Some years ago I wrote a subsection in my thesis (sec 8.4.3, p. 154), entitled “How Many Security Officers are Best?”, where I reviewed over the various operating procedures I’d seen for Hardware Security Modules, and pondered why some people chose to use two separate parties to oversee a critical action and some chose to use three. Occasionally a single person is even deliberately entrusted with great power and responsibility, because there can be no question where to lay the blame if something goes wrong. So, “one, two, or three?”, I said to myself.
In the end I plumped for three… with some logic excerpted from my thesis below:
But three security officers does tighten security: a corrupt officer will be outnumbered, and deceiving two people in different locations simultaneously is next to impossible. The politics of negotiating a three-way collusion is also much harder: the two bad officers will have to agree on their perceptions of the third before approaching him. Forging agreement on character judgements when the stakes are high is very difficult. So while it may be unrealistic to have three people sitting in on a long-haul reconfiguration of the system, where the officers duties are short and clearly defined, three keyholders provides that extra protection.
Some time later, I mentioned the subject with Ross, and he berated me for my over-complicated logic. His general line of argument was along these lines “The real threat for Security Officers is not that they blackmail, bribe or coerce one another, it’s that they help! Here, Bob, you go home early mate; I know you’ve got to pack for your business trip, and I’ll finish off installing the software on the key loading PC. That sort of thing. Having three key custodians makes ‘helping’ and such friendly tactics much harder – the bent officer must co-ordinate on two fronts.”
But recently my new job has exposed me to a number of real dual control and split knowledge systems. I was looking over some source code for a key loading HSM command in fact, and I spotted code that took a byte array of key material, and split it into three components each with odd parity. It generates two fresh totally random components with odd parity, and then XORs these onto the third. Hmmm, I thought, so the third component would contain the parity information of the original key, dangerous — a leakage of information preferentially to the third key component holder! But wrong… because the parity of the original key is known anyway in the case of a DES key… it’s always odd.
I chatted to our chief technical bod about this, and he casually dropped a bombshell — that shed new light on why three is best, an argument so simple and elegant that it must be true, yet faintly depressing to now believe that no-one agonised over the human psychology of the security officer numbers issue as I did. When keys are exchanged a Key Check Value (KCV) is calculated for each component, by encrypting a string of binary zeroes with the component value. Old-fashioned DES implementations only accepted keys with odd parity, so to calculate KCVs on these components, each must have odd parity as well as the final key itself. For the final key to retain odd parity from odd parity components, there must be an odd number of components (the parity of keys could be adjusted, but this takes more lines of code, and is less elegant than just tweaking a counter in the ‘for’ loop). Now the smallest odd integer greater than one is three. This is why the most valuable keys are exchanged in three components, and not in two!
So, the motto of the story for me is to make sure to apply Occam’s Razor more thoroughly when I try to deduce the logic behind the status quo, but I still think there are some interesting questions raised about how we share responsibility for critical actions. There still seems to be to me a very marked and qualitative difference in the dynamics of how three people interact versus two, whatever the situation: be it security officers entering keys, pilots flying an aircraft, or even a ménage à trois! Just like the magnitude of the difference between 2D and 3D space.
If one, two and three are all magical numbers, qualitatively different, are there any other qualitative boundaries higher in the cardinal numbers, and if so, what are they? In a security-critical process such as an election, can ten people adjudicate effectively in a way that thirty could not? Is there underlying logic or just mysticism behind the jury of twelve? Or, to take the jury example, and my own tendency to over-complicate, was it simply that in the first proper court room built back a few hundred years ago, there happened only to be space for twelve men on the benches on the right hand side!
13 thoughts on “How many Security Officers? (reloaded)”
Another mathematical (as opposed to social) advantage of 3 over 2 is in high availability. With 2 servers there is a risk of what has become known as the “split brain” problem: if 2 servers can no longer communicate with each other, each assumes the other is down and goes on alone – so the same aeroplane seat gets sold twice, or the same person can vote twice, etc.
With 3 servers you can design it around the idea that any servers still able to talk to each other can keep in sync and if any 2 of the 3 can communicate then they can regard themselves as authoritative and perform transactions, while any 1 out of touch with the other 2 must assume it has fallen behind.
