Thursday, 1 March 2012
I spent Tuesday of this week at RSA Conference 2012 in San Francisco. Somehow, I ended up going to three panel discussions rather than actual talks. The most entertaining, in my opinion, was the Cryptographers' Panel. To begin with, it had an outstanding list of panelists, none of whom requires any special introduction: Whitfield Diffie (best known for Diffie-Hellman key exchange), Ron Rivest (the "R" co-author of RSA), Adi Shamir (the "S" co-author of RSA), and Stefan Savage (best known for his work on network worms, malware propagation, and distributed denial of service attacks).
The discussion started with a dissection of a paper titled, appropriately for this panel, "Ron was wrong, Whit is right". The main idea behind the paper is to check how secure the keys found in the wild actually are. It turns out that, unlike keys used in Diffie-Hellman based algorithms, RSA keys available on the internet are less secure: about two out of every thousand public keys share a common factor, probably because insecure random number generators were used to create them. Another point raised during this discussion was that there are no studies of malicious pseudo-random number generators, and that, in general, traditional cryptography is based on the assumption that keys are secure and are kept secure, which is clearly not the case. Defining a model for cryptanalysis in which this assumption does not hold is one of Shamir's latest research areas.
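To make the "shared factor" finding concrete, here is an added illustration (not code from the post or from the paper) of the check behind it: when two RSA moduli share a prime, a single gcd computation factors both, which is why such keys are worthless. The primes are small, constructed values so the arithmetic is easy to follow; the gcd step is identical for real 1024-bit-plus primes.

```python
# Added example: auditing a set of RSA public moduli for shared prime factors.
# A modulus n = p * q is only secure while p and q stay secret. If a bad random
# number generator hands the same p to two key generations, gcd(n1, n2) = p
# reveals it, and both keys are factored at once. This is the defender's
# check: run it over your own key inventory before someone else does.
from math import gcd
from itertools import combinations


def shared_factor_audit(moduli):
    """Return {(i, j): (shared_prime, other_factor_i, other_factor_j)} for every
    pair of moduli that share a non-trivial factor. Pairwise gcd is O(n^2) and
    fine for a small inventory; the paper's scan over internet-scale key sets
    needs a batch (product-tree) gcd, but the idea is the same."""
    found = {}
    for (i, n_i), (j, n_j) in combinations(enumerate(moduli), 2):
        g = gcd(n_i, n_j)
        if 1 < g < n_i and 1 < g < n_j:
            found[(i, j)] = (g, n_i // g, n_j // g)
    return found


# Constructed sample keys (primes chosen by hand for illustration):
# key 0 and key 1 were "generated" with the same prime p = 10007, key 2 is independent.
P_SHARED, Q0, Q1 = 10007, 10009, 10037
P2, Q2 = 10039, 10061
SAMPLE_MODULI = [P_SHARED * Q0, P_SHARED * Q1, P2 * Q2]


if __name__ == "__main__":
    for (i, j), (p, qi, qj) in shared_factor_audit(SAMPLE_MODULI).items():
        print(f"keys {i} and {j} share prime {p}: n{i} = {p}*{qi}, n{j} = {p}*{qj}")
```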
A number of other interesting questions were brought up. Savage and Shamir disagreed on whether it's harder to keep secrets now, with Stefan saying "no", and Adi saying "yes". However, all agreed that while cybersecurity will never become a science, security practitioners should apply scientific methods, such as rigorous gathering of experimental data, to many more scenarios than we do now.
The panelists also highlighted several major achievements that have occurred in the world of theoretical cryptography recently. The list is topped by the first key recovery attack on the full AES-128, which you can read about here. This is huge, even though it is not practically possible! The next one is the fact that ГОСТ (the Russian alternative to triple DES and AES-256) has also been theoretically broken, in May 2011, after being thought secure for the past 20 years. Finally, the SHA-3 competition is down to 5 finalists, and the winner should be announced later this year.
In the closing remarks, Rivest and Shamir touched upon more down-to-earth topics. Being one of the biggest names behind research in electronic voting, Rivest emphasized once again that online voting is a bad idea, and that we are simply not ready for it. And Shamir ridiculed the Iranian government for shutting down internet access to its citizens.
All in all, it was a great discussion, which led me to the following thought: even though the number of security breaches rises every year, none of these breaches have anything to do with breaking cryptographic algorithms. Even though both AES-128 and ГОСТ have been broken, it's nothing to lose sleep over, because the attacks are not possible in practice. This means that we're doing well on the crypto side. This is an incredible achievement! Of course, the other side of the coin is less bright: application-level flaws are still a problem and are usually the cause of these breaches. Which is why we are still here, doing our job at HP Fortify.