RSA 2004: Magic Carpet Ride
By Seth Ross
The RSA Conference is the world's leading information security
conference and expo, and every year it delivers up prominent keynote
speakers, deep technical sessions, and a sprawling array of product
and service vendor displays. But it also delivers some awesome hard
rock entertainment. Previous years have featured bands like Kansas
and the Jefferson Starship. For this years
conference held the week of Feb. 23 in San Francisco, the planners
went all out with a 70's theme and the World Classic Rockers
a supergroup with former members from Lynyrd Skynyrd, Toto, Steppenwolf,
and the Eagles laid down some crunchy riffs on the show floor
including a rousing rendition of "Magic Carpet Ride":
Last night I held Aladdin's lamp And so I wished that I could
stay Before the thing could answer me Well, someone came and took
the lamp away I looked around, a lousy candle's all I found
In keeping with the Steppenwolf lyric, I'll start out my coverageof
the conference with the candle, and work my way back to Aladdin's
Gates Keynote: Another Brick in the Wall
Bill Gates delivered a keynote presentation 
featuring several forthcoming security subsystems that will debut
in Windows XP Service Pack 2 (SP2): a Windows Security Center, a
personal firewall that looks like Zone Alarm, a new anti-spam technique,
and the "Active Protection" platform, which will incorporate
elements of intrusion prevention.
"No single technology can adequately protect against the many
different kinds of attacks that computers face," Gates said.
"Resiliency can only be achieved with a combination of security
technologies designed to combat the sophisticated threat from worms
Microsoft seems fully committed to a "more is more" approach
to computer security. The security countermeasures slated for SP2
will add another layer of bricks in the wall. All will be fine,
one may infer, if we only build a high enough wall.
So, for example, Gates showed how the new Active Protection technology
can disable the old ActiveX technology in Internet Explorer. An
unsigned ActiveX applet was blocked by Active Protection, leaving
a big hole in the middle of a web page.
While Gates speech seemed reasonable on the surface, a strategy
of addressing security by adding more subsystems violates the principle
that complexity is the enemy of security. Ross Anderson, a computer
security researcher at Cambridge University, has noted that, statistically
speaking, Windows will probably never be bug-free: "The news
for Windows users is about as bad as can be. Once software passes
a certain threshold of complexity, you can expect that its reliability
will be governed by statistics which ensure that it becomes more
reliable at the slowest possible rate."
So, in accordance with the principle of simplicity, it would have
been more compelling if Gates rather than introducing Active
Protection as a way to make Internet Explorer safe from ActiveX
had announced the removal of ActiveX technology from the
Indeed, the new security systems themselves add complexity and
inevitable bugs. They will add more "surface area" for
attackers to probe and exploit. While it's hard to argue against
items like an improved personal firewall, we'll know that Microsoft
is serious about security when Bill Gates comes to RSA and talks
about what's being taken out of Windows, rather than what's being
Gates presentation was smooth and meticulously rehearsed. Every
statement he made was carefully crafted, as one might expect from
one of the most powerful people in the world. Ironically, Gates
has a problem: like the light from a lone candle, Gates comments
cannot be very illuminating. Instead, his words are by necessity
carefully proscribed by legal and financial concerns and by the
needs of his company and its shareholders.
Gates keynote was followed by what many consider to be the
highlight of the RSA Conference each year: the Cryptographers' Panel.
The panel featured five cryptographers Whitfield Diffie,
Paul Kocher, Ronald Rivest, Bruce Schneier, and Adi Shamir -
who lit up the Moscone Center hall with their disarmingly frank
Cryptographers are truth-tellers. They are trained and engrained
in an academic environment that carefully vets their work. As a
largely mathematical field, cryptography is built around proofs
either the math works, or it doesn't. As professional paranoids,
crypto- graphers learn to deconstruct protocols to ascertain whether
one party in a transaction is cheating another, or how an attacker
might break the security of a cryptosystem.
Gates had alluded to the leak of Windows 2000 and NT source code
onto the Internet that Microsoft reported on February 20.
The cryptographers expressed concern. Kocher noted that he wanted
to look at the source to try to assess the impact of the leak, but
was advised not to by his lawyers due to its proprietary nature.
