![Page 1: Simplicity, Reconciliation, and Security Bob Blakley Chief Scientist, Security and Privacy, IBM blakley@us.ibm.com 17 October 2005](https://reader036.vdocument.in/reader036/viewer/2022062423/5697bffc1a28abf838cc1a77/html5/thumbnails/1.jpg)
Simplicity, Reconciliation, and Security
Bob Blakley
Chief Scientist, Security and Privacy, IBM
17 October 2005
How do you secure a box of money with a hole in it?
Start with the box empty.
Count what you put into the box.
Know how much should go in or out before you open the box.
Record everything that goes in and everything that comes out each time you open the box.
Continually update a total using the record of what went in and out.
Count at the end…
Check the end total against the end count.
Security Properties
• Transactionality
  – Sale price = cash input; refund cost = cash output
  – Tender - price = change
• Accountability
  – Receipts, drawer tape; punishment for infractions
• Reconciliation
  – Drawer count vs. drawer tape
• Supervision
  – Drawer count verification
• Visibility
  – Operations performed in public
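The money-box procedure (start empty, count inputs, know the expected flow before opening, record every opening, keep a running total, count at the end, compare) and the transactionality and reconciliation properties above, worked through as an added Go example; this is not code from the talk. Assumed details: amounts are integer cents, a sale records price and tender, and a refund may not pay out more than the record says the box holds.

```go
package main

import "fmt"

// One opening of the box, as written on the drawer tape. Amounts are in cents.
type Entry struct {
	Kind   string // "sale" or "refund"
	Price  int    // sale price, or the cost refunded
	Tender int    // cash handed over on a sale; unused for refunds
}

// Drawer holds the tape and the running total the slides ask you to keep.
// A zero Drawer is the box started empty (slide 3).
type Drawer struct {
	Tape  []Entry
	Total int // what the record says should be in the box right now
}

// Record checks transactionality before anything is written: on a sale the
// tender goes in and tender-price comes back out as change, so the net input is
// the price; on a refund the cost goes out. An entry that breaks a rule is
// rejected and never reaches the tape or the total.
func (d *Drawer) Record(e Entry) error {
	switch e.Kind {
	case "sale":
		if e.Price < 0 || e.Tender < e.Price {
			return fmt.Errorf("sale: tender %d does not cover price %d", e.Tender, e.Price)
		}
		change := e.Tender - e.Price
		d.Total += e.Tender - change
	case "refund":
		// Assumed rule: the box cannot pay out more than the record says it holds.
		if e.Price < 0 || e.Price > d.Total {
			return fmt.Errorf("refund: cost %d exceeds expected contents %d", e.Price, d.Total)
		}
		d.Total -= e.Price
	default:
		return fmt.Errorf("unknown entry kind %q", e.Kind)
	}
	d.Tape = append(d.Tape, e)
	return nil
}

// Reconcile compares the end count with the total built from the tape
// (slides 8-9); a non-zero discrepancy is what supervision has to explain.
func (d *Drawer) Reconcile(endCount int) (expected, discrepancy int) {
	return d.Total, endCount - d.Total
}
```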
Non-Properties
• Authentication
  – visibility, supervision used instead
• Data integrity
  – transactionality used instead
• Authorization
  – accountability used instead
• Confidentiality
  – not required
Why don’t we design secure information systems like this?
• We’re computer scientists and don’t like special-purpose systems?
• We like artifacts rather than processes?
• We love cryptography?
• We are unafraid of complexity?
• We’ve overgeneralized the security problem?
• There’s not enough at stake?
• Some problems aren’t amenable to this approach?
Could our systems look more like this?
• Of course…
• In fact, our customers use the artifacts we produce to design systems which DO look like this
  – often working against the properties we’ve built into the artifacts
Example: accountable, reconcilable transaction
[Figure: a signed offer and a signed acceptance, linked by a correlator and written to a ledger; each is checked by a viewer holding the matching verification key.]
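The transaction sketched on the last slide, as an added Go example rather than anything from the talk: a signed offer and a signed acceptance share a correlator and are appended to a ledger, a viewer checks each entry against its set of verification keys, and reconciliation pairs verified offers with verified acceptances. Ed25519 as the signature scheme, the record layout and the string correlator are assumptions; the slide names none of them.

```go
package main

import "crypto/ed25519"

// One ledger entry: a signed offer or acceptance; the correlator pairs them.
type Record struct {
	Kind, Correlator, Body string
	Signer                 ed25519.PublicKey
	Sig                    []byte
}

func (r Record) msg() []byte { return []byte(r.Kind + "|" + r.Correlator + "|" + r.Body) }

// Sign builds a record any holder of the signer's verification key can check later.
func Sign(priv ed25519.PrivateKey, kind, corr, body string) Record {
	r := Record{Kind: kind, Correlator: corr, Body: body, Signer: priv.Public().(ed25519.PublicKey)}
	r.Sig = ed25519.Sign(priv, r.msg())
	return r
}

// Verify is the viewer's check: the signer must be a known party and the
// signature must cover every stored field, so an altered body or correlator fails.
func Verify(r Record, verifKeys []ed25519.PublicKey) bool {
	for _, k := range verifKeys {
		if k.Equal(r.Signer) {
			return ed25519.Verify(k, r.msg(), r.Sig)
		}
	}
	return false
}

// Reconcile reports which offers have a verified matching acceptance (settled) and
// which do not (open); unverifiable entries are ignored, so a forged acceptance settles nothing.
func Reconcile(ledger []Record, verifKeys []ed25519.PublicKey) (settled, open []string) {
	seen := map[string]int{} // bit 1: verified offer, bit 2: verified acceptance
	for _, r := range ledger {
		if Verify(r, verifKeys) {
			seen[r.Correlator] |= map[string]int{"offer": 1, "acceptance": 2}[r.Kind]
		}
	}
	for c, s := range seen {
		switch s {
		case 3:
			settled = append(settled, c)
		case 1:
			open = append(open, c)
		}
	}
	return settled, open
}
```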