Ask Security/Cryptography Expert Paul Kocher

Paul Kocher is unquestionably one of the highest-profile computer and network security experts around. He's president of Cryptography Research, Inc. and one of the architects of SSL 3.0. The floor is now open. Please try not to ask questions that can be answered with a few minutes' worth of online research. We'll post Paul's answers to 10 of the highest-moderated questions soon after he gets them back to us. Update: 03/13 18:18 GMT by M : Let's try this one more time, this time with feeling.

Serious Threats?

[Prizm]

While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your speciality, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?

Triple barreled question

[Sophrosyne]

Should the general public have access to powerful and secure computing as a right, or should cryptography be limited to banks, government agencies, etc.? Do you believe that, as cryptography becomes more prevalent and as computing power increases we will see an increase in criminal activity over the web? And if so, what is the best way to curb illegal activities on the Internet, for example do you give the keys to the Governments that request them?

redundancy is key

[b_pretender]

Mr. Kocher would point out that in computer security, redundancy is key

Therefore, "Please try not to ask questions that can be answered with a few minutes' worth of online research." should be rewritten as, "Please try not to ask or moderate up questions that can be answered with a few minutes' worth of online research. "

Social engineering

[miratim]

For every advancement in computer security, there seems to be a social backdoor involving the humans that use the system. Is there any research being done on figuring how to effectively solve the social engineering problem at the software/hardware level somehow?

who is the worst to deal with?

[greechneb]

Where do you find the most resistance is in integrating/using a new standard such as this?

- The software developers
- The software distributors
- The end users

My first guess would be the end users, but I am curious as to which group gives you the most problems.

How can I help?

[arnie_apesacrappin]

I just started a Master's program in CS that is specialized in information security. One of the options for degree completion is a thesis.

From the formal side of things, I am new to information security. I have been doing applied security work for about three years. I would really like the challenge of writing a thesis, but so far I haven't come up with anything.

Here are my requirements: I want the topic to be challenging, I want it to be within the grasp of a Master's level understanding of information security, and I want it to be valuable to the community.

Are there any areas or topics that need to be addressed but have not? Is there something the community needs but has not yet received? If background info helps, I really enjoy picking apart IP traffic, and have some interest in fractals from a mathematic perspective.

Also, I'd like to say thanks for the links on your site. I now have tons more reading material.

Worst implementation?

[burgburgburg]

In your consulting capacity (and without naming names), have you ever run across a companies security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the companies stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?

Re:Worst implementation?

[rjh]

True story. I won't name the company, nor do I list my employment with this company on my resume'. After you hear the story, you'll know why.

I was recruited from a major telco to work for a competing telco in 1999, ostensibly to work as part of their tiger team. When I showed up for work, there was nobody else on the team. "Don't worry," I was told, "we're hiring more. Just try and get some good design work done on securing our billing back-end, because right now it's wide-open."

Wait, your billing back-end is wide open?

"Yes."

And it's deployed?

"Yes."

Oh, fuck.

So I went to work on the back-end (which, at the time, was handling about $1 billion a year), with a great feeling of doom hanging over my head. When you're getting paid $38K and have no backup and you're told that "if we lose money from insecurity, it's all your fault, regardless of the fact we deployed it without any security to speak of"... well. You can figure it out.

A month later I had a binder full of attacks against the network, and another binder full of design ideas for how to secure it. By "binder", I mean 2-inch binders stuffed to the gills with paper. I was shortly thereafter called into my manager's office. An HR representative was present, so I knew the news was bad.

"Rob," my manager said, "we're concerned that you've made no progress on your task..."

What? I asked. I pulled out the Binders o' Doom from my satchel (we didn't have any secure storage in the development group, so I didn't ever let those binders out of my sight) and set them on her desk.

"Oh," she said as she leafed through the binders. The look on her face was roughly that of an indigenous South Pacific islander who was seeing an indoor toilet for the first time. "Um. Rob. Didn't anyone tell you?"

Tell me what?

"We already have a design we want you to use. You just have to implement it. No, no, you're not anywhere near senior enough to come up with a design for the security of the billing system..."

I breathed a sigh of relief. Sanity at last! And then she handed me a very thin folder.

I opened it up and it was, I shit you not, RFC1991. Classic PGP.

I laughed, handed the binder back, and told her she grabbed the wrong folder. Then she got very angry with me and asked me what, precisely, was wrong with using Classic PGP to secure the back-end?

I gave her the litany:

• Classic PGP is used to protect email traffic in transit. It doesn't protect databases, it doesn't separate privileges, it doesn't set up a redundant network, it doesn't do offsite backups, it doesn't make sure your Verisign certs are current.
• Classic PGP has been superseded by RFC2440, which fixes a lot of problems in the original spec, like no separate subkeys for encryption and signing.
• Classic PGP uses two patented algorithms, and if you can barely afford the $38K budget entry for my salary, there's no way you can afford the patent royalties on a couple of billion dollars of transactions.
• Classic PGP is a protocol: it's not a security design.
• ... and on and on and on.

