Ask Security/Cryptography Expert Paul Kocher

Paul Kocher is unquestionably one of the highest-profile computer and network security experts around. He's president of Cryptography Research, Inc. and one of the architects of SSL 3.0. The floor is now open. Please try not to ask questions that can be answered with a few minutes' worth of online research. We'll post Paul's answers to 10 of the highest-moderated questions soon after he gets them back to us. Update: 03/13 18:18 GMT by M : Let's try this one more time, this time with feeling.

Serious Threats?

[Prizm]

While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your speciality, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?

Re:Serious Threats?

[cheezedawg]

The overwhelming majority of security exploits (over 95% iirc-sorry, I don't have a source handy) are due to implementation errors and not cryptanalysis. At this point, time is much better spent attacking buggy code than worrying about crytanalysis threats to well known ciphers.

Re:Serious Threats?

[swillden]

The overwhelming majority of security exploits (over 95% iirc-sorry, I don't have a source handy) are due to implementation errors and not cryptanalysis.

Side-channel attacks, technically, *are* attacks against implementations, not the ciphers themselves. They're attacks that exploit the fact that even if the cipher is solid, the execution of the algorithms involves physical effects which can be measured by an attacker with access to the processing device.

Depending on your point of view, you may or may

Re:Serious Threats?

[wfrp01]

That is to say, what are the chances that these methods are actively being used by attackers?

Do you think it's valid to rate the severity of a compromise by whether it's being actively exploited right now?

Triple barreled question

[Sophrosyne]

Should the general public have access to powerful and secure computing as a right, or should cryptography be limited to banks, government agencies, etc.? Do you believe that, as cryptography becomes more prevalent and as computing power increases we will see an increase in criminal activity over the web? And if so, what is the best way to curb illegal activities on the Internet, for example do you give the keys to the Governments that request them?

Re:Triple barreled question

[56ker]

The way to cut down on e-fraud is to have the people in charge educating businesses etc in IT security. There is also an "embarassment factor" - which means that a lot of e-fraud goes unreported. Personally - my thoughts are of employing ex- e-fraudsters - but that wouldn't go down too well!

The banks have major IT security flaws they do nothing about anyway. *whistles innocently*

Personally I feel if the private individual can afford it then yes - they have access to powerful & secure computers. There

Re:Triple barreled question

[lommer]

"There is also an "embarassment factor" - which means that a lot of e-fraud goes unreported."

I think you meant to say e-barassment...

fhnlsfdlkm&5nlkd%Bvbcvbc

[matt4077]

fkgsdf%LDjöofjnvBNlöjbfjsbyv%$bhlvy$knvnlkblnbxcjv byx$LJKFhgsfKNV4346Khndjbgvkbhdfgföljny kny_FYFKdfknyY_LirhrhaeihÖFHGsfihFYbjbK453KhdsFkbs KbfknvyVNkKnfkgnbxfdkn445k3nlDKNAdsSAdkfasdfKLNKdf nDFKgnentk4n4ktn4knt4 kaKdfnjaSDKfnaDKfnaK4n4knaKGAna4ank495p9zhthgugbhf hjbernara?

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

[Anonymous Coward]

Uv, V'z jbaqrevat vs lbh guvax gurer'f n shgher sbe EBG13. V'ir urneq vg'f cerggl frpher...

Lbh pna ernq guvf? Qnza!

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

[cornjchob]

Wait, let me get out my Little Orphan Annie Decoder Ring...

"Be sure to drink your Ovaltine"?!

What the damn? That parent post was just a crummy commercial; aw nuts.

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

[blibbleblobble]

"Uv, V'z jbaqrevat vs lbh guvax gurer'f n shgher sbe EBG13."

uggc://jjj.oyvooyroybooyr.pb.hx/Gbbyf/Grkg/vaqrk .c uc

Lrnu, vg'f n avpr flfgrz...

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

[DrDevil]

Whatever you used to encrypt that mate, it repeats things, fkgsdf, the same keys in the similar area of the keyboard. therefore your cipher must be poor!

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

[Niles_Stonne]

Great... So now all the lurking worms are going to attack someplace.... Thanks a lot.

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

[sacherjj]

qaw zov'u wor cofu i xhffish uaiu iudhifu pf zhbozitdh ivz ollhyf i baiddhvsh uo uah yhizhy. uaiu bordz aimh thhv th toua lrvvw ivz baiddhvspvs iu uah fixh upxh.

u=t

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

[Negatyfus]

dfjh2@inJK783J7893beer*js,*I0kvc_women(8jhs*^()*
978IO$#*(&b*$#(*Yuih789on)Slashdot*(*&@897diu2 79 must get &*(^8923h9sdfjklsdf1more8o0234*women&72816 829
sml789234ls89*(&dammit(*@#(y8sdfljkg89

Secure SMTP?

[silverhalide]

Is there any feasable way to make SMTP authenticated so spammers can't spoof their IP addresses? Everyone keeps asking but noone seems to know if it's possible.

Re:Secure SMTP?

[fruey]

You can run SMTP entirely over TLS/SSL with SMTP AUTH (Cyrus SASL, for example)... but the problem is that the receiving server has to support it too.

You can reject IP addresses that don't reverse and all sorts of hocus pocus with an MTA like Postfix.

So what you are asking is possible.

