Securius Newsletter

March 12, 2004
Volume 5, Number 1
http://www.securius.com

RSA 2004: Magic Carpet Ride

By Seth Ross

The RSA Conference is the world's leading information security conference and expo, and every year it delivers up prominent keynote speakers, deep technical sessions, and a sprawling array of product and service vendor displays. But it also delivers some awesome hard rock entertainment. Previous years have featured bands like Kansas and the Jefferson Starship.[1] For this year’s conference, held the week of Feb. 23 in San Francisco, the planners went all out with a 70's theme and the World Classic Rockers — a supergroup with former members from Lynyrd Skynyrd, Toto, Steppenwolf, and the Eagles — laid down some crunchy riffs on the show floor, including a rousing rendition of "Magic Carpet Ride"[2]:

Last night I held Aladdin's lamp
And so I wished that I could stay
Before the thing could answer me
Well, someone came and took the lamp away
I looked around, a lousy candle's all I found

In keeping with the Steppenwolf lyric, I'll start out my coverage of the conference with the candle, and work my way back to Aladdin's lamp.


Gates Keynote: Another Brick in the Wall

Bill Gates delivered a keynote presentation [3] featuring several forthcoming security subsystems that will debut in Windows XP Service Pack 2 (SP2): a Windows Security Center, a personal firewall that looks like Zone Alarm, a new anti-spam technique, and the "Active Protection" platform, which will incorporate elements of intrusion prevention.

"No single technology can adequately protect against the many different kinds of attacks that computers face," Gates said. "Resiliency can only be achieved with a combination of security technologies designed to combat the sophisticated threat from worms and viruses."

Microsoft seems fully committed to a "more is more" approach to computer security. The security countermeasures slated for SP2 will add another layer of bricks in the wall. All will be fine, one may infer, if we only build a high enough wall.

So, for example, Gates showed how the new Active Protection technology can disable the old ActiveX technology in Internet Explorer. An unsigned ActiveX applet was blocked by Active Protection, leaving a big hole in the middle of a web page.

While Gates’ speech seemed reasonable on the surface, a strategy of addressing security by adding more subsystems violates the principle that complexity is the enemy of security. Ross Anderson, a computer security researcher at Cambridge University, has noted that, statistically speaking, Windows will probably never be bug-free: "The news for Windows users is about as bad as can be. Once software passes a certain threshold of complexity, you can expect that its reliability will be governed by statistics which ensure that it becomes more reliable at the slowest possible rate."[4]

So, in accordance with the principle of simplicity, it would have been more compelling if Gates — rather than introducing Active Protection as a way to make Internet Explorer safe from ActiveX — had announced the removal of ActiveX technology from the Windows platform.

Indeed, the new security systems themselves add complexity and inevitable bugs. They will add more "surface area" for attackers to probe and exploit. While it's hard to argue against items like an improved personal firewall, we'll know that Microsoft is serious about security when Bill Gates comes to RSA and talks about what's being taken out of Windows, rather than what's being added.


The Truth-Tellers

Gates’ presentation was smooth and meticulously rehearsed. Every statement he made was carefully crafted, as one might expect from one of the most powerful people in the world. Ironically, Gates has a problem: like the light from a lone candle, Gates’ comments cannot be very illuminating. Instead, his words are by necessity carefully circumscribed by legal and financial concerns and by the needs of his company and its shareholders.

Gates’ keynote was followed by what many consider to be the highlight of the RSA Conference each year: the Cryptographers' Panel. The panel featured five cryptographers — Whitfield Diffie, Paul Kocher, Ronald Rivest, Bruce Schneier, and Adi Shamir — who lit up the Moscone Center hall with their disarmingly frank assessments.

Cryptographers are truth-tellers. They are trained and engrained in an academic environment that carefully vets their work. As a largely mathematical field, cryptography is built around proofs — either the math works, or it doesn't. As professional paranoids, cryptographers learn to deconstruct protocols to ascertain whether one party in a transaction is cheating another, or how an attacker might break the security of a cryptosystem.

Gates had alluded to the leak of Windows 2000 and NT source code onto the Internet that Microsoft reported on February 20.[5] The cryptographers expressed concern. Kocher noted that he wanted to look at the source to try to assess the impact of the leak, but was advised not to by his lawyers due to its proprietary nature.

"We can't look at the source code to help people, but the bad guys can look at it for their own purposes, so we are in an awkward situation which represents the worst of both worlds," said Kocher.

