November 8, 2004
Hand Drills and the Art of House Building
Some people seem to think that security and cryptography are the same thing. They think that adding cryptography to a product will make it secure. I used to think that, but I was wrong. When reading Secrets and Lies by Bruce Schneier, I realised that cryptography can be compared to a hand drill, and that security is like building a house. That is, cryptography is a tool for security, just like a drill is a tool for building a house.
Lots of so-called security courses are in fact cryptography courses, and I believe that this misconception is a big mistake; it is like giving a course about the inner workings of a drill and calling it "House Building 101": it doesn't make sense. Worse is that people following this course will think that they're able to build a house, and will end up building a crappy house. You won't be able to make a secure program if you think that cryptography is the only thing needed for security.
In fact, when building a house, you don't even need to understand how a drill works; you only need to know how to use it, the different kinds of drills and when you should or should not use them. Again, this is the same for cryptography: you don't need to know the implementation differences between RSA and DH, but you need to know that DH does its key exchange during the transaction while RSA can store its public key in a file for later distribution.
It is also possible to build a house without using a drill; it will be more or less easy depending on the kind of house, but most of the time it will be possible. Once again, this is the same thing for cryptography and security: it is perfectly possible to build a secure program without using cryptography. Some kinds of programs will be harder to secure without cryptography, but most of the time it will be possible.
I believe that one of the reasons why a lot of security courses focus only on cryptography is that security is hard to teach; it's almost philosophy. Exams are almost impossible to make. I understand that professors can be tempted to drop these vague security ideas and go with the solid maths: explain the RSA equations, and ask the students to encrypt and decrypt "Hello World" at the exam. That's easy to teach, isn't it? What sucks is that you end up with drill experts trying to build houses.
That's what I witnessed at my University in the last couple of years. For quite some time now, the Computer Science department wanted to start a Software Engineering program, so they provided a curriculum (list of courses) for that program. One of these courses was called "Security, Pirates and Cryptography" (I guess they meant hackers/crackers instead of pirates). There was no description for this course, but it looked very interesting. Last year, they got the approval to start the program. This course is now called "Cryptography and Computer Security", and when you look at the description, you realise that it only talks about cryptography. Why give a complete security course when you can just drop some mathematical equations on the blackboard?
Please make sure that you know what you're getting when you're enrolling in a security course. Be sure to read the complete course description; if it only talks about cryptography algorithms and you're interested in security, then you don't need it. You can take it if you want to, but don't pretend to know more about security when you finish the course. You'll know more about drills, but don't hope to know the art of house building. After all, security is an art, and maybe that's why it's so hard to teach. I believe that this is not a valid reason not to teach it.
Posted by gfk on November 8, 2004 7:32 PM