

Ask Security/Cryptography Expert Paul Kocher

Paul Kocher is unquestionably one of the highest-profile computer and network security experts around. He's president of Cryptography Research, Inc. and one of the architects of SSL 3.0. The floor is now open. Please try not to ask questions that can be answered with a few minutes' worth of online research. We'll post Paul's answers to 10 of the highest-moderated questions soon after he gets them back to us. Update: 03/13 18:18 GMT by M : Let's try this one more time, this time with feeling.


  1. Serious Threats? by Prizm · · Score: 5, Interesting

    While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your speciality, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?

    1. Re:Serious Threats? by cheezedawg · · Score: 2, Interesting

      The overwhelming majority of security exploits (over 95% IIRC - sorry, I don't have a source handy) are due to implementation errors and not cryptanalysis. At this point, time is much better spent attacking buggy code than worrying about cryptanalysis threats to well known ciphers.

      --
      "The defense of freedom requires the advance of freedom" - George W Bush
    2. Re:Serious Threats? by swillden · · Score: 2, Informative

      The overwhelming majority of security exploits (over 95% IIRC - sorry, I don't have a source handy) are due to implementation errors and not cryptanalysis.

      Side-channel attacks, technically, *are* attacks against implementations, not the ciphers themselves. They're attacks that exploit the fact that even if the cipher is solid, the execution of the algorithms involves physical effects which can be measured by an attacker with access to the processing device.

      Depending on your point of view, you may or may not consider side-channel vulnerabilities to be implementation errors, but they are real weaknesses for systems that require some sort of secure token to be distributed to large numbers of end-users. With respect to the published attacks against smart cards, there are far *more* side-channel attacks than attacks made possible by software errors. Not surprising, really, the engineers who write that code tend to be very security-paranoid, and it's generally quite small and simple, as well, so it's pretty good.

      As to the OP's question about the feasibility of these attacks in the real world: They're easy, but generally only if you already know lots more about the systems you're attacking than most attackers would. I have no idea if anyone has used them "for real".

      My designs always assume that side-channel attacks are moderately difficult, but feasible.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
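The point made in the reply above, that a side channel is a property of how the algorithm executes rather than of the cipher, as an added example that is not from this thread: a naive early-exit comparison does an amount of work that depends on the secret, while a constant-time comparison does not. The secret value and the "bytes examined" counter are constructed for illustration; in a real system that counter is what shows up as elapsed time.

```python
"""Why a timing side channel is an implementation flaw, not a cipher flaw.

Added example (not from the Slashdot thread). The comparison functions below
count how many bytes they examine before returning; in a deployed system that
count is visible as elapsed time, which is what a timing attack measures.
"""
import hmac
import secrets


def naive_compare(expected: bytes, provided: bytes):
    """Textbook early-exit comparison. Returns (equal, bytes_examined).

    The work done depends on how long the matching prefix is, so the timing
    of a rejection reveals how many leading bytes of the guess were right.
    """
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, provided: bytes):
    """Examines every byte no matter where the first mismatch is.

    Accumulating XOR differences with |= has no data-dependent branch, so the
    work (and hence the timing) is the same for every same-length input.
    Production code should use hmac.compare_digest, which does this in C.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    for a, b in zip(expected, provided):
        diff |= a ^ b
    return diff == 0, len(expected)


def work_by_matching_prefix(compare, secret: bytes):
    """For each prefix length k, build a guess whose first k bytes are right
    and whose byte k is wrong, and record how much work compare() does.

    A flat profile means no leak; a rising profile is the timing channel.
    """
    profile = []
    for k in range(len(secret)):
        wrong_byte = bytes([secret[k] ^ 0x01])      # guaranteed mismatch at k
        guess = secret[:k] + wrong_byte + secret[k + 1:]
        equal, examined = compare(secret, guess)
        assert not equal
        profile.append(examined)
    return profile


if __name__ == "__main__":
    token = secrets.token_bytes(8)                  # constructed sample secret
    print("naive    :", work_by_matching_prefix(naive_compare, token))
    print("constant :", work_by_matching_prefix(constant_time_compare, token))
    print("stdlib agrees on equal input:", hmac.compare_digest(token, token))
```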
    3. Re:Serious Threats? by wfrp01 · · Score: 2, Interesting

      That is to say, what are the chances that these methods are actively being used by attackers?

      Do you think it's valid to rate the severity of a compromise by whether it's being actively exploited right now?

      --

      --Lawrence Lessig for Congress!
  2. Triple barreled question by Sophrosyne · · Score: 5, Interesting

    Should the general public have access to powerful and secure computing as a right, or should cryptography be limited to banks, government agencies, etc.? Do you believe that, as cryptography becomes more prevalent and as computing power increases we will see an increase in criminal activity over the web? And if so, what is the best way to curb illegal activities on the Internet, for example do you give the keys to the Governments that request them?

    1. Re:Triple barreled question by 56ker · · Score: 2, Insightful

      The way to cut down on e-fraud is to have the people in charge educating businesses etc. in IT security. There is also an "embarrassment factor" - which means that a lot of e-fraud goes unreported. Personally - my thoughts are of employing ex- e-fraudsters - but that wouldn't go down too well!

      The banks have major IT security flaws they do nothing about anyway. *whistles innocently*

      Personally I feel if the private individual can afford it then yes - they have access to powerful & secure computers. There is still a big digital divide between the rich and poor. People are still pretty ignorant when it comes to cryptography. RSA are still running that key competition though.

      Criminals use the internet to commit e-fraud as they could be based in Russia (with lax computer laws) and yet be virtually in the US (or UK). Most attempts are script kiddies though. There is a grey line between what's illegal and a nuisance - and what's illegal and something you'd sue an individual over (civil or criminal). Criminals will always find a way to commit crime. What's more worrying is that with cryptography they can communicate with each other in ways that are very difficult to decode.

      The whole escrow key thing & liaising with the "authorities" - well - it's been the source of at least one Tom Clancy novel! I live in the UK - we're well - quite a bit behind the US in regards to IT.

    2. Re:Triple barreled question by lommer · · Score: 2, Funny

      "There is also an "embarassment factor" - which means that a lot of e-fraud goes unreported."

      I think you meant to say e-barassment...

  3. fhnlsfdlkm&5nlkd%Bvbcvbc by matt4077 · · Score: 4, Funny

    fkgsdf%LDjöofjnvBNlöjbfjsbyv%$bhlvy$knvnlkblnbxcjv byx$LJKFhgsfKNV4346Khndjbgvkbhdfgföljny kny_FYFKdfknyY_LirhrhaeihÖFHGsfihFYbjbK453KhdsFkbs KbfknvyVNkKnfkgnbxfdkn445k3nlDKNAdsSAdkfasdfKLNKdf nDFKgnentk4n4ktn4knt4 kaKdfnjaSDKfnaDKfnaK4n4knaKGAna4ank495p9zhthgugbhf hjbernara?

    1. Re:fhnlsfdlkm&5nlkd%Bvbcvbc by Anonymous Coward · · Score: 5, Funny

      Uv, V'z jbaqrevat vs lbh guvax gurer'f n shgher sbe EBG13. V'ir urneq vg'f cerggl frpher...

      Lbh pna ernq guvf? Qnza!

    2. Re:fhnlsfdlkm&5nlkd%Bvbcvbc by DrDevil · · Score: 2, Funny

      Whatever you used to encrypt that mate, it repeats things, fkgsdf, the same keys in the similar area of the keyboard. therefore your cipher must be poor!

    3. Re:fhnlsfdlkm&5nlkd%Bvbcvbc by cornjchob · · Score: 2, Funny

      Wait, let me get out my Little Orphan Annie Decoder Ring...

      "Be sure to drink your Ovaltine"?!

      What the damn? That parent post was just a crummy commercial; aw nuts.

      --
      We now have confirmed reports from an informed Orange County minister that Ethel is still an active communist.
  4. Secure SMTP? by silverhalide · · Score: 3, Interesting

    Is there any feasible way to make SMTP authenticated so spammers can't spoof their IP addresses? Everyone keeps asking but no one seems to know if it's possible.

    1. Re:Secure SMTP? by bellings · · Score: 2, Interesting
      It should be simple to build a system where the identity of everyone who sends you mail is verified by some authority. However, the price is that everyone who uses it will have to be willing to accept a system where you will have to verify your identity to some authority before you send mail.

      So, I guess my question (to stay on subject) is
      • is there an identity verification system that would be suitable for email, and
      • barring that, is there some system that would allow us to charge the sender of any email a small micropayment?
      --
      Slashdot is jumping the shark. I'm just driving the boat.
    2. Re:Secure SMTP? by NudeZiggy · · Score: 2, Informative

      actually both certificate and certify are verbs, it's kinda like extract and extracate, used in different but not so clear ways.

    3. Re:Secure SMTP? by NudeZiggy · · Score: 2, Insightful

      oops, that's extricate

  5. redundancy is key by b_pretender · · Score: 5, Insightful
    Mr. Kocher would point out that in computer security, redundancy is key


    Therefore, "Please try not to ask questions that can be answered with a few minutes' worth of online research." should be rewritten as, "Please try not to ask or moderate up questions that can be answered with a few minutes' worth of online research. "

  6. Social engineering by miratim · · Score: 5, Interesting

    For every advancement in computer security, there seems to be a social backdoor involving the humans that use the system. Is there any research being done on figuring how to effectively solve the social engineering problem at the software/hardware level somehow?

    --
    ~ The Fudge Report @ http://mywebpages.comcast.net/fudgereport/
    1. Re:Social engineering by yugami · · Score: 2, Insightful
      I work in information and network security, and I'd say that you aren't really solving TOO much with your suggestion of fingerprint, MAC address, etc

      reducing the ability for outsiders to influence access isn't solving much?

      The problem is not people figuring out people's passwords. I'd just like to pose: What happens when a buffer overflow is discovered in the biometric information acceptance daemon?

      stop using bad programming practices and allow for dynamic length buffers, or at the very least use checked length function calls.

      security is a multi prong problem that demands multiple solutions, saying that one solution doesn't solve all the issues is a no duh type statement.

    2. Re:Social engineering by ekephart · · Score: 2, Informative

      In banking many things are under dual (or more) control. Same with government. Since paying people is a recurring cost and is expensive, some businesses have pagers that when activated (by satellite, wireless, etc.) give a password to be used in conjunction with their own personal passwords. The system is synced so that at any moment the password is different from the next. You can do the same thing to restrict physical access to a building or room.

      --
      sig
    3. Re:Social engineering by jpvlsmv · · Score: 2, Funny
      What happens when a buffer overflow is discovered in the biometric information acceptance daemon?


      You put a cage over the biometric reader so the user can only put one finger in at a time, duh.

      --Joe
  7. Theory vs. Practice by Anonymous Coward · · Score: 4, Interesting

    It has been said that it is just as important (if not more so) to focus on educating people on what cryptography can do for them as it is to research cryptography to come up with important breakthroughs. What is your opinion on this? Should more focus be put on educating the public?

  8. what should manufacturers do? by rtphokie · · Score: 3, Interesting

    What should manufacturers of networking equipment and software do to help their customers' security efforts?

  9. Ok it's well known that by TerryAtWork · · Score: 4, Interesting

    In Crypto there's the NSA and there's everybody else. It's also well known they're years ahead of the pack etc.

    My first question is, how confident are you, as a crypto person, that you're not inadvertently peddling snake oil, that is, crypto the NSA has already cracked?

    Second, the NSA allegedly has secret patents it uses to suppress new crypto. Do you think this is a significant inhibitor on research or am I worried for nothing?

    --
    It's Christmas everyday with BitTorrent.
  10. who is the worst to deal with? by greechneb · · Score: 5, Interesting

    Where do you find the most resistance is in integrating/using a new standard such as this?

    - The software developers
    - The software distributors
    - The end users

    My first guess would be the end users, but I am curious as to which group gives you the most problems.

  11. Certification and SSL by Zwack · · Score: 3, Interesting

    Given that an SSL connection is cryptographically secure, and that any security is only as strong as its weakest link...

    How secure do you really think an SSL connection is when both parties are having to trust certificates signed by third parties? I don't know how Verisign store their root keys, nor do I know how they verify the identity of someone before issuing a certificate. So can I really trust that a certificate signed by them is valid and can you see any way of removing the trust element?

    Z.

    --
    -- Under/Overrated is meta-moderation, and therefore is Redundant.
  12. Formulaic test for primality by casio282 · · Score: 2, Interesting

    How do you think the recent discovery of a formulaic test for the primality of a number might affect current cryptographic systems? Is there a way to exploit this method into a better system for factoring large primes?

    --

    :wq
  13. How can I help? by arnie_apesacrappin · · Score: 5, Interesting
    I just started a Master's program in CS that is specialized in information security. One of the options for degree completion is a thesis.

    From the formal side of things, I am new to information security. I have been doing applied security work for about three years. I would really like the challenge of writing a thesis, but so far I haven't come up with anything.

    Here are my requirements: I want the topic to be challenging, I want it to be within the grasp of a Master's level understanding of information security, and I want it to be valuable to the community.

    Are there any areas or topics that need to be addressed but have not? Is there something the community needs but has not yet received? If background info helps, I really enjoy picking apart IP traffic, and have some interest in fractals from a mathematic perspective.

    Also, I'd like to say thanks for the links on your site. I now have tons more reading material.

    --

    Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP

  14. So.... by GigsVT · · Score: 4, Interesting

    Have you ever forgotten an important password/passphrase?

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
    1. Re:So.... by tigertigr · · Score: 5, Interesting

      As a follow-up, do you have your own personal system for generating/remembering passwords?

      Furthermore, since we require more and more passwords for things such as networks, email, online banking, ebay, and on and on, what do you think is the best method for joe average to keep track of all of these, aside from a) using the same password for all of them and b) using a "trusted" framework (passport, palladium). Can there ever be a solution to such a problem?

  15. I think.... by unicorn · · Score: 2, Insightful

    They're called Neutron Bombs.

    Honestly, as long as a system can be accessed by someone. It can be accessed by someone that shouldn't.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  16. Not a question, but a comment for slashdot by Anonymous Coward · · Score: 4, Insightful
    After seeing this story go up, it made me actually think about the interview longer, without being so pressed to try to get my response in quickly. I actually went to their website, and read through more carefully than usual. - Which got me to thinking.

    Why not make stories have a ten or fifteen minute delay to allow people to actually READ the articles. Have a little timer that says how long until the story goes live for comments. This might take care of some of those who never read the articles.

    Just a thought....

  17. Worst implementation? by burgburgburg · · Score: 5, Interesting

    In your consulting capacity (and without naming names), have you ever run across a company's security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the company's stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?

    1. Re:Worst implementation? by rjh · · Score: 5, Interesting
      True story. I won't name the company, nor do I list my employment with this company on my résumé. After you hear the story, you'll know why.

      I was recruited from a major telco to work for a competing telco in 1999, ostensibly to work as part of their tiger team. When I showed up for work, there was nobody else on the team. "Don't worry," I was told, "we're hiring more. Just try and get some good design work done on securing our billing back-end, because right now it's wide-open."

      Wait, your billing back-end is wide open?

      "Yes."

      And it's deployed?

      "Yes."

      Oh, fuck.

      So I went to work on the back-end (which, at the time, was handling about $1 billion a year), with a great feeling of doom hanging over my head. When you're getting paid $38K and have no backup and you're told that "if we lose money from insecurity, it's all your fault, regardless of the fact we deployed it without any security to speak of"... well. You can figure it out.

      A month later I had a binder full of attacks against the network, and another binder full of design ideas for how to secure it. By "binder", I mean 2-inch binders stuffed to the gills with paper. I was shortly thereafter called into my manager's office. An HR representative was present, so I knew the news was bad.

      "Rob," my manager said, "we're concerned that you've made no progress on your task..."

      What? I asked. I pulled out the Binders o' Doom from my satchel (we didn't have any secure storage in the development group, so I didn't ever let those binders out of my sight) and set them on her desk.

      "Oh," she said as she leafed through the binders. The look on her face was roughly that of an indigenous South Pacific islander who was seeing an indoor toilet for the first time. "Um. Rob. Didn't anyone tell you?"

      Tell me what?

      "We already have a design we want you to use. You just have to implement it. No, no, you're not anywhere near senior enough to come up with a design for the security of the billing system..."

      I breathed a sigh of relief. Sanity at last! And then she handed me a very thin folder.

      I opened it up and it was, I shit you not, RFC1991. Classic PGP.

      I laughed, handed the binder back, and told her she grabbed the wrong folder. Then she got very angry with me and asked me what, precisely, was wrong with using Classic PGP to secure the back-end?

      I gave her the litany:
      • Classic PGP is used to protect email traffic in transit. It doesn't protect databases, it doesn't separate privileges, it doesn't set up a redundant network, it doesn't do offsite backups, it doesn't make sure your Verisign certs are current.
      • Classic PGP has been superseded by RFC2440, which fixes a lot of problems in the original spec, like no separate subkeys for encryption and signing.
      • Classic PGP uses two patented algorithms, and if you can barely afford the $38K budget entry for my salary, there's no way you can afford the patent royalties on a couple of billion dollars of transactions.
      • Classic PGP is a protocol: it's not a security design.
      • ... and on and on and on.

      Finally I asked "so who's the genius who came up with this one?"

      Whoops. Turns out said genius was sitting across the desk from me.

      By the end of the day I was busy writing Classic PGP in C++, under Management orders. The Sword of Damocles was falling and I was right under it. I protested, loudly and vociferously, until finally I got canned for "not being a team player and not performing according to expectation".

      I was climbing in my car to leave the company for the last time when I realized... hey, I still have the Binders o' Doom in my satchel.

      I got out of my car and walked back towards the building. An HR representative stopped me at the door and told me that if I walked in, it'd be considered trespass. I explained that I just wanted to drop off something for w

    2. Re:Worst implementation? by pyro_peter_911 · · Score: 2, Funny

      I still have the Binders of Doom on my bookshelf, filled with detailed notes and attack trees for how someone could embezzle hundreds of millions of dollars from my former employer. It tells you a lot about them that they left that sort of information in the hands of a disgruntled former employee, eh?

      I'll take those binders off of your hands for $50. :)

      Peter

    3. Re:Worst implementation? by anonymous+cupboard · · Score: 2, Interesting
      Love it. You should have offered to do a presentation for their auditors.

      It's like when I heard an android describing the security requirements for an electronic financial derivatives exchange:

      "Its not like we're dealing with money"

      No, just a government bond worth about $100000.

      Another one at a bank, there is a story about the international payments system. It is split into two parts, the payment transmission system and the ledger. Great idea. Then why save money by having one guy to support both with admin status (he was an external too)? Apparently he siphoned off about $1mill when he was caught. The rumour says he was only caught because he got nervous after 9/11 and wanted to move his ill-gotten gains again. They were already offshore, but the bank queried the transaction and the scheme collapsed.

      The thing is that the SWIFT system is designed around the four-eyes principle. You need two authenticators per transaction, but the number of organisations that make it procedurally easy to avoid these checks is frightening.

  18. what progress... by MarvinMouse · · Score: 3, Interesting

    is being made towards the implementation and use of elliptic curve cryptography?

    I have read a lot about it and it seems to be the direction public-key crypto is going nowadays. Have you done any serious work in this field? and if so, when do you think the public will start to see it implemented full force?

    --
    ~ kjrose
  19. SSL VPNs? by Jacco+de+Leeuw · · Score: 3, Interesting

    What's your opinion on VPNs based on SSL/TLS, instead of those using protocols such as IPsec or PPTP?

    Are SSL VPNs up to par? What are their strengths and weaknesses? Was SSL designed for such applications?

    --
    -------
    Warning: Slashdot may contain traces of nuts.
    1. Re:SSL VPNs? by digitalsushi · · Score: 2, Insightful

      SSL VPNs have one advantage going for them that IPSEC can't compete with- "stealth" mode. Ok, it's surely not invisible, but you can usually configure the port you want it to run on. OpenVPN is what I have converted five of us over to from working FreeS/WAN VPNs, as most of us have the same ISP who has claimed they will be blocking IPSEC packets from residential customers. We don't want our VPN to disappear, so we're forced to use this TLS VPN package.

      I'm unaware of any weaknesses this has versus a real IPSEC solution, but I'm not an expert and that does lead me into my point- lots of people here have struggled with FreeS/WAN- OpenVPN takes about 3 hours to read up on, build, install, configure, and get running.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  20. Internet broken? by bpfinn · · Score: 5, Interesting

    The Internet was primarily designed for use by researchers who were collaborating on similar projects, and so security was not part of the design. Would you advocate designing and building another Internet where security was a major design goal? Or can we tweak the current Internet to reduce that amount of maliciousness that goes on now?

  21. What is worth protecting? by kryzx · · Score: 3, Insightful
    Paul, What advice do you have for people trying to find the balance between security and convenience? When is it worthwhile to protect something? Should a person try to protect all of their info and communications just for privacy purposes, or make a determination about which things are valuable enough to be worth the effort and/or processing power?

    Along these lines, of your own personal communications and data storage, what do you encrypt and what do you leave unencrypted?

    --
    "I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
  22. Unsecurity by termos · · Score: 2, Interesting

    The older versions of SSL has been very insecure.
    How will the SSL team improve security in the new version of the SSL protocol?

    --
    Note to self: get smarter troll to guard door.
  23. Palladium by SiliconEntity · · Score: 5, Interesting

    Paul, what do you think about Microsoft's Palladium initiative and Trusted Computing in general? Will it achieve its goals from the security perspective? Is it only for DRM or are there other ways that you could use it?

  24. Quantum Computing and Cryptography by Nova+Express · · Score: 4, Interesting

    Will the advent of quantum computing render even current, state-of-the-art cryptography obsolete? Is there any way that cryptography can overcome the challenge presented by quantum computing? And how long will it be, if ever, until quantum computer's can break current, state-of-the-art cryptography?

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

  25. Dive Right In by Accidental+Hack · · Score: 5, Interesting

    What does a newbie do? Having been put in a position where I'm partly responsible for server security, and having been put in that position without the proper background (and the responsibility is here to stay), how do I get my head straight on the core issues and make sure I'm not leaving the doors open for anyone to do whatever they want? Reading books/articles doesn't seem to be enough, but if that's the best place to begin, any recommendations?

  26. DRM systems? by Anonymous Coward · · Score: 5, Interesting

    There's much going on in the area of DRM these days. Microsoft/Intel are pushing for a secure nub and a trusted OS (Palladium). DirecTV's P3 is totally hacked and Echostar is open to EJTAG manipulation. The studios are pushing for stronger encryption for the next-generation DVD after CSS has been hacked.

    What is your opinion about where DRM systems should go? How can we protect fair use and still get movies released in HD?

  27. Crypto in the scope of the real world. by matman · · Score: 4, Interesting
    It seems that most cryptographic methods depend on one of a number of hard to solve problems, such as the factoring of large numbers, elliptic curve discrete log, etc. These kinds of methods suffer catastrophic failure when the problems on which they depend are no longer hard. In the foreseeable future, it seems that factoring large primes will become less hard (especially with the help of quantum computers).

    What contingency plans are you aware of? What sort of research is being done to avoid this single point of failure problem in future solutions? Are we just hoping for quantum encryption to save us? Of course, the real solution is to not depend solely on crypto for security, as crypto it self will never be perfect (implementation problems, etc). Security organizations, who haven't already, need to update their risk assessments to include risks to crypto solutions. It's still interesting to look at crypto in a more narrow scope than the real world :)

  28. From a Student's Perspective by TedCheshireAcad · · Score: 4, Interesting

    I am a student pursuing a bachelor's degree in Computational Mathematics.

    What is the best way to go about finding a career in cryptography/cryptology?
    How did you start in the field?
    Is there a "job market" per se, or is it more of a position that one falls into?

    1. Re:From a Student's Perspective by geekoid · · Score: 2, Funny

      What are you, a dolt?
      This had been explained quite clearly in many, many movies.
      First, you crack some secret government super hard code, snoop around.
      The Secret Agency uses their 'really good software', written and operated by some overweight obnoxious individual, to track you to your address.
      They then send someone to kill you, you narrowly escape, befriend some mysterious former agent.
      After he saves you from more assassination attempts, he finally dies saving your life. After which the agency feels bad and brings you on. Usually the rest of the world thinks you are dead, or you maintain a secret job.

      I assume you are not a dolt, but I just wanted to set up the joke.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  29. 64 Bit Computing by MBCook · · Score: 4, Interesting

    One of the applications that is supposed to get a large boost from going from 32 to 64 bits is cryptography. Are you very excited about the move to 64 bits? Do you really think that it would make that much of a difference? Are there any downsides to going to 64 bit computing in cryptography (other than the time to port the software)?

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  30. Alternative to uid/pw logins to establish identity by Blain · · Score: 5, Interesting

    The recent /. discussion of worms exploiting weak passwords got me thinking about problems I have with consistently using strong passwords. I have heard many times that we should use strong passwords (mixed case, letters, symbols, no dictionary words in any language, no number patterns that others could derive, etc.), that we should not reuse passwords, that we should not write down passwords, but should always have them memorized.

    Now, if I was on a handful of systems, this would make sense. However, I've found that many websites I come to are increasingly requiring registration, including creating a userid and password to log in to their systems. The personalization of my interface with their system is nice, but makes following the rules about passwords unmanageable -- I can't keep track of several dozen strong passwords from memory.

    As an alternative to that, for website uses such as I've mentioned, it seems to me that making use of a public-key encryption system, something along the lines of what I understand SSL to do, would seem to make more sense. My system could exchange encrypted data with the web server using our known public keys, enabling us each to know that we are, in fact, who we claim to be. Even if I was required to use my pass-phrase that goes with that public key each time I logged in, it would be easier for me to remember that one pass-phrase (which could be even more secure than a 6-8 character password) than is currently available.

    Obviously there would be change-over costs involved with this, but is there some big reason that this kind of a system would be less secure than the current system, particularly if we take into account the problem of weak and repeatedly used passwords?

  31. Passwords by jamienk · · Score: 3, Interesting

    My wife and I each are forced to have several dozen usernames and passwords for various websites, programs, email accounts, accounts at work's computer systems, etc. It seems that each sys admin/org has a different policy for creating these accounts, so that we are unable to memorize a few possibilities and choose from among those. (sometimes usernames/passwords are assigned, sometimes they insist on having #s, sometimes capital letters, etc.)

    My wife has several files and pieces of paper with all of her passwords written down. She has to keep these on 3 or 4 computers, in her wallet, in her hotmail account, etc.

    How problematic is this? Can this ever be solved? How?

  32. Why should the public care? by httpamphibio.us · · Score: 3, Insightful

    Can you present a brief argument that you believe should raise the interest level of the general public in the need for cryptography?

    --
    sig.
  33. NOT an interview question ... by silvakow · · Score: 2, Funny

    Just thought you'd like to know, ROT13 is outdated. There is a new protocol out to replace it as of a couple of days ago called ROT-13+.

    --
    In the long run, we're all dead.
    1. Re:NOT an interview question ... by epictetus · · Score: 2, Funny

      That's nothing. My corporate VPN runs on double-Rot-13, also known as Rot-26. It's twice as secure!

  34. Your use and abuse of Cryptography by fruey · · Score: 4, Interesting
    I'd like to know if you practice what you preach. Do you go out of your way to use GPG/PGP or other encryption on all correspondence, run all your web applications under TLS/SSL, and generally advocate this? Or is cryptography something for which you think only specific applications are in order?

    The reason I'm asking is because there are a lot of great techies out there, but it's rather the geeks that seem to do most of the advocacy and who seem to be able best to stick to their guns and force their peers to use GPG, etc.

    Also, I used the word "abuse". Do you think you've ever gone over the top with crypting everything, or have you ever used your knowledge to gain access to information that you should not have seen (however trivial), or have you ever been paid to crack something encrypted, won prizes, that sort of thing?

    --
    Conversion Rate Optimisation French / English consultant
  35. Which algorithm / program... by Rui del-Negro · · Score: 2, Insightful

    Which algorithm / program do you use to protect your "top secret" files? And is there any commonly-used algorithm / program that you wouldn't trust to protect your shopping list?

    RMN
    ~~~

  36. Interface with Government agencies by bstadil · · Score: 4, Interesting

    How do you currently interface with various government agencies? What kind of pressure is brought to bear, how do you see it evolving, and are you able to answer these questions freely?

    --
    Help fight continental drift.
  37. TLS/SSL as a sockopt? by brianjcain · · Score: 2, Interesting

    Hey, is there a feasibility problem with making the addition of TLS a socket option? For TCP/UDP/SCTP clients (connection/datagram initiators), it would be great to use a system-wide certificate store (perhaps in kernel space?), and just say "turn on TLS". This would make writing network clients with encrypted traffic a dream.

    Granted, openssl's interface may be trivially more complex, but just the thought of managing yet another set of certificates makes me cringe.

  38. Is Cryptology a House of Cards? by kakos · · Score: 4, Insightful

    All of cryptology is built on a group of cryptographic primitives. Block ciphers, hash functions, factoring problems, discrete log problems, etc. are all used to build higher-order cryptographic structures, such as MACs, encryption, and signature schemes. However, none of these primitives is proven secure. How do you feel about cryptology being built on such a fragile foundation, essentially making it a house of cards?

  39. Your use of cryptography in everyday tasks ... by Hollins · · Score: 4, Interesting

    To what extent do you use cryptography in everyday life? For instance, under what circumstances do you digitally sign or encrypt email? What information do you encrypt on your hard drive? How do you communicate securely with folks who aren't technically adept with current encryption tools? Are the tools at your disposal easy enough to use to keep up with your level of paranoia?

    thanks.

  40. Is the Technology ahead of us? by Coz · · Score: 5, Interesting

    Thanks for letting us ask you these questions.

    Over the last couple of decades, cryptography has gone from being the domain of major governments, big business, and the odd hobbyist and researcher to being a massive public industry that anyone can (and does) participate in, with new algorithms published and new applications announced almost every week. Meanwhile, we learn of vulnerabilities in various implementations of cryptosystems much more frequently than we hear of people discovering fundamental flaws in the cryptosystems themselves.

    Given these facts, do you think we need to change focus, turning to validating and "approving" implementations of cryptosystems (such as your own SSL 3.0) or should the emphasis of the "crypto community" continue to be innovation in fundamentals of cryptographic systems and new applications for them? How important is it to have someone verify that a cryptosystem is implemented well?

    Thanks, and I'll take my answer off the air :)

    --
    I love vegetarians - some of my favorite foods are vegetarians.
  41. Books, scientific journals etc by ralphus · · Score: 3, Interesting
    Everyone's read Applied Cryptography. Some have read Handbook of Applied Cryptography. I've also read Security Engineering, which a lot haven't seen and which has a good amount of crypto in it.

    Can you recommend some good hardcore books, or journals to follow for what's going on currently in the crypto scientific community?

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  42. The Human Factor by Anonymous Coward · · Score: 3, Interesting

    Cryptography is great, but it's only part of the solution. Seems to me that all cryptography and security measures are no more than "levels of deterrence". If someone wants to gain access to your critical data, the easiest way is not going to be to break an algorithm, or try to guess a key. Corporate espionage and social engineering both play a huge role in the security of information. If you can dig through a trash can to find a password, or pose as a technician to gain a key to a system, why would you ever want to try to break the algorithm? How can you eliminate employees choosing passwords like 'secret', 'password', or '12345', especially when the company heads are not technical enough to enforce company policies? After all, just because someone pays you for your advice as a consultant doesn't mean they'll take it. On the other end of the argument, you can't expect people to remember 16 8-bit hexadecimal numbers that are generated at random monthly, so how do you let them carry around their password in a secure fashion? Biometrics seems promising, but what if someone is able to copy your fingerprints? It's not like you can get a new finger... Any suggestions on this would be helpful... thanks!

  43. Roles of quantum cryptography by Cyran0 · · Score: 2, Interesting

    With recent developments, such as the capability to "store" photon states within a physical substance, and the progress in quantum NOT gates, there seems to be steady advancement towards quantum computing / quantum cryptography. What roles do you see quantum computing and quantum cryptography taking in changing the way cryptography is handled at present? What hurdles would have to be overcome in order to make these of practical use?

  44. Which side would you take? by CracktownHts · · Score: 3, Interesting

    As an authority in the "private industry", I'm assuming you earn more money and get more public respect than someone working for the NSA. My question is, if it weren't for the secrecy and (probable) lower pay in the NSA or a similar agency, would you want to work for them? That is, if the recognition and material rewards were equal on both sides, which would you choose?

  45. The Importance of Cryptography by presroi · · Score: 5, Interesting

    Ignoring errors in the several implementations, current encryption software provides everyone the chance to keep information secure, as it is simply impractical to break the encryption in a reasonable amount of time and with enough money provided. Nevertheless, I notice that the overall awareness about keeping information secret is pretty low (I'm too young to say that it has been higher some time). Anybody who wants to get encrypted information simply attacks not the data itself but the people with legitimate access to this data. Sometimes, even this is not necessary (I get unencrypted but highly confidential information (No Nigeria Spam!) almost daily due to a popular internet domain from my government with a similar spelling. Those people are just guessing the email address of their friends and sometimes they fail.)
    So, my question is this:

    Does cryptography have to include the human factor itself in the calculation, or is it still only about mathematics? Can you imagine a strong encryption system with a special focus on people with low awareness?

  46. Re:WHY DONT YOU (etc.) by Jacco de Leeuw · · Score: 2, Insightful
    Rudeness aside, this Anonymous Coward makes a valid remark.

    However, I was not referring to the same kinds of VPNs the AC mentions. I understand why TCP over TCP is a bad idea.

    I was thinking of these kinds of products:

    --
    -------
    Warning: Slashdot may contain traces of nuts.
  47. How does the Via C3 "Nehemiah" RNG work? by Anonymous Coward · · Score: 2, Interesting

    VIA's web site says that you are testing their hardware RNG, and "preliminary results show high-quality output".

    So... how does it work? I know Intel's chipsets count cycles of a high-speed (~300 MHz) clock between cycles of a low-speed VCO controlled by resistor noise.

    Did they repeat Intel's mistake of implementing hardware whitening, or is it feasible to implement on-line quality checks by testing to see if the deviation from randomness is as expected?

    What's the software interface?
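    The on-line check the question above asks about, as an added example that is not code from the page and not VIA's or Intel's design: a constructed noise source with a fixed bias stands in for a defective generator, a von Neumann debiaser stands in for hardware whitening, and a monobit deviation test (the expected deviation of the ones-count for an unbiased source) is run over both. The bias, the sample size and the 4-sigma threshold are assumptions chosen for the illustration.

```python
"""Added example: why whitening in hardware defeats software-side RNG health checks.
All bit streams here are constructed (simulated); no real hardware output is used."""
import random
from math import sqrt


def biased_source(n_bits, p_one=0.6, seed=1):
    """Constructed stand-in for a raw noise source whose bias (60% ones) is a defect."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def von_neumann_whiten(bits):
    """Classic debiasing: consume bit pairs, emit 0 for 01 and 1 for 10, drop 00 and 11.
    A constant bias vanishes entirely, so anything downstream sees a healthy-looking stream."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def monobit_z(bits):
    """Deviation of the ones-count from its expectation, in standard deviations.
    For an unbiased source ones ~ Binomial(n, 1/2): mean n/2, std sqrt(n)/2."""
    n = len(bits)
    ones = sum(bits)
    return (ones - n / 2) / (sqrt(n) / 2)


def online_health_check(bits, z_max=4.0):
    """Pass only if the observed deviation is one an unbiased source would plausibly show.
    z_max=4 is an assumed threshold: false-alarm rate well below 1e-4 per check."""
    return abs(monobit_z(bits)) <= z_max


def demo(n_bits=20000):
    raw = biased_source(n_bits)
    whitened = von_neumann_whiten(raw)
    return {
        # the defect is visible on raw bits: z is in the tens, check fails
        "raw_passes": online_health_check(raw),
        # the same defect is invisible after whitening: check passes
        "whitened_passes": online_health_check(whitened),
        # whitening also throws away roughly half the input
        "whitened_len": len(whitened),
    }


if __name__ == "__main__":
    print(demo())
```

    The design point: a monobit test on whitened output tells you nothing about the noise source, because the whitener is exactly the thing that erases the statistic you are measuring. If the raw bits are exposed, software can run this kind of check continuously and refuse output when the deviation exceeds what an unbiased source would produce; if only whitened bits are exposed, a failing source can only be caught by looking at whether the output rate collapses (the dropped pairs) rather than at the bits themselves.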

  48. Experts and/or The Masses by jfmiller · · Score: 2, Interesting

    I have heard from everyone with any real experience in cryptography that of all the areas of computing, cryptography is the one best left to the experts. What most programmers (including myself) might think of as a very secure encryption, when analysed by the experts, turns out to be as transparent as ROT13.

    On the other hand, nowhere is the Open Source Model more touted as the panacea of computing than in cryptography. Many eyes, it is said, will catch backdoors and reveal poor implementations before they become security issues.

    My question then: when developing and implementing encryption, how would you weigh the need for expertise against the trust and scrutiny available from Open Source development?

    --
    Strive to make your client happy, not necessarily give them what they ask for
  49. SSL and Forward Security by Effugas · · Score: 5, Interesting

    Paul,

    First of all, thank you for agreeing to be interviewed here. It's greatly appreciated.

    I'm curious if you wouldn't mind elaborating a bit on the catastrophic failure of the SSL security architecture given the compromise of an RSA private key. An attacker can literally sniff all traffic for a year, break in once to steal the key, then continue to passively decrypt not only all of last year's traffic but all of next year's too. And if he'd like to partake in more active attacks -- session hijacking, malicious data insertion, etc. -- that's fine too.

    In short, why? After so much work was done to come up with a secure per-session master secret, what caused the asymmetric component to be left so vulnerable? Yes, PGP's just as vulnerable to this failure mode, but PGP doesn't have the advantage of a live socket to the other host.

    More importantly, what can be done for those nervous about this shortcoming in an otherwise laudable architecture? I looked at the DSA modes, but nothing seems to accelerate them (which kills its viability for the sites who would need it most). Ephemeral RSA seemed interesting, but according to Rescorla's documentation it only supports a maximum of 512 bits for the per-session asymmetric key -- insufficient. If Verisign would sign a newly generated key each day, that'd work -- but then, you'd probably need to sign over part of your company to afford the service. Would it even be possible for them to sign one long term key, tied to a single fully qualified domain name, that could then sign any number of ephemeral or near-ephemeral short term keys within the timeframe allotted in the long term cert?

    Thanks again for any insight on the matter you may be able to provide!

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
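    The failure mode described above and the "long-term key that only signs short-term keys" remedy, as an added toy model that is not code from the page and not an SSL implementation: one handshake transports the premaster secret under the server's long-term RSA key, the other runs an ephemeral Diffie-Hellman exchange whose server value is merely signed by that key. An attacker who recorded both transcripts and later steals the private key can recover the first session's key and not the second. The RSA parameters are tiny constructed values with no padding, the DH group is 2^127-1 with generator 2, and the key derivation is a plain hash: all assumptions for the illustration, none of them secure.

```python
"""Added toy model: static-RSA key exchange vs. ephemeral DH signed by the same long-term key.
Textbook RSA with constructed toy parameters and no padding: illustration only."""
import hashlib
import secrets

# Long-term server key: constructed toy RSA parameters (assumption, not a real key size)
P, Q = 61, 53
N = P * Q                     # 3233
E = 17
D = 2753                      # E * D == 1 (mod lcm(P-1, Q-1))
SERVER_PUB = (N, E)
SERVER_PRIV = (N, D)

# Group for the ephemeral exchange: 2**127 - 1 is a Mersenne prime; generator 2 (assumed)
DH_P = (1 << 127) - 1
DH_G = 2


def rsa_apply(key, x):
    """Textbook RSA: x ** exponent mod n. The same operation encrypts/decrypts and signs/verifies."""
    n, exp = key
    return pow(x, exp, n)


def hash_to_int(data, modulus):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


def rsa_sign(priv, data):
    return rsa_apply(priv, hash_to_int(data, priv[0]))


def rsa_verify(pub, data, sig):
    return rsa_apply(pub, sig) == hash_to_int(data, pub[0])


def session_key(shared_secret):
    """Stand-in for master-secret derivation; only parties holding shared_secret get the key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def rsa_key_exchange():
    """Static RSA (the mode the post describes): the client picks the premaster secret and
    encrypts it to the server's long-term public key. Returns the recorded wire data and
    the key both ends derive."""
    premaster = secrets.randbelow(N)
    on_the_wire = {"client_key_exchange": rsa_apply(SERVER_PUB, premaster)}
    assert rsa_apply(SERVER_PRIV, on_the_wire["client_key_exchange"]) == premaster
    return on_the_wire, session_key(premaster)


def dhe_key_exchange():
    """Ephemeral DH authenticated by the long-term key: the key signs, it never encrypts.
    The exponents a and b exist only for this handshake and are discarded."""
    a = secrets.randbelow(DH_P - 2) + 1       # server ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1       # client ephemeral exponent
    A = pow(DH_G, a, DH_P)
    B = pow(DH_G, b, DH_P)
    sig = rsa_sign(SERVER_PRIV, A.to_bytes(16, "big"))
    assert rsa_verify(SERVER_PUB, A.to_bytes(16, "big"), sig)
    on_the_wire = {"server_key_exchange": (A, sig), "client_key_exchange": B}
    shared = pow(B, a, DH_P)
    assert shared == pow(A, b, DH_P)
    return on_the_wire, session_key(shared)


def offline_attacker(on_the_wire, stolen_priv):
    """Recorded the transcript earlier, stole the private key later. Returns the session
    key if the transcript plus the key are enough to compute it, else None."""
    if "server_key_exchange" in on_the_wire:
        # Only g^a, g^b and a signature were recorded; the private key decrypts neither
        # and the exponents are gone. (Forging *future* handshakes is still possible.)
        return None
    premaster = rsa_apply(stolen_priv, on_the_wire["client_key_exchange"])
    return session_key(premaster)


def demo():
    wire_rsa, key_rsa = rsa_key_exchange()
    wire_dhe, key_dhe = dhe_key_exchange()
    return {
        "rsa_session_recovered": offline_attacker(wire_rsa, SERVER_PRIV) == key_rsa,
        "dhe_session_recovered": offline_attacker(wire_dhe, SERVER_PRIV) == key_dhe,
    }


if __name__ == "__main__":
    print(demo())
```

    The signature over the ephemeral value in the DHE branch is exactly the "one long-term key signs any number of short-term keys" arrangement the post asks about; no per-day CA involvement is needed because the certificate only has to vouch for the signing key. The property holds only if the ephemeral exponent is really discarded after each handshake: a server that caches and reuses its DH exponent for performance turns the exponent into another long-lived secret whose theft decrypts every session it was used for.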

  50. trust in open p2p communities by smd4985 · · Score: 4, Interesting

    as a software engineer building open source p2p applications (gnutella), we are faced with a huge problem: how do we establish trust in an open environment where any application that speaks the protocol can participate? we've thought of various cryptographic systems to establish trust, but they have several fatal flaws - they require some sort of centralization (a no-no in a p2p environment), they lock out 'untrusted' vendors, etc.

    what can we do to maintain an open environment and establish trust between peers?

    --
    smd4985
  51. NSA may not be that far ahead. by rjh · · Score: 5, Insightful

    First, it's not well-known that the NSA is years ahead of the pack. That's purely speculation. The NSA says so little about how much they know that anyone who says "they're years ahead" just shows they don't know what they're talking about.

    In the '70s, '80s, and on up into the '90s, the NSA was certainly ahead of the civilian cryptanalytic community. DES, for instance, had its S-boxes strengthened against differential cryptanalysis in the '70s--about a decade and a half before the civilian cryptanalytic community discovered differential cryptanalysis.

    But recently, there've been tantalizing signs the NSA is not as far ahead as people once thought. The civilian cryptanalytic community has grown tremendously in just the last ten years, and the quality of scholarship is the best we've seen since Turing and Shannon established the field. The civilian cryptanalytic community is now breaking NSA designs.

    For instance: the NSA submitted a pretty cool cipher mode (Dual Counter Mode) for use with AES. People were looking forward to the opportunity to beat on an NSA design--and lo and behold, Dual Counter Mode was broken within a matter of weeks. The cryptoparanoids out there will say the NSA intentionally put out a weak mode in order to fool their enemies into underestimating their talents, but--really. Occam's Razor applies to the NSA as much as it applies to anyone else. The simpler explanation is that the NSA got egg on their face, just like everyone else has had. If you're going to be active in the crypto community, you're going to get your fair share of brain-os. Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

    The really fascinating NSA braino is, undoubtedly, SKIPJACK, the cipher which was going to be the heart of the Clipper Chip. It had a very solid design and 32 rounds. 32 rounds is a lot of rounds--the idea the NSA would make a 32-round cipher struck a lot of people as evidence that the NSA was being extremely conservative.

    Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

    Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors, and they allowed a small number of outside experts (incl. Dorothy Denning, who's a crypto luminary) to review major portions of the classified cipher.

    So either you've got to believe the NSA lied to Congress, deliberately deceived Denning, and that Denning wasn't smart enough to know she was being deceived... or you can believe the civilian cryptanalytic community is getting good enough to challenge the NSA on the NSA's own terms.

    Anyway. Come to your own beliefs as to how far ahead the NSA is of the civilian cryptanalytic community. I think the answer is "not very", but reasonable people will certainly disagree on these things.

    1. Re:NSA may not be that far ahead. by swillden · · Score: 4, Insightful

      Good post, but I disagree on a couple of minor points.

      Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

      This doesn't really follow. Schneier's a smart guy, and he's among the better cryptographers in the world, but his screwup doesn't necessarily mean that the NSA would also.

      However, the fact that *every* cryptographer who's been around for a while has had his or her share of public failures does.

      Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

      Umm, not quite. First, Biham and Shamir invented differential cryptanalysis in 1990; they didn't invent it to attack SKIPJACK (although their paper on SKIPJACK did introduce a new variant, IIRC). Second, there are two possible "lessons" to take away regarding the capabilities of the NSA. One is what you said, that the NSA had built in a lower safety margin than they thought they had, but the other is that they knew what they were doing and deliberately chose 32 rounds because they knew 31 could be broken and they're pretty confident in their analysis.

      Breaking a 31-round reduction of SKIPJACK does absolutely no good if you need to decrypt messages encrypted with 32-round SKIPJACK.

      Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors

      Umm, SKIPJACK *doesn't* have any back doors or weaknesses that we know of. The LEAF (Law Enforcement Access Field) they proposed for Clipper (with SKIPJACK as the cipher) was soundly thrashed by Matt Blaze, but that was the opposite. The NSA intended to design in a back door whereby law enforcement officials could decrypt messages, but Blaze found a way to close that door.

      The weakness in the LEAF, however, was almost certainly a significant "braino" by the NSA. Even if for some reason they wanted to be able to defeat the LEAF, they apparently underestimated the ability of academic cryptanalysts. It's more likely, however, that they just plain screwed up, just like they did with the dual counter mode.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  52. Factoring by rmcnutt · · Score: 2, Interesting

    What impact would a factoring algorithm which reduced prime factoring to a non-exponential problem have on the encryption industry in general?

  53. USPTO by T. Bombadil · · Score: 5, Interesting

    Has any of your work been impacted or covered up by the USPTO's ability to declare a patent a secret? Were you compensated for the loss? How do you feel about the confiscation, both personally and in general?

    --
    -- If you cast your bread on the water, sometimes it comes back angel food cake.
  54. Please use Google. by rjh · · Score: 4, Insightful

    *sigh* I really wish people wouldn't mod up questions which can be adequately answered with a quick Google search. That said--please mod the parent down, since it's not worth Paul's time. But I'm not going to leave the poster empty-handed, either.

    Flipping a bit requires a thermodynamic minimum of 4.4 * 10**-26 joules of energy. (Ignore the time/power theoretical tradeoff and energyless reversible computing, please: those are still purely theoretical, and we have no computers which can do it. For that matter, we have no computers which can approach the thermodynamic minimum, but let's give the NSA some credit.)

    That means it requires a minimum of 1.1 * 10**-23 joules of power to store a 256-bit AES key. Let's assume you have some kind of truly bizarre key cracker that can do an energyless rekey and key trial: all you have to do is have 1.1 * 10**-23 joules of power for each key you want to test. That's the thermodynamic minimum energy you need just to store the key.

    To break a 256-bit key by brute force requires, on average, 2**255 operations. Multiply 1.1 * 10**-23 joules of power by 2**255, and you get 6.5 * 10**53 joules of power.

    Let me repeat this.

    It requires

    650000000000000000000000000000000000000000000000000000

    ... joules of power.

    By comparison, the Sun's annual power output is in the realm of 1.2 * 10**34 joules.

    Or

    12000000000000000000000000000000000

    ... joules of power.

    Are you beginning to see why it's such a silly question to ask whether or not modern ciphers can be brute-forced with Crays?

    Please. Use Google before asking questions.

  55. Grid Computing and Crypto by Subotai · · Score: 4, Interesting

    Grid Computing seems to be a technology that has the potential to host brute force decryption efforts. Aside from bigger and bigger keys, are there any other crypto techniques or research underway to defeat grid computing? Also, what does this mean for desktop cryptography?

    --
    "The only way to catch tiger cubs is to go into the tiger's den."
  56. Security as an Engineering Discipline by Anonymous Coward · · Score: 2, Insightful
    In most engineering/applied math disciplines we use the following approach:
    • Identify a problem - that is some phenomena we want to control, some functionality we want to support or find something we want to prove/solve for or approximate.
    • Design an approach - Come up with a control mechanism, implement the desired functionality or derive a proof or estimate.
    • Analyze the approach - Examine the approach and measure its cost, correctness and performance.

    When we talk about cryptography, people go around saying that one method is stronger than another; however, I haven't seen quantifiable measures of strength presented. What (if any) strength measurements do security analysts use, and how are these measurements computed?
  57. Security/Cryptography vs Development by sirrube · · Score: 3, Interesting

    How difficult is it to implement very secure algorithms for the common developer with little experience in implementing security? As innovations in making more complex algorithms come into play, what types of innovations are being done for implementing these algorithms? Could the lack of understanding of how to implement these algorithms be in itself a reason for the lack of security in applications / processes?

  58. Crypto for battery-powered devices by andsand · · Score: 2, Interesting

    Hi!

    Thank you for letting us ask all these questions.

    If you would recommend using crypto in PDAs, cellphones etc. that are dependent on battery power, and you want to be as secure as on your desktop where SSH and SSL are used, what crypto would you use for different applications such as web services, mail, telnet and Voice over IP? Are there any crypto algorithms that are much less computing intensive but still keep a high crypto profile?

    --
    Luck is opportunity meets preparation, lets get lucky
  59. Quantum attack by one_line_enough · · Score: 2, Interesting

    In your opinion, how well would current crypto standards (SSL for example) stand up against a cryptanalysis attack using quantum computer(s) (if/when ever available)?

  60. How do you think? by Charles Dodgeson · · Score: 4, Interesting
    When I first read about some discovery of a weakness (for example, I know your name from your work on MD5), I am always struck by the thinking beyond the framework of the designer of the system and of the community to date. The same thing strikes me about timing attacks and similar sorts of things. These are things that I wouldn't have thought of in a million years. Can you give any insight into how minds like yours work? And to what extent do you think that this might be a trainable skill?

    I normally hate the cliche of "thinking outside of the box", but here it is fully appropriate.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  61. Human adoption? by kirkjobsluder · · Score: 2, Insightful

    It seems that the primary problem with cryptography is sociology, not mathematics. I spent about two weeks signing messages before co-workers complained that it made mail more difficult to read. A talk I gave last year on the importance of securing research data was attended by a total of 3 people. What do you see as the biggest barriers to adoption of digital signatures?