Cinderella and the signature-based detection

We examine the tale of Cinderella, one of the earliest stories that attempts to teach children basic cybersecurity principles.

In the olden days, people were not exactly au fait with technologies that wouldn’t appear for centuries or even millennia, which is why the cybersecurity lessons we find in fairy tales tend to need some excavation. Encrusted in metaphor, conjecture, and literary tinsel, the original meanings of familiar fairy tales can be distorted or lost entirely. Fortunately, Cinderella managed to escape that fate.

The earliest version of the tale was recorded on Egyptian papyrus; Cinderella isn’t just another European folk story. In short, it is about a young woman in distress who finds traditional happiness with the aid of a supernatural entity. (In the version by Charles Perrault, that entity is the fairy godmother; for the Brothers Grimm, it’s a tree growing on Cinderella’s mother’s grave. In the ancient Egyptian rendering, the god Horus assumes the role. Such minor discrepancies need not distract from the core message.)

The common element — and the most important aspect from a cybersecurity perspective — is the pivotal shoe/glass slipper incident. Despite the exotic spice of the Egyptian original, we will rely on the European versions as the most familiar to the reader.

Fake identity

Let’s begin. Our heroine lives in a house with her father, stepmother, and stepsisters. Tasked with menial jobs such as sorting grain, Cinderella tries to automate the drudgery by engaging the help of pigeons and doves. Even in the earliest version of the tale, this is possibly a reference to sorting not physical objects but rather huge amounts of data.

At the same time, Cinderella dreams of going to a ball at the king’s palace, but she cannot — not because of work but because she won’t be allowed in. She would need a beautiful dress and a carriage, and her family refuses to help. The fairy godmother comes to her rescue, turning a pumpkin into a carriage, mice into horses, and rags into a gown.

In essence, the fairy godmother creates a fake identity for Cinderella so she can attend the ball incognito. Remember that in days of yore the word hacker did not exist as such, and people attributed such wizardry to sorcerers and enchantresses. But never mind the days of yore — even now, hackers are portrayed in popular culture as omnipotent technoshamans!

Access to the ball clearly doesn’t require an invitation (that is, initial authentication), so all Cinderella has to do is register at the entrance. Trouble is, her original identity does not fit the selection criteria, whereas the fairy godmother’s fake obviously takes them into account.

Digital certificate

The details of Cinderella’s identity alteration soon become clear, when the fairy godmother warns her that her new image will disappear at midnight. When that happens, everyone will see rags, not a gown, vermin in place of horses and servants, and so on. What could form the basis of this plot device? Judging by the realities of medieval Europe, absolutely nothing. It seems instead to be some kind of artificial limitation. But let’s recall what exactly happens at midnight: The date changes.

Anyone who’s ever forgotten to renew a website’s SSL certificate understands this scenario very well. Literally one second ago, the certificate was valid and users were calmly browsing your site. Then the certificate expired, and browsers started displaying warnings and stubs instead of your content. The website turned into a pumpkin at the stroke of midnight.

Certificates work roughly the same way in digital tokens — that is, access keys. They are valid for a limited time, which means that at some point they too stop working, whereupon the system instantly ends the connection (assuming everything is set up properly). All of a sudden, poor Cinderella becomes an imposter at the ball. Why the fairy godmother is unable to make a more reliable certificate is not clear, but most likely she lacks direct access to a certificate authority.

Signature-based detection

Realizing that her time is running out, Cinderella runs from the palace, losing a shoe or glass slipper, the only part of her new identity that is real, in the process. The Brothers Grimm version is especially interesting here. In their interpretation, the shoe is not lost by chance, but rather because the prince smeared the stairs with pitch to obtain a fragment of the mystery girl and use it to trace her. In other words, he deployed some kind of cyberthreat-detection system. The prince then uses the shoe as a basis for a tool for detecting objects of the “Cinderella” type and launches a global search, checking the feet of all young maidens in the land.

That is basically how many antivirus engines work. Antivirus experts take a section of malware code, create a “shoe” from it (called a hash), and then match it against incoming data. We use this technology, called signature-based detection, in our solutions, although it hasn’t been our main method of detection in quite some time.

Hash spoofing attempt

In any event, the Brothers Grimm — who, for some reason, creepily focused on blood in their early fairy tales — take this lesson one (shoeless) step further. In their version of the tale, Cinderella’s stepsisters try to spoof the hash by literally cutting their feet to fit the shoe. But hash spoofing is not easy. Unsurprisingly, the sisters’ hash is off the mark, and the prince’s signature-analysis engine rejects it.

Thus, using this tale and our post, you can explain to your kids such basic concepts as identity forgery, digital certificates, and signature analysis. We recommend availing yourself of this opportunity — if only to keep the efforts of such eminent cybersecurity experts as Charles Perrault and Jacob and Wilhelm Grimm alive.