RSA Panel: Cryptography Can't Foil Human Weakness

    Date25 Feb 2004
    Posted ByAnthony Pell
    Anyone with any savvy in the computer security world already knows that the weakest link is virtually always the users. Technically speaking, the world of cryptography has reached the point where it is feasible to secure static data beyond the reach of any reasonable attack, and streaming data may reach that point soon as well as streaming encryption is replaced by block encryption, which, though it requires more resources, is now well within reach. But none of that helps if users fall victim again and again to the same social engineering attacks, giving away the keys to their own castles. Who now has any doubt that there will be an increasing prevailance of 'phishing' schemes in the coming years? . . . Enhanced security can solve many issues, but it can't improve the thing that sits between the keyboard and the chair--the user--a cryptographers' panel concluded Tuesday.

    The panel, a staple of the RSA Conference here, invited four of the industry's luminaries on stage with Bruce Schneier, author and chief technology officer at Counterpane Internet Security, to discuss the evolution of cryptography. The discussion soon turned to recent failures in information security, however, including the recent leak of some of Microsoft Corp.'s source code and the knotty security problem of social engineering.

    Each panelist--Whitfield Diffie, chief security officer at Sun Microsystems Inc.; Paul Kocher, president and chief scientist at Cryptography Research Inc.; Ron Rivest, Viterbi professor of computer science at the Massachusetts Institute of Technology; and Adi Shamir, professor at the Weizmann Institute of Science in Israel--came to the panel with his own view of security priorities. Rivest, for example, was concerned with the policy of security., Diffie, on the other hand, said the industry was shaping up for a battle over DRM.

    Increasingly, the panelists said, security experts' challenges have had less to do with the intricacies of cryptosystems used to wrap code than the real-world intricacies of standards and government guidelines. Rivest cited the case of Diebold Systems Inc.'s electronic voting machine code, which was found on the Internet and quickly picked apart as insecure. Until a grass-roots movement pushed for paper-based records to prove a voter cast a ballot for one candidate over another, the Diebold machine did not allow for independent verification of results.

    "Why am I, as a cryptographer, talking about such things?" Rivest asked, citing Archimedes' maxim: "Give me one smooth spot to stand on and I will move the world." "We have great levers to move things, if we have a smooth spot to stand on," Rivest said. "We have secure platforms and secure keys to move the earth a bit."

    Similarly, Kocher said he was "terrified" of the only solution he saw to enforcing consumer privacy--government regulation. While consumers have a strong incentive to maintain their privacy, law-enforcement agencies and large corporations do not, he said.

    You are not authorised to post comments.

    LinuxSecurity Poll

    Has your email account ever been pwned in a data breach?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.