Finally I asked "so who's the genius who came up with this one?"

Whoops. Turns out said genius was sitting across the desk from me.

By the end of the day I was busy writing Classic PGP in C++, under Management orders. The Sword of Damocles was falling and I was right under it. I protested, loudly and vociferously, until finally I got canned for "not being a team player and not performing according to expectation".

I was climbing in my car to leave the company for the last time when I realized... hey, I still have the Binders o' Doom in my satchel.

I got out of my car and walked back towards the building. An HR representative stopped me at the door and told me that if I walked in, it'd be considered trespass. I explained that I just wanted to drop off something for w

Re:fhnlsfdlkm&5nlkd%Bvbcvbc

Uv, V'z jbaqrevat vs lbh guvax gurer'f n shgher sbe EBG13. V'ir urneq vg'f cerggl frpher...

Lbh pna ernq guvf? Qnza!

Internet broken?

[bpfinn]

The Internet was primarily designed for use by researchers who were collaborating on similar projects, and so security was not part of the design. Would you advocate designing and building another Internet where security was a major design goal? Or can we tweak the current Internet to reduce that amount of maliciousness that goes on now?

Palladium

[SiliconEntity]

Paul, what do you think about Microsoft's Palladium initiative and Trusted Computing in general? Will it achieve its goals from the security perspective? Is it only for DRM or are there other ways that you could use it?

Dive Right In

[Accidental+Hack]

What does a newbie do? Having been put in a position where I'm partly responsible for server security, and having been put in that position without the proper background (and the responsiblity is here to stay), how do I get my head straight on the core issues and make sure I'm not leaving the doors open for anyone to do whatever they want? Reading books/articles doesn't seem to be enough, but if that's the best place to begin, any recommendations?

DRM systems?

There's much going on in the area of DRM these days. Microsoft/Intel are pushing for a secure nub and a trusted OS (Palladium). DirecTV's P3 is totally hacked and Echostar is open to EJTAG manipulation. The studios are pushing for stronger encryption for the next-generation DVD after CSS has been hacked.

What is your opinion about where DRM systems should go? How can we protect fair use and still get movies released in HD?

Alternative to uid/pw logins to establish identity

[Blain]

The recent /. discussion of worms exploiting weak passwords got me thinking problems I have with consistently using strong passwords. I have heard many times that we should use strong passwords (mixed case, letters, symbols, no dictionary words in any language, no number patterns that others could derive, etc.), that we should not reuse passwords, that we should not write down passwords, but should always have them memorized.

Now, if I was on a handful of systems, this would make sense. However, I've found that many websites I come to are increasingly requiring registration, including creating a userid and password to log in to their systems. The personalization of my interface with their system is nice, but makes following the rules about passwords unmanageable -- I can't keep track of several dozen strong passwords from memory.

As an alternative to that, for website uses such as I've mentioned, it seems to me that making use of a public-key encryption system, something along the lines of what I understand SSL to do, would seem to make more sense. My system could exchange encrypted data with the web server using our known public keys, enabling us each to know that we are, in fact, who we claim to be. Even if I was required to use my pass-phrase that goes with that public key each time I logged in, it would be easier for me to remember that one pass-phrase (which could be even more secure than a 6-8 character password) than is currently available.

Obviously there would be change-over costs involved with this, but is there some big reason that this kind of a system would be less secure than the current system, particularly if we take into account the problem of weak and repeatedly used passwords?

Is the Technology ahead of us?

[Coz]

Thanks for letting us ask you these questions.

Over the last couple of decades, cryptography has gone from being the domain of major governments, big business, and the odd hobbyist and researcher to being a massive public industry that anyone can (and does) participate in, with new algorithms published and new applications announced almost every week. Meanwhile, we learn of vulnerabilities in various implementations of cryptosystems much more frequently than we hear of people discovering fundamental flaws in the cryptosystems themselves.

Given these facts, do you think we need to change focus, turning to validating and "approving" implementations of cryptosystems (such as your own SSL 3.0) or should the emphasis of the "crypto community" continue to be innovation in fundamentals of cryptographic systems and new applications for them? How important is it to have someone verify that a cryptosystem is implemented well?

Thanks, and I'll take my answer off the air :)

Re:So....

[tigertigr]

As a follow-up, do you have your own personal system for generating/remembering passwords?

Furthermore, since we require more and more passwords for things such as networks, email, online banking, ebay, and on and on, what do you think is the best method for joe average to keep track of all of these, aside from a) using the same password for all of them and b) using a "trusted" framework (passport, palladium). Can there ever be a solution to such a problem?

