Mythic Monday – Brünnhilde Sleeps

In Wagner’s Ring Cycle, Brünnhilde is cursed by Odin for fighting on the wrong side of a battle. She is put into a coma and hidden behind a wall of impenetrable fire until a rescued by a brave hero. (For those that want more detail, but don’t want to spend 15 hours listening to an opera, look here.) As is always the case in myths and legends, the hero shortly arrives, gets through the fire alright and rescues the “damsel” (who was truly a Valkyrie).

Now, the Ring Cycle is amazingly complex and even this tiny little bit lends itself to a great many security-focused interpretations (firewalls, penetration testing, identity theft), but today I want to look into encryption and steganography.

Essentially, when Brünnhilde upset Odin, he hid her inside a mortal woman (steganography) and isolated her from access to all but one person (the encryption key). Just as in business, there are risks inherent to Odin’s plan. If the encryption is too weak, Brünnhilde might be rescued by someone other than Siegfried, her intended. On the other hand, if it is too strong, or Siegfried happens to fall upon some trouble prior to the rescue, she might never be freed.

Luckily for aficionados of myth and fifteen hour long operas, literary convention protects us from a story involving Brünnhilde roasting behind a wall of flame for millennia or one in which she is rescued by Fred the Handyman. Alas for us though, literary convention does not protect businesses.

When a business protects it’s data with encryption, it takes the risk the the keys may be lost. If they are, it’s all up to the level of encryption used. If the encryption is too strong, the data is effectively lost (Brünnhilde sleeps forever). If, however, it’s too weak, the data may be recoverable by you (or your competitor, Handy Fred).

Similarly, Odin’s plan of hiding his Valkyrie within the form of a mortal woman is quite clever. However, it’s only useful so long as it is rare. If every mortal woman (or even a reasonably large percentage of them) were truly an otherworldly warrior woman, someone who wished to engage in the practice of uncovering the Valkyrie within (never wise) would simply need to get a decent sample of mortals and start decryption activities. In business, this would be like an attacker checking every file on a website for evidence of steganography. Once found, they would know which ones to check out for hidden data.

There are two main lessons to learn from this myth. First of all, if you encrypt something, be sure to have a key. If you think that there is a reasonable risk that your key may be lost (Siegfried did have a troubling habit of battling dragons and otters), it may make sense to make backup copies. Though having a stash of emergency backup heroes would make for a pretty poor myth, it is essential in the business world.

Quite to the opposite, while steganography works well in myth, it’s less effective in the business world. If you hide your vital data (or Valkyries) in other files (or mortals), it’s only useful so long as you remember where it’s hidden. If you want to share the vital data, you have to let others know where it’s hidden… and a shared secret is only good so long as both parties keep it and no third parties listen in. After all, if you have a secure channel through with to share the existence of the steganographic file, you might as well just share the data. Heck, even in the myth, the fact that we know that Odin hid Brünnhilde within a mortal means that the secret wasn’t kept.

That’s not to say that steganography is useless, but it is quite limited within a traditional business environment. Better, perhaps to focus on the encryption side and make sure that the data cannot be read even if found. Then you don’t have to worry about supporting back channels and can devote all your resources to protecting known data rather than trying to hide it. (On the defense side, being aware of steganography as a back channel is very useful, but protecting against it and using it operationally are very different things.)

So, in the end, it would be wise to use encryption where you can, not be distracted by steganography, and avoid Norse sagas as they never really work out well for anyone involved.