Ask Security/Cryptography Expert Paul Kocher

Paul Kocher is unquestionably one of the highest-profile computer and network security experts around. He's president of Cryptography Research, Inc. and one of the architects of SSL 3.0. The floor is now open. Please try not to ask questions that can be answered with a few minutes' worth of online research. We'll post Paul's answers to 10 of the highest-moderated questions soon after he gets them back to us. Update: 03/13 18:18 GMT by M : Let's try this one more time, this time with feeling.

Serious Threats?

[Prizm]

While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your speciality, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?

Triple barreled question

[Sophrosyne]

Should the general public have access to powerful and secure computing as a right, or should cryptography be limited to banks, government agencies, etc.? Do you believe that, as cryptography becomes more prevalent and as computing power increases we will see an increase in criminal activity over the web? And if so, what is the best way to curb illegal activities on the Internet, for example do you give the keys to the Governments that request them?

fhnlsfdlkm&5nlkd%Bvbcvbc

[matt4077]

fkgsdf%LDjöofjnvBNlöjbfjsbyv%$bhlvy$knvnlkblnbxcjv byx$LJKFhgsfKNV4346Khndjbgvkbhdfgföljny kny_FYFKdfknyY_LirhrhaeihÖFHGsfihFYbjbK453KhdsFkbs KbfknvyVNkKnfkgnbxfdkn445k3nlDKNAdsSAdkfasdfKLNKdf nDFKgnentk4n4ktn4knt4 kaKdfnjaSDKfnaDKfnaK4n4knaKGAna4ank495p9zhthgugbhf hjbernara?

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

Uv, V'z jbaqrevat vs lbh guvax gurer'f n shgher sbe EBG13. V'ir urneq vg'f cerggl frpher...

Lbh pna ernq guvf? Qnza!

redundancy is key

[b_pretender]

Mr. Kocher would point out that in computer security, redundancy is key

Therefore, "Please try not to ask questions that can be answered with a few minutes' worth of online research." should be rewritten as, "Please try not to ask or moderate up questions that can be answered with a few minutes' worth of online research. "

Social engineering

[miratim]

For every advancement in computer security, there seems to be a social backdoor involving the humans that use the system. Is there any research being done on figuring how to effectively solve the social engineering problem at the software/hardware level somehow?

Theory vs. Practice

It has been said that it is just as important (if not more so) to focus on educating people on what cryptography can do for them as it is to research crypotography to come up with important breakthroughs. What is your opinion on this? Should more focus be put on educating the public?

Ok it's well known that

[TerryAtWork]

In Crypto there's the NSA and there's everybody else. It's also well known they're years ahead of the pack etc.

My first question is, how confident are you, as a crypto person, that you're not inadvertently peddling snake oil, that is, crypto the NSA has already cracked?

Second, the NSA allegedly has secret patents it uses to suppress new crypto. Do you think this is a significant inhibiter on research or am I worried for nothing?

who is the worst to deal with?

[greechneb]

Where do you find the most resistance is in integrating/using a new standard such as this?

- The software developers
- The software distributors
- The end users

My first guess would be the end users, but I am curious as to which group gives you the most problems.

How can I help?

[arnie_apesacrappin]

I just started a Master's program in CS that is specialized in information security. One of the options for degree completion is a thesis.

From the formal side of things, I am new to information security. I have been doing applied security work for about three years. I would really like the challenge of writing a thesis, but so far I haven't come up with anything.

Here are my requirements: I want the topic to be challenging, I want it to be within the grasp of a Master's level understanding of information security, and I want it to be valuable to the community.

Are there any areas or topics that need to be addressed but have not? Is there something the community needs but has not yet received? If background info helps, I really enjoy picking apart IP traffic, and have some interest in fractals from a mathematic perspective.

Also, I'd like to say thanks for the links on your site. I now have tons more reading material.

So....

[GigsVT]

Have you ever forgotten an important password/passphrase?

