Establishing Digital Trust: Don't Sacrifice Security for Convenience
SAN FRANCISCO: At the core of modern security is the idea that cryptography is essential. Yet this premise was challenged today by a panel of the world's top cryptographers at the RSA 2013 conference.
"Cryptography is becoming less important," Shamir flatly stated to the shock of his fellow panelists. "In the 21st century, even the most secure isolated systems have been penetrated."
Shamir challenged his fellow panelists and the capacity RSA conference crowd to rethink the question of how enterprises protect data. He argued that the security industry has traditionally based its approaches on the idea of preventing the insertion of malicious threats onto a system. This idea led to the creation of firewall and anti-virus software.
In recent years, however, hackers have demonstrated the ability to get past the perimeter firewall and avoid anti-virus detection as well. In an environment where attackers are placing advanced persistent threats (APTs) on systems, Shamir thinks that crypto is no longer useful.
"It's very hard to use crypto if you assume an APT is watching everything that is being done on a system, including the encryption," Shamir said.
Shamir suggested that security pros think differently about how to protect systems. One idea he mentioned: make useful files so large that attackers could not feasibly exfiltrate them from a system without detection. He also suggested that file names should reveal no real identity and use meaningless titles instead.
Whitfield Diffie retorted that the latter idea wouldn't work and would only serve to confuse the good guys.
Dan Boneh, professor of Computer Science and Electrical Engineering at Stanford University, chimed in to opine that cryptography is not being properly implemented.
There is a lot of client code implementing SSL that is not Web browser code, Boneh said. Web browsers have built-in logic to check the validity of a server's SSL certificate. Mobile applications that don't use the browser's code still need to verify the certificate against a certification authority (CA) themselves.
Boneh noted that he recently conducted his own study looking at apps to see if they were verifying SSL correctly.
"Almost every one has a misunderstanding and misconfiguration," Boneh said. "So a man-in-the-middle attack could be fairly easily executed."
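The misconfiguration Boneh describes usually comes down to a client that negotiates SSL/TLS but never validates the server's certificate chain against a CA, or never matches the certificate to the hostname it meant to reach. The following is an added example, not code from the article or from any of the apps in Boneh's study: a hypothetical "before" context that switches verification off, the hardened context a client should use, and a small audit function a reviewer can run against any `ssl.SSLContext` to flag the two weaknesses. Function names are my own; the `ssl` calls are the standard library's.

```python
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """Constructed 'before' example of the misconfiguration pattern (hypothetical
    app code): TLS is negotiated, but any certificate from anyone is accepted,
    so an interposed server is indistinguishable from the real one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE   # chain is never checked against a CA
    return ctx


def hardened_client_context(cafile: str = None) -> ssl.SSLContext:
    """What a non-browser client should do instead: validate the chain against
    the platform CA store (or an explicit cafile) and match the hostname.
    create_default_context() already sets CERT_REQUIRED and check_hostname=True."""
    return ssl.create_default_context(cafile=cafile)


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a context; an empty list means both
    CA validation and hostname matching are in force."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: certificate chain is not "
                        "validated against any CA")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not matched to "
                        "the requested hostname")
    return findings


def open_verified_connection(host: str, port: int = 443,
                             ctx: ssl.SSLContext = None) -> ssl.SSLSocket:
    """Connect with verification on. Passing server_hostname is what lets the
    library do the hostname match; omitting it is another common mistake.
    Not exercised here because it needs network access."""
    ctx = ctx or hardened_client_context()
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        problems = audit_client_context(ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The audit only inspects configuration, so it runs offline; in a code review, the same two questions (is the chain validated, and is the hostname checked) are what to ask of every non-browser SSL client, whatever library it uses.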