Information Security & Cryptography

Cryptography or the cryptic art started off as the art & science of encryption. It is a wide area of research and implementation. You will find it touching almost a variety area of quantum physics, law, hardware design, advanced mathematics, user interface and even politics! This makes cryptography an interesting area of study and in fact one of the key reasons why I’m personally passionate about it.

Cryptography is one of the key component in the ecosystem. Cryptography by itself, is not that fancy or useful. It adds layer of protection into an existing deployment/infrastructure/functionality. A physical equation of cryptography would be akin to a metal lock. A lock recognizes no legitimate owner (some electronic locks claims so), but only recognises the right metal key to open it. The wielder of the key could be anybody, both legit or not. As i said earlier, cryptography alone is not so useful, but when deployed properly, it will serve a critical role.

In the current technology world, you’d encounter that most attacks aren’t really against cryptography (yes, the more learned would disagree, citing rainbow tables and collisions, but that’s another story – keyspace). So, the current attacks (such as race conditions, buffer overflows) would be centered around other parts of the ecosystem.

Security is only as strong as the weakest link. One can only improve the state of security by improving the vulnerability of the weakest link. Alternatively you could use the layered onion approach, whereby your weakest link is concealed within layers of added security or risk mitigation.

Attacks to the cryptography layer can be deadly. This is because the system can only recognize whether an access is “legitimate” or non-legitimate. It will not be able to detect whether cryptography is broken or not. Similar to burglary, if one pries the lock open, the physical damage of the lock is seen. However if the assailant picks the lock, prove of crime is not present anymore.

What’s ironic about this situation is that, even security systems are vulnerable. The “over-confidence” and the fact that vendors dealing security are “suppose” to be secure is yet to be seen. We see reports of security vendors scurrying to patch their systems when vulnerabilities affecting core cryptography component such as OpenSSL (which is used widely, even in router OS such as Cisco’s IOS and Juniper’s JunOS).

Unlike nature, which is governed by some laws of physics like gravity, there is none when it comes to threat to cryptography. One cannot assume that functions will be called properly, right types are passed as parameters, bounds/limits respected. As such, writing cryptography becomes a daunting task in ensuring that all factors are carefully considered, all risks identified and accounted for.

Again, it is stressed that cryptography alone does not make a system secure. Just like the widely accepted misconception that having a firewall protects your system. When deployed correctly, cryptography provides key protection to data. However, vendors tend to attempt implementing “proprietary” encryption, which has not gone through peer reviews, extensive tests and verification to prove the strength and ability of those algorithms.

Reality is, cryptography stands somewhere near nuclear physics. It is extremely difficult, has complex mathematical equations in its core functions and usually subjects of doctorate studies. It does require a fair amount of effort and understanding on this subject matter.

Operating Systems – Introduction

Operating System Brains

A computer’s heart is the operating system. The core processing is done at the CPU, and it’s only possible if there is an operating system. So what is an Operating System? Operating system is a set of software, written using a low-level programming language (either C/C++ or Assembly).

Operating system is responsible to manage the requests made by any software applications, and direct them to be executed via the hardware that it’s installed upon. In essence, it acts as an interface between the software and the hardware. You might be wondering “Why do i even need an Operating System? I might as well code to use the hardware directly!!”. Valid concerns, but your application will not be the only application running. If you need your application to run at the Operating System level, that can be achieved via kernel mode access (which will be covered at a later stage).

So, you need an operating system. But what exactly does an Operating System do?

  • Process Management – makes sure that your applications runs smoothly without any interruption, and to ensure that it executes successfully
  • Memory Management – the CPU can only execute a limited number of processes/applications at one time. And as these applications are run, they need storage space to manipulate data. This storage (RAM) needs to be managed so that both applications and operating systems have their own space.
  • Input/Output – Your applications will leverage on the existing hardware. As such, the Operating Systems provide a structured means of accessing these devices (by providing a generic access layer called the device drivers) to access myriads of hardware without having to worry about the specifics.

Though this is a limited list, most other functionality are some form of variation of these basic functions. The exact functions will be covered in the later blog entries.