History of Information Security

By Wayne Pollock

 

Thousands of years old:

·        Kings to other rulers (secret agreements)

·        Leaders to soldiers (military communications)

·        Finance (banking, trading, merchants to partners and branches)

·        More recently, expectations of privacy:

o       Medical records (including genetic data)

o       Employment and other records

o       Mail

o       TV viewing, web surfing

o       Computer communications: email, IM, ...

·        Computer transactions (e.g., buying stuff on-line, surfing the web, ...)

Early encryption: Julius Caesar’s cipher: A->C, B->D, C->E, ...

Early bookkeeping: 8500 BC!

Double-entry bookkeeping: Every transaction is posted to two separate books, in one as a credit and in the other as a debit.

Example: Accounts receivable book and the cash account book: A customer pays $100 owed.  That is a debit in the Accounts receivable book (the company is now owed $100 less than before, so that account balance goes down), and a credit in the cash account book (the company now has $100 more than before).

The two books are maintained by separate clerks.  (A slip recording the transaction by some teller has one copy go to each clerk, which is why bank forms used to be multipart carbons).

At the end of the month/week/day (banks are daily), the owner/manager collects the books and compares the totals, which must exactly balance each other.

This system of dual control prevents any one employee from cheating the firm.
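
The end-of-day comparison described above, as an added example (not part of the original notes): each clerk posts their own copy of the teller's slips, and the manager reconciles the two books. The slip data and function names are constructed for illustration, and the per-slip comparison goes one step beyond the totals check in the text, because a clerk's offsetting changes leave the totals balanced.

```python
from decimal import Decimal

# Constructed sample: slips written by the teller (slip id, customer, amount paid).
SLIPS = [("S1", "Acme", Decimal("100.00")),
         ("S2", "Brown", Decimal("250.00")),
         ("S3", "Cole", Decimal("75.50"))]

def post(slips):
    """One clerk posts their copy of every slip into their own book."""
    return {slip_id: amount for slip_id, _customer, amount in slips}

def tamper(book, slip_id, new_amount):
    """Model a dishonest clerk: copy the book, altering (or dropping) one entry."""
    altered = dict(book)
    if new_amount is None:
        altered.pop(slip_id)
    else:
        altered[slip_id] = new_amount
    return altered

def reconcile(receivable_book, cash_book):
    """Manager's check: do the totals balance, and which slips disagree?"""
    balanced = sum(receivable_book.values()) == sum(cash_book.values())
    slips = receivable_book.keys() | cash_book.keys()
    suspects = sorted(s for s in slips
                      if receivable_book.get(s) != cash_book.get(s))
    return balanced, suspects

if __name__ == "__main__":
    receivable, cash = post(SLIPS), post(SLIPS)
    print("honest books:      ", reconcile(receivable, cash))
    skimmed = tamper(cash, "S2", Decimal("200.00"))
    print("cash clerk skims:  ", reconcile(receivable, skimmed))
    dropped = tamper(cash, "S3", None)
    print("cash clerk omits:  ", reconcile(receivable, dropped))
    offset = tamper(tamper(cash, "S1", Decimal("110.00")), "S2", Decimal("240.00"))
    print("offsetting changes:", reconcile(receivable, offset))
```

Neither check can see a slip that was wrong before the two copies were made, since both clerks then post the same false amount.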

Seals and Security Printing:  In 2,000 BC Mesopotamia, warehouse keepers would take small marker objects or tables known as bullae, one for each item a customer stored there, bake the bullae into a clay ball known as an envelope, and make an official seal on the wet clay.  Later a customer could reclaim items by presenting the envelope intact to the warehouse keeper, who would break it open (after inspecting the seals) and allow the customer to take away each item matched by a bulla.

Seals were and are used to authenticate documents.  (Ornate seals are supposed to be hard to forge.)  For example, a signet ring would be used to make an impression in some sealing wax melted over a lock.  This wax is brittle, and if the seal is broken it cannot be resealed without detection unless the original signet ring is used.

Today seals have evolved into security printing.  Examples include currency (the Intaglio process and others), watermarks (today, digital watermarks), and price stickers on merchandise that can’t be lifted off without ripping.

Tamper resistance means that something can’t be changed (or in some cases, examined) easily.  Tamper evident means no changing (or examination) without leaving evidence.

Examples include weighted naval code books and lead-lined dispatch cases that could be tossed overboard in the event of imminent capture.  Special papers could be used that instantly burn to fine ash, or are water soluble.  Other forms include foodstuffs and medicine bottles, and computer cases that warn (or reset) if the case is open (HCC uses these!).  Modern versions include smart-cards.

Emission security refers to preventing a system from being attacked using conducted or radiated signals.  Examples include power analysis (power consumption monitoring), where writing a “1” to an EEPROM may consume more power than writing a “0”, and analysis of the RF signals given off by monitors, cables, etc.

In WWI (1914), field phones were used to talk to headquarters from the front lines.  These were literally grounded, but it was found the signals could be heard in other field phones hundreds of feet away!

Modern information security involves information stored in computers, and thus its history stems from early computer security work done since 1950.  Most innovations have been discovered only in the past 30 years or so, making “InfoSec” a young discipline.

The US military has identified electronic communication networks as a new theater of war, and the USAF clearly believes that America should have a robust offensive capability in that theater.  They have formed the AFCYBER Command at www.afcyber.af.mil.

Early on, computers were not networked, but ran one batch job at a time.  No security was implemented, but having the next batch job read leftover data stored on disk or RAM was a potential problem.

By the end of the 1960s, multi-tasking computers permitted multiple users to run jobs concurrently.  One of the first information security related publications was in 1968 by Maurice Wilkes, discussing passwords.  Even today, people don’t heed that advice!

With the growth of networking computers, security became a more difficult concept to fully understand, let alone implement.  For example, Internet protocols evolved from ARPAnet, which was concerned that enemies might crash a vital computer.  The protocols invented (which later became TCP/IP) were designed to keep the network functional even if a few nodes were knocked out.  However, it was apparently assumed that all users of the network were friendlies, and all nodes and users would “play by the rules”.  Clearly this assumption is no longer true, if it ever was.