15 November 1998


                 CRYPTO-GRAM



              November 15, 1998

              by Bruce Schneier
                  President
             Counterpane Systems
           schneier@counterpane.com
          http://www.counterpane.com


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on cryptography and computer security.

Back issues are available at http://www.counterpane.com.  To subscribe or
unsubscribe, see below.


Copyright (c) 1998 by Bruce Schneier


** *** ***** ******* *********** *************

In this issue:

     Electronic Commerce: The Future of Fraud
     Counterpane Systems -- Featured Research
     News
     Micro Locks
     Counterpane Systems News
     Software Copy Protection
     More on Steganography (by Peter Wayner)


** *** ***** ******* *********** *************

   Electronic Commerce: The Future of Fraud



Fraud has been perpetrated against every commerce system man has ever
invented, from gold coin to stock certificates to paper checks to credit
cards.  Electronic commerce systems will be no different; if that's where
the money is, that's where the crime will be.  The threats are exactly the
same.

Most fraud against existing electronic commerce systems -- ATM machines,
electronic check systems, stored value tokens -- has been low tech.  No
matter how bad the cryptographic and computer security safeguards, most
criminals bypass them entirely and focus on procedural problems, human
oversight, and old-fashioned physical theft.  Why attack subtle information
security systems when you can just haul an ATM machine away in a truck?

This implies that new commerce systems don't have to be secure, but just
better than what exists.  Don't outrun the bear, just outrun the people
you're with.  Unfortunately, there are three features of electronic
commerce that are likely to make fraud more devastating.

One, the ease of automation.  The same automation that makes electronic
commerce systems more efficient than paper systems also makes fraud more
efficient.  A particular fraud that might have taken a criminal ten minutes
to execute on paper can be completed with a single keystroke, or
automatically while he sleeps.  Low-value frauds that fell below the radar
in paper systems become dangerous in the electronic world.  No one cares
if it is possible to counterfeit nickels.  However, if a criminal can mint
electronic nickels, he might make a million dollars in a week.  A
pickpocketing technique that works once in ten thousand tries would starve
a criminal on the streets, but he might get thirty successes a day on the net.

Two, the difficulty of isolating jurisdiction.  The electronic world is a
world without geography.  A criminal doesn't have to be physically near a
system he is defrauding; he can attack Citibank in New York from St.
Petersburg. He can jurisdiction shop, and launch his attacks from countries
with poor criminal laws, inadequate police forces, and lax extradition
treaties.

And three, the speed of propagation.  News travels fast on the Internet.
Counterfeiting paper money takes skill, equipment, and organization.  If
one or two or even a hundred people can do it, so what?  It's a crime, but
it won't affect the money supply.  But if someone figures out how to
defraud an electronic commerce system and posts a program on the Internet,
a thousand people could have it in an hour, a hundred thousand in a week.
This could easily bring down a currency.  And only the first attacker needs
skill; everyone else can just use software.  "Click here to drop the
deutsche mark."

Cryptography has the potential to make electronic commerce systems safer
than paper systems, but not in the ways most people think.  Encryption and
digital signatures are important, but secure audit trails are even more
important.  Systems based on long-term relationships, like credit cards and
checking accounts, are safer than anonymous systems like cash.  But
identity theft is so easy that systems based solely on identity are doomed.

Preventing crime in electronic commerce is important, but more important is
to be able to detect it.  We don't prevent crime in our society.  We detect
crime after the fact, gather enough evidence to convince a neutral third
party of the criminal's guilt, and hope that the punishment provides a
back-channel of prevention.  Electronic commerce systems should have the
same goals.  They should be able to detect that fraud has taken place and
finger the guilty.  And more important, they should be able to provide
irrefutable evidence that can convict the guilty in court.

Perfect solutions are not required -- there are hundreds of millions of
dollars lost to credit card fraud every year -- but systems that can be
broken completely are unacceptable.  It's vital that attacks cannot be
automated and reproduced without skill.  Traditionally, fraud prevention has
been a game of catch-up.  A commerce system is introduced, a particular
type of fraud is discovered, and the system is patched.  Money is made
harder to counterfeit.  Online credit card verification makes fraud harder.
Checks are printed on special paper that makes them harder to alter.
These patches reduce fraud for a while, until another attack is discovered.
And the cycle continues.

The electronic world moves too fast for this cycle.  A serious flaw in an
electronic commerce system could bankrupt a company in days.  Today's
systems must anticipate future attacks.  Any successful electronic commerce
system is likely to remain in use for ten years or more.  It must be able
to withstand the future:  smarter attackers, more computational power, and
greater incentives to subvert a widespread system.  There won't be time to
upgrade them in the field.

Why Cryptography is Harder Than it Looks:
http://www.counterpane.com/whycrypto.html

Security Pitfalls in Cryptography:
http://www.counterpane.com/pitfalls.html


** *** ***** ******* *********** *************

   Counterpane Systems -- Featured Research



"Toward a Secure System Engineering Methodology"

C. Salter, O. Saydjari, B. Schneier, and J. Wallner, New Security Paradigms
Workshop, September 1998, to appear.

This paper, coauthored with three NSA employees, presents a methodology for
enumerating the vulnerabilities of a system, and determining what
countermeasures can best close those vulnerabilities.  We first describe
how to characterize possible adversaries in terms of their resources,
access, and risk tolerance, then we show how to map vulnerabilities to the
system throughout its life cycle, and finally we demonstrate how to
correlate the attacker's characteristics with the characteristics of the
vulnerability to see if an actual threat exists.  Countermeasures need to
be considered only for the attacks that meet the adversaries' resources and
objectives. Viable countermeasures must meet user needs for cost, ease of
use, compatibility, performance, and availability.

http://www.counterpane.com/secure-methodology.html


** *** ***** ******* *********** *************

                     News



An Appraisal Of The Technologies Of Political Control. A very interesting
essay.
http://www.europarl.eu.int/dg4/stoa/en/publi/166499/execsum.htm

More AES speed comparisons are at:
http://home.cyber.ee/helger/crypto/varia/aesspeed.html

A new report on the National Security Agency's top-secret spying network
will soon be sent to members of Congress.  The report -- "Echelon:
America's Spy in the Sky" -- was produced by the Free Congress Foundation and
details the history and workings of the NSA's global electronic
surveillance system.  The system is reportedly capable of intercepting,
recording and translating any electronic communication sent anywhere in the
world.
http://www.freecongress.org/ctp/echelon.html

The OECD is looking at the taxation of Internet businesses.  The second
document on the web page discusses options for taxation of Internet
businesses.  In particular, Implementation Option 11 is quite interesting.
It reads:  "Revenue authorities may consider mechanisms facilitating
tracing, for tax purposes, of inadequately identified web sites and other
electronic places of business.  While the majority of enterprises engaged
in electronic commerce adequately identify the legal entity operating the
web site or electronic place of business, a small but significant
percentage of web sites have inadequate identification for tax purposes.
Revenue authorities, in common with other bodies, require appropriate
mechanisms to allow tracing of the legal entity operating a business
through a web site or other electronic place of business.  (e.g. through
Internet Protocol (IP) number allocation records.)"  Scary, really.
http://www.oecd.org/daf/fa/e_com/Ottawa.htm


** *** ***** ******* *********** *************

                Micro Locks



"Sandia National Laboratories has developed a computer security device that
puts a new spin on firewall technology: The Recodable Locking Device is the
world's smallest, micromachined combination lock, and it's designed to
protect computer networks from outside intruders."  --Wired News.

What?

The idea is that instead of computer-security measures -- cryptography and
all that -- there is a physical combination lock inside the firewall.  If
someone enters the correct combination, he gets in.  If he doesn't, he
stays locked out.  No cryptographic algorithms to break.  No computer
security measures to try to circumvent.  No software to find bugs in.

This sounds cool, but adding micro combination locks doesn't change the
threat model much.  In both systems, the user has to either remember a
password (combination) or store it somewhere.  In both systems, passwords
can be sniffed or stolen.  In both systems, an administrator can subvert the
security (either accidentally or maliciously).  In both systems, there is
software controlling how the access works.  If you trust the cryptographic
algorithms (which, in any good system, are being used in far more places
than the access control), then without the crypto key there is no way to
open the file...just as without the combination there is no way to open the
lock.  There are probably some advantages to using one way or the other
depending on the circumstance, but I don't see a technological leap.

More telling, the computer security industry hasn't been beating its
breasts and wailing: "I wish there were a tiny combination lock.  That
would solve my problems!"  I'm serious.  Combination locks aren't a new
idea.  If applying them would be a good idea, they would have been applied.
Sure, they would have been large.  But we've seen all sorts of macro
solutions to computer security problems: manual switches disconnecting
computers from networks (so called "air walls"), physical keys with EEPROM
chips inside, vacuum-filled conduit to detect tampering.  I haven't seen
combination locks, of any size, used in computer security products.  Just
because Sandia's locks are smaller doesn't make them more applicable.  It
only makes them smaller.

I'm not trying to say that combination locks the size of microchips aren't
a cool idea.  My guess is that there are all sorts of clever uses for these
things; probably uses in computer security, but uses that we just can't
imagine right now.  But firewalls and computer access devices...I have
trouble seeing it.

http://www.wired.com/news/news/technology/story/15572.html


** *** ***** ******* *********** *************

          Counterpane Systems News



The December 98 issue of Dr. Dobb's Journal has a nice article on Twofish.
It's available on their web site:

http://www.ddj.com/ddj/1998/1998_12/schn/schn.htm


** *** ***** ******* *********** *************

          Software Copy Protection



The problem of software piracy is easy to describe, but the development of
effective copy protection methods is a very difficult challenge to solve.
Software companies want people to buy their product outright; they want to
prevent someone from making a copy of a business program worth hundreds of
dollars and giving it to his friend.

There are all sorts of solutions -- embedded code in the software that
disables copying, code that makes use of non-copyable aspects of the
original disk, hardware "dongles" that the software needs to run.  But
these solutions all suffer from the same basic conceptual flaw: not even
the most sophisticated copy protection scheme can stop a determined hacker.

In the hands of Joe Average computer user, any copy protection system
works.  He can barely copy files by following the directions, let alone
defeat even an unsophisticated copy protection scheme.

In the hands of Jane Hacker, however, no copy protection system works.
Jane controls her computer.  She can run debuggers, reverse-engineer code,
analyze the protected program.  If she's smart enough, she can go into the
software and disable the copy-protection code.  The manufacturer can't do a
thing to stop her; all it can do is make her task harder.  But to Jane, the
challenge entices her even more.

There are many Jane Hackers out there who break copy protection systems as
a hobby.  They hang out on the net, trading illegal software.  There are
also those who do it for profit.  They rip copy-protection code from
software applications and resell them on CD-ROM for less than a tenth of
the retail price.  Wired Magazine ran an article about these people; see
the URL below.  The lesson is that any copy protection scheme can be
broken; the only question is whether it will take a day or a week.

Hacked programs are called "warez," and you can probably collect quite a
bit of the stuff yourself just by looking around the Internet.  You won't
find manuals, but that's what all the computer books are for.  Just about
everything is available, usually for trade.

The success of software pirates doesn't stop companies from trying to copy
protect their programs.  And it doesn't stop them from having
copy-protection disasters.  For example, the 1996 Quake release came on an
encrypted CD-ROM: you could try it for free, but had to call and buy the
password to unlock the entire game.  It was eventually cracked, along with
every other popular copy-protected program ever released.  Id Software said
that they expected the crack to happen eventually, but that it took long
enough for the crack to finally appear for them to make enough money anyway.

There are solutions, but they involve recognizing the realities of copy
protection and working with them.

1.  Sometimes pirates are your friend.  Business software companies
realized this.  People would use pirated software, learn it, get used to
it, and eventually get jobs where their employers would buy them a legal
copy.  Microsoft has said that they are going to ignore pirating in China.
Eventually the Chinese will pay for software, and Microsoft wants them all
to have already standardized on their products.

2.  Sometimes pirates are not your market.  It is the rare software pirate
that would pay $500 for a high-end graphics program if he could not get a
pirated copy.  Often, if a pirate can't get it free, he'll do without.

3.  Sometimes you can ignore the software and sell the service.  Charge for
tech support, so pirates are encouraged to buy legitimate copies.  Have
other goodies for legitimate owners only.  Maybe the game can be hacked,
but in order to play on-line you need to be a registered owner.

4.  Sometimes the hardware saves you.  The discussion above really only
applies to programs running on general-purpose hardware.  If you're
building a set-top box, for example, things are a lot easier.  There are no
casual pirates; anyone who is going to hack your system is going to need a
lab and test equipment.  Just make sure he can't resell his solution.
Nobody cares if a hacker spends a month in his basement and comes up with a
pirate satellite TV decoder.  Let him watch all he can.  But if he can post
an easy-to-run computer program that lets everyone get free satellite
television -- that's a problem.

For most software products, copy protection irritates legitimate users more
than it prevents pirating.  But for some products it makes sense.  It
raises the bar high enough to keep the honest honest.  Nothing will keep
the expert hackers out, so the only workable solution is to design your
systems with this in mind.

Next month we'll talk about digital watermarking: copy-protecting content.

Wired Magazine's "Warez Wars":
http://www.wired.com/wired/archive/5.04/ff_warez_pr.html


** *** ***** ******* *********** *************

    More on Steganography (by Peter Wayner)

I think Bruce raises some interesting and valuable points in the Oct 15th
edition of Crypto-Gram, but the negative conclusions he draws from the
insights are too much like throwing the baby out with the bathwater.  He's
correct that:

1) Steganography software could make a pile of GIF images look suspicious
if the police found them on your disk.

2) The sudden change in message format could alert a smart eavesdropper.

3) You need to be careful with reusing your pictures.

But I think these criticisms are equivalent to:

a) Cryptography software could make a pile of random numbers look
suspicious if the police found them together on your disk.

b) Sending an encrypted message with PGP tags could alert a smart
eavesdropper that there's secret communication.

c) You need to be careful about reusing your keys.

There's no absolute security in either the realm of cryptography or
steganography.  Good attackers can poke holes in crypto systems and
steganographic systems. The goal is to make it as hard as possible to do this.

I actually get a fair number of GIF images in the mail from friends.
They're usually cartoons or goofball things.  Most people don't run an SMTP
server on their desk so they don't care about bandwidth or load.  They just
send them away.

It is also important to realize that steganography is not a thin veil that
can be pierced if someone merely suspects that the data is there.  Most
steganographic systems include keys and I contend that the keys make it
difficult for an eavesdropper to get at the message. Consider this
scenario.  I send Bruce a picture of my sister's wedding.  (I've gotten
many pictures of people's kids. My mother takes thirty photos in a weekend.
They're common.)  Deep in the NSA alarm bells go off. No one's ever sent
Schneier a picture before.  So they start taking it apart.  If the NSA is
lucky, the picture is 8k bytes long and I've used every single one of the
least significant bits to encode a 1k ASCII message.  In reality, the
message is probably much smaller than 1/8th the size.  It is standard
practice to use a key to drive a pseudorandom number generator to choose a
subset of the pixels to hide the message.  I'm sure there are statistical
attacks against this that leverage knowledge of the pseudorandom number
generator and what not, but I contend that they're not something that can
be accomplished from scratch in a day or two.

There are usually a few other layers thrown on top.  It is common practice
to compress the message and even encrypt it before storing it in the least
significant bits.  Then the entire communication is protected by the
strength of cryptography AND steganography.

Bruce is correct that you need to be careful about reusing pictures.
That's not a big problem for most of us.  There's a lot of content floating
around the Net and there's more being generated every day.  Someone sent a
2 megabyte movie the other day which I just deleted from my mail spool
because it took up too much space.

Sure, steganography is not as easy as falling off a logarithm.  But I still
think it is a perfectly good tool for people in oppressive regimes. What
other choice do people have?  I think it's a great tool for non-oppressive
regimes.  The Customs service in England claims the right to search your
laptop AND the right to demand the encryption key.  What choice do you have
if you don't want the British government (which competes directly in some
arenas) to know the details on your laptop?

With a few reasonable precautions, the message can be hidden pretty well.
There are plenty of digital cameras out there that cost very little.  It's
easy to generate new content galore!  Many people send snapshots back and
forth.  Many folks send voice files now with their messages.  Many folks
send the art of children.

(Peter Wayner is the author of _Disappearing_Cryptography_, a book on
steganography.)
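The keyed-subset scheme Wayner describes, as an added example that is not code from the original newsletter or from his book: the key seeds a PRNG that picks which pixels carry bits, the payload is compressed and encrypted before it is hidden, and reading the LSBs in plain pixel order without the key turns up nothing. It assumes a constructed byte array standing in for the cover image and uses Python's random module where a deployed scheme would use a keyed CSPRNG.

```python
import hashlib
import random
import zlib

# Constructed cover "image": 8192 pixel bytes of a synthetic pattern standing in
# for the 8k picture in the scenario above (not a real photo).
COVER = bytes(((i * 7) ^ (i >> 3)) & 0xFF for i in range(8192))

def _order(key, n_pixels):
    # The key seeds a PRNG that shuffles all pixel indices; payload bits go
    # into the LSBs of the first len(bits) of them, so without the key an
    # eavesdropper does not know which pixels to read.  random.Random keeps
    # the demo self-contained; a real scheme would use a keyed CSPRNG here.
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return order

def _keystream_xor(key, data):
    # The "encrypt it first" layer: demo-grade SHA-256 counter keystream.
    # XOR is its own inverse, so the same call decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(f"{key}|{i}".encode()).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _to_bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def _from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def embed(cover, key, message):
    # Compress, encrypt, prefix a 2-byte length, then write one bit per chosen
    # pixel.  Capacity is one bit per pixel: an 8k cover holds at most 1k.
    payload = _keystream_xor(key, zlib.compress(message))
    bits = _to_bits(len(payload).to_bytes(2, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("payload exceeds one bit per pixel")
    stego = bytearray(cover)
    for pos, bit in zip(_order(key, len(cover)), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)

def extract(stego, key):
    # Reverse of embed.  A wrong key reads the wrong pixels: the length header
    # is implausible or zlib rejects the bytes, and None comes back.
    lsbs = [stego[p] & 1 for p in _order(key, len(stego))]
    length = int.from_bytes(_from_bits(lsbs[:16]), "big")
    if 16 + 8 * length > len(lsbs):
        return None
    payload = _keystream_xor(key, _from_bits(lsbs[16:16 + 8 * length]))
    try:
        return zlib.decompress(payload)
    except zlib.error:
        return None

def sequential_lsbs(stego):
    # What an analyst gets by reading every LSB in pixel order, i.e. without
    # the key: the payload bits are scattered, so the message never appears.
    return _from_bits([p & 1 for p in stego])
```

A short message uses only a few hundred of the 8192 pixels, which is the "much smaller than 1/8th" point above; the statistical attacks Wayner mentions are what an analyst would need instead of the sequential read.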


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
visit http://www.counterpane.com/unsubform.html.  Back issues are available
on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable.  Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW.  He
is a frequent writer and lecturer on cryptography.

Counterpane Systems is a five-person consulting firm specializing in
cryptography and computer security.  Counterpane provides expert consulting
in: design and analysis, implementation and testing, threat modeling,
product research and forecasting, classes and training, intellectual
property, and export consulting.  Contracts range from short-term design
evaluations and expert opinions to multi-year development efforts.
http://www.counterpane.com/

Copyright (c) 1998 by Bruce Schneier