The Crypto Rat Pack

The RSA security trade show has come and gone, but before I file my notebook away, I wanted to share my favorite comments and bon mots from my favorite event: The Cryptographers Panel.

This year's stellar panel included Ron Rivest, Viterbi professor of computer science at the Massachusetts Institute of Technology; Whitfield Diffie, chief security officer at Sun Microsystems; Adi Shamir, professor of mathematics and computer science at the Weizmann Institute of Science in Israel; and Martin Hellman, professor emeritus of electrical engineering at Stanford University. Diffie and Hellman are co-inventors of public-key cryptography; Rivest, Shamir, and Len Adleman wrote the RSA algorithm. (The three also founded conference sponsor RSA Security.)

With his long, snowy hair and beard, Diffie looked like a wizard in a blue suit. He talked about a new level of receptivity in Washington to his call for a unification of civilian and military/governmental techniques, and particularly cryptography--the very suggestion of which has long been greeted with ''horse laughs'' from inside the Beltway. At a recent conference, Diffie said, the NSA announced ''Suite B,'' a set of unclassified cryptographic algorithms that are trusted to protect classified information.

''There has been a slow recognition in every quarter that information security is a worldwide problem,'' he said, ''and that cryptography is the cutting edge of securing the interoperability required in a global, computer-mediated economy.''

Diffie offered the best sound bite of the day: ''Write down your passwords; your wallet is a lot more secure than your computer.''

Rivest was jovial-but-serious as he expanded on a discussion that actually began at last year's conference around the weaknesses of SHA-1. The hash algorithm at the center of many security products was compromised during (or close to) that show by three Chinese researchers. Rivest called for an industry-wide push to develop a next-generation hash algorithm to replace it by 2010. ''We are skating too close to the edge with the hash functions we use now,'' he said.

A hash algorithm is a function for examining input data and producing an output value--in other words, it's a way to verify whether a piece of information has been altered. The Secure Hash Algorithm (SHA) refers to a group of related cryptographic hash functions that were designed by the National Security Agency. SHA-1 was the first successor to the original SHA (duh). And there are other variants.

Rivest's best line came with his scary wishes for a happy Valentine's Day: ''As every hacker knows, Valentine's Day is the day, when, with a bouquet of flowers and a deliveryman's uniform, you can get into any locked building in the country.''

Hellman worried about what he called the ''small gene pool'' in public key cryptography. ''There just aren't that many systems to choose among...'' Elliptic Curve Cryptography (ECC), he said, seems to be ''one new gene on a large chromosome.''

ECC is an approach to public-key cryptography based on the mathematics of elliptic curves over finite fields. It uses smaller key sizes and is well suited for smaller mobile devices, such as smart cards and cell phones.

Speaking with his arms crossed for most of the event, Shamir's body language put him somewhere between defiant and pissed off. But he almost smiled as he disclosed that he and a student had applied side-channel attacks against RFID tags.

''Everyone expects RFID tags to be huge,'' he said. ''They're everywhere. They're going to protect our identities in our passwords. They're going to protect items in stores. But the fact is, the first generation is very weak.''

At one point, the discussion veered to the question of what would have stopped the 9/11 terrorist attacks.

Shamir: ''If the government had asked everyone before September 11 to take off their shoes and show ID, etc., it wouldn't have prevented the attack. But if all of the guards and all of those people who are in aviation schools, etc., had been more aware of dangers, this would have stopped the attacks. You have to think, not about how to stop a specific attack, but have a kind of broad spectrum of protection.''

Diffie: ''Two things exactly were needed to stop the 9/11 attacks: locking the cockpit door and having the passengers beat up anyone who tried to take over the airplane. And we paid for our criminal cowardice over 25 years in handing airplanes to hijackers rather than fighting them.''

Hellman: ''I agree that taking off shoes and all of that wouldn't have stopped the criminals. What I'm saying is that if we had instituted security measures that would have stopped them, people would have complained about the costs and inconvenience.'' Effective security, he said, is a victim of its success. ''It's not crying wolf if you scared the wolf off and he never came,'' he said.

Thanks, guys. Until next year...

BTW: I have to give credit for the title of this entry to Steven Pine, the hyper conference moderator. Funny guy. Might want to consider decaf. 


About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached at [email protected].