Managing encryption

Posted: Mon Nov 07, 2005 6:09 pm
by judoka
http://www.schneier.com/blog has an interesting (quite long) read at link http://www.fas.org/irp/eprint/heath.pdf
It is a master's thesis for Master of Military Science and describes the failures in security policies which allowed John Walker to sell so many secrets to the Russians in the 60s and 70s.

Interesting quotes:

"[security] policy must be implemented primarily by personnel who were selected, rewarded and promoted for their success as sailors. When inevitable conflicts arise between the demands of security policy and mission accomplishment, the personnel who will resolve the dilemma will be primarily focused on mission requirements"

"Key management - in theory the distribution of key material was tightly restricted on a need-to-know basis, in practice this principle was trumped by the need to ensure that all Navy ships had all the key material they might need for any potential mission worldwide. ...
The auditing system ..... While highly elaborate and regarded with significant apprehension by the sailors who had to face them, this report will show that they were totally incapable of detecting illicit copying of the key material, even if the audits had been carried out 100 percent perfectly."

Worth learning a little history if you are intending to use encryption.