Cryptography at the core of sound IT security

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,81955,00.html

By Chris Conrath
ITWorldCanada.com
JUNE 09, 2003

TORONTO - Whitfield Diffie, chief security officer at Sun Microsystems
Inc., likes to dole out his first tenet of IT security -- one no one
should forget.

"Whenever you have a secret, you have a vulnerability."

The tenet, given during the keynote at the Infosecurity Canada
conference in Toronto last week, points to one of cryptography's --
and IT security's, for that matter -- basic pillars: if you have
something you want to control, you have a problem.

Diffie, who is best known for his discovery of public key cryptography
more than a quarter century ago, spoke via satellite to a packed room
of IT experts, all of whom are trying to come to grips with their
growing difficulties controlling corporate information.

"The problem has diversified out around the solutions," he said,
noting that increased use of cell phones, pagers and mobile computing
devices has made an already difficult situation worse. Regardless,
there is too much business value passing through these devices for the
security issues to be ignored, he added.

Part of the larger problem is that there is no one effective way to
channel cryptographic needs since there are so many different
protocols, he said.

Diffie traced the entire security issue back to the origins of
cryptography hundreds of years ago, but he keyed in on radio as the
first example of a new technology that made the dissemination of
information easy but the control proportionally more difficult.

It was a great way to communicate but everyone else had access to your
data, he explained.

Diffie asserted that companies will have to get a lot better at
protecting their proprietary data if they don't want to find
themselves in the position of the dress designer who hands a pattern
to a dress maker only to find knock-off copies being produced days
later.

The solution may lie in the use of the new advanced encryption
standard (AES) Rijndael, Diffie offered, "If AES is as strong as it
appears.

"Assuming we are correct and the system is sound" we are looking at
tens of thousands of years before it could be cracked, he explained.

This assertion seems open for debate. In a Bruce Schneier CryptoGram
newsletter late last year, Schneier brought up the possibility that
AES could be cracked by techniques faster than brute force. However,
even Schneier -- himself a world renown cryptographer -- said there is
no need to panic, as the discussion around AES' vulnerability is
entirely theoretical.

Diffie added that even with the advent of quantum computing in the
near future, AES "traffic is not going to be read in the foreseeable
future."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.