Re:So....

[tigertigr]

As a follow-up, do you have your own personal system for generating/remembering passwords?

Furthermore, since we require more and more passwords for things such as networks, email, online banking, ebay, and on and on, what do you think is the best method for joe average to keep track of all of these, aside from a) using the same password for all of them and b) using a "trusted" framework (passport, palladium). Can there ever be a solution to such a problem?

Not a question, but a comment for slashdot

After seeing this story go up, it made me actually think about the interview longer, without being so pressed to try to get my response in quickly. I actually went to their website, and read through more carefully then usual. - Which got me to thinking.

Why not make stories have a ten or fifteen minute delay to allow people to actually READ the articles. Have a little timer that says how long until the story goes live for comments. This might take care of some of those who never read the articles.

Just a thought....

Worst implementation?

[burgburgburg]

In your consulting capacity (and without naming names), have you ever run across a companies security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the companies stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?

Re:Worst implementation?

[rjh]

True story. I won't name the company, nor do I list my employment with this company on my resume'. After you hear the story, you'll know why.

I was recruited from a major telco to work for a competing telco in 1999, ostensibly to work as part of their tiger team. When I showed up for work, there was nobody else on the team. "Don't worry," I was told, "we're hiring more. Just try and get some good design work done on securing our billing back-end, because right now it's wide-open."

Wait, your billing back-end is wide open?

"Yes."

And it's deployed?

"Yes."

Oh, fuck.

So I went to work on the back-end (which, at the time, was handling about $1 billion a year), with a great feeling of doom hanging over my head. When you're getting paid $38K and have no backup and you're told that "if we lose money from insecurity, it's all your fault, regardless of the fact we deployed it without any security to speak of"... well. You can figure it out.

A month later I had a binder full of attacks against the network, and another binder full of design ideas for how to secure it. By "binder", I mean 2-inch binders stuffed to the gills with paper. I was shortly thereafter called into my manager's office. An HR representative was present, so I knew the news was bad.

"Rob," my manager said, "we're concerned that you've made no progress on your task..."

What? I asked. I pulled out the Binders o' Doom from my satchel (we didn't have any secure storage in the development group, so I didn't ever let those binders out of my sight) and set them on her desk.

"Oh," she said as she leafed through the binders. The look on her face was roughly that of an indigenous South Pacific islander who was seeing an indoor toilet for the first time. "Um. Rob. Didn't anyone tell you?"

Tell me what?

"We already have a design we want you to use. You just have to implement it. No, no, you're not anywhere near senior enough to come up with a design for the security of the billing system..."

I breathed a sigh of relief. Sanity at last! And then she handed me a very thin folder.

I opened it up and it was, I shit you not, RFC1991. Classic PGP.

I laughed, handed the binder back, and told her she grabbed the wrong folder. Then she got very angry with me and asked me what, precisely, was wrong with using Classic PGP to secure the back-end?

I gave her the litany:

• Classic PGP is used to protect email traffic in transit. It doesn't protect databases, it doesn't separate privileges, it doesn't set up a redundant network, it doesn't do offsite backups, it doesn't make sure your Verisign certs are current.
• Classic PGP has been superseded by RFC2440, which fixes a lot of problems in the original spec, like no separate subkeys for encryption and signing.
• Classic PGP uses two patented algorithms, and if you can barely afford the $38K budget entry for my salary, there's no way you can afford the patent royalties on a couple of billion dollars of transactions.
• Classic PGP is a protocol: it's not a security design.
• ... and on and on and on.

Finally I asked "so who's the genius who came up with this one?"

Whoops. Turns out said genius was sitting across the desk from me.

By the end of the day I was busy writing Classic PGP in C++, under Management orders. The Sword of Damocles was falling and I was right under it. I protested, loudly and vociferously, until finally I got canned for "not being a team player and not performing according to expectation".

I was climbing in my car to leave the company for the last time when I realized... hey, I still have the Binders o' Doom in my satchel.

