Lists Home |
Date Index |
On Thursday 30 May 2002 9:28 pm, Seairth Jacobs wrote:
> Okay, maybe I am slow to see what's wrong here, but I don't see what's
> wrong here. I have questions about the security solution presented, but
> isn't the problem itself legitimate? If it isn't, would someone be kind
> enough to educate me why a self-describing data file is not an easier
> target for data theft?
If somebody's already managed to somehow foil a trusted server to divulge the
encrypted information and work around the encryption, then yeah, figuring out
the meaning of what they've obtained is easier with self-describing data.
However, that change in ease is quite negligible compared to the rest of the
If you're transmitting sensitive information without proper precautions so
that figuring out which bit of it's the credit card information is the main
problem facing an invader, then there's something terribly terribly wrong.
Not that it's *bad* to put extra obstacles in an attacker's way - but there's
many orders of magnitude of difference in the difficulty of extracting credit
card numbers from strange message formats and breaking a cryptosystem.
One angle is that XML documents usually start with a <, and often a <?xml
verison='1.0'?>, and that kind of information can be used to help break
cryptosystems. Which is why, if somebody sensible was setting up that system,
they would encrypt 16 bytes of random numbers followed by the gzipped XML,
maybe with that 16 bytes of random numbers XORed into the first 16 bytes of
the file in case the structure of the headers at the start of the gzip stream
provides a lever into the cryptosystem (albeit at an offset into the stream
after random data, and if it's a decent cryptosystem setup it'll be feeding
cyphertext or plaintext back into the later stages anyway).
So to conclude, the underlying data format matters only if your security's
already lame to start with...
Alaric B. Snell
http://www.alaric-snell.com/ http://RFC.net/ http://www.warhead.org.uk/
Any sufficiently advanced technology can be emulated in software