Re:Secure SMTP?

[bellings]

It should be simple to build a system where the identity of everyone who sends you mail is verified by some authority. However, the price is that everyone who uses it will have to be willing to accept a system where you will have to verify your identity to some authority before you send mail.

So, I guess my question (to stay on subject) is

• is there an identity verificication system that would be suitable for email, and
• barring that, is there some system that would allow us to charge the sender of any email

Re:Secure SMTP?

[NudeZiggy]

actually both certificate and certify are verbs, it's kinda like extract and extracate, used in different but not so clear ways.

redundancy is key

[b_pretender]

Mr. Kocher would point out that in computer security, redundancy is key

Therefore, "Please try not to ask questions that can be answered with a few minutes' worth of online research." should be rewritten as, "Please try not to ask or moderate up questions that can be answered with a few minutes' worth of online research. "

Social engineering

[miratim]

For every advancement in computer security, there seems to be a social backdoor involving the humans that use the system. Is there any research being done on figuring how to effectively solve the social engineering problem at the software/hardware level somehow?

I think....

[unicorn]

They're called Neutron Bombs.

Honestly, as long as a system can be accessed by someone. It can be accessed by someone that shouldn't.

Re:Social engineering

[geekoid]

the only way to do that is to take the access control away from the user.
example:
In stead of letting the user determine the password, have the person scan there finger print at hire, then associate the finger print with permissions on a server, authenticate against the MAC address, and device ID.
This way there is no password to give out, and the user will thing somthing is wrong when 'security' calls and asked for something that isn't used.

Now to get into the system, you have to know the allowed MAC addres

Re:Social engineering

[yugami]

I work in information and network security, and I'd say that you aren't really solving TOO much with your suggestion of fingerprint, MAC address, etc

reducing the ability for outsiders to influence access isn't solving much?

The problem is not people figuring out people's passwords. I'd just like to pose: What happens when a buffer overflow is discovered in the biometric information acceptance daemon?

stop using bad programming practices and allow for dynamic length buffers, or at the very least use che

Re:Social engineering

[ekephart]

In banking many things are under dual (or more) control. Same with government. Since paying people is a recurring cost and is expensive, some businesses have pagers that when activated (by satelite, wireless, etc.) give a password to be used in conjunction with their own personal passwords. The system is synced so that at any moment the password is different from the next. You can do the same thing to restrict physical access to a bulding or room.

Theory vs. Practice

[Anonymous Coward]

It has been said that it is just as important (if not more so) to focus on educating people on what cryptography can do for them as it is to research crypotography to come up with important breakthroughs. What is your opinion on this? Should more focus be put on educating the public?

what should manufacturers do?

[rtphokie]

What should manufacturers of networking equipement and software do help their customers security efforts?

Ok it's well known that

[TerryAtWork]

In Crypto there's the NSA and there's everybody else. It's also well known they're years ahead of the pack etc.

My first question is, how confident are you, as a crypto person, that you're not inadvertently peddling snake oil, that is, crypto the NSA has already cracked?

Second, the NSA allegedly has secret patents it uses to suppress new crypto. Do you think this is a significant inhibiter on research or am I worried for nothing?

NSA may not be that far ahead.

[rjh]

First, it's not well-known that the NSA is years ahead of the pack. That's purely speculation. The NSA says so little about how much they know that anyone who says "they're years ahead" just shows they don't know what they're talking about.

In the '70s, '80s, and on up into the '90s, the NSA was certainly ahead of the civilian cryptanalytic community. DES, for instance, had its S-boxes strengthened against differential cryptanalysis in the '70s--about a decade and a half before the civilian cryptanalytic community discovered differential cryptanalysis.

But recently, there've been tantalizing signs the NSA is not as far ahead as people once thought. The civilian cryptanalytic community has grown tremendously in just the last ten years, and the quality of scholarship is the best we've seen since Turing and Shannon established the field. The civilian cryptanalytic community is now breaking NSA designs.

For instance: the NSA submitted a pretty cool cipher mode (Dual Counter Mode) for use with AES. People were looking forward to the opportunity to beat on an NSA design--and lo and behold, Dual Counter Mode was broken within a matter of weeks. The cryptoparanoids out there will say the NSA intentionally put out a weak mode in order to fool their enemies into underestimating their talents, but--really. Occam's Razor applies to the NSA as much as it applies to anyone else. The simpler explanation is that the NSA got egg on their face, just like everyone else has had. If you're going to be active in the crypto community, you're going to get your fair share of brain-os. Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

The really fascinating NSA braino is, undoubtedly, SKIPJACK, the cipher which was going to be the heart of the Clipper Chip. It had a very solid design and 32 rounds. 32 rounds is a lot of rounds--the idea the NSA would make a 32-round cipher struck a lot of people as evidence that the NSA was being extremely conservative.

Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors, and they allowed a small number of outside experts (incl. Dorothy Denning, who's a crypto luminary) to review major portions of the classified cipher.

So either you've got to believe the NSA lied to Congress, deliberately deceived Denning, and that Denning wasn't smart enough to know she was being deceived... or you can believe the civilian cryptanalytic community is getting good enough to challenge the NSA on the NSA's own terms.

Anyway. Come to your own beliefs as to how far ahead the NSA is of the civilian cryptanalytic community. I think the answer is "not very", but reasonable people will certainly disagree on these things.

