"Only for a moment" — RSA conference 2003 REDUX

By Seth Ross

Nobody can accuse RSA of not knowing how to host a great conference or throw a great party. This year's show was held last week in San Francisco, where former RSA President Jim Bidzos kicked it off on an exquisite note by introducing the surprise musical guest: Kansas. The band delivered a rousing rendition of their 1977 hit "Dust in the Wind".

Kansas' lyric, "Don't hang on, nothing lasts forever but the earth and sky", fit nicely with the Mayan theme for the conference -- the Mayan civilization that blew away like dust in the tenth century. Indeed, a quick walk about the trade show floor illustrated the role of impermanence in the computer security industry: many of the new companies that swept over the conference in the past two or three years were gone, blown away by either deep fiscal crisis or business failure

It wasn't supposed to work out that way, either for the new security firms or the Mayans, who had the most sophisticated writing system in the Americas. Just a couple of short years ago, the conference was exultant and expansive. Encryption was riding the wave of the Internet boom; President Clinton liberalized export control laws twice, and the venture capital dollars were flowing. New entrants in the industry were solving problems most customers didn't even know they had. Last year, even as the boom was receding, the computer security industry was preparing for a boost in demand due to the terrorist attacks on 9/11. That boost never happened, and the Internet bust dragged the whole IT industry down with it.

The impermanence theme resonated throughout the five-day-long show and probably amplified the festivities, which were sparked off by several good keynote presentations. The Cryptographers' Panel featured Whitfield Diffie's admonitions against various trusted computing initiatives like the TCPA (Trusted Computing Platform Alliance), its successor, the TCG (Trusted Computing Group), and Microsoft's Next Generation Secure Computing Base. "Hold the keys to your own computers", Diffie warned. These new security standards were recurring themes during the conference. Depending on the speaker, they will usher in either an era of secure computing or an era of monopolistic hegemon

Paul Kocher spoke to the importance of the validation stage of security product development in his "Rational Paranoia" talk. Michael Coe captivated the audience with a recounting of how the Mayan writing system was decoded. Stephen Wolfram presented a new kind of science based on simple computations, prompting the question: is he mad, a genius, or both?

The real nitty-gritty of the conference is in the class tracks, held this year in the Sony Metreon's spacious theaters. Phillip Hallam-Baker, principal scientist at VeriSign, delivered one of the most interesting classes, "XKMS: The Second Coming of PKI". He cited some of the many barriers to PKI acceptance and use: How do you find Alice's public key when you don't even know which directory holds it? The XML Key Management Standard is in place and provides a lightweight and simplified approach to PKI that can be applied to a variety of devices (PCs, PDAs, phones). It's designed to work across organizational boundaries: as Baker says, "It's not about Alice and Bob. It's about GM, Ford, and Chrysler." Baker sees a future in which key lookups are handled like email: through DNS pointers.

Kevin Mitnick held a session on "The Art of Deception: Controlling the Human Element of Security". Now that he's out of prison, Mitnick is able to exploit his notoriety. He's a very charismatic speaker and it's easy to see how he was able to pull off his social engineering attacks. He told of breaking into Novell's network by fooling an IT administrator. It's worth noting, for those of you who don't know the story's epilogue, that the admin happened to be in the audience and is good friends with Mitnick now. Mitnick is one of the most flamboyant and controversial figures in computer security and a great storyteller. Regardless of the strong reactions he engenders, his advice on how large organizations can ward off social engineering attacks is spot on.

Bruce Schneier's session on "How to Think About Security" covered analogies between computer security and real world security. Schneier feels that computer security can inform other kinds of security and that the computer security community needs to speak out. He noted how many security measures are really driven by non-security agendas. He has a new book coming out -- "Beyond Fear: Thinking Sensibly About Security in an Uncertain World" -- which seems certain to join _Applied Cryptography_ and _Secrets & Lies_ in the library of classic computer security texts.

Thomas Berson's talk on "Cryptography After the Boom" provided some philosophical fodder as well as a timely overview of the essential elements of successful security technologies like SSL and Kerberos. They are: secure enough for the job; simple to understand; placing trust assumptions under user control; a "verb" (performing action); reusable; addressing a killer app.

Steve Ross of Deloitte & Touche held forth on "The Case For (and Against) International Security Standards". It's interesting to think about the ways that security standards can actually decrease security since they often take a least common denominator approach. I will discuss international standards in general and the Common Criteria in the next issue of the Securius Newsletter. One of the conference highlights for me was the brief ceremony where a representative from NIST awarded a Common Criteria certificate for Encryption Plus Hard Disk to Noah Groth, President of PC Guardian, which sponsors this newsletter.

Beyond the keynotes and classes, much of the conference revolved around food and drink. While RSA didn't have any really compelling announcements at its press luncheon, the roast chicken at Jillian's was excellent. The company did unveil Nightingale, a secret splitting technology for ecommerce servers. The idea is that rather than storing sensitive info like credit card numbers on a server, where it's subject to both external and internal attack, you split it across two separate servers -- a Nightingale server and an application server -- so that both servers can verify a secret without seeing it. An attacker who compromises either server gets no access to any of the sensitive data.

The pinnacle of the RSA experience is the annual Cryptographers' Gala, which was held in San Francisco City Hall this year. City Hall was refurbished a few years ago; the towering rotunda gleamed in "Mayan Orange" lighting. The event was very posh, with drinks flowing from bars stuck in the hall's every nook and corner, ambient jungle sounds, and women dressed in minimal and untraditional Mayan outfits walking about on stilts. I made a taco, shared random conference impressions with interesting folks, and trolled for new newsletter subscribers (send this issue to a friend or colleague!). My only complaint -- about the gala or the conference -- is that the martini I tried from the martini bar was shaken, not stirred. It wasn't the end of civilization as we know it. Next year I'll have a scotch.