Shamir — the "S" in RSA — said he would not look at the source code. "Not because I talked to my lawyer," he noted, "But because it is boring. Who wants to look at millions of lines of source code?"

Rivest — the "R" in RSA — brought up the risks of electronic voting systems and spoke in favor of keeping things simple with vote-verified paper audit trails.

Diffie bemoaned the rise of Digital Rights Management, noting that the day is coming when you won't be able to buy a PC that does what you want it to do.

Overall, this year's panel was less controversial than in the past. For the most part, the political and legal struggles over cryptography from the 1990s have been resolved in favor of deregulation and internationalization.

While the lamp was lit by the panel, much of the brilliance emanated from the crypto sessions upstairs in Theatre #1 at the Sony Metreon.


New Crypto Techniques: Identity-Based Encryption

The RSA Conference used to be devoted almost entirely to cryptography. Each year, however, crypto becomes a smaller part of the larger computer security industry. Still, the conference has a rigorous Cryptography Track, with presentations by cryptographers based on peer-reviewed work. These track sessions never make the news because much of the work is entirely theoretical in nature.

Nonetheless, some very interesting developments in cryptography bear notice. New crypto techniques are like the headwaters of a great river: they flow from high mountains and eventually make it down to the solid ground and into products.

Two speakers presented developments in related areas: identity-based encryption and intrusion-resilient cryptosystems.

Dan Boneh, a professor at Stanford, spoke on Identity Based Encryption (IBE), a set of techniques that simplifies public key and certificate management. With IBE, a user's public key is derived from a simple string such as an email address. This approach could be used to eliminate user-level certificate directories.

A bit of history helps contextualize Boneh's work. Prior to the invention of public key cryptography, cryptosystems generally relied on the exchange of symmetric keys among users. Alice and Bob would share a secret (say, a passphrase), and then would use the secret symmetrically to pass encrypted messages back and forth. While this can work well with two parties, it becomes unmanageable as more users need to secure communications: each pair of users needs to exchange a secret and if there are thousands of users, there are potentially millions of secrets to exchange.

Public-key cryptography gives each user a public/private key pair. By assigning each user a single key that can be shared publicly, this method reduces the number of key exchanges that must occur. But another problem emerges: the need for a Public Key Infrastructure (PKI), including Certificate Authorities (CA) that bind user identities to their respective public keys. This creates a bootstrap problem for applications like email encryption: Alice needs to send Bob an encrypted email, and thus needs his public key, and thus needs to find the CA that can either provide it or verify it.

Identity-based encryption uses the bilinear maps associated with Elliptic Curve Cryptography to enable any string — even the number "1" and most obviously email addresses — to be used as public keys. This way, Alice doesn't need anything but Bob's email address, which she already has, in order to send him an encrypted email. In this scheme, the need for an online public key directory is reduced.

Instead, it's replaced by a private key server on the backend that the recipient must authenticate to in order to decrypt incoming messages. Once Bob gets the IBE message sent by Alice, he authenticates to the server and gets the corresponding private key that will decrypt Alice's message.

Boneh envisions that user-level IBE might be combined with traditional PKI techniques in hybrid systems. The private key servers of large organizations Foo Inc. and Bar Inc. would both have public keys validated by a root CA so that all the users at Foo and Bar could exchange IBE email. Conceptually, this is far simpler than current PKI systems, which assume that every single user has a unique public key.

While IBE is interesting — and far more mathematically interesting than the brief overview offered here — it is not clear that it will work on a large scale in the real world. We'll probably find out soon enough since there is a company trying to commercialize the technology.[6] You can find out more about Boneh's work with IBE by consulting his published work [7] and his 2003 paper on "Identity based encryption from the Weil pairing".[8]


New Crypto Techniques: Intrusion-Resilient Public Key Encryption

The security of public key encryption schemes relies entirely on the security of the private (secret) key. It's a gnarly problem: when a private key is compromised, the victim loses all security. All past messages can be decrypted by the attacker as well as all future messages encrypted under the corresponding public key.

This problem is even more acute given the storage of private keys on lightweight mobile devices that are easy to steal.

As part of the Cryptography Track, Atsuko Miyaji presented "A Generic Construction for Intrusion-Resilient Public-Key Encryption", based on work by herself, Yevgeniy Dodis, Matt Franklin, Jonathan Katz, and Moti Yung. She put forth the notion of "intrusion resilience" as a means of mitigating the harmful effects of private key exposure.

