Tiny Bytes: RSA
tldr RSA works by exploiting the fact we can’t easily factor 2 large prime numbers and group theory to make a trapdoor permutation, aka a function that turns x into y but y can’t easily be turned into x without a secret. However, implementing RSA gets tricky because there’s lots of subtle attacks.MathRSA takes advantage of the group Z^*_{n} (multiplicative group of integers modulo n). This is the non-negative integers less than n that have an inverse modulo n. 1 x 1 mod n = 1. 0 x int = 0 so ...
Tiny Bytes: Chilling
Hi, Just chilling tonight. Aiming to finish up chapter tomorrow. Night, Lucas
Tiny Bytes: Quickie
Hi, Did much more writing on RSA. Will finish soon. Bye, Lucas
Tiny Bytes: RSA
tldr RSA works by exploiting the fact we can’t easily factor 2 large prime numbers and group theory to make a trapdoor permutation, aka a function that turns x into y but y can’t easily be turned into x without a secret. However, implementing RSA gets tricky because there’s lots of subtle attacks.MathRSA takes advantage of the group Z^*_{n} (multiplicative group of integers modulo n). This is the non-negative integers less than n that have an inverse modulo n. 1 x 1 mod n = 1. 0 x int = 0 so ...
Tiny Bytes: Chilling
Hi, Just chilling tonight. Aiming to finish up chapter tomorrow. Night, Lucas
Tiny Bytes: Quickie
Hi, Did much more writing on RSA. Will finish soon. Bye, Lucas
Subscribe to ldnovak
Subscribe to ldnovak
Share Dialog
Share Dialog
<100 subscribers
<100 subscribers
Hello,
A large percentage of my posts so far have been related to privacy but security has been pushed a little to the side. So today, I want to give security some love. I want to spend sometime defining what exactly security is and, if time permits, discuss why it’s important.
Security is all about “who is allowed to do what?”
My bank account should let me withdraw money while preventing everyone else
My car should allow anyone people with the key to drive the car
A school’s grade system should allow students to see only their grades, instructors the ability to see and modify only their students grandes, and administrators to create new classes and students.
Getting a little wordier:
An application allows userA, userB, userC… to take actionsA, actionsB, actionsC… respectively. The application is secure if this is properly enforced (i.e., userA can only take actionsA).
What makes security tricky is that there is a bad actor who will do anything in their power to violate this (i.e., take an action they aren’t allowed to take or prevent someone from being able to take an action they should be allowed to take). The amount of power a bad actor are the security assumptions you make. If you assume a bad actor can break encryption than it’s really hard to protect data. If you assume a bad actor can’t use a computer then it’s really easy.
Does there need to be a bad actor for security to be important?
I’d argue no.
Rather a powerful actor trying to do harm increases the difficulty.
There are 2 big things to worry about with security:
Someone doing something they aren’t supposed to
Someone not being able to do something they are supposed to
For 1:
If there are no passwords, I could still accidentally log into the wrong account.
I could send money to the wrong person either by accident or being tricked. Regardless if a bad actor was involved, I took an action I shouldn’t have. I’d argue that a feature that prevents me from sending to the wrong address would be a security feature because it would prevent me from taking an action I shouldn’t be allowed to take.
Where this gets tricky is that a feature that prevents me from sending money to an address could also be a security violation. The security feature to prevent me from sending to sketchy addresses could prevent me from sending to an address I want to send to. This gets into point 2.
For 2:
In a similar vein to above, I could be prevented from sending money to someone because they are a known bad person or there is a bug. If someone is exploiting this to prevent me from sending money, clearly this is a security issues. What if there’s no bad actor and it’s just a bug. I’d argue that this still is a security issue. It’s also a usability issues. Security and usability are tied together; it a security feature is annoying to use then I won’t use it (e.g., if I get warnings all the time about sending money to an unknown address I will ignore all warnings). The feature to prevent me from sending money to bad addresses is also a security feature and a bug in a security features is a security issue.
Where this gets trickier for me to think about is what happens if a website is down. A bad actor causing this is definitely a security issue. What if it was just a bad bug. I’d still argue it’s a security issue. First, if everything is down it’s an everyone problem. Second, people can’t take actions they expect to take. Regardless of if a bad actor took this action you want to be able to prevent it. Are there things that could be done to have prevented this issue from happening? Or if this issue happens again, are there things we could do to make sure the consequences are smaller?
Got to go. Can’t edit. I like the thought I put in today.
Lucas
Hello,
A large percentage of my posts so far have been related to privacy but security has been pushed a little to the side. So today, I want to give security some love. I want to spend sometime defining what exactly security is and, if time permits, discuss why it’s important.
Security is all about “who is allowed to do what?”
My bank account should let me withdraw money while preventing everyone else
My car should allow anyone people with the key to drive the car
A school’s grade system should allow students to see only their grades, instructors the ability to see and modify only their students grandes, and administrators to create new classes and students.
Getting a little wordier:
An application allows userA, userB, userC… to take actionsA, actionsB, actionsC… respectively. The application is secure if this is properly enforced (i.e., userA can only take actionsA).
What makes security tricky is that there is a bad actor who will do anything in their power to violate this (i.e., take an action they aren’t allowed to take or prevent someone from being able to take an action they should be allowed to take). The amount of power a bad actor are the security assumptions you make. If you assume a bad actor can break encryption than it’s really hard to protect data. If you assume a bad actor can’t use a computer then it’s really easy.
Does there need to be a bad actor for security to be important?
I’d argue no.
Rather a powerful actor trying to do harm increases the difficulty.
There are 2 big things to worry about with security:
Someone doing something they aren’t supposed to
Someone not being able to do something they are supposed to
For 1:
If there are no passwords, I could still accidentally log into the wrong account.
I could send money to the wrong person either by accident or being tricked. Regardless if a bad actor was involved, I took an action I shouldn’t have. I’d argue that a feature that prevents me from sending to the wrong address would be a security feature because it would prevent me from taking an action I shouldn’t be allowed to take.
Where this gets tricky is that a feature that prevents me from sending money to an address could also be a security violation. The security feature to prevent me from sending to sketchy addresses could prevent me from sending to an address I want to send to. This gets into point 2.
For 2:
In a similar vein to above, I could be prevented from sending money to someone because they are a known bad person or there is a bug. If someone is exploiting this to prevent me from sending money, clearly this is a security issues. What if there’s no bad actor and it’s just a bug. I’d argue that this still is a security issue. It’s also a usability issues. Security and usability are tied together; it a security feature is annoying to use then I won’t use it (e.g., if I get warnings all the time about sending money to an unknown address I will ignore all warnings). The feature to prevent me from sending money to bad addresses is also a security feature and a bug in a security features is a security issue.
Where this gets trickier for me to think about is what happens if a website is down. A bad actor causing this is definitely a security issue. What if it was just a bad bug. I’d still argue it’s a security issue. First, if everything is down it’s an everyone problem. Second, people can’t take actions they expect to take. Regardless of if a bad actor took this action you want to be able to prevent it. Are there things that could be done to have prevented this issue from happening? Or if this issue happens again, are there things we could do to make sure the consequences are smaller?
Got to go. Can’t edit. I like the thought I put in today.
Lucas
No activity yet