Re:NSA may not be that far ahead.

[swillden]

Good post, but I disagree on a couple of minor points.

Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

This doesn't really follow. Schneier's a smart guy, and he's among the better cryptographers in the world, but his screwup doesn't necessarily mean that the NSA would also.

However, the fact that *every* cryptographer who's been around for a while has had his or her share of public failures does.

Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

Umm, not quite. First, Biham and Shamir invented differential cryptanalysis in 1990; they didn't invent it to attack SKIPJACK (although their paper on SKIPJACK did introduce a new variant, IIRC). Second, there are two possible "lessons" to take away regarding the capabilities of the NSA. One is what you said, that the NSA had built in a lower safety margin than they thought they had, but the other is that they knew what they were doing and deliberately chose 32 rounds because they knew 31 could be broken and they're pretty confident in their analysis.

Breaking a 31-round reduction of SKIPJACK does absolutely no good if you need to decrypt messages encrypted with 32-round SKIPJACK.

Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors

Umm, SKIPJACK *doesn't* have any back doors or weaknesses that we know of. The LEAF (Law Enforcement Access Field) they proposed for Clipper (with SKIPJACK as the cipher) was soundly thrashed by Matt Blaze, but that was the opposite. The NSA intended to design in a back door whereby law enforcement officials could decrypte messages, but Blaze found a way to close that door.

The weakness in the LEAF, however, was almost certainly a significant "braino" by the NSA. Even if for some reason they wanted to be able to defeat the LEAF, they apparently underestimated the ability of academic cryptanalysts. It's more likely, however, that they just plain screwed up, just like they did with the dual counter mode.

who is the worst to deal with?

[greechneb]

Where do you find the most resistance is in integrating/using a new standard such as this?

- The software developers
- The software distributors
- The end users

My first guess would be the end users, but I am curious as to which group gives you the most problems.

Certification and SSL

[Zwack]

Given that an SSL connection is cryptographically secure, and that any security is only as strong as its weakest link...

How secure do you really think an SSL connection is when both parties are having to trust certificates signed by third parties? I don't know how Verisign store their root keys, nor do I know how they verify the identity of someone before issuing a certificate. So can I really trust that a certificate signed by them is valid and can you see any way of removing the trust element?

Z.

Re:Certification and SSL

[lfourrier]

Don't you think there should be an international organization that lists what are the CAs and then everyone should use them?

I, for one, don't trust internationnal organizations. (Who elected them ? governments, money, NSA?)

Formulaic test for primality

[casio282]

How do you think the recent discovery of a formulaic test for the primality [iitk.ac.in] of a number might affect current cryptographic systems? Is there a way to exploit this method into a better system for factoring large primes?

Re:Formulaic test for primality

[Telastyn]

IANANT (number theorist), but from what I understand of the algorithm used, it can most certainly not be used to formulate a factoring algorithm. It could be used by cryptographic systems though to be 100% certain that the keys used are actually primes (right now they use a different algorithm that is nearly [99.99999%] certain iirc).

Re:Formulaic test for primality

[casio282]

You're right, my mistake. What I meant was "factoring the product of two large primes."

If you choose this question, editors, please make the correction?

thanks

How can I help?

[arnie_apesacrappin]

I just started a Master's program in CS that is specialized in information security. One of the options for degree completion is a thesis.

From the formal side of things, I am new to information security. I have been doing applied security work for about three years. I would really like the challenge of writing a thesis, but so far I haven't come up with anything.

Here are my requirements: I want the topic to be challenging, I want it to be within the grasp of a Master's level understanding of information security, and I want it to be valuable to the community.

Are there any areas or topics that need to be addressed but have not? Is there something the community needs but has not yet received? If background info helps, I really enjoy picking apart IP traffic, and have some interest in fractals from a mathematic perspective.

Also, I'd like to say thanks for the links on your site. I now have tons more reading material.

So....

[GigsVT]

Have you ever forgotten an important password/passphrase?

Re:So....

[tigertigr]

As a follow-up, do you have your own personal system for generating/remembering passwords?

Furthermore, since we require more and more passwords for things such as networks, email, online banking, ebay, and on and on, what do you think is the best method for joe average to keep track of all of these, aside from a) using the same password for all of them and b) using a "trusted" framework (passport, palladium). Can there ever be a solution to such a problem?

Not a question, but a comment for slashdot

[Anonymous Coward]

After seeing this story go up, it made me actually think about the interview longer, without being so pressed to try to get my response in quickly. I actually went to their website, and read through more carefully then usual. - Which got me to thinking.

Why not make stories have a ten or fifteen minute delay to allow people to actually READ the articles. Have a little timer that says how long until the story goes live for comments. This might take care of some of those who never read the articles.

Just a thought....

Re:Not a question, but a comment for slashdot

[insanecarbonbasedlif]

After seeing this story go up, it made me actually think about the interview longer, without being so pressed to try to get my response in quickly. I actually went to their website, and read through more carefully then usual. - Which got me to thinking.

Why not make stories have a ten or fifteen minute delay to allow people to actually READ the articles. Have a little timer that says how long until the story goes live for comments. This might take care of some of those who never read the articles.

Ju

Worst implementation?

[burgburgburg]

In your consulting capacity (and without naming names), have you ever run across a companies security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the companies stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?

