Ask Security/Cryptography Expert Paul Kocher

Paul Kocher is unquestionably one of the highest-profile computer and network security experts around. He's president of Cryptography Research, Inc. and one of the architects of SSL 3.0. The floor is now open. Please try not to ask questions that can be answered with a few minutes' worth of online research. We'll post Paul's answers to 10 of the highest-moderated questions soon after he gets them back to us. Update: 03/13 18:18 GMT by M : Let's try this one more time, this time with feeling.

Serious Threats?

[Prizm]

While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your speciality, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?

Triple barreled question

[Sophrosyne]

Should the general public have access to powerful and secure computing as a right, or should cryptography be limited to banks, government agencies, etc.? Do you believe that, as cryptography becomes more prevalent and as computing power increases we will see an increase in criminal activity over the web? And if so, what is the best way to curb illegal activities on the Internet, for example do you give the keys to the Governments that request them?

Social engineering

[miratim]

For every advancement in computer security, there seems to be a social backdoor involving the humans that use the system. Is there any research being done on figuring how to effectively solve the social engineering problem at the software/hardware level somehow?

Theory vs. Practice

It has been said that it is just as important (if not more so) to focus on educating people on what cryptography can do for them as it is to research crypotography to come up with important breakthroughs. What is your opinion on this? Should more focus be put on educating the public?

Ok it's well known that

[TerryAtWork]

In Crypto there's the NSA and there's everybody else. It's also well known they're years ahead of the pack etc.

My first question is, how confident are you, as a crypto person, that you're not inadvertently peddling snake oil, that is, crypto the NSA has already cracked?

Second, the NSA allegedly has secret patents it uses to suppress new crypto. Do you think this is a significant inhibiter on research or am I worried for nothing?

who is the worst to deal with?

[greechneb]

Where do you find the most resistance is in integrating/using a new standard such as this?

- The software developers
- The software distributors
- The end users

My first guess would be the end users, but I am curious as to which group gives you the most problems.

How can I help?

[arnie_apesacrappin]

I just started a Master's program in CS that is specialized in information security. One of the options for degree completion is a thesis.

From the formal side of things, I am new to information security. I have been doing applied security work for about three years. I would really like the challenge of writing a thesis, but so far I haven't come up with anything.

Here are my requirements: I want the topic to be challenging, I want it to be within the grasp of a Master's level understanding of information security, and I want it to be valuable to the community.

Are there any areas or topics that need to be addressed but have not? Is there something the community needs but has not yet received? If background info helps, I really enjoy picking apart IP traffic, and have some interest in fractals from a mathematic perspective.

Also, I'd like to say thanks for the links on your site. I now have tons more reading material.

So....

[GigsVT]

Have you ever forgotten an important password/passphrase?

Re:So....

[tigertigr]

As a follow-up, do you have your own personal system for generating/remembering passwords?

Furthermore, since we require more and more passwords for things such as networks, email, online banking, ebay, and on and on, what do you think is the best method for joe average to keep track of all of these, aside from a) using the same password for all of them and b) using a "trusted" framework (passport, palladium). Can there ever be a solution to such a problem?

Worst implementation?

[burgburgburg]

In your consulting capacity (and without naming names), have you ever run across a companies security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the companies stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?

Re:Worst implementation?

[rjh]

True story. I won't name the company, nor do I list my employment with this company on my resume'. After you hear the story, you'll know why.

I was recruited from a major telco to work for a competing telco in 1999, ostensibly to work as part of their tiger team. When I showed up for work, there was nobody else on the team. "Don't worry," I was told, "we're hiring more. Just try and get some good design work done on securing our billing back-end, because right now it's wide-open."

Wait, your billing back-end is wide open?

"Yes."

And it's deployed?

"Yes."

Oh, fuck.

So I went to work on the back-end (which, at the time, was handling about $1 billion a year), with a great feeling of doom hanging over my head. When you're getting paid $38K and have no backup and you're told that "if we lose money from insecurity, it's all your fault, regardless of the fact we deployed it without any security to speak of"... well. You can figure it out.

