Notes for November 16, 2000

  1. Greetings and Felicitations!
  2. Puzzle of the day
  3. Snake Oil Cryptography: Warning signs
    1. Pseudo-mathematical gobbledygook
    2. New mathematics
    3. Proprietary cryptography
    4. Extreme cluelessness
    5. Ridiculous key lengths
    6. One-time pads
    7. Unsubstantiated claims
    8. Security proofs
    9. Cracking contests
  4. Ultimate in aging: One-Time Pads
    1. Password is valid for only one use
    2. May work from list, or new password may be generated from old by a function
    3. Example: S/Key(tm)
  5. Challenge-response systems
    1. Computer issues challenge, user presents response to verify secret information known/item possessed
    2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
    3. Note: password never sent on wire or network
    4. Attack: monkey-in-the-middle
    5. Defense: mutual authentication
  6. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
  7. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device
  8. Identity
    1. Principal and identity
    2. Users, groups, roles
    3. Identity on the web
    4. Host identity: static and dynamic identifiers
    5. State and cookies
    6. Anonymous remailers

Puzzle of the Day

"Our ancestors, and those who were considered to be wise, were accustomed to say that it was necessary to control Pistoia by means of factions and Pisa by means of fortresses; so they fostered strife in various of their subject towns, so as to control them more easily. In those days, when there was stability of a sort in Italy, this was doubtless sensible; but I do not think it makes a good rule today. I do not believe any good at all ever comes from dissension. On the contrary, on the approach of the enemy, cities which are so divided inevitably succumb at once; the weaker faction will always go over to the invader, and the other will not be able to hold out."1

What does this paragraph say to a system administrator or security officer seeking insight to defend her systems?


  1. Niccolò Machiavelli, The Prince, George Bull trans., Penguin Books, New York, NY ©1995, p. 67

  2. Matt Bishop
    Office: 3059 Engineering Unit II Phone: +1 (530) 752-8060
    Fax: +1 (530) 752-4767
    Copyright Matt Bishop, 2000. All federal and state copyrights reserved for all original material presented in this course through any medium, including lecture or print.

    Page last modified on 11/22/2000