Re:Worst implementation?

[rjh]

True story. I won't name the company, nor do I list my employment with this company on my resume'. After you hear the story, you'll know why.

I was recruited from a major telco to work for a competing telco in 1999, ostensibly to work as part of their tiger team. When I showed up for work, there was nobody else on the team. "Don't worry," I was told, "we're hiring more. Just try and get some good design work done on securing our billing back-end, because right now it's wide-open."

Wait, your billing back-end is wide open?

"Yes."

And it's deployed?

"Yes."

Oh, fuck.

So I went to work on the back-end (which, at the time, was handling about $1 billion a year), with a great feeling of doom hanging over my head. When you're getting paid $38K and have no backup and you're told that "if we lose money from insecurity, it's all your fault, regardless of the fact we deployed it without any security to speak of"... well. You can figure it out.

A month later I had a binder full of attacks against the network, and another binder full of design ideas for how to secure it. By "binder", I mean 2-inch binders stuffed to the gills with paper. I was shortly thereafter called into my manager's office. An HR representative was present, so I knew the news was bad.

"Rob," my manager said, "we're concerned that you've made no progress on your task..."

What? I asked. I pulled out the Binders o' Doom from my satchel (we didn't have any secure storage in the development group, so I didn't ever let those binders out of my sight) and set them on her desk.

"Oh," she said as she leafed through the binders. The look on her face was roughly that of an indigenous South Pacific islander who was seeing an indoor toilet for the first time. "Um. Rob. Didn't anyone tell you?"

Tell me what?

"We already have a design we want you to use. You just have to implement it. No, no, you're not anywhere near senior enough to come up with a design for the security of the billing system..."

I breathed a sigh of relief. Sanity at last! And then she handed me a very thin folder.

I opened it up and it was, I shit you not, RFC1991. Classic PGP.

I laughed, handed the binder back, and told her she grabbed the wrong folder. Then she got very angry with me and asked me what, precisely, was wrong with using Classic PGP to secure the back-end?

I gave her the litany:

• Classic PGP is used to protect email traffic in transit. It doesn't protect databases, it doesn't separate privileges, it doesn't set up a redundant network, it doesn't do offsite backups, it doesn't make sure your Verisign certs are current.
• Classic PGP has been superseded by RFC2440, which fixes a lot of problems in the original spec, like no separate subkeys for encryption and signing.
• Classic PGP uses two patented algorithms, and if you can barely afford the $38K budget entry for my salary, there's no way you can afford the patent royalties on a couple of billion dollars of transactions.
• Classic PGP is a protocol: it's not a security design.
• ... and on and on and on.

Finally I asked "so who's the genius who came up with this one?"

Whoops. Turns out said genius was sitting across the desk from me.

By the end of the day I was busy writing Classic PGP in C++, under Management orders. The Sword of Damocles was falling and I was right under it. I protested, loudly and vociferously, until finally I got canned for "not being a team player and not performing according to expectation".

I was climbing in my car to leave the company for the last time when I realized... hey, I still have the Binders o' Doom in my satchel.

I got out of my car and walked back towards the building. An HR representative stopped me at the door and told me that if I walked in, it'd be considered trespass. I explained that I just wanted to drop off something for w

Re:Worst implementation?

[anonymous cupboard]

Love it. You should have oferred to do a presentation for their auditors.

Its like when I heard an android describing the security requirements for an electronic financial derivatives exchange:

"Its not like we're dealing with money"

No, just a government bond worth about $100000.

Another one at a bank, there is a story about the international payments system. It is split into two parts, the payment transmission system and the ledger. Great idea. Then why save money by having one guy to support both wit

what progress...

[MarvinMouse]

is being made towards the implementation and use of elliptic curve cryptography?

I have read a lot about it and it seems to be the direction public-key crypto is going nowadays. Have you done any serious work in this field? and if so, when do you think the public will start to see it implemented full force?

SSL VPNs?

[Jacco de Leeuw]

What's your opinion on VPNs based on SSL/TLS, instead of those using protocols such as IPsec or PPTP?

Are SSL VPNs up to par? What are their strengths and weaknesses? Was SSL designed for such applications?

Re:SSL VPNs?

[digitalsushi]

SSL VPNs have one advantage going for them that IPSEC can't compete with- "stealth" mode. Ok, it's surely not invisible, but you can usually configure the port you want it to run on. OpenVPN [sourceforge.net] is what I have converted five of us over to from working FreeS/WAN VPNs, as most of us have the same ISP who has claimed they will be blocking IPSEC packets from residential customers. We don't want our VPN to disappear, so we're forced to use this TLS VPN package.

I'm unaware of any weaknesses this has versus a real

Re:WHY DONT YOU (etc.)

[Jacco de Leeuw]

Rudeness aside, this Anonymous Coward makes a valid remark.

However, I was not referring to the same kinds of VPNs the AC mentions. I understand why TCP over TCP is a bad idea [sites.inka.de].

I was thinking of these kinds of products:

• HOB [hobsoft.com]
• Citrix Secure Gateway [citrix.com]
• Netilla [netilla.com]
• Aventail [aventail.com]
• Neoteris [neoteris.com]

Internet broken?

[bpfinn]

The Internet was primarily designed for use by researchers who were collaborating on similar projects, and so security was not part of the design. Would you advocate designing and building another Internet where security was a major design goal? Or can we tweak the current Internet to reduce that amount of maliciousness that goes on now?

