RSA Panel: Cryptography Can't Foil Human Weakness

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,4149,1538027,00.asp

By Mark Hachman 
February 24, 2004 

SAN FRANCISCO - Enhanced security can solve many issues, but it can't 
improve the thing that sits between the keyboard and the chair - the 
user - a cryptographers' panel concluded Tuesday. 

The panel, a staple of the RSA Conference here, invited four of the 
industry's luminaries on stage with Bruce Schneier, author and chief 
technology officer at Counterpane Internet Security, to discuss the 
evolution of cryptography. The discussion soon turned to recent 
failures in information security, however, including the recent leak 
of some of Microsoft Corp.'s source code and the knotty security 
problem of social engineering. 

Each panelist - Whitfield Diffie, chief security officer at Sun 
Microsystems Inc.; Paul Kocher, president and chief scientist at 
Cryptography Research Inc.; Ron Rivest, Viterbi professor of computer 
science at the Massachusetts Institute of Technology; and Adi Shamir, 
professor at the Weizmann Institute of Science in Israel - came to the 
panel with his own view of security priorities. Rivest, for example, 
was concerned with the policy of security., Diffie, on the other hand, 
said the industry was shaping up for a battle over DRM. 

Increasingly, the panelists said, security experts' challenges have 
had less to do with the intricacies of cryptosystems used to wrap code 
than the real-world intricacies of standards and government 
guidelines. Rivest cited the case of Diebold Systems Inc.'s electronic 
voting machine code, which was found on the Internet and quickly 
picked apart as insecure. Until a grass-roots movement pushed for 
paper-based records to prove a voter cast a ballot for one candidate 
over another, the Diebold machine did not allow for independent 
verification of results. 

"Why am I, as a cryptographer, talking about such things?" Rivest 
asked, citing Archimedes' maxim: "Give me one smooth spot to stand on 
and I will move the world." "We have great levers to move things, if 
we have a smooth spot to stand on," Rivest said. "We have secure 
platforms and secure keys to move the earth a bit." 

Similarly, Kocher said he was "terrified" of the only solution he saw 
to enforcing consumer privacy—government regulation. While consumers 
have a strong incentive to maintain their privacy, law-enforcement 
agencies and large corporations do not, he said. 

Part of the fear engendered by government regulation is additional 
laws, which tend to entangle and complicate the flow of information, 
panelists said. For example, Kocher said, he was advised by his lawyer 
not to examine the leaked Microsoft code. 

"So we're in an awkward situation that is almost the worst of all 
possible worlds," he said. "We can't look at proprietary systems to 
improve our code, but the bad guys can." 

Diffie, meanwhile, focused on a fight he said is looming over the 
definition and implementation of digital-rights-management. Citing the 
recent lawsuits by the Recording Instiitute of American Artists 
(RIAA), Diffie said that the notion of compensating copyright holders 
had evolved into a situation in which those copyright holders had 
begun to dictate how consumers could use it. "Soon you'll only be able 
to buy a machine … where you won't be able to tell it what you want to 
do and it does it," he said. 

The panel failed to propose a solution for one of the most pernicious 
and pervasive security problems: the problem of the user itself. 
"Phishing" scams and other techniques to wrest personal information 
from users won't go away easily, they agreed. 

In perhaps the only actual discussion of cryptography, the Weizmann 
Institute's Shamir said the sun was setting on stream ciphers used to 
encode real-time data streams. Instead, the power of today's 
microprocessors could be used to encode data in blocks via block 
ciphers, which are more powerful but require a large amount of 
information to be buffered and then encoded. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.