A month later I had a binder full of attacks against the network, and another binder full of design ideas for how to secure it. By "binder", I mean 2-inch binders stuffed to the gills with paper. I was shortly thereafter called into my manager's office. An HR representative was present, so I knew the news was bad.

"Rob," my manager said, "we're concerned that you've made no progress on your task..."

What? I asked. I pulled out the Binders o' Doom from my satchel (we didn't have any secure storage in the development group, so I didn't ever let those binders out of my sight) and set them on her desk.

"Oh," she said as she leafed through the binders. The look on her face was roughly that of an indigenous South Pacific islander who was seeing an indoor toilet for the first time. "Um. Rob. Didn't anyone tell you?"

Tell me what?

"We already have a design we want you to use. You just have to implement it. No, no, you're not anywhere near senior enough to come up with a design for the security of the billing system..."

I breathed a sigh of relief. Sanity at last! And then she handed me a very thin folder.

I opened it up and it was, I shit you not, RFC1991. Classic PGP.

I laughed, handed the binder back, and told her she grabbed the wrong folder. Then she got very angry with me and asked me what, precisely, was wrong with using Classic PGP to secure the back-end?

I gave her the litany:

• Classic PGP is used to protect email traffic in transit. It doesn't protect databases, it doesn't separate privileges, it doesn't set up a redundant network, it doesn't do offsite backups, it doesn't make sure your Verisign certs are current.
• Classic PGP has been superseded by RFC2440, which fixes a lot of problems in the original spec, like no separate subkeys for encryption and signing.
• Classic PGP uses two patented algorithms, and if you can barely afford the $38K budget entry for my salary, there's no way you can afford the patent royalties on a couple of billion dollars of transactions.
• Classic PGP is a protocol: it's not a security design.
• ... and on and on and on.

Finally I asked "so who's the genius who came up with this one?"

Whoops. Turns out said genius was sitting across the desk from me.

By the end of the day I was busy writing Classic PGP in C++, under Management orders. The Sword of Damocles was falling and I was right under it. I protested, loudly and vociferously, until finally I got canned for "not being a team player and not performing according to expectation".

I was climbing in my car to leave the company for the last time when I realized... hey, I still have the Binders o' Doom in my satchel.

I got out of my car and walked back towards the building. An HR representative stopped me at the door and told me that if I walked in, it'd be considered trespass. I explained that I just wanted to drop off something for w

Internet broken?

[bpfinn]

The Internet was primarily designed for use by researchers who were collaborating on similar projects, and so security was not part of the design. Would you advocate designing and building another Internet where security was a major design goal? Or can we tweak the current Internet to reduce that amount of maliciousness that goes on now?

Palladium

[SiliconEntity]

Paul, what do you think about Microsoft's Palladium initiative and Trusted Computing in general? Will it achieve its goals from the security perspective? Is it only for DRM or are there other ways that you could use it?

Quantum Computing and Cryptography

[Nova+Express]

Will the advent of quantum computing render even current, state-of-the-art cryptography obsolete? Is there any way that cryptography can overcome the challenge presented by quantum computing? And how long will it be, if ever, until quantum computer's can break current, state-of-the-art cryptography?

Dive Right In

[Accidental+Hack]

What does a newbie do? Having been put in a position where I'm partly responsible for server security, and having been put in that position without the proper background (and the responsiblity is here to stay), how do I get my head straight on the core issues and make sure I'm not leaving the doors open for anyone to do whatever they want? Reading books/articles doesn't seem to be enough, but if that's the best place to begin, any recommendations?

DRM systems?

There's much going on in the area of DRM these days. Microsoft/Intel are pushing for a secure nub and a trusted OS (Palladium). DirecTV's P3 is totally hacked and Echostar is open to EJTAG manipulation. The studios are pushing for stronger encryption for the next-generation DVD after CSS has been hacked.

What is your opinion about where DRM systems should go? How can we protect fair use and still get movies released in HD?

Crypto in the scope of the real world.