What is worth protecting?

[kryzx]

Paul, What advice do you have for people trying to find the balance between security and convenience? When is it worthwhile to protect something? Should a person try to protect all of their info and communications just for privacy purposes, or make a determination about which things are valuable enough to be worth the effort and/or processing power?

Along these lines, of your own personal communications and data storage, what do you encrypt and what do you leave unencrypted?

Unsecurity

[termos]

The older versions of SSL has been very insecure.
How will the SSL team improve security in the new version of the SSL protocol?

Palladium

[SiliconEntity]

Paul, what do you think about Microsoft's Palladium initiative and Trusted Computing in general? Will it achieve its goals from the security perspective? Is it only for DRM or are there other ways that you could use it?

Quantum Computing and Cryptography

[Nova Express]

Will the advent of quantum computing render even current, state-of-the-art cryptography obsolete? Is there any way that cryptography can overcome the challenge presented by quantum computing? And how long will it be, if ever, until quantum computer's can break current, state-of-the-art cryptography?

Re:Quantum Computing and Cryptography

[zCyl]

And in addition, what do you think is the general applicability of quantum cryptography given that it does not support authentication protocols? Can it be effectively merged with classical authentication protocols, and can any of these still remain effective during the quantum computing era?

Dive Right In

[Accidental Hack]

What does a newbie do? Having been put in a position where I'm partly responsible for server security, and having been put in that position without the proper background (and the responsiblity is here to stay), how do I get my head straight on the core issues and make sure I'm not leaving the doors open for anyone to do whatever they want? Reading books/articles doesn't seem to be enough, but if that's the best place to begin, any recommendations?

DRM systems?

[Anonymous Coward]

There's much going on in the area of DRM these days. Microsoft/Intel are pushing for a secure nub and a trusted OS (Palladium). DirecTV's P3 is totally hacked and Echostar is open to EJTAG manipulation. The studios are pushing for stronger encryption for the next-generation DVD after CSS has been hacked.

What is your opinion about where DRM systems should go? How can we protect fair use and still get movies released in HD?

Crypto in the scope of the real world.

[matman]

It seems that most cryptographic methods depend on one of a number of hard to solve problems, such as the factoring of large numbers, elliptic curve discrete log, etc. These kinds of methods suffer catastrophic failure when the problems on which they depend are no longer hard. In the foreseeable future, it seems that factoring large primes will become less hard (especially with the help of quantum computers).

What contingency plans are you aware of? What sort of research is being done to avoid this single point of failure problem in future solutions? Are we just hoping for quantum encryption to save us? Of course, the real solution is to not depend solely on crypto for security, as crypto it self will never be perfect (implementation problems, etc). Security organizations, who haven't already, need to update their risk assessments to include risks to crypto solutions. It's still interesting to look at crypto in a more narrow scope than the real world :)

From a Student's Perspective

[TedCheshireAcad]

I am a student pursuing a bachelor's degree in Computational Mathematics.

What is the best way to go about finding a career in cryptography/cryptology?
How did you start in the field?
Is there a "job market" per se, or is it more of a position that one falls into?

Re:From a Student's Perspective

[geekoid]

What are you, a dolt?
This had been explained quite clearly in many, many movies.
First, you crack some secret government super hard code, snoop around.
Secret Agency use there 'really good software', written and operated by some overweight obnoxius individule, to track you to your address.
they then send someone to kill you, you narrowly escape, befriend some mysterious former agent.
after he saves you from more assassination attempt, he finally dies saving your life. after which the agency feels bad and brings

64 Bit Computing

[MBCook]

One of the applications that is supposed to get a large boost from going from 32 to 64 bits is cryptography. Are you very excited about the move to 64 bits? Do you really think that it would make that much of a difference? Are there any downsides to going to 64 bit compuiting in cryptography (other than the time to port the software)?

Alternative to uid/pw logins to establish identity

[Blain]

The recent /. discussion of worms exploiting weak passwords got me thinking problems I have with consistently using strong passwords. I have heard many times that we should use strong passwords (mixed case, letters, symbols, no dictionary words in any language, no number patterns that others could derive, etc.), that we should not reuse passwords, that we should not write down passwords, but should always have them memorized.

Now, if I was on a handful of systems, this would make sense. However, I've found that many websites I come to are increasingly requiring registration, including creating a userid and password to log in to their systems. The personalization of my interface with their system is nice, but makes following the rules about passwords unmanageable -- I can't keep track of several dozen strong passwords from memory.

As an alternative to that, for website uses such as I've mentioned, it seems to me that making use of a public-key encryption system, something along the lines of what I understand SSL to do, would seem to make more sense. My system could exchange encrypted data with the web server using our known public keys, enabling us each to know that we are, in fact, who we claim to be. Even if I was required to use my pass-phrase that goes with that public key each time I logged in, it would be easier for me to remember that one pass-phrase (which could be even more secure than a 6-8 character password) than is currently available.

Obviously there would be change-over costs involved with this, but is there some big reason that this kind of a system would be less secure than the current system, particularly if we take into account the problem of weak and repeatedly used passwords?

