The Crypto Rat Pack
- By John K. Waters
security trade show has come and gone, but before I file my notebook
away, I wanted to share my favorite comments and bon mots from my
favorite event: The Cryptographers Panel.
This year's stellar panel included Ron Rivest, Viterbi
professor of computer science at the Massachusetts
Institute of Technology; Whitfield Diffie, chief security officer at Sun Microsystems; Adi Shamir, professor of mathematics
and computer science at the Weizmann
Institute of Science in Israel; and Martin Hellman, professor emeritus of
electrical engineering at Stanford
University. Diffie and Hellman are co-inventors of public-key cryptography;
Rivest, Shamir, and Len Adleman wrote the RSA algorithm. (The three founded
conferende sponsor RSA Security
wrote the RSA algorithm.)
With his long, snowy hair and beard, Diffie looked
like a wizard in a blue suit. He talked about a new level of receptivity in
Washington to his call for a unification of
civilian and military/governmental techniques, and particularly cryptography--the very suggestion of which
has long been greeted with ''horse laughs'' from inside the Beltway. At a
recent conference, Diffie said, the NSA announced ''Suite B,'' a set of unclassified
cryptographic algorithms that are trusted to protect classified information.
''There has been a slow recognition in every quarter that information
security is a worldwide problem,'' he said, ''and that cryptography is the
cutting edge of securing the interoperability required in a global,
Diffie offered the best sound bite of the day: ''Write down your passwords;
your wallet is a lot more secure than your computer.''
Rivest was jovial-but-serious as he expanded on a discussion that actually
began at last year's conference around the weaknesses of SHA-1. The hash
algorithm at the center of many security products was compromised during (or
close to) that show by three Chinese researchers. Rivest called for an
industry-wide push to develop a next-generation hash algorithm to replace it by
2010. ''We are skating too close to the edge with the hash functions we use
now,'' he said.
A hash algorithm is a function for examining input data and producing an
output value--in other words, it's a way to verify whether a piece of
information has been altered. The Secure Hash Algorithm (SHA) refers to a group
of related cryptographic hash functions that were designed by the National
Security Agency. SHA-1 was the first successor to the original SHA (duh). And
there are other variants.
Rivest's best line came with his scary wishes for a happy Valentine's Day:
''As every hacker knows, Valentine's Day is the day, when, with a bouquet of
flowers and a deliveryman's uniform, you can get into any locked building in the
Hellman worried about what he called the ''small gene pool'' in public key
cryptography. ''There just aren't that many systems to choose among...''
Elliptic Curve Cryptography (ECC), he said, seems to be ''one new gene on a
ECC is an approach to public-key cryptography based on the mathematics of
elliptic curves over finite fields. It uses smaller key sizes and is well suited
for smaller mobile devices, such as smart cards and cell phones.''
Speaking with his arms crossed for most of the event, Shamir's body language
put him somewhere between defiant and pissed off. But he almost smiled as he
disclosed that he and a student had applied side-channel attacks against RFID
''Everyone expects RFID tags to be huge,'' he said. ''They're everywhere.
They're going to protect our identities in our passwords. They're going to
protect items in stores. But the fact is, the first generation is very weak.''
At one point, the discussion veered to the question of what would have
stopped the 911 terrorist attacks.
Shamir: ''If the government had asked everyone before September 11 to take
off their shoes and show ID, etc., it wouldn't have prevented the attack. But if
all of the guards and all of those people who are in aviation schools, etc., had
been more aware of dangers, this would have stopped the attacks. You have to
think, not about how to stop a specific attack, but a have a kind of broad
spectrum of protection.''
Diffie: ''Two things exactly were needed to stop the 911 attacks: locking the
cockpit door and having the passengers beat up anyone who tried to take over the
airplane. And we paid for our criminal cowardice over 25 years in handing
airplanes to hijackers rather than fighting them.'
Hellman: ''I agree that taking off shoes and all of that wouldn't have
stopped the criminals. What I'm saying is that if we had
instituted security measures that would have stopped them, people would
have complained about the costs and inconvenience.'' Effective security, he
said, is a victim of its success. ''It's not crying wolf if you scared the wolf
off and he never came,'' he said.
Thanks, guys. Until next year...
BTW: I have to give credit for the title of this entry to Steven Pine,
the hyper conference moderator. Funny guy. Might want to consider
John K. Waters is a freelance writer based in Silicon Valley. He can be reached
at [email protected].