[matman]

It seems that most cryptographic methods depend on one of a number of hard to solve problems, such as the factoring of large numbers, elliptic curve discrete log, etc. These kinds of methods suffer catastrophic failure when the problems on which they depend are no longer hard. In the foreseeable future, it seems that factoring large primes will become less hard (especially with the help of quantum computers).

What contingency plans are you aware of? What sort of research is being done to avoid this single point of failure problem in future solutions? Are we just hoping for quantum encryption to save us? Of course, the real solution is to not depend solely on crypto for security, as crypto it self will never be perfect (implementation problems, etc). Security organizations, who haven't already, need to update their risk assessments to include risks to crypto solutions. It's still interesting to look at crypto in a more narrow scope than the real world :)

From a Student's Perspective

[TedCheshireAcad]

I am a student pursuing a bachelor's degree in Computational Mathematics.

What is the best way to go about finding a career in cryptography/cryptology?
How did you start in the field?
Is there a "job market" per se, or is it more of a position that one falls into?

64 Bit Computing

[MBCook]

One of the applications that is supposed to get a large boost from going from 32 to 64 bits is cryptography. Are you very excited about the move to 64 bits? Do you really think that it would make that much of a difference? Are there any downsides to going to 64 bit compuiting in cryptography (other than the time to port the software)?

Alternative to uid/pw logins to establish identity

[Blain]

The recent /. discussion of worms exploiting weak passwords got me thinking problems I have with consistently using strong passwords. I have heard many times that we should use strong passwords (mixed case, letters, symbols, no dictionary words in any language, no number patterns that others could derive, etc.), that we should not reuse passwords, that we should not write down passwords, but should always have them memorized.

Now, if I was on a handful of systems, this would make sense. However, I've found that many websites I come to are increasingly requiring registration, including creating a userid and password to log in to their systems. The personalization of my interface with their system is nice, but makes following the rules about passwords unmanageable -- I can't keep track of several dozen strong passwords from memory.

As an alternative to that, for website uses such as I've mentioned, it seems to me that making use of a public-key encryption system, something along the lines of what I understand SSL to do, would seem to make more sense. My system could exchange encrypted data with the web server using our known public keys, enabling us each to know that we are, in fact, who we claim to be. Even if I was required to use my pass-phrase that goes with that public key each time I logged in, it would be easier for me to remember that one pass-phrase (which could be even more secure than a 6-8 character password) than is currently available.

Obviously there would be change-over costs involved with this, but is there some big reason that this kind of a system would be less secure than the current system, particularly if we take into account the problem of weak and repeatedly used passwords?

Your use and abuse of Cryptography

[fruey]

I'd like to know if you practice what you preach. Do you go out of your way to use GPG/PGP or other encryption on all correspondance, run all your web applications under TLS/SSL, and generally advocate this? Or is cryptography something for which you think only specific applications are in order?

The reason I'm asking is because there are a lot of great techies out there, but it's rather the geeks that seem to do most of the advocacy and who seem to be able best to stick to their guns and force their peers to use GPG, etc.

Also, I used the word "abuse" also. Do you think you've ever gone over the top with crypting everything, or have you ever used your knowledge to gain access to information that you should not have seen (however trivial), or have you ever been paid to crack something encrypted, won prizes, that sort of thing?

Interface with Government agencies

[bstadil]

How do you currently interface with various government agencies? What kind of pressure is put to bear, how do you see it evolving and are you able to answer these questions freely.

Your use of cryptography in everyday tasks ...

[Hollins]

To what extent to you use cryptography in everyday life? For instance, under what circumstances do you digitally sign or encrypt email? What information do you encrypt on your hard drive? How do you communicate securely with folks who aren't technically adept with current encryption tools? Are the tools at your disposal easy enough to use to keep up with your level of paranoia?

thanks.

Is the Technology ahead of us?

[Coz]

Thanks for letting us ask you these questions.

Over the last couple of decades, cryptography has gone from being the domain of major governments, big business, and the odd hobbyist and researcher to being a massive public industry that anyone can (and does) participate in, with new algorithms published and new applications announced almost every week. Meanwhile, we learn of vulnerabilities in various implementations of cryptosystems much more frequently than we hear of people discovering fundamental flaws in the cryptosystems themselves.

