
Say no to key escrow

By Kirsten Doyle, ITWeb contributor.
San Francisco, 23 Apr 2015


The balance between privacy and security has dominated the sessions at RSA Conference 2015 in San Francisco.

During the annual cryptographers' panel, the escalating tension between the US government, which is demanding back-door access to information, and cryptographers, who are stepping up efforts to maintain privacy, was highlighted.

One of the panellists, Adi Shamir, a professor at the Weizmann Institute of Science in Israel, said: "Whether it's a front door or a back door doesn't matter. It just means that the NSA will have to take your house and turn it around."

The topic of key escrow for the US government was discussed in depth. On the question of whether the US government should be given custodianship of encryption keys for law enforcement purposes, Ron Rivest, professor of computer science at MIT, stated that if the US were given this sort of access, other governments would start insisting on it too, resulting in too many keys being held by too many parties. "It's not going to work," he added.

However, Ed Giorgio, who has worked with the NSA for 30 years, believes the government will carry on pushing for such access regardless. He said as far back as the 90s, the US government went after a 'key in escrow' in order to be able to view sensitive data. "It's an ongoing negotiation," he added.

Renowned cryptographer and pioneer of public-key encryption, Whitfield Diffie said it isn't just bodies such as the NSA and law enforcement that are looking for ways around encryption. "Companies want you to be secure, just not against them."

The more things change

Shamir added that the more things change, the more they stay the same. He said back in the 80s, there was the perception that cryptography would solve all of IT's security problems. At this time, he formulated three laws of security which he said are still applicable today.

Firstly, he said, completely secure systems do not, and will never, exist. Secondly, cryptography will not be broken, but will be bypassed. Thirdly, if you want to cut your vulnerabilities in half, you need to double your costs accordingly.

Diffie agreed with Shamir that nothing has changed all that much. He said although data breaches are a topic on everyone's lips, the security challenges themselves haven't changed. It is his belief that static defensive measures are underrated and haven't been given enough funding.

He added that the current situation would be less of a mess had the industry adopted a more defensive posture.

Ransomware

The panel also discussed ransomware, a type of malware which hijacks a user's machine, restricting access to the system and demanding that a ransom be paid to the malware authors to release it. Paul Kocher, president and chief scientist of Cryptography Research, described this scourge as an evil manifestation of public key cryptography.

Shamir agreed, citing ransomware as an example of where the security industry has failed miserably, as people are ill-prepared to handle spear phishing, the most common method that cyber criminals use to spread ransomware.

He also believes there is a danger that this type of malware could spread beyond computers, as the Internet of Things sees more and more devices becoming connected.
