An interview with Bruce Schneier on some current trends in cryptography.
I'm a security technologist. My career has been a series of generalizations. I started working in cryptography: mathematical security. Then I realized that all the cryptography in the world won't help if the computer is insecure, and all the computer security won't help if the network is insecure. Since then, I have been concentrating more on the social and economic aspects of security, realizing that all the technology in the world won't help if those aren't done right.
More on my background can be found on schneier.com.
NSA licensed Certicom's EC patents for $25 million last year, and recently announced the new US government standard for key agreement and digital signatures, called Suite B. It uses Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Menezes-Qu-Vanstone (ECMQV) for key agreement, and the Elliptic Curve Digital Signature Algorithm (ECDSA) for signature generation/verification. Do you think that the NSA is promoting ECC-based crypto because they cannot crack RSA/DSA-based crypto?
I do not. I believe the NSA believes that ECC is strong. I wrote about ECC here:
Although I wrote that in 1999, I am still skeptical about elliptic curves.
Or maybe, just because they can crack RSA/DSA, they prefer to protect US business with ECC (supposed to be harder to crack)?
With sufficient key lengths, all of this is uncrackable. I don't believe that the NSA has any secret mathematics that they use to break RSA/DSA or ECC.
Would a quantum computer do the job?
In theory, yes. In practice, we have no idea how to build one to do it. Maybe in fifty years. Or twenty-five.
Some time ago you co-authored a paper on software monopoly risks. What about crypto monopoly? Don't you think that having just a couple of public-key algorithms based on the same math problem could lead to a catastrophe if cracked?
The security advantages of a common cryptographic algorithm far outweigh the disadvantages. I've written about that as well:
What would you do if you found a solution to the factorization problem?
Any cryptographer, if they found something as significant as a solution to the factorization problem, would publish their results. Such a discovery would likely result in profound changes in how we view number theory, and would be the mathematical discovery of the decade... and maybe even more important.
Since most crypto protocols on the Internet, such as SSL or SSH, use public keys to build a secure channel, wouldn't an unexpected public disclosure create chaos on the Internet?
No. Chaos is hard to create, even on the Internet.
Here's an example. Go to Amazon.com. Buy a book without using SSL. Watch the total lack of chaos.
In the security community there are various ways of thinking about vulnerability disclosure (public, full, responsible, none). What is the situation in the crypto community? What type of disclosure process is there?
Most security professionals believe in full disclosure, and cryptographers are no exception. The advancement of the science is best served by the free exchange of ideas.
Why is a money-rewarded challenge often used to verify a crypto algorithm?
Because it's free consulting work, and money is an attempt to add some financial incentive. Most of the time it's a sham. While there are some legitimate contests, most are just attempts to gain publicity.
Recently some papers addressing hash functions were published, and you suggested on your blog that it's time to get to work replacing SHA. You wrote: "The NIST already has standards for longer -- and harder to break -- hash functions: SHA-224, SHA-256, SHA-384, and SHA-512. They're already government standards, and can already be used. This is a good stopgap, but I'd like to see more." Why do you think we need a new hash function?
There have been significant advances in the cryptanalysis of hash functions since SHA was proposed, and there are significant advances still to be had. A competition to choose a new standard is an excellent way to stimulate research in this topic.
It seems that WiFi has the same problem as most (all?) protocols. Do you think that the problem is that we can't develop a secure protocol, or that the people who define standards underestimate security threats?
It's both. It is very hard for an experienced cryptographer to design a secure protocol, and most Internet protocols are not designed by experienced cryptographers. Most Internet protocols are the result of consensus, which is not how to design security.
Is crypto the only solution?
It depends on the problem.
I mean TCP/IP does not use crypto, while a VPN does. Do you think that in the future we'll use crypto for every type of communication?
No. I think we'll use cryptography where it makes sense to use it. Cryptography is certainly the primary security tool for digital communications, so I expect it will be used in every type of communications that requires some kind of security.
Should we use crypto to stop the spam problem?
Spam is not a problem that cryptography can solve. And I think we're doing well solving the spam problem; it's one of computer security's success stories. The current crop of anti-spam products and services is great; I hardly get any spam.
Wireless is being used everywhere: mice, keyboards, printers, monitors, computers, RFID, and so on. In the near future we'll get WUSB, a wireless replacement for USB, too. Isn't this a dangerous path?
Wireless is definitely more dangerous than wired, because of the possibility of surreptitious access. But wireless is easier, which is why we're seeing more of it. Yes, it's a dangerous path.
What technology do you expect will replace the use of passwords?
Authentication can be something you know, something you have, or something you are. Tokens and biometrics are a good addition to passwords, and will be used more and more for security.
You taught us that "security is a process". Looking at the security market, I see that most of the processes are developed to find and block what is considered an attack. Wouldn't it be better to look for what is known to be good, and block all the rest without analyzing it?
Security professionals always like systems that fail closed: don't allow things that are not explicitly permitted. Network administrators -- people more concerned with things working smoothly -- prefer systems that fail open: allow everything except what's explicitly forbidden. Systems that fail closed are always more secure, but the price paid is convenience and ease of use.
Would Palladium (trusted computing) really prevent a user with physical access to the hardware from reaching his target?
Does a Digital Rights Management system for music files make sense from a cryptographer's standpoint? Can anyone really share a file and be sure that people will be able to use it only the way he likes?
Most of the biggest break-ins in the past 5 years used X.25 networks to attack systems of telcos, banks, governments, military forces, and multinationals. Why do you think nobody talks about X.25 security anymore?
The Internet is what's interesting, so that's what gets the press. There are still X.25 vulnerabilities, and attacks. But these days everyone uses, and attacks, the Internet.
Some famous hackers who were caught, such as Mitnick or Poulsen, now work as security consultants for big companies in the US. This doesn't happen in every part of the world. Especially in Europe there is a different feeling about convicted hackers: they cannot be trusted, because if they did it once, it's probable they'll do it again. Which approach do you consider wiser?
I think it's wise to hire honest, ethical, qualified, smart people, and that people should be individually evaluated against those criteria. It's wrong to pass judgement on an entire class of people simply because they may have had a chequered past. I don't know the recidivism rate of hackers, but I do know that many people grow up to regret some of the things they did as adolescents. I have no problem hiring people who used to be hackers.
What type of schools, courses, and certifications would you suggest for a high school student interested in cryptography?
I wrote an essay about this: "So, You Want to be a Cryptographer".
Are you currently writing a new book?
Right now I'm not, but I'm sure I will be before long.