Information Security 101 - the Rules of Thumb

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue Jun 23 23:28:27 BST 2009 

I haven't finished writing/compiling the security design 101 rules yet,
but so far:

In these rules an "enemy" is someone who wants to steal some secret
information an honest system designer doesn't want him to steal, or to 
prevent authorised access to it, or to mislead a friend about its 
authenticity.

A "friend" is someone who the system designer is willing to share a
particular secret with, or who is allowed to create, modify or store a
secret in the system.

This naming is purely a convention. From the point of view of someone
who wants access to information the system designer doesn't want him to
have, it may seem the other way round.


Rule 1: Do not underestimate the enemy, they are cleverer, more numerous 
and more determined than you think.

Rule 2: Keep it simple, simplicity limits where an enemy can attack.

Rule 3: Limit the people who can access secrets, only they can steal them.

   Rule 3 alternative wording : Limit the people you trust, only they
can betray you.

Rule 4: Protect plaintext first, it's far more valuable to an enemy
than ciphertext.

Rule 5: Think out-of-the-box, an enemy will attack in ways you don't expect.

Rule 6: Make it cheap and easy to use, a security system which isn't
used isn't useful.






Some more, unfinished and in no particular order:

The best person to control access to a secret is a person who already
knows it.

Whether something should be considered secret or not depends on what it
can be used for, not on what you want to use it for.

Two or more pieces of information when put together may divulge a secret
which is more than the sum of their parts.

If a secret can be inserted, changed or deleted by an enemy, a friend
can't rely on it's accuracy.

The purposes of an enemy may be fulfilled by preventing a friend
accessing a secret.

The security of a secret is approximately proportional to the square of
the number of people who can access it.

Limit everyone's ability to access secrets to that necessary, the
ability to access a secret is the ability to steal it.

Only tell friends the secrets they need to know, they don't need to know
them all.

Limit the information you store, information which isn't stored can't be
stolen from the store.

Limit the information you collect, information which isn't collected
can't be stolen during collection.

Knowing if or when someone has accessed a secret can be as revealing as
knowing the secret itself.

It is better to knowingly lose a secret than to have it stolen, deleted
or modified.

Security by obscurity is worse than no security at all.

Consider the positions of everybody involved, both enemies and friends,
at all times.

Information is not a thing, it can be stolen and still be there.

Peer review in invaluable, and hard to get.


security is in the keys:
no unexpected behaviour:
friends can turn into enemies:
fail safe:
quantity of accesses by one friend:
use of logs:
file sizes:
secrets are expensive to keep:
logs, and security thereof:
insiders:
deletion is hard:
look at the system from outside, an enemy will.
look at the system from inside, an enemy will.

Other suggestions, and corrections, gratefully accepted.


Peter Fairbrother

More information about the ukcrypto mailing list