"We can't look at the source code to help people, but the
bad guys can look at it for their own purposes, so we are in an
awkward situation which represents the worst of both worlds,"
Shamir the "S" in RSA - said he would not look
at the source code. "Not because I talked to my lawyer,"
he noted, "But because it is boring. Who wants to look at millions
of lines of source code?"
Rivest the "R" in RSA - brought up the risks of
electronic voting systems and spoke in favor of keeping things simple
with vote- verified paper audit trails.
Diffie bemoaned the rise of Digital Rights Management, noting that
the day is coming when you won't be able to buy a PC that does what
you want it to do.
Overall, this year's panel was less controversial than in the past.
For the most part, the political and legal struggles over crypto-
graphy from the 1990s have been resolved in favor of deregulation
While started off by the panel, when the lamp was lit, much of
the brilliance emanated from the crypto sessions upstairs in Theatre
#1 at the Sony Metreon.
New Crypto Techniques: Identity-Based Encryption
The RSA Conference used to be devoted almost entirely to crypto-
graphy. Each year, however, crypto becomes a smaller part of the
larger computer security industry. Still, the conference has a rigorous
Cryptography Track, with presentations by cryptographers based on
peer-reviewed work. These track sessions never make the news because
much of the work is entirely theoretical in nature.
Nonetheless, some very interesting developments in cryptography
bear notice. New crypto techniques are like the headwaters of a
great river: they flow from high mountains and eventually make it
down to the solid ground and into products.
Two speakers presented developments in related areas: identity-based
encryption and intrusion-resilient cryptosystems.
Dan Boneh, a professor at Stanford, spoke on Identity Based Encryption
(IBE), a set of techniques that simplifies public key and certificate
management. With IBE, a user's public key is derived from a simple
string such as an email address. This approach could be used to
eliminate user-level certificate directories.
A bit of history helps contextualize Boneh's work. Prior to the
invention of public key cryptography, cryptosystems generally relied
on the exchange of symmetric keys among users. Alice and Bob would
share a secret (say, a passphrase), and then would use the secret
symmetrically to pass encrypted messages back and forth. While this
can work well with two parties, it becomes unmanageable as more
users need to secure communications: each pair of users needs to
exchange a secret and if there are thousands of users, there are
potentially millions of secrets to exchange.
Public-key cryptography gives each user a public/private key pair.
By assigning each user a single key that can be shared publicly,
this method reduces the number of key exchanges that must occur.
But another problem emerges: the need for a Public Key Infra- structure
(PKI), including Certificate Authorities (CA) that bind user identities
to their respective public keys. This creates a bootstrap problem
for applications like email encryption: Alice needs to send Bob
an encrypted email, and thus needs his public key, and thus needs
to find the CA that can either provide it or verify it.
Identity-based encryption uses the bilinear maps associated with
Elliptic Curve Cryptography to enable any string even the
number "1" and most obviously email addresses to
be used as public keys. This way, Alice doesn't need anything but
Bob's email address, which she already has, in order to send him
an encrypted email. In this scheme, the need for an online public
key directory is reduced.
Instead, it's replaced by a private key server on the backend that
the recipient must authenticate to in order to decrypt incoming
messages. Once Bob gets the IBE message sent by Alice, he authenti-
cates to the server and gets the corresponding private key that
will decrypt Alice's message.
Boneh envisions that user-level IBE might be combined with traditional
PKI techniques in hybrid systems. The private key servers of large
organizations Foo Inc. and Bar Inc. would both have public keys
validated by a root CA so that all the users at Foo and Bar could
exchange IBE email. Conceptually, this is far simpler thanbr current
PKI systems, which assume that every single user has a unique public
While IBE is interesting and far more mathematically interesting
than the brief overview offered here it is not clear that
it will work on large scale in the real world. We'll probably find
out soon enough since there is a company trying to commercialize
the technology. You can find out more about
Boneh's work with IBE by consulting his published work 
and his 2003 paper on "Identity
based encryption from the Weil pairing".
New Crypto Techniques: Intrusion-Resilient Public Key Encryption
The security of public key encryption schemes relies entirely on
the security of the private (secret) key. It's a gnarly problem:
when a private key is compromised, the victim loses all security.