Passwords

[jamienk]

My wife and I each are forced to have several dozen usernames and passwords for various websites, programs, email accounts, accounts at work's computer systems, etc. It seems that each sys admin/org has a different policy for creating these accounts, so that we are unable to memorize a few possibilities and choose from among those. (sometimes usernames/passwords are assigned, sometimes they insist on having #s, sometimes capital letters, etc.)

My wife has several files and pieces of paper with all of her passwords written down. She has to keep these on 3 or 4 computers, in her wallet, in her hotmail account, etc.

How problematic is this? Can this ever be solved? How?

Re:Passwords

[kenthorvath]

Yes, just find the criteria that ALL websites allow. For instance, using a combination of letters numbers and different cases. Just because a sight allows you to have a risky password, doesn't mean that you NEED to have one.

Why should the public care?

[httpamphibio.us]

Can you present a brief argument that you believe should raise the interest level of the general public in the need for cryptography?

Your use and abuse of Cryptography

[fruey]

I'd like to know if you practice what you preach. Do you go out of your way to use GPG/PGP or other encryption on all correspondance, run all your web applications under TLS/SSL, and generally advocate this? Or is cryptography something for which you think only specific applications are in order?

The reason I'm asking is because there are a lot of great techies out there, but it's rather the geeks that seem to do most of the advocacy and who seem to be able best to stick to their guns and force their peers to use GPG, etc.

Also, I used the word "abuse" also. Do you think you've ever gone over the top with crypting everything, or have you ever used your knowledge to gain access to information that you should not have seen (however trivial), or have you ever been paid to crack something encrypted, won prizes, that sort of thing?

Which algorithm / program...

[Rui del-Negro]

Which algorithm / program do you use to protect your "top secret" files? And is there any commonly-used algorithm / program that you wouldn't trust to protect your shopping list?