I got out of my car and walked back towards the building. An HR representative stopped me at the door and told me that if I walked in, it'd be considered trespass. I explained that I just wanted to drop off something for w

Internet broken?

[bpfinn]

The Internet was primarily designed for use by researchers who were collaborating on similar projects, and so security was not part of the design. Would you advocate designing and building another Internet where security was a major design goal? Or can we tweak the current Internet to reduce that amount of maliciousness that goes on now?

Palladium

[SiliconEntity]

Paul, what do you think about Microsoft's Palladium initiative and Trusted Computing in general? Will it achieve its goals from the security perspective? Is it only for DRM or are there other ways that you could use it?

Quantum Computing and Cryptography

[Nova+Express]

Will the advent of quantum computing render even current, state-of-the-art cryptography obsolete? Is there any way that cryptography can overcome the challenge presented by quantum computing? And how long will it be, if ever, until quantum computer's can break current, state-of-the-art cryptography?

Dive Right In

[Accidental+Hack]

What does a newbie do? Having been put in a position where I'm partly responsible for server security, and having been put in that position without the proper background (and the responsiblity is here to stay), how do I get my head straight on the core issues and make sure I'm not leaving the doors open for anyone to do whatever they want? Reading books/articles doesn't seem to be enough, but if that's the best place to begin, any recommendations?

DRM systems?

There's much going on in the area of DRM these days. Microsoft/Intel are pushing for a secure nub and a trusted OS (Palladium). DirecTV's P3 is totally hacked and Echostar is open to EJTAG manipulation. The studios are pushing for stronger encryption for the next-generation DVD after CSS has been hacked.

What is your opinion about where DRM systems should go? How can we protect fair use and still get movies released in HD?

Crypto in the scope of the real world.

[matman]

It seems that most cryptographic methods depend on one of a number of hard to solve problems, such as the factoring of large numbers, elliptic curve discrete log, etc. These kinds of methods suffer catastrophic failure when the problems on which they depend are no longer hard. In the foreseeable future, it seems that factoring large primes will become less hard (especially with the help of quantum computers).

What contingency plans are you aware of? What sort of research is being done to avoid this single point of failure problem in future solutions? Are we just hoping for quantum encryption to save us? Of course, the real solution is to not depend solely on crypto for security, as crypto it self will never be perfect (implementation problems, etc). Security organizations, who haven't already, need to update their risk assessments to include risks to crypto solutions. It's still interesting to look at crypto in a more narrow scope than the real world :)

From a Student's Perspective

[TedCheshireAcad]

I am a student pursuing a bachelor's degree in Computational Mathematics.

What is the best way to go about finding a career in cryptography/cryptology?
How did you start in the field?
Is there a "job market" per se, or is it more of a position that one falls into?

64 Bit Computing

[MBCook]

One of the applications that is supposed to get a large boost from going from 32 to 64 bits is cryptography. Are you very excited about the move to 64 bits? Do you really think that it would make that much of a difference? Are there any downsides to going to 64 bit compuiting in cryptography (other than the time to port the software)?

Alternative to uid/pw logins to establish identity

[Blain]

The recent /. discussion of worms exploiting weak passwords got me thinking problems I have with consistently using strong passwords. I have heard many times that we should use strong passwords (mixed case, letters, symbols, no dictionary words in any language, no number patterns that others could derive, etc.), that we should not reuse passwords, that we should not write down passwords, but should always have them memorized.

Now, if I was on a handful of systems, this would make sense. However, I've found that many websites I come to are increasingly requiring registration, including creating a userid and password to log in to their systems. The personalization of my interface with their system is nice, but makes following the rules about passwords unmanageable -- I can't keep track of several dozen strong passwords from memory.

