Encryption is often touted as the ultimate weapon in the computer security wars. It is not. It is certainly a valuable tool, but it, like everything else, is a tool toward an ultimate goal. Indeed, if encryption is used improperly, it can hurt the real goals of the organization.
Predictor: Bellovin, Steven M.
Prediction, in context:In their 1994 book “Firewalls and Internet Security,” Steven Bellovin and William Cheswick write: ”Encryption is often touted as the ultimate weapon in the computer security wars. It is not. It is certainly a valuable tool, but it, like everything else, is a tool toward an ultimate goal. Indeed, if encryption is used improperly, it can hurt the real goals of the organization. Some aspects of improper use are obvious. One must pick a strong enough cryptosystem for the situation, or an enemy might cryptanalyze it. Similarly, the key distribution center must be safeguarded, or all of your secrets will be exposed. Other dangers exist as well. For one thing, encryption is best used to safeguard file transmission, rather than file storage, especially if the encryption key is generated from a typed password. Few people bequeath knowledge of their passwords in their wills; more have been known to walk in front of trucks. There are schemes to deal with such situations, but these are rarely used in practice. Admittedly, you may not be concerned with the contents of your files after your untimely demise, but your organization – in some sense the real owner of the information you produce at work – might feel differently. Even without such melodrama, if the machine you use to encrypt and decrypt the files is not physically secure, a determined enemy can simply replace the cryptographic commands with variants that squirrel away a copy of the key. Have you checked the integrity of such commands on your disk recently? Did someone corrupt your integrity-checker? Finally, the biggest risk of all may be your own memory. Do you remember what password you used a year ago? (You do change your password regularly, do you not?) You used that password every day; how often would you use a file encryption key? If a machine is physically and logically secure enough that you can trust the encryption process, encryption is most likely not needed. If the machine is not that secure, encryption may not help.”
Date of prediction: January 1, 1994
Topic of prediction: Communication
Subtopic: Security/Encryption
Name of publication: Firewalls and Internet Security
Title, headline, chapter name: Introduction
Quote Type: Direct quote
Page number or URL of document at time of study:
http://www.wilyhacker.com/1e/
This data was logged into the Elon/Pew Predictions Database by: Anderson, Janna Quitney