Why cryptosystems fail

Designers of cryptographic systems are at a disadvantage to most other engineers, in that information on how their systems fail is hard to get: their major users have traditionally been government agencies, which are very secretive about their mistakes. In this article, we present the results of a survey of the failure modes of retail banking systems, which constitute the next largest application of cryptology. It turns out that the threat model commonly used by cryptosystem designers was wrong: most frauds were not caused by cryptanalysis or other technical attacks, but by implementation errors and management failures. This suggests that a paradigm shift is overdue in computer security; we look at some of the alternatives, and see some signs that this shift may be getting under way.