As an alternative to that, for website uses such as I've mentioned, it seems to me that making use of a public-key encryption system, something along the lines of what I understand SSL to do, would seem to make more sense. My system could exchange encrypted data with the web server using our known public keys, enabling us each to know that we are, in fact, who we claim to be. Even if I was required to use my pass-phrase that goes with that public key each time I logged in, it would be easier for me to remember that one pass-phrase (which could be even more secure than a 6-8 character password) than is currently available.

Obviously there would be change-over costs involved with this, but is there some big reason that this kind of a system would be less secure than the current system, particularly if we take into account the problem of weak and repeatedly used passwords?

Your use and abuse of Cryptography

[fruey]

I'd like to know if you practice what you preach. Do you go out of your way to use GPG/PGP or other encryption on all correspondance, run all your web applications under TLS/SSL, and generally advocate this? Or is cryptography something for which you think only specific applications are in order?

The reason I'm asking is because there are a lot of great techies out there, but it's rather the geeks that seem to do most of the advocacy and who seem to be able best to stick to their guns and force their peers to use GPG, etc.

Also, I used the word "abuse" also. Do you think you've ever gone over the top with crypting everything, or have you ever used your knowledge to gain access to information that you should not have seen (however trivial), or have you ever been paid to crack something encrypted, won prizes, that sort of thing?

Interface with Government agencies

[bstadil]

How do you currently interface with various government agencies? What kind of pressure is put to bear, how do you see it evolving and are you able to answer these questions freely.

Is Cryptology a House of Cards?

[kakos]

All of cryptology is built on a group of cryptographic primitives. Block ciphers, hash functions, factoring problems, discrete log problems, etc. are all used to build higher order cryptographic structures, such MACs, encryption, and signature schemes. However, all of these primitives are not proven secure. How do you feel about cryptology being built on such a fragile foundation, essentially making it a house of cards?

Your use of cryptography in everyday tasks ...

[Hollins]

To what extent to you use cryptography in everyday life? For instance, under what circumstances do you digitally sign or encrypt email? What information do you encrypt on your hard drive? How do you communicate securely with folks who aren't technically adept with current encryption tools? Are the tools at your disposal easy enough to use to keep up with your level of paranoia?

thanks.

Is the Technology ahead of us?

[Coz]

Thanks for letting us ask you these questions.

Over the last couple of decades, cryptography has gone from being the domain of major governments, big business, and the odd hobbyist and researcher to being a massive public industry that anyone can (and does) participate in, with new algorithms published and new applications announced almost every week. Meanwhile, we learn of vulnerabilities in various implementations of cryptosystems much more frequently than we hear of people discovering fundamental flaws in the cryptosystems themselves.

Given these facts, do you think we need to change focus, turning to validating and "approving" implementations of cryptosystems (such as your own SSL 3.0) or should the emphasis of the "crypto community" continue to be innovation in fundamentals of cryptographic systems and new applications for them? How important is it to have someone verify that a cryptosystem is implemented well?

Thanks, and I'll take my answer off the air :)

The Importance of Cryptography

[presroi]

Ignoring errors in the several implementation, current encryption algorithms software provides everyone the chance to keep information secure as it is simply impractial to break the encryption in a reasonable amount of time and enough money provided. Nevertheless, I notice that the overall awareness about keeping information secret is pretty low (I'm too young to say that it has been higher some time). Anybody, who wants to get encrypted information simply attacks not the data itself but the people with legitimate access to this data. Sometimes, even this is not nescessary (I get unencrypted but highly confidential information (No Nigeria Spam!) almost daily due to a popular internet domain from my government with a simiar spelling. Those people are just guessing the email adress of their friends and sometimes they fail.)
So, my question is this:

Has cryptography to include the human factor itself into the calculation or is it still only about mathematics? Can you imagine a strong encryption system with a special focus on people with low awareness?

SSL and Forward Security

[Effugas]

Paul,

First of all, thank you for agreeing to be interviewed here. It's greatly appreciated.