Given these facts, do you think we need to change focus, turning to validating and "approving" implementations of cryptosystems (such as your own SSL 3.0) or should the emphasis of the "crypto community" continue to be innovation in fundamentals of cryptographic systems and new applications for them? How important is it to have someone verify that a cryptosystem is implemented well?

Thanks, and I'll take my answer off the air :)

The Importance of Cryptography

[presroi]

Ignoring errors in the several implementation, current encryption algorithms software provides everyone the chance to keep information secure as it is simply impractial to break the encryption in a reasonable amount of time and enough money provided. Nevertheless, I notice that the overall awareness about keeping information secret is pretty low (I'm too young to say that it has been higher some time). Anybody, who wants to get encrypted information simply attacks not the data itself but the people with legitimate access to this data. Sometimes, even this is not nescessary (I get unencrypted but highly confidential information (No Nigeria Spam!) almost daily due to a popular internet domain from my government with a simiar spelling. Those people are just guessing the email adress of their friends and sometimes they fail.)
So, my question is this:

Has cryptography to include the human factor itself into the calculation or is it still only about mathematics? Can you imagine a strong encryption system with a special focus on people with low awareness?

SSL and Forward Security

[Effugas]

Paul,

First of all, thank you for agreeing to be interviewed here. It's greatly appreciated.

I'm curious if you wouldn't mind elaborating a bit on the catastrophic failure of the SSL security architecture given the compromise of an RSA private key. An attacker can literally sniff all traffic for a year, break in once to steal the key, then continue to passively decrypt not only all of last year's traffic but all of next year's too. And if he'd like to partake in more active attacks -- session hijacking, malicious data insertion, etc. -- that's fine too.

In short, why? After so much work was done to come up with a secure per-session master secret, what caused the asymmetric component to be left so vulnerable? Yes, PGP's just as vulnerable to this failure mode, but PGP doesn't have the advantage of a live socket to the other host.

More importantly, what can be done for those nervous about this shortcoming in an otherwise laudable architecture? I looked at the DSA modes, but nothing seems to accelerate them (which kills its viability for the sites who would need it most). Ephemeral RSA seemed interesting, but according to Rescola's documentation it only supports a maximum of 512 bits for the per-session asymmetric key -- insufficient. If Verisign would sign a newly generated key each day, that'd work -- but then, you'd probably need to sign over part of your company to afford the service. Would it even be possible for them to sign one long term key, tied to a single fully qualified domain name, that could then sign any number of ephemeral or near-ephemeral short term keys within the timeframe allotted in the long term cert?

Thanks again for any insight on the matter you may be able to provide!

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

trust in open p2p communities

[smd4985]

as a software engineer building open source p2p applications (gnutella), we are faced with a huge problem: how do we establish trust in a open environment where any application that speaks the protocol can participate? we've thought of various cryptographic systems to establish trust, but they have several fatal flaws - they require some sort of centralization (a no-no in a p2p environent), they lock out 'untrusted' vendors, etc.

what can we do to maintain an open environment and establish trust between peers?

USPTO

[T.+Bombadil]

Has any of your work been impacted or covered up by the USPTO's ability to declare a patent a secret? Were you compensated for the loss? How do feel about the confiscation both personally and in general?

Grid Computing and Crypto

[Subotai]

Grid Computing seems to be a technology that has the potential to host brute force decryption efforts. Aside from bigger and bigger keys are there any other crypto techiqures or research underway to defeat grid computing? Also, what does this mean for desktop cryptography?

How do you think?

[Charles+Dodgeson]

When I first read about some discovery of a weakness (for example, I know your name from your work on MD5), I am always struck by the thinking beyond the framework of the designer of the system and of the community to date. The same things strikes me about timing attacks and similar sorts of things. These are things that I wouldn't have thought of in a million years. Can you give any insight into how minds like yours work. And to what extent you think that this might be a trainable skill.

I normally hate the cliche of "thinking outside of the box", but here it is fully appropriate.