mȧlz՟ bK|Kr- b׽85Ϩa0M/:< וl9Z/zeW?Ne]̫e-'(~E AԳU䄗&Wփ1Fh05^#?qpDYhp|Τt(?%Ļi}cvT\I0A8"l2#kF(y{] aN #Zַ=yI\>חy AРRzJ_gw!, +lyҫ_ᒣ*3w+?BKj/z;{[tp=wnwmZm/v QKkvmXosڔ<֌fzDRso Z1ߦ̳m_mau!^~/{lȪhֲFwt)۬R2ײ#1}Ǣil»؆_ ZRˬkr1$I3Ʊ0"*NhV#P2}aBDKop @dh<WI|`u1 +p\| B`'y!ZpP]}zUccf̹FExm~y>{*{A'я"s@9Ъ esޟ7>kE_A--iΞCu×s}L[AqCb$sW !^tEw'y{LdL8e G)32; ?`CP}fɷw1V c\2Qȏ~D% B~3 t'8~/7$&ТC>y|Ǔ [D pS\x?*Ɲ@ M~﫲>Faw9Ƕ,VG˸1}pXފAH e _M Ba;D0‡~-bv˫1ʵm <ߋ.!(C^PB^C’M=1Ir9ꊚbMl@~LZ# O]c)IˋDAE!Lje3)K6qN"F drkB.]sI /*ʡZr^:XuZ.˘x'V@gLHk̘xl4vlNz ytFui*Z!ѤF -F5GllG <)fFllz^C `5olz^C M` oJ.қ≠D37:Q9as;vXKb=삟UFlSaZ ~rsyB*1̶cB ?}zڡ<oO\^+UMhբ fG@VTlcsf`\k]ZcOc,TOಈ֞uvüclTҊj9yKG0R`nKߚRFK,飏ji' 1 m0=-5g? |t|P3z1ĖV]Mj(`ǢX>S:AagXCc {wi/1~J+kѱF<Νiҩ HZ۠[*н"%hPY۫u) +K=Ό@WlfmmIU+ ַg%.pSsagGr;c±\~7:IoF Ki~RBJuT{W"Y0lƞ J 3ƘO\9#ZNHh5J\M_x_!ƄQcq1 \TVďd*bUfwܠ~z*ڟOle^fB =Nl~#&Ź*4;-RlΦA:& )<]Сr@JoIg4ߌ Pm̼܏@GBSx&㗒GxFވ7p" XRW7˽}D['鍀I% U# `xH(zh_M﷮{a7? ̇u^̖~?q= 9asH ]TW\Ax՝!:dWQк|ŧtS!B|1[GB(W9Ĝ#MYFS[ֺp}S%ER2O0ឩTH\TdL4B&(qTi+$<|tVnOKZ&G6@@P0H7cWwshbZ#7 5,ǰlFLN1|[ɻ21Faŷ^(l;b21#|>OS$],%r@3 "PV: ![C P/1MFs ޻6XLi0q>"(S[]ă0N]qPOɁAVp͒wgy6t0VQ1e&}簈s!aZ;<Q7IB uXRFB(s ֞Ogulb̒ =<RXX_1[> MꪂOJBveX &zYqKwy |fY3{8~BOz%ruW0`A-'i92bg4t\K ,C? &O=lFLrgrֹ& rvjǓuowIs} \MGݩ;'NYսn_s3˃Rf&R<eje)sC9lꌹ6W#\]drxixɎ(ah,.6tI(%lGyї51o&Ll+s=fiԊkm9 g5^LkFN]3C)*-h7Q21C-W܄qP "Z>\rФo%uCF/PKF5_/?m62;P(GN/o S(?]_~9ˠ{חsv3Wo73ʡ}QogC/W( ח_ 0/3_f^fsAK2K Oѫ >As(?(#/3a|2 *C~`2Ưd:_: .x:z/_?}OP)'ߧ @MV9M@7d_ryr픊$dK " SV9,2u"[~|^YlفGhO WYn-Jbġ${zgzY)W8#u^ LUbmo|Z+OTq4 j5%p&!H81 H-L{HN08 a箩-gWCtJ# ۘn~oc0ts`ƎHn6J墦 V˕R;~O;F"5EA(.#&T$`vXrF(RB4|;یW)57tSs&m\ŠMC7ao/aKZö`Z;=9dj y }d)049Khw]=ƾw<AYz'aLЫȥ>KfDr&ߢjOG T*A[`Ɍ.|s˸ [-FlX❫l+ H|r[ '$}'r>t瑅adQkf tEfW4w= 1sW3o ݗi`wƨ&[c~0l3_7U' U?„/޺chd1Sk+P<ՍPnD8c;/kx).,x(ZJoē}⎮tA6Hm\wrlCknܙ%O_l:h}r]spnnU3(}cF«)p?}KT =`?GcС2WSXNՂ[#rF331F#qyU YT8['Ҥwvgcw[/AI)H[aD.v D^®?x.^| 3Obx`#Y ߚR TDO"vy9m$KY[zQڗ@1a璧ێf*i/5 K7? J,݈ AQ6+yJ>? T|- 5{\6$DR }F0~N]v0NA9DEPޙ!/;v2R*4%NSPxSEz?X \ vHV&{0SpY .Ыvc75W,Ff9e7Cx9_=c$z l|_Odxƪ~axh=&=з57d(Q|ӽǼ5HJ "d3@FC0!im.KE%&(Xp\'AΙls;>Ba2\DGx kok3gzϷ;<v7͇OV2qEnBVJrX}P/):OOgsZ%.^Hv"],{ QAbFKΠpshՆGXƸ[[) qy6`;Щ0DM.vj]nJQXƺa#®u4mvщ߉n^sQaW_0 'Ɣ ϰ" s]׶GS<"Y4.쑥"?X=<,͇d'KWek+[ȀH>Y;D5R7LP9˓z0~ s͹!vgs\9,Cc|ʲcv90ä޳`=`Z>^}]x O!0gWPR Y -f1%IDb88)yv&ж?8"acTx 1L(_F,.גu!{xZ~΋{El>byx ^ŧ$NS?xDtƩW.rW?a%P|Zk/oYY/5.xH%D=Sw ɳqFK+O(QF~?ZQ|ڹ\`gh-/=i~xxՔŠ6#EKB\7[i B";m4ɊxO0]\}l4n_?[3ˬZY$I#;ob[b$- U.ɡRv3F'e9TU>\JBS+$Y/WfTN˚J܄;"6BKFslx6 [1(