Download our in-depth report: The Ultimate Guide to IT Security Vendors
SAN FRANCISCO — You can have security or you can have speed, but you can't always have both. That's one of the points made by a panel of experts at the RSA Conference 2018 cryptographers' panel (listed as one of the top 10 sessions by eSecurity Planet for the event this year).
"I've been looking at the performance-security tradeoff, the idea that you can have speed and safety," Paul Kocher said. "I'm pessimistic about that perspective, because when technology has been optimized to be fast, security is a secondary objective."
Kocher is well known in the security community as the author of the SSLv3 security standard and a co-discoverer of the Spectre cyber-security vulnerability that affects silicon vendors. Kocher noted that he found the Spectre issues and reported them to Intel at nearly the same time as Google security researcher Jann Horn.
With Spectre, speculative execution issues in silicon used to help accelerate processing were found to be vulnerable. Kocher noted that the issue had been sitting in chips for years, and was somewhat surprising that it was only publicly reported by both Horn and himself recently.https://o1.qnsr.com/log/p.gif?;n=203;c=204652390;s=9477;x=7936;f=201803191633120;u=j;z=TIMESTAMP;a=20396194;e=i
Kocher lamented the embargoed discovery process for Spectre as well.
"More people were told than could keep a secret and press leaks led to a panic, " Kocher said. "We don't want to be an situation where attackers can make an attack and defenders can't defend."
Follow all our RSA Conference at the eSecurity Planet Guide to RSA Conference 2018.
Ron Rivest, the 'R' in RSA, said that in his view, blockchain is often used by vendors as a form of cyber-security "pixie dust," but it actually has little real useful utility. Adi Shamir, the 'S' in RSA, said blockchain could potentially help in a post-quantum cryptography world.
The risk with quantum computing is that one day, a quantum computer will be able to break RSA cryptography. Shamir said that with blockchain assertions, a digital signature could still have value in a post-quantum world.
Moxie Marlinspike, founder of encrypted messaging protocol Signal, said the primary value of blockchain is its distributed nature. That said, he added that the problem is that for most applications, distributed computing is not a needed property.
The cyptographers' panel also talked about Facebook and its privacy challenges. Kocher said Facebook made decisions that benefited the company and not its users.
"It's in their interest to take advantage of all the data they collect," Kocher said.
Cryptography pioneer Whitfield Diffie said the reason Facebook and others aren't more secure is so they can make more money.
Marlinspike noted that the European Union's General Data Protection Regulation (GDPR) will actually end up helping Facebook. He said part of GDPR is that users must consent to terms of service and Facebook can refuse service if users don't consent.
Shamir said there are lots of other good things in GDPR, such as privacy by design and the right to be forgotten, that will benefit Facebook users and others as well.
Looking forward, the cryptographers found few reasons for optimism. Rivest said he's happy that there is now a focus on elections security. Shamir, however, was a bit more pessimistic about whether or not security is moving forward at all.
"The silver lining I see in cyber security is that our job security is guaranteed," Shamir said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.