Showing papers by "Ross Anderson published in 2001"

Why information security is hard - an economic perspective

Abstract: According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.

API-level attacks on embedded systems

Abstract: We have recently discovered a whole new family of attacks on the APIs (application programming interfaces) used by security processors. These attacks are economically important, as security processors are used to support a wide range of services - from ATMs (automated teller machines) to pre-payment utility metering - but designing APIs that resist such attacks is difficult.

Microprocessor resistant to power analysis

Abstract: A secure microprocessor is designed using quad-coded logic which is similar to dual-rail encoded asynchronous logic except that the '11' state propagates an alarm. The alarm signal obliterates secure data in its path. Quad-coded logic provides resilience to power glitches and single-transistor or single-wire failures. The already low data dependency of the power consumption makes power analysis attacks difficult, and they are made even more difficult by inserting random delays in data and control paths, and by a set-random-carry instruction which enables software to make a non-deterministic choice between equivalent instruction sequences. These features are particularly easy to implement well in quad-coded logic.

Undermining data privacy in health information.

Abstract: Since 1910, doctors have been arguing with successive British governments over access to medical records. The compromise that has emerged over the years balances patient privacy, professional autonomy, public health effectiveness, and the needs of scientific research. Past attempts to disturb this balance have foundered—on professional resistance, patient rights, and the property rights of healthcare firms—but the side effects of these disputes have often been debilitating. And now an innocuous sounding clause in the latest bill on health is set to upset the balance again, with potentially damaging effects on both privacy and research. The last government attempt to extend its access to personal health information was the information management and technology strategy, which in 1992 talked of a single electronic health record, accessible to all within the NHS. But the strategy was not designed to facilitate the sharing of health data between clinicians so much as its collection in central databases. This put it on a collision course with the law. For example, the Venereal Diseases Act restricts identifiable data …

Protecting Embedded Systems - The Next Ten Years

Abstract: In this talk, I will speculate about the likely near-term and medium-term scientific developments in the protection of embedded systems. A common view of the Internet divides its history into three waves, the first being centered around mainframes and terminals, and the second (from about 1992 until now) on PCs, browsers, and a GUI.The third wave, starting now, will see the connection of all sorts of devices that are currently in proprietary networks, standalone, or even non-computerized. By the end of 2003, there might well be more mobile phones connected to the Internet than computers. Within a few years we will see many of the world's fridges, heart monitors, bus ticket dispensers, burglar alarms, and electricity meters talking IP. By 2010, 'ubiquitous computing' will be part of our lives. Some of the likely effects of ubiquitous computing are already apparent. For example, applications with intermittent connectivity will have to maintain much of their security state locally rather than globally. This will create new markets for processors with appropriate levels of tamper-resistance. But what will this mean? I will discuss protection requirements at four levels.

The correctness of crypto transaction sets. Discussion

Abstract: An increasing number of systems, from pay-TV to electronic purses, rely on the tamper resistance of smartcards and other security processors. We describe a number of attacks on such systems some old, some new and some that are simply little known outside the chip testing community. We conclude that trusting tamper resistance is problematic; smartcards are broken routinely, and even a device that was described by a government signals agency as `the most secure processor generally available' turns out to be vulnerable. Designers of secure systems should consider the consequences with care. This paper was published by the USENIX Association in The Second USENIX Workshop on Electronic Commerce Proceedings, Oakland, California, November 18-21, 1996, pp 1-11, ISBN 1-880446-83-9. It won the best paper award at that conference. 1 Tamperproofing of cryptographic equipment Many early cryptographic systems had some protection against the seizure of key material. Naval code books were weighted; rotor machine setting sheets were printed using water soluble ink; and some onetime pads were printed on cellulose nitrate, so that they would burn rapidly if lit [Kah67]. But such mechanisms relied on the vigilance of the operator, and systems were often captured in surprise attacks. So cryptographic equipment designed in recent years has often relied on technical means to prevent tampering. An example is the VISA security module, commonly used in banks to generate and check the personal identification numbers (PINs) with which customers authenticate themselves at automatic teller machines. It is basically a safe containing a microcomputer that performs all the relevant cryptographic operations; the safe has lid switches and circuitry which interrupts power to memory, thus http://www.cl.cam.ac.uk/users/rja14/tamper.html (1 of 19) [9/12/2004 4:16:23 AM] Tamper Resistance a Cautionary Note erasing key material, when the lid is opened [VSM86]. The idea is to deny the bank's programmers access to customer PINs and the keys that protect them; so when a customer disputes a transaction, the bank can claim that the customer must have been responsible as no member of its staff had access to the PIN [And94]. Evaluating the level of tamper resistance offered by a given product is thus an interesting and important problem, but one which has been neglected by the security research community. One of the few recent articles that discuss the subject describes the design of the current range of IBM products and proposes the following taxonomy of attackers [ADD+91]: Class I (clever outsiders): They are often very intelligent but may have insufficient knowledge of the system. They may have access to only moderately sophisticated equipment. They often try to take advantage of an existing weakness in the system, rather than try to create one. Class II (knowledgeable insiders): They have substantial specialized technical education and experience. They have varying degrees of understanding of parts of the system but potential access to most of it. They often have highly sophisticated tools and instruments for analysis. Class III (funded organisations): They are able to assemble teams of specialists with related and complementary skills backed by great funding resources. They are capable of in-depth analysis of the system, designing sophisticated attacks, and using the most advanced analysis tools. They may use Class II adversaries as part of the attack team. The critical question is always whether an opponent can obtain unsupervised access to the device [Mor94]. If the answer is no, then relatively simple measures may suffice. For example, the VISA security module is vulnerable to people with occasional access: a service engineer could easily disable the tamper protection circuitry on one of her visits, and extract key material on the next. But this is not considered to be a problem by banks, who typically keep security modules under observation in a computer room, and control service visits closely. But in an increasing number of applications, the opponent can obtain completely unsupervised access, and not just to a single instance of the cryptographic equipment but to many of them. This is the case that most interests us: it includes pay-TV smartcards, prepayment meter tokens, remote locking devices for cars and SIM cards for GSM mobile phones [And95]. Many such systems are already the target of well