In the intrusion resilience model, the public key remains the same while the private key evolves at regular intervals over time. An attacker who steals the private key is thwarted — only messages within a distinct time period can be compromised.

This is accomplished by splitting the private key into a user portion and a base portion. The user portion is responsible for decryption operations; the base portion, for periodic key updates. The scheme remains secure even in the event of multiple compromises of either the user portion or the base portion, as long as both portions are not compromised at the same time. Even if they are, messages encrypted in the past and in the future will remain secure.

As a rule, consistency is the enemy of security. Predictable, fixed, and unchanging assets are vulnerable targets that are difficult to defend. They put the attacker in control of timing: the attack can be carefully planned and executed at the attacker's discretion. This is the problem with castles, walls, large-scale American military operations, and even "small" assets like private keys. The idea of evolving "shape-shifting" encryption keys is elegant in how it makes time the friend of the defender.

The work of Atsuko et al. builds on the work of others — Adam Back [9] informally proposed a key updating method in 1996, which Ross Anderson later formalized [10]. Like IBE, this is interesting work that has unproven potential. The details are laid out in the paper, "A Generic Construction for Intrusion-Resilient Public-Key Encryption".[11]


PC Guardian News

One of the great things about the RSA Conference is the opportunity to meet customers and prospects face to face. PC Guardian had a lot to talk about this year, including a new management console designed to provide policy control over distributed encryption installations: http://pcguardiantech.com/Encryption_Plus_Management_Console/ and a renewed commitment to providing a high level of assurance in our encryption products as demonstrated by a pending EAL4 evaluation under the Common Criteria: http://www.pcguardiantech.com/press/20040225_Start_of_EAL4.html


End Note

The conference's final keynote speaker was David Kahn, a historian who published the definitive history of cryptography in the 1960s: _The Codebreakers_. This massive tome covers centuries of progress in cryptography with extended but breathless coverage of the cryptanalytical exploits of the US in World War II. Kahn spoke to the topic of his new book, _The Reader of Gentleman's Mail: Herbert O. Yardley and the Birth of American Codebreaking_.

Kahn is a wonderful weaver of crypto lore, and Yardley was instrumental in establishing the first US organization dedicated to codebreaking. The book is due out this month and can be ordered from Amazon.com: http://www.amazon.com/exec/obidos/ASIN/0300098464/pcguardian-20

_The Codebreakers_ is available now at: http://www.amazon.com/exec/obidos/ASIN/0684831309/pcguardian-20

There are two other books by authors mentioned in this newsletter that deserve strong recommendation:

_Beyond Fear_ by Bruce Schneier, a sterling analysis that offers several frameworks for thinking about security: http://www.amazon.com/exec/obidos/ASIN/0387026207/pcguardian-20

REFERENCES

[1] "Only For A Moment -- RSA Conference 2003 Redux"
http://www.securius.com/archive/403.txt

[2] Full lyrics for "Magic Carpet Ride" are here:
http://www.steppenwolf.com/lyr/magcca.html

[3] You can find the text of his presentation at
http://www.microsoft.com/billgates/speeches/2004/02-24rsa.asp

[4] The quote is taken from here:
http://www.guardian.co.uk/business/story/0,3604,1148153,00.html

See also Anderson's home page:
http://www.cl.cam.ac.uk/~rja14/

[5] Microsoft's statement on the Windows source code leak can be found here:
http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.asp

[6] Voltage Security is bringing IBE to market:
http://www.identicrypt.com/

[7] Dan Boneh's publications by topic at
http://crypto.stanford.edu/~dabo/pubs-by-topic.html#elliptic

[8] "Identity based encryption from the Weil pairing"
http://crypto.stanford.edu/~dabo/abstracts/ibe.html

[9] "non-interactive forward secrecy", Cypherpunks posting by Adam Back
http://cypherpunks.venona.com/date/1996/09/msg00561.html

[10] "Two Remarks on Public Key Cryptology", Ross Anderson
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/forwardsecure.pdf

[11] “A Generic Construction for Intrusion-Resilient Public-Key
Encryption”, Yevgeniy Dodis, Matt Franklin, Jonathan Katz, Atsuko
Miyaji, and Moti Yung
http://theory.lcs.mit.edu/~yevgen/ps/gen-irenc.ps

 

ABOUT THE AUTHOR
Seth is the Chief Strategy Officer at PC Guardian and author of the book, _UNIX System Security Tools_ (McGraw-Hill 1999): http://www.amazon.com/exec/obidos/ASIN/0079137881/pcguardian-20



Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.