Interrogate Crypto Luminary Bruce Schneier
Most people who have any involvement with or interest in cryptography have heard of Bruce Schneier. If you haven't, check his online biography, check the home page for his consulting company, Counterpane Systems, or learn about his seminal book on the subject, Applied Cryptography (assuming you haven't already read it). Our usual interview rules apply: one question per post; moderators select their favorites; editors choose 10 - 15 of the highest-moderated questions and send them to Bruce on Tuesday; Bruce's answers appear on Friday.
Bruce, what is your view of what many have said is the government's relaxation of export controls on commercial cryptography? In particular, are there any actual dangers in the requirement that the algorithms and code be submitted for review? My personal feeling is that rather than protecting the consumer, the review process is more likely to be there to ensure that any cryptography is sufficiently weak to please the government. So maybe crypto for credit card transactions is somewhat safe, since the businesses involved can be subpoenaed, but crypto for obfuscating personal communications is less secure, since there may be more chance of evidence being withheld.
Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.
Based on these two facts, do you think legally binding digital signatures are secure; why?
--
You have stated, time and again, that while picking a good cryptographic algorithm with an adequate key length is important to security, it is only one link in the chain. There are numerous examples of this, including the attacks on Netscape's PRNGs and attacks against smart cards that measure power consumption, timing, etc. to determine the key. Any one of these methods can effectively render the rest of the system useless.
Now for the question: what do you think is the most overlooked aspect of designing a secure system? For example, PRNGs, ineffective key management, mismanaged trust, bad authentication, etc. What can people writing software do (aside from peer review, which is a *must*) to reduce the risks of common problems?
Thanks!
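The Netscape PRNG attack mentioned above is worth seeing in code. The block below is an added example (not Netscape's code, not Bruce's, and not part of the original thread): a toy model in which a 128-bit session key is drawn from a PRNG whose seed is built only from the clock and a process id, so the "128-bit" key actually has only as many bits of security as the seed space an attacker has to search. The seed layout, the time window and the pid range are constructed assumptions for the demonstration; the hardened version simply takes the key from the operating system's CSPRNG.

```python
import math
import os
import random


def weak_session_key(clock_seconds, pid):
    """Vulnerable: a toy model of the 1995 Netscape seeding flaw (assumed layout,
    not the original code). The 128-bit key is fully determined by a seed made
    from two low-entropy observables: the clock (seconds) and the process id."""
    seed = (clock_seconds << 16) | (pid & 0xFFFF)
    return random.Random(seed).getrandbits(128)


def attack_weak_key(observed_key, guessed_clock, clock_window, pid_max):
    """Attacker who knows roughly when the key was generated (to within
    clock_window seconds) and the plausible pid range simply re-runs the
    generator for every candidate seed until the observed key falls out.
    Returns (clock, pid, tries) on success, None otherwise."""
    tries = 0
    for t in range(guessed_clock - clock_window, guessed_clock + clock_window + 1):
        for pid in range(pid_max + 1):
            tries += 1
            if weak_session_key(t, pid) == observed_key:
                return t, pid, tries
    return None


def effective_key_bits(clock_window, pid_max):
    """The real security level of the weak key: log2 of the seed space the
    attacker must search, not the 128 bits of the key length."""
    return math.log2((2 * clock_window + 1) * (pid_max + 1))


def strong_session_key():
    """Hardened: take the key straight from the OS CSPRNG (os.urandom), which is
    seeded from kernel entropy sources. There is no small seed to enumerate."""
    return int.from_bytes(os.urandom(16), "big")


if __name__ == "__main__":
    # Constructed scenario: key made at clock 1_000_000 by pid 1234.
    key = weak_session_key(1_000_000, 1234)
    print("effective bits of the weak key:", round(effective_key_bits(10, 4095), 1))
    print("attacker recovers (clock, pid, tries):", attack_weak_key(key, 1_000_004, 10, 4095))
    print("strong key:", hex(strong_session_key()))
```

The point the question is making falls out of `effective_key_bits`: a window of 21 seconds and 4096 pids is roughly 2^16.4 seeds, so the attacker does tens of thousands of PRNG evaluations, not 2^128, and no choice of cipher or key length downstream changes that.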
Back in the "good old days" of cryptography, the algorithms used were understandable by non-mathematicians. Most modern cryptographic systems in use are still mathematically "simple". By this I mean that once you understand the complexities of the algorithm, the mathematical basis is understandable to someone who has, say, a college degree in mathematics or physics.
The cryptographic systems being developed today are often based on much more sophisticated mathematical ideas. Elliptic and hyper-elliptic curves spring to mind. The algorithms may be understandable, but the mathematical basis may be complicated enough that it takes a PhD in mathematics to understand.
These systems are the future generation of cryptography. Some have suggested that their security is based more on mathematical obscurity than anything else (i.e. the number of people able to even understand what the algorithm is doing is very small). Do you think this is accurate? Do you see cryptography moving exclusively into the domain of mathematicians, so that it is totally inaccessible to motivated non-mathematicians (such as yourself)?
I am in the midst of reading Applied Cryptography (1st edition). Amazing book so far, thanks for all the hard work you obviously put into it.
Here's my question: your short timeline at the beginning of AC notes that public research in cryptography didn't really get under way until 1976, but that the NSA (and its predecessors) started during WWII. How far ahead do you think the NSA (or whoever) is? In particular, do you have any reason to believe they have cracking algorithms for some of today's hardest problems (NP-completeness, etc.)?
---
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Most of the discussions I hear and the work I see are towards making algorithms safer. On the other hand, a lot of security gets compromised by a large number of protocol violations, human errors (like dictionary passwords, pet names, etc.) and other means like reading electromagnetic emissions, bugging or bribing. Where do you see the optimal division of effort?
I have read your papers on Yarrow and was impressed both with the algorithm and with your discussion of the importance/vulnerabilities of pseudorandom number generators. It seems to me that PRNGs can be just as important a component of a protocol as the algorithm or the keys themselves. How important do you feel they are? Do you see this role increasing/decreasing in the future with new technologies and developments (quantum computing/encryption)? What do you see as their future?
thanks
When Applied Cryptography was published, CAST was looking very promising but was still very new. How IYO has CAST held up since then?
Always keep a sapphire in your mind
What did you think of Neal Stephenson's Cryptonomicon?
Vidi, vici, veni. (I saw, I conquered, I came)
I know that you have done a lot of work in the area of A. But what about B? Specifically, what do you think it will take, to get people to use cryptography with their email on a regular basis? Most of us here agree that it should be as standard as putting your letter in an envelope instead of using a postcard.
However, even I don't regularly use encryption. I have tried encryption packages and they are easy to use, but I can't seem to be able to convince my friends and family to go through the trouble. Because the people I communicate with don't use encryption, it seems that I can't either.
Because of its inclusion with web browsers, some level of encryption is now used for much of e-commerce. Most people just know that their transaction is somehow secured and know nothing of the details. But the same hasn't happened for other mediums.
What do you think it will take? A personal electronic Pearl Harbor in which many people have their secrets spread throughout the world? Inclusion of crypto with the most popular free email clients? Or maybe people just don't care and they will never encrypt their email?
Many government officials are opposed to encryption on the grounds that it will somehow impede investigation and prevent prosecution.
I believe this is the same feint magicians use to misdirect the audience from the real action. Currently, prosecutors must only provide phone records as evidence, and not a tape of the actual phone call. The evidence that something transpired, and not the actual "what", is all that's required. Records of wire transfers are acceptable, even if you can't seize the actual money. The classic tenets of motive and opportunity suffice, without someone having to provide a videotape of the crime. In other words, I think you can prosecute, and convict, even if you can't decrypt.
So, first, any idea what the Feds are really worried about? (It's got to be more than just Echelon.) And second, how do we present the privacy issues to the public so that the average citizen understands what's at stake? (e.g. encryption = privacy = good thing)
I've heard you say many times that unless a particular crypto algorithm has undergone lots of public review, it should not be considered safe. Unless possibly it's from the NSA. (Excluding, of course, the NSA stuff that is INTENTIONALLY backdoored.)
The implication there is that the NSA has applied so many resources to the crypto problems that they are as good as the rest of the cryptographers put together.
My question is: Do you really think that a private process, no matter how many resources applied, can equal the public process?
One would think that cryptographers, who study the mathematical means for controlling information (not just secrecy, but also signatures, zero-knowledge proofs, etc.), would be the least inclined to support the artificial limits to information set up by our legal system, and yet the field is littered with patents (probably more so than any other field of mathematics).
You, on the other hand, have been very generous with your algorithms and cryptos. Is there a political, ideological, or practical reason behind this?
-
Bruce,
in a recent Crypto-Gram, you write that most symmetric ciphers need more entropy than people can remember and hence supply. Even with biometrics adding more bits, it is not really worth the effort to construct ciphers with more than 128 bits of entropy in the key, because people won't give them more than that much entropy in the passphrase.
However, social and technological pressures make longer and longer keys a necessity. What promising approaches do you see for making remembering and entering -- even though I have long passages of text memorised, I don't want to type them in for each email I want to send -- usefully long passphrases?
I.e., to paraphrase, would you discuss the state of the art of cipher/human interaction as it pertains to key management.
Johan
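The entropy arithmetic behind Johan's question, with the one standard tool that changes it, as an added example (this is not from the original thread and is not an answer from the interviewee). A passphrase of words picked uniformly from a 7776-word diceware-style list carries about 12.9 bits per word, so reaching 128 bits takes ten words; key stretching with PBKDF2 (here the standard-library `hashlib.pbkdf2_hmac`, the choice of KDF and the iteration count being this example's assumptions) does not add entropy, but it multiplies the attacker's cost per guess, which is the usual way to get useful security out of a passphrase shorter than the key it protects.

```python
import hashlib
import math

DICEWARE_LIST_SIZE = 7776  # 6**5 words: the classic five-dice word list size


def passphrase_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase of n_words chosen uniformly at random from a
    list of list_size words (only valid if the words really are chosen at
    random; a memorable sentence the user composed has far less)."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """How many random words it takes to reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def derive_key(passphrase, salt, iterations=200_000, key_bytes=16):
    """Key stretching: PBKDF2-HMAC-SHA256 turns the passphrase into a
    fixed-size cipher key. Every guess an attacker makes costs `iterations`
    HMAC calls, and the salt stops one table from serving every user."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, key_bytes)


def attacker_work_bits(entropy_bits, iterations):
    """Work an exhaustive guesser faces, expressed in bits: 2**entropy guesses,
    each costing `iterations` hash evaluations."""
    return entropy_bits + math.log2(iterations)


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    phrase = "correct horse battery staple ocean"   # 5 random words
    salt = b"per-user-random-salt"                   # in practice: 16 random bytes, stored
    bits = passphrase_entropy_bits(5)
    print(f"5 words: {bits:.1f} bits; words for 128 bits: {words_needed(128)}")
    print(f"work factor with 2^17 iterations: {attacker_work_bits(bits, 1 << 17):.1f} bits")
    print("derived key:", derive_key(phrase, salt, iterations=1 << 17).hex())
```

The trade-off the question describes is visible in `attacker_work_bits`: stretching buys roughly log2(iterations) bits, 17 bits for 131072 iterations, paid for in wall-clock time on every legitimate key derivation, so it narrows the gap between what people will type and a 128-bit key, but it does not close it.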
What impact do you think your science studies have on your current career? I suspect the high mathematical background of physics prepared you for cryptology, but what other aspects of a science degree come into play in your line of work? Would you call your B.S. in Physics an advantage or a disadvantage?
"Knowledge = Power = Energy = Mass"
Bruce, thanks very much for making cryptography so much more accessible to us all.
You wrote in Applied Cryptography that IDEA was your "favorite" symmetric cipher at the time. Is that still true today?
Your book describes a slew of interesting applications for crypto protocols, including electronic money orders, digital time-stamping, and secure multi-party computation. What are the remaining crypto problems of interest to the general public which have not been solved? (secure distribution of digital media comes to mind -- can you sell someone a music file, allow them to use the file anywhere, but make sure no one else can use it?)
OK, hypothetical question. You rub a magic lamp, and a genie comes out. Specifically, a cryptographic protocol genie. He can come up with an efficient, secure protocol for any activity you want (assuming a protocol is possible, of course). What would you pick, and more importantly, why?
Quantum physics seems to be the "magical" form of physics, and its application to cryptography even more magical. I don't think I properly understand "quantum cryptography," and I don't think that most of the people that have made public comment on it understand it terribly well either.
Could you comment on the present state of Quantum cryptography, and its probable relevance in public matters short term (which appears nonexistent), medium term (where the research of today may be in 5-10 years), and longer term?
If you're not part of the solution, you're part of the precipitate.
Scott McNealy claims we've already fought and lost the war for personal privacy. Do you agree with him or not, and why?
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Given that most cryptographic algorithms are well known and understood worldwide, can governments control their use effectively by legal means? Do you think legal restrictions on cryptography are likely to become more or less strict over the coming years?
Bruce --
As many know, your Twofish algorithm is one of the (many) submissions to become the AES standard. The goal for these algorithms is to be able to implement them extremely cheaply in hardware -- say on a 6800 with 256 bytes of RAM. In other words, cheaply enough to put on a smart card.
But IBM's team alleges that any algorithm that simple can be fairly easily cracked by doing a power usage analysis on the chip (by watching fluctuations in the electrical contacts with the reader) and that the necessary equipment to protect against power analysis would be equivalent to a much more complex processor -- so much so you might as well just implement a different and more complex (and hopefully power-random) algorithm. Of course IBM suggests their own implementation.
What do you think? Is there a way to build a simple smart card so that power analysis isn't a problem? Perhaps the whole question will become irrelevant since we'll be carrying around so much processing power in our PDAs that we'll just use them?
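What "power usage analysis" means in practice, and why the countermeasure costs what IBM says it does, as an added example that is not part of the original thread and is not IBM's or anyone's real attack code. The block simulates correlation power analysis (CPA) against one key byte: each "trace" is a constructed power sample modelled as the Hamming weight of an S-box output plus noise (an assumed leakage model, the standard textbook one), and the attacker recovers the key by correlating that sample with the prediction for each of the 256 key guesses. The small PRESENT S-box stands in for the AES S-box to keep the block short. The `masked=True` path models the usual fix, Boolean masking of the intermediate with a fresh random byte; a real card must also recompute its S-box table per mask, which is exactly the extra circuitry and RAM the question describes.

```python
import random
from statistics import mean

# PRESENT 4-bit S-box (a published constant). Applying it to both nibbles of a
# byte gives a small nonlinear step that stands in for the AES S-box here.
SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
         0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def sbox8(x):
    return (SBOX4[x >> 4] << 4) | SBOX4[x & 0xF]


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key_byte, n_traces, noise_sigma, rng, masked=False):
    """Constructed leakage model (assumption): the card's power draw at the
    moment it stores S(p ^ k) is the Hamming weight of that byte plus Gaussian
    noise. With masked=True the card stores S(p ^ k) ^ m for a fresh random
    mask m per encryption, so the stored value is independent of the key."""
    plaintexts, samples = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        value = sbox8(p ^ key_byte)
        if masked:
            value ^= rng.randrange(256)
        samples.append(hamming_weight(value) + rng.gauss(0.0, noise_sigma))
        plaintexts.append(p)
    return plaintexts, samples


def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def cpa_recover_key_byte(plaintexts, samples):
    """Correlation power analysis: for each of the 256 key hypotheses predict
    the Hamming weight of S(p ^ k_guess) and correlate it with the measured
    samples. The hypothesis with the strongest correlation is the key byte.
    Returns (best_key, best_correlation)."""
    best_key, best_corr = 0, -1.0
    for k in range(256):
        hypothesis = [hamming_weight(sbox8(p ^ k)) for p in plaintexts]
        c = abs(pearson(hypothesis, samples))
        if c > best_corr:
            best_key, best_corr = k, c
    return best_key, best_corr


def demo(key_byte=0x3C, masked=False, n_traces=1000, noise_sigma=1.0, seed=7):
    """Run the whole attack on constructed traces for a known key byte."""
    rng = random.Random(seed)
    plaintexts, samples = simulate_traces(key_byte, n_traces, noise_sigma, rng, masked)
    return cpa_recover_key_byte(plaintexts, samples)


if __name__ == "__main__":
    k, c = demo(masked=False)
    print(f"unmasked: recovered key 0x{k:02X}, correlation {c:.2f}")
    k, c = demo(masked=True)
    print(f"masked:   best guess 0x{k:02X}, correlation {c:.2f} (noise level)")
```

Unmasked, the right guess correlates at about 0.8 with 1000 traces and nothing else comes close, which is why an unprotected 8-bit implementation of any cipher with a known S-box falls to this regardless of how strong the cipher is. With masking, first-order CPA sees only noise; the known caveat is that a second-order attack combining the leakage of the mask with that of the masked value still works, so real countermeasures stack masking with noise, shuffling and dual-rail logic, each costing more silicon than the cipher itself.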
In the foreword, you describe how you got interested in cryptography, and that you had no background or training in the field, but you thought it was interesting. Also, several times throughout the book you caution people not to trust cryptosystems from amateurs.
Clearly you have become well versed in the history and application of cryptography, your book makes all other descriptions of the state of the art invisible by comparison. Still, it appears to me that cryptosystem design and analysis requires fairly extreme mathematical proficiency, which I do not believe that you have.
Now, of course, Twofish is published in detail, and the best people in the world have attempted to crack it (and I think that the competitive process that the US Gov't has promoted is a spectacular way to get the best people to attack each other's ciphers). But, I remain somewhat worried that at the foundations of Twofish...is there something missing that a PhD in mathematics and number theory would have seen?
The winner of this competition will likely be the next DES, and will provide security for a fairly large percentage of the planet. The stakes are high. I'm sure that you have an answer to this criticism, and I'm eager to hear it.
thad
I love Mondays. On a Monday, anything is possible.
What are your thoughts on the recent reports of quantum computing and its effects on encryption?
---
I hope you're not pretending to be evil while secretly being good. That would be dishonest.
Thanks again,
PS Neville
As one of the stronger voices behind the proposition that only peer reviewed, open, and thoroughly tested algorithms can be trusted you've widely disseminated several algorithms, Solitaire and Yarrow among them. What attacks or interesting analyses have surfaced since their release?