RMN
~~~

Re:Which algorithm / program...

[SlashdotLemming]

He keeps a web page with a hidden link that allows him to access his secret directory named "MSSys32"
The beauty is that he can securely access his files from anywhere he as an internet connection.

Pure genius

Re:Which algorithm / program...

[kenthorvath]

Which algorithm / program do you use to protect your "top secret" files?

Doesn't everybody store secret information on the Gibson, relying on ThePlague to keep the information safe?

Interface with Government agencies

[bstadil]

How do you currently interface with various government agencies? What kind of pressure is put to bear, how do you see it evolving and are you able to answer these questions freely.

Password...

[Shadow Wrought]

Can you tell us your password?

TLS/SSL as a sockopt?

[brianjcain]

Hey, is there a feasability problem with making the addition of TLS a socket option? For TCP/UDP/SCTP clients (connection/datagram initiators), it would be great to use a system-wide certificate store (perhaps in kernel space?), and just say "turn on TLS". This would make writing network clients with encrypted traffic a dream.

Granted, openssl's interface may be trivially more complex, but just the thought of managing yet another set of certificates makes me cringe.

Is Cryptology a House of Cards?

[kakos]

All of cryptology is built on a group of cryptographic primitives. Block ciphers, hash functions, factoring problems, discrete log problems, etc. are all used to build higher order cryptographic structures, such MACs, encryption, and signature schemes. However, all of these primitives are not proven secure. How do you feel about cryptology being built on such a fragile foundation, essentially making it a house of cards?

You're actually +1 Funny!

[droleary]

However, all of these primitives are not proven secure. How do you feel about cryptology being built on such a fragile foundation, essentially making it a house of cards?

Are you aware how amusing it is that you posted this question over a connection based on IP primitives?

Your use of cryptography in everyday tasks ...

[Hollins]

To what extent to you use cryptography in everyday life? For instance, under what circumstances do you digitally sign or encrypt email? What information do you encrypt on your hard drive? How do you communicate securely with folks who aren't technically adept with current encryption tools? Are the tools at your disposal easy enough to use to keep up with your level of paranoia?

thanks.

Re:Your use of cryptography in everyday tasks ...

[Cruciform]

Good question. I've thought about using PGP or other methods to communicate important info, or even sort spam out of my mail (no key, no read), but the big stumbling block is having friends and family with no other concept than "i have the internet on my web browser".

Transparency to the user is a great thing, until they break something. (Eg. XP encrypted folders)

If the public won't learn something new, what do you do to make the tools more attractive to them?

Is the Technology ahead of us?

[Coz]

Thanks for letting us ask you these questions.

Over the last couple of decades, cryptography has gone from being the domain of major governments, big business, and the odd hobbyist and researcher to being a massive public industry that anyone can (and does) participate in, with new algorithms published and new applications announced almost every week. Meanwhile, we learn of vulnerabilities in various implementations of cryptosystems much more frequently than we hear of people discovering fundamental flaws in the cryptosystems themselves.

Given these facts, do you think we need to change focus, turning to validating and "approving" implementations of cryptosystems (such as your own SSL 3.0) or should the emphasis of the "crypto community" continue to be innovation in fundamentals of cryptographic systems and new applications for them? How important is it to have someone verify that a cryptosystem is implemented well?

Thanks, and I'll take my answer off the air :)

Books, scientific journals etc

[ralphus]

Everyone's read Applied Cryptography Some have read Handbook of Applied Cryptography I've read Security Engineering also, which a lot haven't seen and has a good amount of crypto in it.

Can you recommend some good hardcore books, or journals to follow for what's going on currently in the crypto scientific community?

Cryptography for Dual Computing Paradigms

[HeelToe]

I know I'm making a lot of assumptions here, but my guesses on what will happen to cryptrographic algorithms with the advent of an atomic computing paradigm mostly center around how useless current cryptography methods (designed for the turing machine) will become.

Do you envision it being possible to design a cryptographic algorithm that is "one-way" and remains that way in both the turing machine computing paradigm and the quantum computing paradigm, and if so, how long do you think developing those alg

The Human Factor

[Anonymous Coward]

Cryptography is great, but it's only part of the solution. Seems to me that all cryptography and security measures are no more than "levels of deterence". If someone wants to gain access to your critical data, the easiest way is not going to be to break an algorithm, or try to guess a Key. Corporate espianoge and social engineering both play a huge role in the security of information. If you can dig through a trash can to find a password, or pose as a technician to gain a key to a system, why would you ever want to try to break the algorithm? How can you eliminate employees choosing passwords like 'secret', 'password', or '12345', especially when the company heads are not technical enough to enforce company policies. Afterall, just because someone pays you for your advice as a consultant, doesn't mean they'll take it. On the other end of the argument, you can't expect people to remember 16 8-bit hexidecimal numbers that are generated at random monthly, so how to do let them carry around their password in a secure fashion? Biometrics seems promising, but what if someone is able to copy your fingerprints? It's not like you can get a new finger... Any suggestions on this would be helpful... thanks!

Roles of quantum cryptography

[Cyran0]

With recent developments, such as the capability to "store" photon states within a physical substance, and the progress in quantum NOT gates, there seems to be steady advancement towards quantum computing / quantum cryptography. What roles do you see quantum computing and quantum cryptography taking in changing the way cryptography is handled at present? What hurdles would have to be overcome in order to make these of practical use?

Which side would you take?

[CracktownHts]

As an authority in the "private industry", I'm assuming you earn more money and get more public respect than someone working for the NSA. My question is, if it weren't for the secrecy and (probable) lower pay in the NSA or a similar agency, would you want to work for them? That is, if the recognition and material rewards were equal on both sides, which would you choose?

The Importance of Cryptography

[presroi]

Ignoring errors in the several implementation, current encryption algorithms software provides everyone the chance to keep information secure as it is simply impractial to break the encryption in a reasonable amount of time and enough money provided. Nevertheless, I notice that the overall awareness about keeping information secret is pretty low (I'm too young to say that it has been higher some time). Anybody, who wants to get encrypted information simply attacks not the data itself but the people with legitimate access to this data. Sometimes, even this is not nescessary (I get unencrypted but highly confidential information (No Nigeria Spam!) almost daily due to a popular internet domain from my government with a simiar spelling. Those people are just guessing the email adress of their friends and sometimes they fail.)
So, my question is this:

Has cryptography to include the human factor itself into the calculation or is it still only about mathematics? Can you imagine a strong encryption system with a special focus on people with low awareness?

How does the Via C3 "Nehemiah" RNG work?

[Anonymous Coward]

VIA's web site [via.com.tw] says that you are testing their hardware RNG, and "preliminary results show high-quality output".

So... how does it work? I know Intel's chipsets count cycles of a high-speed (~300 MHz) clock between cycles of a low-speed VCO controlled by resistor noise.

Did they repeat Intel's mistake implementing hardware whitening, or is it feasable to implement on-like quality checks by testing to see if the deviation from randomness is as expected?