All past messages can be decrypted by the attacker as well as all
future messages encrypted under the corresponding public key.
This problem is even more acute given the storage of private keys
on lightweight mobile devices that are easy to steal.
As part of the Cryptography Track, Atsuko Miyaji presented "A
Generic Construction for Intrusion-Resilient Public-Key Encryption",
based on work by herself, Yevgeniy Dodis, Matt Franklin, Jonathan
Katz, and Moti Yung. She put forth the notion of "intrusion
resilience" as a means of mitigating the harmful effects of
private key exposure.
In the intrusion resilience model, the public key remains the same
while the private key evolves at regular intervals over time. An
attacker who steals the private key is thwarted only messages
within a distinct time period can be compromised.
This is accomplished by splitting the private key into a user portion
and a base portion. The user portion is responsible for decryption
operations; the base portion, for periodic key updates. The scheme
remains secure even in the event of multiple compromises of either
the user portion or the base portion, as long as both portions are
not compromised at the same time. Even if they are, messages encrypted
in the past and in the future will remain secure.
As a rule, consistency is the enemy of security. Predictable, fixed,
and unchanging assets are vulnerable targets that are difficult
to defend. They put the attacker in control of timing: the attack
can be carefully planned and executed at the attacker's discretion.
This is the problem with castles, walls, large-scale American military
operations, and even "small" assets like private keys.
The idea of evolving "shape-shifting" encryption keys
is elegant in how it makes time the friend of the defender.
The work of Atsuko et al. builds on the work others Adam
Back  informally proposed a key updating method
in 1996, which Ross Anderson later formalized .
Like IBE, this is interesting work that has unproven potential.
The details are laid out in the paper, "A Generic Construction
for Intrusion-Resilient Public-Key Encryption".
PC Guardian News
One of the great things about the RSA Conference is the opportunity
to meet customers and prospects face to face. PC Guardian had a
lot to talk about this year, including a new management console
designed to provide policy control over distributed encryption installations:
a renewed commitment to providing a high level of assurance in our
encryption products as demonstrated by a pending EAL4 evaluation
under the Common Criteria: http://www.pcguardiantech.com/press/20040225_Start_of_EAL4.html
The conference final keynote speaker was David Kahn, a historian
who published the definitive history of cryptography in the 1960s:
_The Codebreakers_. This massive tome covers centuries of progress
in cryptography with extended but breathless coverage of the cryptanalytical
exploits of the US in World War II. Kahn spoke to the topic of his
new book, _The Reader of Gentleman's Mail: Herbert O. Yardley and
the Birth of American Codebreaking_.
Kahn is a wonderful weaver of crypto lore, and Yardley was instrumental
in establishing the first US organization dedicated to codebreaking.
The book is due out this month and can be ordered from Amazon.com:
_The Codebreakers_ is available now at: http://www.amazon.com/exec/obidos/ASIN/0684831309/pcguardian-20
There are two other books by authors mentioned in this newsletter
thatdeserve strong recommendation:
_Beyond Fear_ by Bruce Schneier, a sterling analysis that offers
several frameworks for thinking about security: http://www.amazon.com/exec/obidos/ASIN/0387026207/pcguardian-20
 "Only For A Moment -- RSA Conference
 Full lyrics for "Magic Carpet Ride"
 You can find the text of his presentation at
 The quote is taken from here:
See also Anderson's home page:
 Microsoft's statement on the Windows source
code leak can be found here:
 Voltage Security is bringing IBE to market:
 Dan Boneh's publications by topic at
 "Identity based encryption from the Weil
 "non-interactive forward secrecy",
Cypherpunks posting by Adam Back
 "Two Remarks on Public Key Cryptology",
 A Generic Construction for Intrusion-Resilient
Encryption, Yevgeniy Dodis, Matt Franklin, Jonathan Katz,
Miyaji, and Moti Yung
ABOUT THE AUTHOR
Seth is the Chief Strategy Officer at PC Guardian and author of
the book, _UNIX System Security Tools_ (McGraw-Hill 1999): http://www.amazon.com/exec/obidos/ASIN/0079137881/pcguardian-20