Quoting from the November 15 issue of Bruce Schneier's CRYPTO-GRAM:
"** *** ***** ******* *********** *************

                Micro Locks



"Sandia National Laboratories has developed a computer security device
that puts a new spin on firewall technology: The Recodable Locking
Device is the world's smallest, micromachined combination lock, and
it's designed to protect computer networks from outside intruders."
--Wired News.

What?

The idea is that instead of computer-security measures -- cryptography
and all that -- there is a physical combination lock inside the
firewall.  If someone enters the correct combination, he gets in.  If
he doesn't, he stays locked out.  No cryptographic algorithms to break.
No computer security measures to try to circumvent.  No software to
find bugs in.

This sounds cool, but adding micro combination locks doesn't change the
threat model much.  In both systems, the user has to either remember a
password (combination) or store it somewhere.  In both systems,
passwords can be sniffed or stolen.  In both systems, an administrator
can subvert the security (either accidentally or maliciously).  In both
systems, there is software controlling how the access works.  If you
trust the cryptographic algorithms (which, in any good system, are
being used in far more places than the access control), then without
the crypto key there is no way to open the file...just as without the
combination there is no way to open the lock.  There are probably some
advantages to using one way or the other depending on the circumstance,
but I don't see a technological leap.

More telling, the computer security industry hasn't been beating its
breasts and wailing: "I wish there were a tiny combination lock.  That
would solve my problems!"  I'm serious.  Combination locks aren't a new
idea.  If applying them would be a good idea, they would have been
applied.  Sure, they would have been large.  But we've seen all sorts
of macro solutions to computer security problems: manual switches
disconnecting computers from networks (so called "air walls"), physical
keys with EEPROM chips inside, vacuum-filled conduit to detect
tampering.  I haven't seen combination locks, of any size, used in
computer security products.  Just because Sandia's locks are smaller
doesn't make them more applicable.  It only makes them smaller.

I'm not trying to say that combination locks the size of microchips
aren't a cool idea.  My guess is that there are all sorts of clever
uses for these things; probably uses in computer security, but uses
that we just can't imagine right now.  But firewalls and computer
access devices...I have trouble seeing it.

http://www.wired.com/news/news/technology/story/15572.html"
-- 
Mike Stay
Cryptographer / Programmer
AccessData Corp.
mailto:[EMAIL PROTECTED]
