Modernizing Authentication — What It Takes to Transform Secure Access
A highlight of the RSA security conference in any year is the annual cryptographers' panel, and the 2015 edition taking place this week in San Francisco is no exception.
Adi Shamir, the "A" in the RSA acronym, said that as an old timer in the security space he knows full well that the more things change the more they remain the same. Shamir noted that he gave a keynote in the 1980s when people thought that cryptography would solve all of IT's security problems. At the time he came up with three laws of security, which he believes to still be relevant today.
The first law is that fully secure systems do not exist today and will never exist in the future. The second law is that cryptography will not be broken, it will be bypassed. The third law is that if you want to halve your vulnerabilities you have to double your costs.
Cryptographer Whitfield Diffie echoed Shamir's sentiment that things haven't changed all that much over the years. While people are talking about data breaches far more, the security challenges remain the same, he noted. In his view, static defensive postures have been underfunded and underrated.
"The current mess would be less if we had a more defensive posture," Diffie said.
Key Escrow, Heck No
A hot topic of debate during the panel was the idea of key escrow for the U.S. government, in which the government would be granted custody of encryption keys for law enforcement purposes. Ron Rivest (the "R" in RSA) said that if the U.S. had this kind of front-door access other governments would ask for the same thing, resulting in lots of keys being held by lots of parties.
"It's just not going to work," Rivest said.
Shamir was somewhat less diplomatic about government and key escrow.
"There is no difference between front and back doors," Shamir said. "The only difference is at the NSA they would just take your house and turn it around."
The panel also took aim at ransomware, a form of malware that encrypts a user's information until they pay a ransom. Cryptographer Paul Kocher referred to it as a "…pure evil incarnation of public key cryptography."
Rivest commented that while cryptography provides lots of good, it has downsides too. Shamir remarked that ransomware is an area where the security community has failed.
The panel also discussed the continued impact of the Edward Snowden NSA revelations. Ed Giorgio, a 30-year veteran of the NSA, had a very specific viewpoint on that issue. Giorgio said that after Snowden the NSA had a new mandate for more internal walls and increased compartmentalization to protect sources and methods.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.