
Why Cryptosystems Fail - Assignment Example

Summary
This paper, "Why Cryptosystems Fail", focuses on the cryptographic system, also known as a cipher system, which is a method used to render information classified, or rather to hide data so that only certain people can view it. It is basically about analyzing and designing systems. …

Extract of sample "Why Cryptosystems Fail"

A cryptographic system, also known as a cipher system, is a method used to render information classified, or rather to hide data so that only certain people can view it. It is basically about analyzing and designing systems that serve to block third parties (adversaries), for example, computer passwords or ATM cards. The main importance of this system is in information security, that is, the confidentiality and integrity of data, authentication, and data being challenged. This paper explores cryptosystem failure due to failures in management and points out how the systems should best be improved to enhance performance. Most cryptosystems are used by the government, which is very secretive, and therefore information about their failure has been hard to come by, which poses a challenge to crypto engineers. However, they are also used in banking systems, which were studied in a survey of the failures of retail banking systems to provide the information used in this paper. The author, Ross Anderson, draws out the difference between cryptography designers and other engineers in how they work as well as in the information they have access to. Anderson (1994) states that if an aircraft were involved in an accident, a lot of fuss would be raised about it: investigators would be sent to examine the systems to determine the cause, whether it was a management or a machine failure, and journalists and news reporters would be all over the issue. He points to the strict and serious learning mechanism in the airline industry that is absent in cryptosystems, and attributes to it the fact that, although the system is maintained by human beings, the chances of its failure are very low. Anderson (1994) points out that in cryptography the same mistakes have been made over and over again, including poor management of code books and cipher machine procedures, which caused network breakdowns.
The survey was done on automatic teller machines (ATMs) to determine how fraud occurs, by searching through information channels, interviewing former bank employees and criminals, and studying statements made by plaintiffs and victims of ATM fraud. After the ways in which fraud took place had been examined, they were compared with the designers' theoretical expectations of the systems' weaknesses in order to draw lessons from them. Anderson (1994) then states that the threat model commonly used by designers was wrong: most frauds were not due to cryptanalysis and other such technical attacks but came from errors in implementation and failures in management. Concerning this, Anderson (1994) argues that many frauds are carried out with the bank's knowledge, or rather, inside access, and that ATM fraud is no different. Anderson (1994) points to the one percent of staff dismissed every year for disciplinary reasons as proof, and gives further examples, such as a housewife from Hastings who had money stolen from her ATM by a bank clerk. This implies that fighting fraud in the bank should start with instilling the highest possible morals in the bank employees, because they enable the crime. Anderson (1994) points out how the banking system was unable to prevent this (the clerk had done so by producing two ATM cards). The system was faulty in not being able to reflect the items featuring in a bank statement in the full statement sent to the account address. The clerk managed to make 43 withdrawals without being noticed, and would not have been noticed had he not felt guilty and owned up to his crime. Another fault in the bank's system was that when the woman later complained, the bank did not believe her until after the clerk owned up. Another example he gives is of a bank in Scotland, where an ATM was fitted with a handheld computer that was able to record all PINs and account numbers.
Counterfeit cards were made and used to steal from the account holders. The customers who complained were dismissed. This shows the banks' lack of concern, not only in failing to protect customers' privacy by overseeing such things as ATM machines, but also in failing to investigate customers' complaints, thus encouraging technical staff to steal from them. Another bank is pointed out that issues tellers with ATM cards with which they can withdraw money and debit it to any customer. This practice is convenient, but it could also tempt the teller to steal, especially when in need. It therefore raises the question of how well the bank was taking care of the customers' money. Another bank is also described that lost money because of miscommunication by a protégé of the deputy managing director, who did not consult or communicate with anyone. Frauds are not only carried out with inside access; outsiders have also had their share. An example was the men who would copy account numbers from discarded ATM cards and loot those accounts. This worked because the banks printed the account numbers in full on the ATM cards, not because of any problem with the cryptosystem of the magnetic strip. The PIN was another way in which this fraud could take place. One example is a bank that advised customers not to write their PIN on their card but rather to conceal it using a code they made up at random, which increased the chances of the thief getting the PIN right. Others that use random PINs instead of deriving the PIN from an encryption of the account number were also featured. It is therefore clear that the fraud, and thus the failure of the cryptosystems, was not due to a problem in their making but rather to their management and how they were put to use (Anderson, 1994).
This goes to show that security is not a separate entity in itself, but is instead a combination of the system and the management of the system resources and thus the need to harmonize both in order to have confidence in the system.

Reference

Anderson, R. (1994). Why Cryptosystems Fail. Communications of the ACM, 37(11): 32-40.