I'm curious if you wouldn't mind elaborating a bit on the catastrophic failure of the SSL security architecture given the compromise of an RSA private key. An attacker can literally sniff all traffic for a year, break in once to steal the key, then continue to passively decrypt not only all of last year's traffic but all of next year's too. And if he'd like to partake in more active attacks -- session hijacking, malicious data insertion, etc. -- that's fine too.

In short, why? After so much work was done to come up with a secure per-session master secret, what caused the asymmetric component to be left so vulnerable? Yes, PGP's just as vulnerable to this failure mode, but PGP doesn't have the advantage of a live socket to the other host.

More importantly, what can be done for those nervous about this shortcoming in an otherwise laudable architecture? I looked at the DSA modes, but nothing seems to accelerate them (which kills its viability for the sites who would need it most). Ephemeral RSA seemed interesting, but according to Rescola's documentation it only supports a maximum of 512 bits for the per-session asymmetric key -- insufficient. If Verisign would sign a newly generated key each day, that'd work -- but then, you'd probably need to sign over part of your company to afford the service. Would it even be possible for them to sign one long term key, tied to a single fully qualified domain name, that could then sign any number of ephemeral or near-ephemeral short term keys within the timeframe allotted in the long term cert?

Thanks again for any insight on the matter you may be able to provide!

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

trust in open p2p communities

[smd4985]

as a software engineer building open source p2p applications (gnutella), we are faced with a huge problem: how do we establish trust in a open environment where any application that speaks the protocol can participate? we've thought of various cryptographic systems to establish trust, but they have several fatal flaws - they require some sort of centralization (a no-no in a p2p environent), they lock out 'untrusted' vendors, etc.

what can we do to maintain an open environment and establish trust between peers?

NSA may not be that far ahead.

[rjh]

First, it's not well-known that the NSA is years ahead of the pack. That's purely speculation. The NSA says so little about how much they know that anyone who says "they're years ahead" just shows they don't know what they're talking about.

In the '70s, '80s, and on up into the '90s, the NSA was certainly ahead of the civilian cryptanalytic community. DES, for instance, had its S-boxes strengthened against differential cryptanalysis in the '70s--about a decade and a half before the civilian cryptanalytic community discovered differential cryptanalysis.

But recently, there've been tantalizing signs the NSA is not as far ahead as people once thought. The civilian cryptanalytic community has grown tremendously in just the last ten years, and the quality of scholarship is the best we've seen since Turing and Shannon established the field. The civilian cryptanalytic community is now breaking NSA designs.

For instance: the NSA submitted a pretty cool cipher mode (Dual Counter Mode) for use with AES. People were looking forward to the opportunity to beat on an NSA design--and lo and behold, Dual Counter Mode was broken within a matter of weeks. The cryptoparanoids out there will say the NSA intentionally put out a weak mode in order to fool their enemies into underestimating their talents, but--really. Occam's Razor applies to the NSA as much as it applies to anyone else. The simpler explanation is that the NSA got egg on their face, just like everyone else has had. If you're going to be active in the crypto community, you're going to get your fair share of brain-os. Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

The really fascinating NSA braino is, undoubtedly, SKIPJACK, the cipher which was going to be the heart of the Clipper Chip. It had a very solid design and 32 rounds. 32 rounds is a lot of rounds--the idea the NSA would make a 32-round cipher struck a lot of people as evidence that the NSA was being extremely conservative.

Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors, and they allowed a small number of outside experts (incl. Dorothy Denning, who's a crypto luminary) to review major portions of the classified cipher.

So either you've got to believe the NSA lied to Congress, deliberately deceived Denning, and that Denning wasn't smart enough to know she was being deceived... or you can believe the civilian cryptanalytic community is getting good enough to challenge the NSA on the NSA's own terms.

Anyway. Come to your own beliefs as to how far ahead the NSA is of the civilian cryptanalytic community. I think the answer is "not very", but reasonable people will certainly disagree on these things.

Re:NSA may not be that far ahead.

[swillden]

Good post, but I disagree on a couple of minor points.

Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

This doesn't really follow. Schneier's a smart guy, and he's among the better cryptographers in the world, but his screwup doesn't necessarily mean that the NSA would also.

However, the fact that *every* cryptographer who's been around for a while has had his or her share of public failures does.

Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

Umm, not quite. First, Biham and Shamir invented differential cryptanalysis in 1990; they didn't invent it to attack SKIPJACK (although their paper on SKIPJACK did introduce a new variant, IIRC). Second, there are two possible "lessons" to take away regarding the capabilities of the NSA. One is what you said, that the NSA had built in a lower safety margin than they thought they had, but the other is that they knew what they were doing and deliberately chose 32 rounds because they knew 31 could be broken and they're pretty confident in their analysis.

Breaking a 31-round reduction of SKIPJACK does absolutely no good if you need to decrypt messages encrypted with 32-round SKIPJACK.

Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors

Umm, SKIPJACK *doesn't* have any back doors or weaknesses that we know of. The LEAF (Law Enforcement Access Field) they proposed for Clipper (with SKIPJACK as the cipher) was soundly thrashed by Matt Blaze, but that was the opposite. The NSA intended to design in a back door whereby law enforcement officials could decrypte messages, but Blaze found a way to close that door.

The weakness in the LEAF, however, was almost certainly a significant "braino" by the NSA. Even if for some reason they wanted to be able to defeat the LEAF, they apparently underestimated the ability of academic cryptanalysts. It's more likely, however, that they just plain screwed up, just like they did with the dual counter mode.

USPTO

[T.+Bombadil]

Has any of your work been impacted or covered up by the USPTO's ability to declare a patent a secret? Were you compensated for the loss? How do feel about the confiscation both personally and in general?

Please use Google.

[rjh]

*sigh* I really wish people wouldn't mod up questions which can be adequately answered with a quick Google search. That said--please mod the parent down, since it's not worth Paul's time. But I'm not going to leave the poster emptyhanded, either.

In order to flip a bit requires a thermodynamic minimum of 4.4 * 10**-26 joules of energy. (Ignore the time/power theoretical tradeoff and energyless reversible computing, please: those are still purely theoretical, and we have no computers which can do it. For that matter, we have no computers which can approach the thermodynamic minimum, but let's give the NSA some credit.)

That means it requires a minimum of 1.1 * 10**-23 joules of power to store a 256-bit AES key. Let's assume you have some kind of truly bizarre key cracker that can do an energyless rekey and key trial: all you have to do is have 1.1 * 10**-23 joules of power for each key you want to test. That's the thermodynamic minimum energy you need just to store the key.

To break a 256-bit key by brute force requires, on average, 2**255 operations. Multiply 1.1 * 10**-23 joules of power by 2**255, and you get 6.5 * 10**53 joules of power.

Let me repeat this.

It requires

650000000000000000000000000000000000000000000000 00 0000000

... joules of power.

By comparison, the Sun's annual power output is in the realm of 1.2 * 10**34 joules.

Or

120000000000000000000000000000000000

... joules of power.

Are you beginning to see why it's such a silly question to ask whether or not modern ciphers can be brute-forced with Crays?

Please. Use Google before asking questions.

Grid Computing and Crypto

[Subotai]

Grid Computing seems to be a technology that has the potential to host brute force decryption efforts. Aside from bigger and bigger keys are there any other crypto techiqures or research underway to defeat grid computing? Also, what does this mean for desktop cryptography?

How do you think?

[Charles+Dodgeson]

When I first read about some discovery of a weakness (for example, I know your name from your work on MD5), I am always struck by the thinking beyond the framework of the designer of the system and of the community to date. The same things strikes me about timing attacks and similar sorts of things. These are things that I wouldn't have thought of in a million years. Can you give any insight into how minds like yours work. And to what extent you think that this might be a trainable skill.

I normally hate the cliche of "thinking outside of the box", but here it is fully appropriate.