Babel tower

I am currently reading the latest book by Olivier BOMSEL: “Gratuit, du déploiement de l’économie numérique”. This book is extremely interesting, as were Olivier’s previous essays. Olivier BOMSEL is a French economist who focuses on the economy of the digital industry. His opinions are often provocative. I will probably come back to this book several times.

This book illustrates the network effect in the digital economy. The author presents an interesting biblical example: the Tower of Babel. By introducing new languages, God broke the network effect that made the building of the tower possible.

This raised a question: is a Tower of Babel good or bad for security? The answer is difficult. There are arguments for both positions.

  • On one hand, the more widely a secure system is deployed, the more it may be studied by the community. Thus, we may expect to have a more secure system.
  • On the other hand, the more widely a secure system is deployed, the more it may be attacked. Furthermore, the attackers may have access to better documentation and have a deeper knowledge, and thus be more efficient.
  • Another negative argument is that if there were one unique secure system, then a class attack would affect a complete ecosystem. This may be extremely dangerous.

Thus, once more, no Manichean answers.

By the way, according to Olivier BOMSEL’s book, the incident of the Tower of Babel may be a good thing for humanity. It obliged mankind to spread all over the world. ;-)

RFID and weak security

NXP Mifare Classic RFID chips are widely used in transportation or access control in Europe. NOHL Karsten, a researcher, has published a cryptanalysis of this chip (the paper). His analysis demonstrates that the design was extremely weak. The cipher uses an LFSR and a 48-bit key.

It is obvious that the design was weak. Nevertheless, the main design constraint was probably to have a small number of gates for the implementation, to reduce the cost. The security assumed that this algorithm would stay secret, in other words violating Kerckhoffs's principle. Furthermore, using a 48-bit key was inadequate. Currently, it is recommended to have at least a 90-bit key. With a 48-bit key, a brute-force attack is easy.
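To make the key-length argument concrete, the following added example (not part of the original post, and not the Mifare cipher) sweeps the whole key space of a toy 16-bit LFSR and then extrapolates the worst-case sweep time to 48-bit and 90-bit keys. The register size, the tap positions, the sample key and the rate of 10^9 keys per second are assumptions chosen for illustration.

```python
import time

WIDTH = 16               # toy register size (assumption; small enough to sweep in seconds)
SHIFTS = (0, 2, 3, 5)    # feedback taps 16,14,13,11 of a standard 16-bit Fibonacci LFSR

def lfsr_keystream(key, nbits):
    """Return nbits of output from the toy LFSR seeded with `key`, packed into an int."""
    state, out = key, 0
    for _ in range(nbits):
        out = (out << 1) | (state & 1)
        fb = 0
        for s in SHIFTS:
            fb ^= (state >> s) & 1
        state = (state >> 1) | (fb << (WIDTH - 1))
    return out

def exhaustive_search(observed, nbits):
    """Try every non-zero key; return (matching keys, keys tried, elapsed seconds)."""
    start = time.perf_counter()
    hits = [k for k in range(1, 1 << WIDTH) if lfsr_keystream(k, nbits) == observed]
    return hits, (1 << WIDTH) - 1, time.perf_counter() - start

def years_to_search(key_bits, keys_per_second):
    """Worst-case time, in years, to sweep a key space of `key_bits` bits."""
    return 2 ** key_bits / keys_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    secret = 0xACE1                      # constructed sample key
    observed = lfsr_keystream(secret, 24)
    hits, tried, secs = exhaustive_search(observed, 24)
    print(f"{WIDTH}-bit toy: {tried} keys in {secs:.2f}s, recovered {[hex(k) for k in hits]}")
    rate = 1e9                           # assumed trial rate, keys per second
    for bits in (48, 90):
        print(f"{bits}-bit key at {rate:.0e} keys/s: {years_to_search(bits, rate):.3g} years")
```

Each additional key bit doubles the sweep time, so at the same assumed rate the 90-bit key space takes 2^42 times longer to cover than the 48-bit one.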

Is it a problem? It depends on the application using the chip and its security assumptions. If the hypothesis is that the chip is extremely secure, then the answer is that it is an error. If the goal is to protect low-cost assets, then the answer is that it is the right solution. As always, security is not simple and Manichean.

Forecasts: RFID will spread. Due to this massive use, cost constraints will be such that we can anticipate that many RFID chips will implement weak but low-cost algorithms. I will surely report many such events.

Launching my blog

I am making the move: I am opening my blog. You will find news, analysis of this news and thoughts about topics related to security.
To start, it will be Web 1.0. You will not be able to directly edit your comments. Nevertheless, do not hesitate to share them with me by mail. I will switch to Web 2.0 as soon as possible.
The blog will be both in English and French.
I hope you will enjoy it.

Eric