SSL Co-Author Reflects on Crypto Success and Failure [VIDEO]
What's wrong and what's right with SSL? Nearly two decades after he helped write SSL 3.0, Paul Kocher is looking to hardware for security.
In 1996, Paul Kocher helped author the SSL 3.0 specification that to this day remains the dominant form of encryption on the Internet.
Kocher is now the president and chief scientist at security vendor Cryptography Research, building hardware-based security solutions. In a video interview with eSecurity Planet, Kocher explains what's wrong and what still works with SSL, 17 years after he helped create it.
Cryptography today is as necessary as ever and Kocher compares it to bricks in a building, in that that it is a foundational technology.
"I started my careers working on protocols like SSL 3 and had this sort of naive optimism that if we got the protocols and the math right, the security would follow from there," Kocher said. "Then I spent a lot of time looking at software security, and realized that software developers are never going to get it right and the whole architectures that we've got are screwed up."
There are 100 million lines of code in some architectures, he added, and a line of buggy code can compromise the whole system. Kocher is now more focused on hardware cores that can perform specific security operations independent of the software.
"You can view this as failure," he said. "I've given up on trying to solve the big problem and am trying to find little problems where we can be successful."
In recent years, there have been a number of reported attacks against SSL, including the recent Lucky13 attack. That said, for the better part of the last 17 years, SSL has done a lot of things right.
"SSL is a simple protocol," Kocher said. "You can sit down, read it in an afternoon and so long as you understand the crypto basics you'll understand what it does, so it doesn't suffer from excess complexity."
The challenge that has emerged over the years with SSL is in converting the protocol definition into a strong implementation.
The large number of SSL certificate authorities (CAs) in modern browsers is not something Kocher expected to see when he authored SSL 3.0 in 1996.
"When I was working on the protocol, I thought that for Web browsers there might be one, two or three root CAs," Kocher said. "If you look in your browser, there are hundreds now."
With the SSL security model, a valid SSL certificate from any trusted CA inherently gives the browser trust in a particular key-pair. The risk of extended trust has been demonstrated to be a legitimate threat in recent years with the exploitation of multiple CAs including Comodo, DigiNotar and Turktrust.
Even with some of the challenges that SSL faces, Kocher remains confident it's better than not having it.
"The difference between sending your traffic in the clear, where any of the computers along the way can intercept it, versus having real encryption from the website to the browser, does make a big difference," he said.
Kocher is confident that SSL has been successful because it is news when a theoretical attack like Lucky13 is disclosed.
"You're unsuccessful when the failures aren't news anymore," he said.
Kocher wants to see an evolution of the current SSL model in which the trust relationship does not depend on all the different CAs. There are multiple options currently being considered by SSL CAs to do that.
In recent years there has been some discussion about the need to expand the crypto key length used in SSL. Today the norm is 1024 bit RSA keys.
"Arguing about key length is like arguing for about how thick a bullet-proof door you should have," Kocher said. "Of the things that I lie awake at night worrying about, the underlying math of the algorithms is not what I'm worried about; it's how the algorithms are used and the implementations."
Watch the video interview with Paul Kocher below:
February 27, 2013
Can the SSL certificate authority system be improved? A panel at the RSA conference discussed several promising approaches.