RSA Panel: Cryptography Cant Foil Human Weakness

At the San Francisco show, cryptography experts tackled recent security failures, including the Microsoft source-code leak, and examined greater government regulation of user privacy.

SAN FRANCISCO—Enhanced security can solve many issues, but it cant improve the thing that sits between the keyboard and the chair—the user—a cryptographers panel concluded Tuesday.

The panel, a staple of the RSA Conference here, invited four of the industrys luminaries on stage with Bruce Schneier, author and chief technology officer at Counterpane Internet Security, to discuss the evolution of cryptography. The discussion soon turned to recent failures in information security, however, including the recent leak of some of Microsoft Corp.s source code and the knotty security problem of social engineering.

Each panelist—Whitfield Diffie, chief security officer at Sun Microsystems Inc.; Paul Kocher, president and chief scientist at Cryptography Research Inc.; Ron Rivest, Viterbi professor of computer science at the Massachusetts Institute of Technology; and Adi Shamir, professor at the Weizmann Institute of Science in Israel—came to the panel with his own view of security priorities. Rivest, for example, was concerned with the policy of security., Diffie, on the other hand, said the industry was shaping up for a battle over DRM.

Increasingly, the panelists said, security experts challenges have had less to do with the intricacies of cryptosystems used to wrap code than the real-world intricacies of standards and government guidelines. Rivest cited the case of Diebold Systems Inc.s electronic voting machine code, which was found on the Internet and quickly picked apart as insecure. Until a grass-roots movement pushed for paper-based records to prove a voter cast a ballot for one candidate over another, the Diebold machine did not allow for independent verification of results.

"Why am I, as a cryptographer, talking about such things?" Rivest asked, citing Archimedes maxim: "Give me one smooth spot to stand on and I will move the world." "We have great levers to move things, if we have a smooth spot to stand on," Rivest said. "We have secure platforms and secure keys to move the earth a bit."

Similarly, Kocher said he was "terrified" of the only solution he saw to enforcing consumer privacy—government regulation. While consumers have a strong incentive to maintain their privacy, law-enforcement agencies and large corporations do not, he said.

Part of the fear engendered by government regulation is additional laws, which tend to entangle and complicate the flow of information, panelists said. For example, Kocher said, he was advised by his lawyer not to examine the leaked Microsoft code.

"So were in an awkward situation that is almost the worst of all possible worlds," he said. "We cant look at proprietary systems to improve our code, but the bad guys can."

Diffie, meanwhile, focused on a fight he said is looming over the definition and implementation of digital-rights-management. Citing the recent lawsuits by the Recording Instiitute of American Artists (RIAA), Diffie said that the notion of compensating copyright holders had evolved into a situation in which those copyright holders had begun to dictate how consumers could use it. "Soon youll only be able to buy a machine … where you wont be able to tell it what you want to do and it does it," he said.

The panel failed to propose a solution for one of the most pernicious and pervasive security problems: the problem of the user itself. "Phishing" scams and other techniques to wrest personal information from users wont go away easily, they agreed.

In perhaps the only actual discussion of cryptography, the Weizmann Institutes Shamir said the sun was setting on stream ciphers used to encode real-time data streams. Instead, the power of todays microprocessors could be used to encode data in blocks via block ciphers, which are more powerful but require a large amount of information to be buffered and then encoded.

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.

Be sure to add our Security newsfeed to your RSS newsreader: