Interesting People mailing list archives
IP: In Search of Computer Security
From: Dave Farber <farber () central cis upenn edu>
Date: Tue, 02 Jan 1996 09:17:07 -0500
The New York Times, January 2, 1996, p. C15. Special section "Business World Outlook '96."

In Search Of Computer Security
By John Markoff

Computer security is making a transition from the university and the research laboratory to the real world. So far it is proving to be a rocky evolution.

Last year, a series of embarrassing gaffes and shortcomings undermined the faith of potential computer users in the certainty that their data are secure. The flaws have led to a growing realization that computer security systems are largely untested and that in complex environments like the Internet, they do not always respond the way their creators had intended.

Paul C. Kocher, a computer security expert who discovered one potential flaw, said, "Many of the security systems that I am examining are good enough to keep out casual snoopers, but they're failing catastrophically when it comes to protecting data against determined attacks."

The problems are emerging as the computer industry increasingly relies upon an arcane mathematical discipline that is intended to hide the secrets embedded in digital information behind a veil of imposing math problems.

Cryptography, the science of writing secrets, was for centuries largely the province of kings, soldiers and spies. But that has changed in the 1990's as the world has rushed to use personal computers and computer networks as the basis for electronic commerce, communication and entertainment. Data scrambling has become the key to a vision that it will be possible to have private electronic conversations and secure financial transactions.

In principle, data coding protects information by scrambling it to keep it out of the reach of everybody but those with a supercomputer and tens or even hundreds of years to crunch the data. But computer researchers have begun discovering flaws, sometimes subtle and sometimes glaring, that can help criminals take devious shortcuts to obtain the mathematical keys used to scramble the data.

In August, a French computer hacker proved that it was possible to use a network of work stations to quickly find the secret key created by a coding system developed by the Netscape Communications Corporation, the leading developer of World Wide Web software. The feat cast doubts on the security of a system whose security had been scaled back to meet stringent United States Government export controls.

The following month, two computer science graduate students at the University of California at Berkeley reported a flaw in the Netscape software that would permit a technically skilled attacker to steal data by circumventing the complex calculations needed to break the code.

In October, a team of Berkeley researchers, including the two computer science students, detailed security weaknesses in the fundamental software of the Internet that make it difficult to protect data that is sent between computers.

And last month, Mr. Kocher explained a potential flaw in a widely used data coding approach known as public-key cryptography. The flaw could allow eavesdroppers to infer a secret key used to protect data in Internet security software, electronic payment smart cards and related systems by carefully timing how long it takes to compute the secret key.

Mr. Kocher said that while he believed that trusted electronic security systems would ultimately emerge, there should be no urgency to rush their deployment. Banks have spent several hundred years perfecting systems for protecting money, he noted, but they have far less experience with the new computerized systems designed to protect information that represents money.

One of the pioneers in the mathematics underlying most public key systems agrees that prudence is required in developing digital commerce. "Paul's discovery is one more piece of evidence that designing security mechanisms is tricky," said Whitfield Diffie, a Sun Microsystems researcher who was one of the co-inventors of the original public key technology.

"Given the trust that we will be placing in systems for electronic commerce," he continued, "we should be putting all the effort we can into getting them right."

[End]

----------

[Box]

1996 Will Be the Year When:

"Congress will pass a law restricting public comment on the Internet to individuals who have spent a minimum of one hour actually accomplishing a specific task while on line."

Andrew Grove, Intel Corp. CEO