The Importance of Cryptography

[presroi]

Ignoring errors in the several implementation, current encryption algorithms software provides everyone the chance to keep information secure as it is simply impractial to break the encryption in a reasonable amount of time and enough money provided. Nevertheless, I notice that the overall awareness about keeping information secret is pretty low (I'm too young to say that it has been higher some time). Anybody, who wants to get encrypted information simply attacks not the data itself but the people with legitimate access to this data. Sometimes, even this is not nescessary (I get unencrypted but highly confidential information (No Nigeria Spam!) almost daily due to a popular internet domain from my government with a simiar spelling. Those people are just guessing the email adress of their friends and sometimes they fail.)
So, my question is this:

Has cryptography to include the human factor itself into the calculation or is it still only about mathematics? Can you imagine a strong encryption system with a special focus on people with low awareness?

SSL and Forward Security

[Effugas]

Paul,

First of all, thank you for agreeing to be interviewed here. It's greatly appreciated.

I'm curious if you wouldn't mind elaborating a bit on the catastrophic failure of the SSL security architecture given the compromise of an RSA private key. An attacker can literally sniff all traffic for a year, break in once to steal the key, then continue to passively decrypt not only all of last year's traffic but all of next year's too. And if he'd like to partake in more active attacks -- session hijacking, malicious data insertion, etc. -- that's fine too.

In short, why? After so much work was done to come up with a secure per-session master secret, what caused the asymmetric component to be left so vulnerable? Yes, PGP's just as vulnerable to this failure mode, but PGP doesn't have the advantage of a live socket to the other host.

More importantly, what can be done for those nervous about this shortcoming in an otherwise laudable architecture? I looked at the DSA modes, but nothing seems to accelerate them (which kills its viability for the sites who would need it most). Ephemeral RSA seemed interesting, but according to Rescola's documentation it only supports a maximum of 512 bits for the per-session asymmetric key -- insufficient. If Verisign would sign a newly generated key each day, that'd work -- but then, you'd probably need to sign over part of your company to afford the service. Would it even be possible for them to sign one long term key, tied to a single fully qualified domain name, that could then sign any number of ephemeral or near-ephemeral short term keys within the timeframe allotted in the long term cert?

Thanks again for any insight on the matter you may be able to provide!

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

NSA may not be that far ahead.

[rjh]

First, it's not well-known that the NSA is years ahead of the pack. That's purely speculation. The NSA says so little about how much they know that anyone who says "they're years ahead" just shows they don't know what they're talking about.

In the '70s, '80s, and on up into the '90s, the NSA was certainly ahead of the civilian cryptanalytic community. DES, for instance, had its S-boxes strengthened against differential cryptanalysis in the '70s--about a decade and a half before the civilian cryptanalytic community discovered differential cryptanalysis.

But recently, there've been tantalizing signs the NSA is not as far ahead as people once thought. The civilian cryptanalytic community has grown tremendously in just the last ten years, and the quality of scholarship is the best we've seen since Turing and Shannon established the field. The civilian cryptanalytic community is now breaking NSA designs.

For instance: the NSA submitted a pretty cool cipher mode (Dual Counter Mode) for use with AES. People were looking forward to the opportunity to beat on an NSA design--and lo and behold, Dual Counter Mode was broken within a matter of weeks. The cryptoparanoids out there will say the NSA intentionally put out a weak mode in order to fool their enemies into underestimating their talents, but--really. Occam's Razor applies to the NSA as much as it applies to anyone else. The simpler explanation is that the NSA got egg on their face, just like everyone else has had. If you're going to be active in the crypto community, you're going to get your fair share of brain-os. Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?

The really fascinating NSA braino is, undoubtedly, SKIPJACK, the cipher which was going to be the heart of the Clipper Chip. It had a very solid design and 32 rounds. 32 rounds is a lot of rounds--the idea the NSA would make a 32-round cipher struck a lot of people as evidence that the NSA was being extremely conservative.

Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.

Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors, and they allowed a small number of outside experts (incl. Dorothy Denning, who's a crypto luminary) to review major portions of the classified cipher.

So either you've got to believe the NSA lied to Congress, deliberately deceived Denning, and that Denning wasn't smart enough to know she was being deceived... or you can believe the civilian cryptanalytic community is getting good enough to challenge the NSA on the NSA's own terms.

Anyway. Come to your own beliefs as to how far ahead the NSA is of the civilian cryptanalytic community. I think the answer is "not very", but reasonable people will certainly disagree on these things.

USPTO

[T.+Bombadil]

Has any of your work been impacted or covered up by the USPTO's ability to declare a patent a secret? Were you compensated for the loss? How do feel about the confiscation both personally and in general?