Tuesday, April 17, 2001

Networks of Trust - Who Betrayed Harry Potter's Parents?

The best-selling children’s novel, Harry Potter and the Prisoner of Azkaban, illustrates several important points about trust.

Harry’s parents are hiding from the Dark Lord ("He Who Must Not Be Named"). James Potter can nominate one friend to guard the secret of his whereabouts, and chooses his strongest and apparently most trustworthy friend – Sirius Black. But for Sirius, being the obvious choice makes him immediately vulnerable to attack: in systems engineering terms, he is a single point of failure. He decides that the Potters’ secret would be better guarded by a less obvious person, and delegates the responsibility to a weaker wizard – Peter Pettigrew – who immediately betrays the Potters.

This is an example of transitive betrayal. It illustrates the following points:
  • The strongest component is the most obvious place to attack – and this makes it vulnerable. A powerful adversary trying to break the system, or to breach its security, may well think it worth investing effort into finding how to break the strongest component. (The system is as weak as its strongest link.)
  • This leads to the Decoy pattern. A highly visible component draws fire, but isn’t really worth attacking. This is like sending an armoured truck out of the front gate containing the sandwiches, while the gold bullion slips quietly out of the back gate in an unmarked, unarmed van. (The system is stronger than its strongest visible link.)
  • However, the Decoy pattern is worthless once the illusion is broken. Strength that depends on secrecy is always vulnerable to leakage. A linear (one-to-one) delegation chain is as strong as its weakest link.
  • To delegate responsibility to weaker components, we need to use the Distributed Delegation pattern – where the system now relies on the concerted strength of all the components working together, rather than being vulnerable to the weakness of each. Parallel (one-to-many) delegation is much stronger than linear delegation.
  • Trust is transitive – whether you like it or not. If you trust a component or service from company X, and this depends on a component or service from company Y, then you are implicitly trusting company Y as well, although you may not even know that company Y exists.

Extract from an article published in the CBDI Journal, April 2001.

No comments:

Post a Comment