What's the software interface?

Experts and/or The Masses

[jfmiller]

I have heard from everyone with any real experence in cryptography that of all the areas of computing, cryptography is the one best left to the experts. What most programmers (including myself) might think of as a very secure encryption, when analysied by the experts, turns out to be as transparent as ROT13.

On the other hand no where is the Open Source Modle more touted as the panacea of computing then in cryptography. Many eyes it is said will catch backdoors and reveil poor implimentations before they become security issues.

My question then: When developing and implementing encryption, How would you weigh the need for experties with the trust and scrutiny availible from Open Source development?

SSL and Forward Security

[Effugas]

Paul,

First of all, thank you for agreeing to be interviewed here. It's greatly appreciated.

I'm curious if you wouldn't mind elaborating a bit on the catastrophic failure of the SSL security architecture given the compromise of an RSA private key. An attacker can literally sniff all traffic for a year, break in once to steal the key, then continue to passively decrypt not only all of last year's traffic but all of next year's too. And if he'd like to partake in more active attacks -- session hijacking, malicious data insertion, etc. -- that's fine too.

In short, why? After so much work was done to come up with a secure per-session master secret, what caused the asymmetric component to be left so vulnerable? Yes, PGP's just as vulnerable to this failure mode, but PGP doesn't have the advantage of a live socket to the other host.

More importantly, what can be done for those nervous about this shortcoming in an otherwise laudable architecture? I looked at the DSA modes, but nothing seems to accelerate them (which kills its viability for the sites who would need it most). Ephemeral RSA seemed interesting, but according to Rescola's documentation it only supports a maximum of 512 bits for the per-session asymmetric key -- insufficient. If Verisign would sign a newly generated key each day, that'd work -- but then, you'd probably need to sign over part of your company to afford the service. Would it even be possible for them to sign one long term key, tied to a single fully qualified domain name, that could then sign any number of ephemeral or near-ephemeral short term keys within the timeframe allotted in the long term cert?

Thanks again for any insight on the matter you may be able to provide!

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Threat from professional brute force methods

[tchdab1]

There are several questions posted here regarding the government's (USA and others) ability to crack what is publically considered to be good encryption. I hope you answer one of them.
James Bamford's books on the NSA tell us that government security agencies have a long and documented history of obtaining back doors (political engineering?) or outright cracking codes. I remember a very public government effort several years ago to lobby for backdoors ("clipper chip" and others), an effort that seems to ha

trust in open p2p communities

[smd4985]

as a software engineer building open source p2p applications (gnutella), we are faced with a huge problem: how do we establish trust in a open environment where any application that speaks the protocol can participate? we've thought of various cryptographic systems to establish trust, but they have several fatal flaws - they require some sort of centralization (a no-no in a p2p environent), they lock out 'untrusted' vendors, etc.

what can we do to maintain an open environment and establish trust between peers?

Factoring

[rmcnutt]

What impact would a factoring algorhitm which reduced prime factoring to a non exponential problem have on the encryption industry in general?

USPTO

[T. Bombadil]

Has any of your work been impacted or covered up by the USPTO's ability to declare a patent a secret? Were you compensated for the loss? How do feel about the confiscation both personally and in general?

Grid Computing and Crypto

[Subotai]

Grid Computing seems to be a technology that has the potential to host brute force decryption efforts. Aside from bigger and bigger keys are there any other crypto techiqures or research underway to defeat grid computing? Also, what does this mean for desktop cryptography?

Security/Cryptography vs Development

[sirrube]

How difficult is it to implement very secure algorithms for the common developer with little experience in implementing security. As innovations in making more complex algorithms comes into play, what types of innovatoins are being done for implementing these algorithms? Could the lack of understanding how to implement these algorithms be in itself a reason for lack security in applications / processes?

How do you think?

[Charles Dodgeson]

When I first read about some discovery of a weakness (for example, I know your name from your work on MD5), I am always struck by the thinking beyond the framework of the designer of the system and of the community to date. The same things strikes me about timing attacks and similar sorts of things. These are things that I wouldn't have thought of in a million years. Can you give any insight into how minds like yours work. And to what extent you think that this might be a trainable skill.

I normally hate the cliche of "thinking outside of the box", but here it is fully appropriate.

Human adoption?

[kirkjobsluder]

It seems that the primary problem with cryptography is sociology, not mathematics. I spent about two weeks signing messages before co-workers complained that it made mail more difficult to read. A talk I gave last year on the importance in securing reseach data was attended by a total of 3 people. What do you see as the biggest barriers to adoption of digital signatures?

Re:Legit Question

[larien]

Sheesh, you're asking the wrong place. This deserves an entire "Ask Slashdot".

Re:Combining cryptographic hashes

[TerryAtWork]

I think it is the strength of the weaker hash, which is MD5.

Don't know how weak MD5 is, but Applied Cryptography disses it.

NOT an interview question ...

[silvakow]

Just thought you'd like to know, ROT13 is outdated. There is a new protocol out to replace it as of a couple of days ago called ROT-13+ [unixeunuchs.com].

Re:NOT an interview question ...

[epictetus]

That's nothing. My corporate VPN runs on double-Rot-13, also known as Rot-26. It's twice as secure!

Re:RISC, Quantums and Security

[Sophrosyne]

Lester is alive never again?

Re:The Government

[angst_ridden_hipster]

I like Bruce Schneier's analogy.

Unbreakable encryption is not achievable.

The goal is to make the cost of breaking the encryption more than the value of the information.

Governments have a great deal of money to throw at a problem. But they're not going to throw that much money at cracking your PGP-encrypted email unless they think they're going to find something worth while. They couldn't care less about your personal life (excepting the case where you somehow have become, through your own fault or not, a

Please use Google.

[rjh]

*sigh* I really wish people wouldn't mod up questions which can be adequately answered with a quick Google search. That said--please mod the parent down, since it's not worth Paul's time. But I'm not going to leave the poster emptyhanded, either.

In order to flip a bit requires a thermodynamic minimum of 4.4 * 10**-26 joules of energy. (Ignore the time/power theoretical tradeoff and energyless reversible computing, please: those are still purely theoretical, and we have no computers which can do it. For that matter, we have no computers which can approach the thermodynamic minimum, but let's give the NSA some credit.)

That means it requires a minimum of 1.1 * 10**-23 joules of power to store a 256-bit AES key. Let's assume you have some kind of truly bizarre key cracker that can do an energyless rekey and key trial: all you have to do is have 1.1 * 10**-23 joules of power for each key you want to test. That's the thermodynamic minimum energy you need just to store the key.

To break a 256-bit key by brute force requires, on average, 2**255 operations. Multiply 1.1 * 10**-23 joules of power by 2**255, and you get 6.5 * 10**53 joules of power.

Let me repeat this.

It requires

650000000000000000000000000000000000000000000000 00 0000000

... joules of power.

By comparison, the Sun's annual power output is in the realm of 1.2 * 10**34 joules.

Or

120000000000000000000000000000000000

... joules of power.

Are you beginning to see why it's such a silly question to ask whether or not modern ciphers can be brute-forced with Crays?

Please. Use Google before asking questions.