The RSA Conference is the biggest conference in security. This year there are 50,000 attendees. Yes, security is on everyone's radar, finally. It is in the Moscone Center, in all of North, South, and West, although it feels like the conference is being held on a building site, since half of Moscone North and South are still closed, bridges are being built across the road, and sidewalks are closed. Apparently, it will all be finished by the RSA Conference next year.

RSA is the name of the conference, the name of a company, and the name of an algorithm. RSA stands for Rivest-Shamir-Adleman, the three authors of the original patent on the algorithm, US patent 4,405,829. It was one of the first asymmetric encryption algorithms, where the key used to encrypt (the public key) and the key used to decrypt (the private key) are not the same. Since the public key is, as the name implies, public, this solves the key distribution problem: how you get the sender the key required without that transmission itself being vulnerable. RSA is actually pretty slow, so usually it is not used to transfer the real data. Instead, it is used to transfer a normal symmetric key that can then be used for the main data exchange. An interesting wrinkle is that the US patent system then allowed a patent to be filed within a year of first publication, but the rest of the world has no grace period (the US is the same these days). Since the three authors published a paper two weeks before the patent filing, it was not patentable in the rest of the world. The three inventors also founded the company RSA Security (now just RSA), part of Dell-EMC today.

The Cryptographers' Panel

On the first day of the conference, there is the Cryptographers' Panel, featuring legends in cryptography. This year's panel was:

Moderator: Zulfikar Ramzan, the CTO of RSA (the company... this is going to get confusing in a moment)
Ronald Rivest of MIT. He is the R of RSA (in all its incarnations)
Adi Shamir of the Weizmann Institute in Israel (the S of RSA)
Whitfield Diffie (the co-author, with Martin Hellman, of the original paper describing the idea of public key cryptography)
Paul Kocher (who discovered differential power analysis, and the recent Spectre vulnerability of speculative execution in processors)
Moxie Marlinspike, the founder of Signal (previously head of security for Twitter. And you won't be surprised to know that's not his real name)

Zulfikar kicked off the panel by asking each of them for a highlight of the last year, as a way of getting things started.

Ronald Rivest went first. He pointed out that there is much more focus and attention on security. He's especially happy that there is a lot more focus on the security of elections, with the US declaring the election to be critical security infrastructure. Paradoxically, this has led to an increase in paper ballots, since electronic voting machines lack any audit trail.

Adi Shamir said that he's been looking at the academic cryptographic literature. It's all proofs and mathematical foundations. But when it's implemented, it's just machines with no proofs. He's been thinking about how to make implementation something more quantitative, not just qualitative.

Whitfield Diffie remembered two people who had died last year. The first was his wife, Mary Fischer, who described herself as the elder mother of public key cryptography. The other was Mahlon Doyle, whom he said most people had never heard of (I certainly hadn't) because he worked for decades inside the NSA and came up with many of the key concepts in an era when even the existence of the NSA was secret.

Paul Kocher obviously went for the work he's been doing on performance/security tradeoffs as a result of discovering the Spectre vulnerability (to read more about that, my post Differential Power Analysis and Spectre covers his presentation a couple of months ago). He pointed out that we need a cultural shift, since everyone on the stage, and many people in the room, made their careers in an era when more and more performance was the most important thing. But now security is equally important and we need to figure out how to handle that as an industry.

Moxie Marlinspike said that last year was when social technology started to be seen less as a hopeful tool for a brighter tomorrow, and more as a weapon (which everyone then perceives as being in the wrong hands).

Quantum Computing

Zulfikar said that one thing we've had to cope with this year is that "crypto" suddenly means bitcoin. How do we reclaim the word? Adi had read that there were 2^64 hashes per second for blockchain, probably many times the number done for real security. But at least we can amortize the heat for keeping the room warm. Ron said blockchain is regarded as security pixie dust: you just sprinkle it on. It is decentralized, public access, and immutable. So that is good for some things, but not other things. For example, paper ballots are better for voting. Blockchain actually has limited security properties.

The topic moved to quantum computers (RSA, the algorithm, depends on factoring large numbers being hard, and quantum computers are predicted to make it easy, so there is a major interaction between quantum computing and cryptographic strength). Adi talked about the recent NIST post-quantum cryptography workshop. There were 82 proposals and 64 remain after the initial weeding out. But the community cannot analyze 64 proposals. The key sizes are generally around 1-10K bytes, "unpleasant but you can live with it". There is an interesting group of algorithms to dig into, and NIST will have a hard time choosing a winner within 3 years for the standard. Adi thinks they will be forced to use something old, tried and tested. After all, it took from 1977 to the 1990s for public keys to get accepted. Elliptic curve cryptography evolved from 1985 to the early 2000s. "If I was in NIST's place I'd be uncomfortable with anything that hasn't withstood 15 years of analysis."

Whitfield said that RSA with much longer key lengths could be secure in the post-quantum world. It is still polynomial, so technically weak, but it is unpleasantly polynomial. Paul would put his money on hashing, since it is very well-understood technology. Adi agreed and said he thinks NIST will pick one of the hash-based schemes; they are very well analyzed.

There was some debate on just how real progress has been. Paul pointed out that we see 20 qubits, 72 qubits... incremental progress but not a big surprise. He thinks we will see "quantum supremacy" soon, where some task can be done faster with quantum computing than normal computing. Adi said he's been trying to follow whether any really good use was made of those 20 or 72 qubits. But he's not seen any jump in performance. "Forget cryptography," he continued, "I'll take improvement in any area, but there is none."

Spectre

"Tell us about Spectre and Meltdown," Zulfikar asked, a slow pitch right across home plate to Paul Kocher:

I was involved with Spectre, not really Meltdown. A friend asked me about this speculative execution thing, where computers do stuff and then fix up any mistakes. Well, I've spent hours in the lab trying to make computers make mistakes. So I thought about it, wrote some code, and found a problem. Then I notified Intel, and apparently Google had done some independent discovery of this. It's odd that in a few months two groups find problems that had been sitting in the open for 25 years. It's in every textbook on computer architecture. But bugs in hardware, compared to software, are a different challenge. We don't have an embargo process for hardware. Who can fix a problem in Arm? There is Arm themselves, their licensees, people building the systems. Who should know about a problem in Intel? In the end, for differential power analysis, a reporter in Australia was about to break the story, and this time press reports started to come out. So in both cases there was a stampede to release the embargo ahead of when it was planned. I've failed twice, so I don't know what to do. There will be more of these things with hardware systems that can't be updated easily.

Adi is worried about something worse. "You mentioned how difficult it was to fix," he said. "But I'm worried that we will reach a problem where millions of microprocessors will be bricked. With software, at least you can usually reinstall a clean copy."

Paul said we shouldn't panic. Looking at the risk in context, we have a giant problem with software bugs. These subtle hardware bugs are mainly interesting for computer science reasons, and because they change the outlook needed in designing processors. "You don't design a processor for wire transfers the same way as one for video games. We've made advances for power with things like Arm's big.LITTLE and we need an equivalent to extend that to security."

Zulfikar switched to China, and the late February announcement that Apple is hosting Chinese data in China, with the keys hosted in China. Paul pointed out that the leadership in China are in for a surprise when their stuff gets hacked. This will not end well for China. Backdoors where only the good guys get to use them never work out well. Ron agreed, saying that the Europeans decided just recently that backdoors are not the way to go. Moxie wants no backdoors, since "it's easier to say 'I can't' than 'I won't'." Ron said that in the US, the FBI still argues that they need access to phones, but increasingly people in Congress are saying they didn't try very hard before running to them. Ira turned to Russia, and related the story that Telegram were told to give the keys to the government and refused, so Russia declared Telegram illegal in Russia. Many countries are starting to legislate against security where they, the government, don't have the master keys. Moxie reiterated that "I can't is always better than I won't."

Facebook

From China to Facebook. What about their data problems? Paul said a lot is misalignment. There were lots of things that they could have done, but it wasn't in their interest to protect the data. "The problem is that the people choosing 'my' risk for me don't make the decisions I want, they build what they want." The cost of insecurity is in the trillions. Whitfield agreed, but pointed out that it was the cost to society, not the cost to the people who have to implement the security.

Moxie said that Facebook is like Exxon, an indispensable tool that everyone uses but despises. There are not many companies like that. When he added Comcast to the list, that got a big laugh. "For most people, Exxon is civilization, and Facebook is the Internet. After enough oil spills we invested in better barrier technology, and now Facebook is dealing with the metaphorical camera under the ocean showing oil spilling out."

Adi thinks GDPR in Europe will be a big thing, and will have a huge effect due to the penalties: 4% of worldwide turnover for violating the provisions, many of which are unclear. "If I wanted to be a cynic I'd say this is how Europe wants to get more tax revenue from the US tech giants." However, there are some serious provisions in it, and everyone should look at it. Moxie is worried that GDPR could entrench the Facebook monopoly, since it requires permission to do things with your data. Small companies might have trouble getting it. Facebook can probably get it though, since they can refuse service, and to most people, Facebook is the Internet.

Silver Linings

Zulfikar asked his last question. "Some of the keynotes this morning addressed silver linings in the clouds. So what are your silver linings?"

Ron went back to his favorite topic of election security. There are so many areas where the attackers are winning, but the increased focus on election security means there is more and more voting on paper ballots. "We are learning the hard way."

Adi said that Rohit (CEO of RSA) in the first keynote said we are moving at high velocity. "But velocity is a vector, and he forgot to say whether we are going forward or backward." But if you want a silver lining, it is that our job security is guaranteed. "We will be coming to San Francisco for a very long time."

Paul wants to reduce the size of the battlefront. Better hardware is a part of that. In cryptographic algorithms, the chance of failure is provably low. AES will not get broken in the next year. You can make a separate chip that does crypto and is isolated. "A pennyworth of security, instead of sticking it in the same place."

Moxie had the last word. "If I'm forced to be optimistic, privacy and cryptography are less about little pieces of data, and more and more about the infrastructure for the world going forward." I'm not sure that counts as a silver lining, but it does underline just how important all this stuff is.
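The introduction's point about RSA, that it is slow and so is used to carry a symmetric key rather than the real data, is the hybrid encryption pattern. Here is an added Go example of that pattern, written for this page and not code from the post, the panel or RSA (the company). It uses only the Go standard library; the Envelope type, the Seal, Open and Demo functions and the sample payload are this example's own constructions. It also shows the second reason direct RSA is not used for bulk data: a 2048-bit OAEP block holds fewer than 200 bytes, so encrypting a 1,300-byte payload directly is refused outright.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what actually crosses the wire: the RSA-wrapped session key,
// the AES-GCM nonce, and the AES-GCM ciphertext (with its authentication tag)
// of the real payload. Names and layout are this example's own choices.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
	Nonce      []byte
}

// Seal does the hybrid step: a fresh random 256-bit AES key encrypts the bulk
// data with AES-GCM, and only that 32-byte key is encrypted under the
// recipient's RSA public key (OAEP padding with SHA-256).
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A GCM nonce must never repeat under one key; the key is single-use
	// here, so a random nonce is safe.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ciphertext, Nonce: nonce}, nil
}

// Open reverses Seal: the private key unwraps the session key, then AES-GCM
// decrypts the payload and checks its tag, so a modified ciphertext is
// rejected rather than silently decrypted to garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo runs the flow on a constructed sample payload and reports three facts:
// direct RSA-OAEP of the payload fails (a 2048-bit key with SHA-256 holds at
// most 190 bytes), the hybrid round trip recovers the plaintext, and a
// one-bit change to the ciphertext is detected by Open.
func Demo() (directRSATooLong, roundTripOK, tamperDetected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed sample data: 1,300 bytes, well over one RSA block.
	payload := bytes.Repeat([]byte("constructed sample record\n"), 50)
	_, direct := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, payload, nil)
	directRSATooLong = errors.Is(direct, rsa.ErrMessageTooLong)

	env, err := Seal(&priv.PublicKey, payload)
	if err != nil {
		return
	}
	got, err := Open(priv, env)
	if err != nil {
		return
	}
	roundTripOK = bytes.Equal(got, payload)

	env.Ciphertext[0] ^= 0x01 // simulate one flipped bit in transit
	_, tamperErr := Open(priv, env)
	tamperDetected = tamperErr != nil
	return
}

func main() {
	tooLong, ok, tamper, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("direct RSA of payload refused: %v\nhybrid round trip ok: %v\ntamper detected: %v\n",
		tooLong, ok, tamper)
}
```

Run it with `go run main.go`; all three reported values come out true. The design choice worth noting is AES-GCM rather than a bare block mode: the wrapped key gives confidentiality of the session key, but it is GCM's authentication tag that makes a tampered envelope fail on Open instead of yielding corrupted plaintext.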