Why cryptosystems fail

Author:
Ross Anderson

University Computer Laboratory, Pembroke Street, Cambridge CB2 3QG

University Computer Laboratory, Pembroke Street, Cambridge CB2 3QG
View Profile

CCS '93: Proceedings of the 1st ACM conference on Computer and communications securityDecember 1993Pages 215–227https://doi.org/10.1145/168588.168615

Published:01 December 1993Publication History

CCS '93: Proceedings of the 1st ACM conference on Computer and communications security

Pages 215–227

ABSTRACT

Designers of cryptographic systems are at a disadvantage to most other engineers, in that information on how their systems fail is hard to get: their major users have traditionally been government agencies, which are very secretive about their mistakes.

In this article, we present the results of a survey of the failure modes of retail banking systems, which constitute the next largest application of cryptology. It turns out that the threat model commonly used by cryptosystem designers was wrong: most frauds were not caused by cryptanalysis or other technical attacks, but by implementation errors and management failures. This suggests that a paradigm shift is overdue in computer security; we look at some of the alternatives, and see some signs that this shift may be getting under way.

References

A1.D Austin, "Marking the Cards", in Banking Technology, Dec 91/Jan 92, pp 18- 21Google Scholar
A2.RJ Anderson, "UEPS- A Second Generation Electronic Wallet". in Computer Security - ES- ORICS 92, Springer LNCS 648, pp 411 - 418 Google ScholarDigital Library
B.M Buckler MP, letter to plaintiff's solicitor, 8 June 1992Google Scholar
BAB."Card Fraud: Banking's Boom Sector", in Banking Automation Bulletin for Europe, Mar 92, pp 1-5Google Scholar
BAN.M Burrows, M Abadi and RM Needham, 'A Logic of Authentication', DEC SRC Research Report 39Google Scholar
BB."Cash Dispenser Security", Bar'clays Briefing (press release) 12/9/92Google Scholar
BGS.JA Bull, L Gong, K Sollins, "Towards Security in an Open Systems Federation", in Proceedings of ESORICS 9~, Springer LNCS 648 pp 3- 20 Google ScholarDigital Library
BMD.A Burns, JA McDermid, JE Dobson, 'On the meaning of safety and security', University of Newcastle upon Tyne Computer Laboratory TR 382 (5/92)Google Scholar
C1.A Collins, "Bank worker guilty of ATM fraud", in Sunday Times, 22 Mar 1992Google Scholar
C2.A Collins, "The Machines That Never Go Wrong", in Computer Weekly, 27 June 1992, pp 24- 25Google Scholar
C3.D Coppersmith, "The Data Encryption Standard (DES) and its strength against attacks", IBM Thomas J Watson Research Center technical report RC 18613 (81421), 22 December 1992Google Scholar
C4.J Cullyer, "Safety-critical systems", in Computing and Control Engineering Journal 2 no 5 (Sep 91) pp 202- 210Google Scholar
C5.B Christianson, "Document Integrity in CSCW", in Proc. Cambridge Workshop on Formal Methods (1993, to appear)Google Scholar
CR.Boeing News Digest, quoted in usenet newsgroup 'comp.risks' 14 no 5 (29 April 1993)Google Scholar
CW.J Cullyer, W Wong, "Application of formal methods to railway signalling - a case study", in Computing and Control Engineering Journal 4 no 1 (Feb 93) pp 15- 22Google Scholar
DP.DW Davies and WL Price, 'Security for Computer Networks ', John Wiley and Sons 1984. Google ScholarDigital Library
E.J Essinger, 'A TM Networks - Their Oryanisation, Security and Future', Elsevier 1987Google Scholar
GO.G Garon and R Outerbridge, "DES Watch: An examination of the Sufficiency of the Data Encryption Standard for Financial Institution Information Security in the 1990's, in Cryptologia, XV, no. 3 (July 1991) pp 177- 193 Google Scholar
H.HJ Highland, "Perspectives in Information Technology Security", in Proceedings of the 1992 IFIP Congress, 'Education and Society ', IFIP A-13 vol II (1992) pp 440 - 446 Google ScholarDigital Library
ITSEC.'Information Technology Security Evaluation Criteria', June 1991, EC document COM(90) 314Google Scholar
J1.RB Jack (chairman), 'Banking services: law and practice report by the Review Committee ', HMSO, London, 1989Google Scholar
J2.K Johnson, "One Less Thing to Believe In: Fraud at Fake Cash Machine", in New York Times 13 May 1993 p 1Google Scholar
JAJP.HL Johnson, C Arvin, E Jenkinson, R Pierce, "Integrity and assurance of service protection in a large, multipurpose, critical system" in proceedings of the 15th National Computer Security Conference, NIST (1992) pp 252- 261Google Scholar
JC.Dorothy Judd v Citibank, 435 NYS, 2d series, pp 210 - 212, 107 Misc.2d 526Google Scholar
JDKLM.DB Johnson, GM Dolan, MJ Kelly, AV Le, SM M atyas, "Common Cryptographic Architecture Application Programming Interface", in IBM Systems Journal 30 no 2 (1991) pp 130 - 150 Google ScholarDigital Library
K1.D Kahn, 'The Codebreakers', Macmillan 1967Google Scholar
K2.TS Kuhn, 'The Structure of Scientific Revolutions', Chicago 1970Google Scholar
L1.B Lewis, "How to rob a bank the cashcard way", in Sunday Telegraph 25th April 1992 p 5Google Scholar
L2.D Lane, "Where Cash is King", in Banking Technolo9y, October 1992, pp 38 - 41Google Scholar
M1.S M cConnell, "Barclays defends its cash machines", in The Times, 7 November 1992Google Scholar
M2.R Morris, invited lecture given at Cambridge 1993 formal methods workshop (proceedings to appear)Google Scholar
M3.JA McDermid, "Issues in the Development of Safety Critical Systems", public lecture, 3rd February 1993Google Scholar
MB.McConville & others v Barclays Bank & others, High Court of Justice Queen's Bench Division 1992 ORB no.812Google Scholar
MBW.McConville & others v Barclays Bank & others cit, affidavit by D WhalleyGoogle Scholar
MM.CH Meyer and SM Matyas, 'Cryptography: A New Dimension in Computer Data Security', John Wiley and Sons 1982.Google Scholar
N.I Newton, 'Philosophiae Naturalis Principia Mathematica', University of California Press 1973Google Scholar
NSM.'Network security Module - Application Devel. oper's Manual', Computer Security Associates, 1990Google Scholar
NSP.New Security Paradigms Workshop, 2-5 August 1993, proceedings to be published by the ACM.Google Scholar
P.WR Price, "Issues to Consider When Using Evaluated Products to Implement Secure Mission Systems", in Proceedings of the 15th National Computer Security Conference, National Institute of Standards and Technology (1992) pp 292 - 299Google Scholar
R.RA Rueppel, "Criticism of ISO CD 11166 Banking: Key Management by Means of Asymmetric Algorithms", in Proceedings of 3rd Symposium of State and Progress of Research in Cryptography, Fondazione Ugo Bordoni, Rome 1993Google Scholar
RM.R v Moon, Hastings Crown Court, Feb 92Google Scholar
RSH.R v Stone and Hider, Winchester Crown Court July 1991Google Scholar
S.A Stone, "ATM cards & fraud", manuscript 1993Google Scholar
SSWDC.L Sutterfield, T Schell, G White, K Doster and D Cuiskelly, "A Model for the Measurement of Computer Security Posture", in Proceedings of the 15th National Computer Security Conference, NIST (1992) pp 379 - 388Google Scholar
TCSEC.'Trusted Computer System Evaluation Criteria, US Department of Defense, 5200.28-STD, December 1985Google Scholar
VSM.'VISA Security Module Operations Manual', VISA, 1986Google Scholar
W1.G Welchman, The Hut Siz Story, McGraw-Hill, 1982Google Scholar
W2.MA Wright, 'Security Controls in ATM Systems', in Computer Fraud and Security Bulletin, November 1991, pp 11 - 14Google Scholar
W3.K Wong, 'Data security ~ watch out for the new computer criminals", in Computer Fraud and Security Bulletin, April 1987, pp 7- 13Google ScholarCross Ref