To implement Byzantine fault-tolerance properly you need four servers. See Mike Reiter’s early papers on things like Rampart and Omega
Prof. Ross Anderson is right, it should be three. Other reasons: “social engineering”, i.e. bluffing the officers into doing something they shouldn’t, and blackmail. Both are harder to do the more people are involved.
This reminds me of a common fallacy in business communication: if I send a message to more people then more people will read it. In practice the busy executive thinks “Lots of other people will read this so I don’t have to”. The result is that nobody reads the message.
If you are one of three security officers asked to approve something, but you need to rush to catch a train, you might think “I don’t need to check this because so long as one of my colleagues checks it I am alright. I don’t think that they will collude”. They don’t need to collude – if two of them think that way then only one needs to be dishonest to do something wrong.
If you are one of two security officers asked to approve something and you need to rush to catch a train, you ought to think “If I don’t check this my colleague can do something dishonest without being noticed”.
Under such circumstances, two security officers are more secure than three.
p.s. A standard SWIFT installation has two security officers, called Left and Right. SWIFT privileges are very flexible, and can accommodate Byzantine security policies, but it is very difficult to add a third security officer.
your post reminded me of simmel and his dyad and triad:
(taken from: http://www2.pfeiffer.edu/~lridener/DSS/Simmel/SIMMELW5.HTML)
A dyadic relationship differs qualitatively from all other types of groups in that each of the two participants is confronted by only one another and not by a collectivity. Because this type of group depends only on two participants, the withdrawal of one would destroy the whole: “A dyad depends on each of its two elements alone–in its death though not in its life: for its life it needs both, but for its death, only one.”
When a dyad is formed into a triad, the apparently insignificant fact that one member has been added actually brings about a major qualitative change. In the triad, as in all associations involving more than two persons, the individual participant is confronted with the possibility of being outvoted by a majority.
The triad is the simplest structure in which the group as a whole can achieve domination over its component members; it provides a social framework that allows the constraining of individual participants for collective purposes. The dyad relies on immediate reciprocity, but the triad can impose its will upon one member through the formation of a coalition between the two others. Thus, the triad exhibits in its simplest form the sociological drama that informs all social life: the dialectic of freedom and constraint, of autonomy and heteronomy.
To Mark Lomas: As I understand the situation, each officer has to do something, not just agree. He has, for example, to take a particular smartcard out of his personal safe and type the password known only to him, and make a suitable entry in a control log. Even if he is tricked into doing something he shouldn’t have done it will be more difficult to hide the traces with three.
I think few would disagree that diminished responsibility sets in as the numbers entrusted rise, but I’m not quite sure Mark’s argument that it sets in as soon as at three is right. But I’m warming to it!
Part of this comes down to an issue I didn’t want to over-complicate the original post with … the difference between what I call “active” and “passive” dual control. Active dual control by my definition is where everyone has something to do during the procedure, whereas passive is where one or more parties remains passive and just watches.
I suspect that some arguments for 2 vs 3, (or for 3 vs 2) apply to active dual control scenarios, and some apply to passive. Maybe it’s 2 man dual control for passive, and 3 man for active? And maybe the role of “key material holding” could be quite a different role from “ensuring a good procedure is followed”, even if both of these activities ultimately result in the same thing… breach of the key.
There’s another reason for preferring 3 components, which I think is even more compelling.
Suppose one key component is compromised (i.e. published). With two components, the other custodian now knows the key. With three components, the key remains confidential.
I smell a small problem with the “security” of the key.
If you have one person they can use or not use the key at their choice, so you have two bad situations,
1, They disclose the key to an untrusted other
2 They withold the key from use at a critical time
Both are bad for the organisation and the second can easily happen accidently (why do people fall under busses 😉
Likewise the more people who share a secret where the secret is dependent on all the parties being available the more oportunity there is for option 2 to happen (there is also the last person problem as well).
So when you split your secret you realy should split it as a set of m from n parts or shares where any m are required to make the whole secret but there are n people who have it this adds resiliance to the system, but also does not detract from the security by the same extent.
