1 / 7

Why Cryptosystems Fail ?

Why Cryptosystems Fail ?. Mitesh Dave. What is Cryptography?. The science of code and cipher systems used by governments,banks and other organizations to keep information secure.

emily
Download Presentation

Why Cryptosystems Fail ?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Why Cryptosystems Fail ? Mitesh Dave

  2. What is Cryptography? • The science of code and cipher systems used by governments,banks and other organizations to keep information secure. • After government, the next biggest application of cryptosystems is in banking and has evolved to protect automatic teller machines (ATMs) from fraud.

  3. How ATM encryption works? • Account number : 8807012345691715 • Pin key : FEFEFEFEFEFEFE • Result of DES: A2CE126C69AEC82D • Result of decimalised : 0224126269042823 • Natural pin : 0224 • Offset : 6565 • Customer PIN : 6789

  4. How ATM fraud takes place? • Frauds carried out without any great technical sophistication. • Frauds due to inside knowledge or access. • Outsiders attacking ATM systems. • PIN guessing techniques.

  5. Technically sophisticated frauds • PIN key can be found out by system programmers without too much effort. • The `buy IBM or else` policy has backfired causing many a bank frauds in the past. • Not all security products are good and very few banks have the expertise to tell the good ones from the bad ones. • Poor implementation or sloppy operating procedures can leave the bank exposed. • Cryptanalysis cannot be completely ruled out.

  6. The implications for equipment vendors • Only huge projects have a capable security expert on hand during the whole of development and implementation process. • Indirect government encouragement by certifying wrong products under schemes like ITSEC. • Banking institutions have sophisticated products to use but lack the skills to do a proper job and end up with systems having bugs. • Threat environment scenario keeps changing. • Sloppy quality control.

  7. Conclusion • Designers of cryptographic systems have suffered from a lack of information about how their products fail in practice, as opposed to how they might fail in theory.This lack of feedback has led to a false threat being accepted.Designers focussed on what could possibly go wrong, rather than on what was likely to go wrong.As a result most security failures are due to implementation and management errors.Component level certification as embodied in both the ITSEC and TCSEC programs is unlikely to achieve its stated goals.Certification must cover not just the hardware and software design, but also installation, training, maintenance, documentation and all the support that may be required by the applications and environment in which the system will operate.

More Related