RealTime IT News

Cryptographers Debate Top Security Needs

SAN FRANCISCO -- A panel discussion on cryptography might seem to some like a cure for insomnia, but the group of experts gathered here at the RSA security conference kept the discussion lively and relevant to the latest news.

"Internet security is a complete mess," said Whitfield Diffie, chief security officer at Sun and co-inventor, along with panelist Martin Hellman, of Diffie-Hellman public key encryption. "The exact reasons aren't clear."

Adi Shamir, professor of computer science at Israel's Weizmann Institute of Science, said, "There's no silver bullet in security, it's about subtlety and multiple lines of defense. We're doing OK in many elements, but we haven't reached nirvana."

Shamir said new ideas and approaches are needed, such as a GPS for data that would give IT departments, or perhaps individual users, the ability to find data they created on the Internet. "This will have a minimal invasion of privacy because you'd need to ask a very precise question," he said.

But the panel also agreed that it will take a coordinated effort to address America's security challenges and that technology alone isn't enough. Martin Hellman, a Professor Emeritus of Electrical Engineering at Stanford, said, for example, that if all e-mail was protected by encryption or other technology, it would be vastly more secure but probably won't happen because "spy agencies wouldn't like it."

The controversy over electronic voting also came up for discussion. Ronald Rivest, a professor of electrical engineering and computer science at MIT, urged the security professionals in the audience and the public at large to get involved to ensure that a secure and reliable electronic voting system is deployed.

Rivest helped coin the term "software independence" for voting systems, an approach he said would keep the process safe from malware and external tampering because an audit would be able to show if the system was tampered with.

Shamir praised Intel's plans to include Advanced Encryption Standard (AES) instructions in some of its microprocessors set for release next year. Having AES built into the chips is "wonderful news, because AES in software is very vulnerable," said Shamir.

He noted that Intel's advance would prevent certain potential breaches that bypass encryption.

Diffie was quick to add that Sun already offers a cryptographic co-processor in its UltraSPARC T2 processor.

"But Intel sells more chips," said Shamir.

"Who executes more instructions at the major Web sites?" Diffie retorted.

Are you a really bad guy?

Hellman and Shamir criticized the Department of Homeland Security's plan to spend $300 million upgrading a fingerprint system used at airports for security clearance. The current system scans two fingers; the upgrade would scan all ten. "Is ten fingers worth $300 million?" asked Hellman. "We need to do more cost benefit tradeoffs, we need to get more rational."

Shamir was more critical. "I think if they went to a ten-finger system they'd probably catch one more guy, a very expensive guy," he added, to a chorus of laughs from an audience composed chiefly of security professionals.

Shamir, who travels frequently to the U.S. from Israel, said U.S. immigration security procedures sometimes border on the comical. He noted that during the Cold War the immigration service might ask questions like "Are you a member of the Communist Party?" to try to identify Communist sympathizers entering the U.S.

"Now I'm asked if I'm specially trained to operate an atomic or nuclear device. It's a joke," said Shamir. "Why don't they just ask you to do a self-assessment:

'Are you a bad guy? [If yes, choose one]:

Bad. Really Bad. Extremely Bad.'"

As the audience laughed, Diffie quipped that such an assessment would have to account for dialects where being "bad" is actually good.