Secondly it is possible to create your shares so that you can trace each share back to the originator even when m shares have been put together again to access the secret.
The problem from a technical view point, is that it needs a lot carefull thought and the appropriate hardware/software etc and you could easily put a hole in the whole thing if not properly iplemented.
And no it does not require complex maths just good system design 😉 The next problem is that humans cannot remember sufficient data to do this so you need to put the share onto a token of some form….
However all problems asside there are also very real advantages to m of n shares. For instance with countries implementing laws to say “reveal your key or go to jail for X years” it is quite easily possible for the organisation to show that there is insufficient people who have shares available in the jurisdiction at the same time
I have speculated that the reason petit juries have 12 members is that Jesus was said to have 12 disciples.
It’s a tougher question than one might think. Considering only criminal trial juries, you want few enough jurors that they will be able to reach a unanimous verdict if the evidence supports one. Really, if the jury is too large, such unanimity might be impossible to obtain, regardless of the evidence. Also, it might be hard to summon a very large jury (especially at a 17th Century Assize) without empanelling some people likely to treat the defendant unfairly (either pro or con). On the other hand, you want a large enough jury that no one member will be likely to dominate all the others (by force of personality) to the detriment of justice. Also, there should be many jurors to increase the chance that one of them at least will spot any flaw in the evidence.
I think twelve is a good number. I’m certain that six are too few (despite the U.S. case of Williams v. Florida (1970). Ten? I dunno. At this point I would prefer to stick with twelve just to avoid squabbling.
I have speculated that the reason petit juries have 12 members is that Jesus was said to have 12 disciples.
Good point, and I suspected as much partly, but I guess the issue just moves… Any theologians/historians care to comment why Jesus had 12 disciples? (or should that be 13?)
Complex explanation — number of mystical significance
Simple explanation — number that could easily fit in a fishing boat?
I think the answer is simpler for those who are old enough to remember when Decimal (base 10) systems where considered the worse (French) option than duodecimal (base 12 or dozenal) ones. We see 12 or multiples thereof being used in curency, mathmatics, time, geometry, astronomy, astrology etc. ie in just about every human endevor prior to the industrialised world (in fact the word Hundred was derived from the Old Germanic *hund for multiples of 120).
I have been told (by a Frenchman) that in fact the French pushed Decimal throughout Europe as oposed to duodecimal due to their hatred of the English, I personaly think it is untrue but it makes a good story line 😉 However there might be a grain of truth in it as the original European trading currency was French, before Charlemagne and Offa (of the Dyke on the English/Welsh Boarder) changed things As the Catholic Holy Roman Empire pushed LSD (the money not the drug ;).
Therefore the harsh reality of duodecimal predates that of decimal in England, Europe, and many Near/Middle Eastern cultures by many many centries, if not the odd millenia or five, so easily predates that of Christ, and 12 would have been in very common usage in his time. Interestingly the assumed halving relationship between the Tyrian shekel half shekel and smaller bronze coins of Christ’s time apears to be only assumed not known by modern historians.
The joke on the British Pound-v-Euro supporters is that the Pound (or as it was once known LSD for the Latin leters for Pound=libra, Shilling=solidus, and Pence=denarius,) was a European invention of the fledgling Holy Roman Empire/Church (Popish Knavery again 😉
LSD was the trading currency developed by King Charlemagne (Crownd Emperor of the Holy Roman Empire in Rome on Christmas Day 800AD by Pope Leo III). It only got going in England due to King Offa of Mercia (Anglo-Saxon) being budy-budy with Charlemagne for his own political good. The previous trading currency had been the sou.
Just to be awkward in 1489, King Henry VII gave rise to the English Gold Sovereign (think of divorce as the possible root cause of this). It’s value varied between 20 and 30 shillings over the years and due to this the first machine struck milled edge gold pound coin was struck in the Tower of London (then the Royal Mint). This coin was known as the Guinea, the machine and the milling was down to Sir Isaac Newton the then Mintmaster and was designed to stop coin trimming and illegal minting (an offence if caught in the Mint would give rise to execution for the offender and castration for the Mintmaster as would any other theft so he might have had a little incentive on his mind). Unfortunatly the value of the Guinea also changed due to the inflationary preasures of war etc during the years. It eventually settled at 21 shillings or a Pound and a Shilling which tailors still billed their clients in untill the mid 1970’s (I have such a bill at home from my first “proper jacket”). I belive that some Savile Row tailors still do bill in “Gentleman’s currency” (even though it is probably illegal).
