Franklin Heath Ltd
Security Lessons from Bletchley Park and Enigma
09 Dec 2014
Image: Bletchley Park Mansion by Antoine Taveneaux, CC BY 3.0
Topics
Why we should remember Bletchley Park
Where the German cipher bureau went wrong
Similar mistakes that are still made today
How we might avoid these mistakes in future
09 Dec 2014 2 © Franklin Heath Ltd
Why We Should Remember Bletchley Park (and Enigma)
“… the greatest achievement of Britain during 1939-45 …” – George Steiner, 1983
“Those who cannot remember the past are condemned to repeat it.” – George Santayana, 1906
Enigma and the Bombe
Image Credit: Antoine Taveneaux
Image Credit: Greg Goebel
Cryptanalytic Heroes – Enigma
Rejewski, Różycki & Zygalski
John Herivel
Alan Turing
Gordon Welchman
“Dilly” Knox
Mavis Lever
Lorenz and Colossus
Image Credit: Adam Foster
Image Credit: Robin Zebrowski
Cryptanalytic Heroes – Lorenz
John Tiltman
Bill Tutte
Max Newman
Tommy Flowers
Lesson 1. Metadata Matters
Image Credit: John McCafferty
2. Detect Compromise and Respond to it
HMS Gleaner, 12 Feb 1940
HMS Griffin, 26 Apr 1940
HMS Somali, 04 Mar 1941 & 07 May 1941
HMS Bulldog, 09 May 1941
HMS Tartar, 28 Jun 1941
HMS Petard, 24 Oct 1942
3. Don’t Ask for Too Much from Users
Image Credit: Helge Fykse
4. Be Properly Random
5. Don’t Underestimate Your Adversaries
How We Still Make the Same Types of Mistake
Insecure metadata: document info, call records, HTTPS routing …
Undetected compromise: e.g. Oct 2014 White House security breach …
… or unable to respond: “class breaks”, hardcoded keys, non-upgradable algorithms …
Relying on users: passwords, insecure defaults, security prompts …
Poor randomness: flaws in PRNGs for key generation
Underestimating adversaries: rainbow tables, GPUs, weak copy protection …
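The "poor randomness" item is the one point in this list that a short piece of code can make concrete, so here is an added example (not from the slides or from Franklin Heath Ltd) contrasting a key drawn from a general-purpose PRNG seeded with a guessable value against one drawn from the operating system's CSPRNG. The function names, the "timestamp seed" scenario and the crude byte-frequency check are constructed for illustration; the point they make is that a statistically well-behaved output stream says nothing about whether a key is predictable.

```python
"""Added example: why 'properly random' means a CSPRNG, not a PRNG that merely
looks uniform.  Constructed for illustration; not code from the slides."""
import math
import random
import secrets
from collections import Counter

KEY_BYTES = 16  # nominal 128-bit key


def weak_key(seed: int) -> bytes:
    """Hypothetical flawed key generator: Python's Mersenne Twister seeded with
    a small integer such as a clock reading.  Same seed -> same key, always."""
    rng = random.Random(seed)
    return rng.randbytes(KEY_BYTES)


def strong_key() -> bytes:
    """Key material from the OS CSPRNG (secrets.token_bytes -> os.urandom)."""
    return secrets.token_bytes(KEY_BYTES)


def effective_key_bits(key: bytes, seed_space: int) -> float:
    """Security of a key is bounded by the smaller of its nominal length and
    log2 of the number of seeds the generator could have started from.  A
    128-bit key derived from a 32-bit timestamp is a 32-bit key."""
    nominal = 8 * len(key)
    return min(nominal, math.log2(seed_space))


def weak_stream(seed: int, n: int) -> bytes:
    """Long output from the flawed generator, for the uniformity check below."""
    return random.Random(seed).randbytes(n)


def strong_stream(n: int) -> bytes:
    """Long output from the OS CSPRNG, for the uniformity check below."""
    return secrets.token_bytes(n)


def bytes_look_uniform(data: bytes, tolerance: float = 0.2) -> bool:
    """Crude frequency test: every byte value occurs within +/-tolerance of its
    expected count.  Both generators pass it: distribution tests measure
    shape, not predictability, so passing one is not evidence a key is safe."""
    expected = len(data) / 256
    counts = Counter(data)
    return all(
        abs(counts.get(v, 0) - expected) <= tolerance * expected for v in range(256)
    )


if __name__ == "__main__":
    # Constructed scenario: the seed is a clock value from a 32-bit space.
    k1, k2 = weak_key(1418083200), weak_key(1418083200)
    print("weak keys from the same seed identical:", k1 == k2)
    print("effective bits of the weak key:", effective_key_bits(k1, 2 ** 32))
    print("effective bits of a CSPRNG key:", effective_key_bits(strong_key(), 2 ** 256))
    print("weak stream passes frequency check:", bytes_look_uniform(weak_stream(7, 256_000)))
    print("strong stream passes frequency check:", bytes_look_uniform(strong_stream(256_000)))
```

The practical check to build into review is therefore not "does the output look random" but "where does the seed come from and how large is its space": key material should come from the platform CSPRNG (`secrets` / `os.urandom` in Python), and any use of `random` for keys, nonces or tokens should be treated as a finding regardless of how good its output statistics are.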
How Can We Avoid Such Mistakes in Future?
Don’t be dazzled by the new and shiny
Use sound information theory and computer science, e.g. Saltzer & Schroeder’s principles (1975):
Economy of Mechanism
Fail-safe Defaults
Complete Mediation
Open Design (cf. Kerckhoffs’s Principle, 1883)
Separation of Privilege (cf. Defence in Depth)
Least Privilege
Least Common Mechanism
Psychological Acceptability
Summary
Enigma, although theoretically strong, was undermined by poor operating procedures and traffic analysis
Five specific lessons:
Metadata Matters
Detect Compromise and Respond to it
Don’t Ask for Too Much from Users
Be Properly Random
Don’t Underestimate Your Adversaries
Good information security then = good cybersecurity now
Come and visit Bletchley Park!