Index Terms

Why cryptosystems fail

Recommendations

Securely combining public-key cryptosystems
CCS '01: Proceedings of the 8th ACM conference on Computer and Communications Security

It is a maxim of sound computer-security practice that a cryptographic key should have only a single use. For example, an RSA key pair should be used only for public-key encryption or only for digital signatures, and not for both.In this paper we show ...
Read More
Fail-Stop Signatures

Fail-stop signatures can briefly be characterized as digital signatures that allow the signer to prove that a given forged signature is indeed a forgery. After such a proof has been published, the system can be stopped. This type of security is strictly ...
Read More
Chosen ciphertext secure keyed-homomorphic public-key cryptosystems

In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can "freely" perform the operation inevitably means ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '93: Proceedings of the 1st ACM conference on Computer and communications security
December 1993
250 pages
ISBN:0897916298
DOI:10.1145/168588
Chairmen:
Dorothy Denning
Georgetown Univ., Washington, DC
,
Ray Pyle
Bell Atlantic
,
Ravi Ganesan
Bell Atlantic
,
Ravi Sandhu
George Mason Univ., Fairfax, VA
,
Victoria Ashby
MITRE Corp.
Copyright © 1993 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 December 1993
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate1,261of6,999submissions,18%
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 139
  Total Citations
  View Citations
- 3,274
  Total Downloads
- Downloads (Last 12 months)465
- Downloads (Last 6 weeks)49
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Why cryptosystems fail

CCS '93: Proceedings of the 1st ACM conference on Computer and communications security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Securely combining public-key cryptosystems

Fail-Stop Signatures

Chosen ciphertext secure keyed-homomorphic public-key cryptosystems