Money aside there is a simple argument for base12 which is similar to base 10 which is to do with your hands. Base 10 is obviously the number of digits (fingers and thumbs) on both hands. Base 12 less obviously is the number of finger sections on one hand (excluding the thumb) and this would have provideded an esentialy easier way of counting, whilst keeping your other hand on your valubales 😉 .
Added to this is the simple fact that for trading 12 is an easy number to subdivide into equal parts based on 4-n-3 (the number of fingers and the number of joints).
However one of the oldest trading civilisations is that of the Babylonians, who used base 60, which they inherated from the Sumerians. Because of their sense of navigation and trade.
If you think about it 60 is a logical extension of base 12 finger counting in that you use the thumb as a pointer and then fold down the unused fingers and thumb of the other hand to give you the multiples of 12 upto sixty. Likewise you can also count easily upto 144 or an “Old English Gross” by simply using the methord of the first hand to count multiples of twelve.
Another touted reason for picking 60 is due to the average number of visable sun diameters within the day (360 or 720 including the night) so time could be fairly roughly calculated by experiance just by glancing into the sky etc. Time is quite important for navigation at sea so this is plausable, and in the Mediterainian Sea clouds are not realy that common during the day and are usually quite small. Esentiallytime alowance for the motion of the Sun would give a reliable way of obtaining a (reasonably) fixed point of refrence for a mariner to navigate by. This method actually gave rise to the sun compass used during the second world war by the 8th Army (Desert Rats) and David Stirlings fledgling SAS (which is why their berets are sand coloured).
The Babylonian civilisation in Mesopotamia replaced the Sumerian civilisation and the Akadian civilisation and are belived to be perhaps the oldest civilisations to trade outside of their base geographical regeions and record their endevers. This belife is based on the simple fact of their written records in clay tablets (which historians use for their arguments).
The Babylonians where also thought to be the first civilisation to use written cryptography and “tamper proof envelopes” for secrecy (ie bake your clay tablet, get fresh clay sprinkle it with something dry such as sand or flour on one side, fold the sprinkled clay over the baked tablet seal the sides down like a pastry, put the receipiets address etc on the outside and bake again, if it’s unbroken when the recipient gets it it is unlikley to have been tampered with).
One person of historical note on the subject of number bases was the Greek mathematician who worked in Alexandria known as “Theon of Alexandria” who in the fourth Century AD asked a similar question as to number bases and their uses by different cultures. He argued that 60 was used as it was a number that was evenly divisable by 1,2,3,4,5,6,10,12,15… (however his argument does not hold true for the points of the compas which are at 22.5 degree intervals). In fact base 60 was used for mathmatics well into the last millenium so some traditions hold longer than others, Donald Knuth has an argument for continuing to use it in his Art of Computer Programing books.
The often touted argument that the Babylonians thought the world was considerd to rotate in 360 days which is an easy multiple of 60 is obviously false from their written records, they knew that it was (almost 365.25 days) the near equivelant to 13 periods of 28 days (phases of the moon) and 364 surficed as a realistic measure to them simply because the Moon featured strongly in navigation etc. The short year survived in Europe up until Pope Gregory and his advisers had enough of season slippage, which is why we now have leap years, and leap centuries. Most other non christian cultures still use the Lunar calender for religeous activities. Amongst other things Pope Gregory is also belived to be the first person to write music down so that Religeous songs could be maintained across the Holy Roman Empire.
Interestingly the Babylonian writen script for numbers up to 60 is actually based on two charecters the Least significant being base 10… Which is why the usual arguments touted about Babylonian base 60 usage fall down.
The current argument is that the Babylonians picked 60 due to the historical intermingerling of two seperate races one that used base 12 the other that used base 10. And that over time a compromise that all were happy with (ie base 60) was reached.
So we come back to the argument that base 12 is just easier (by tradition etc) for humans to work with.