Cryptographers take on security challenges @ RSA2015

This entry was posted on Wednesday, April 22nd, 2015.

The RSA 2015 Cryptographers’ Panel in San Francisco featured a number of prominent security personalities such as Adi Shamir, Ed Giorgio, Ronald Rivest and Whitfield Diffie.

Moderated by Paul Kocher, the President and Chief Scientist of Rambus’ Cryptography Research Division, the panel touched on a wide range of topics, including E.M.V. smart credit cards, the Internet of Things (IoT) and ransomware.

“Massive growth during the Industrial Revolution posed a number of significant challenges for society,” said Kocher, who kicked off the panel in front of a packed auditorium. “We face a similar issue today when it comes to technology, particularly around security and how to manage risk.”

Rivest, the Vannevar Bush Professor of Computer Science at the Massachusetts Institute of Technology, expressed similar sentiments by drawing an analogy to the Cambrian explosion 542 million years ago, when life on earth evolved very rapidly.

“All of a sudden, the planet Earth was suffused with light,” he said. “Animals can now see long distances, significantly altering the relationship between predator and prey. This is a good analogy for the current security situation today.”

Adi Shamir, who specializes in cryptographic schemes and protocols, agreed that newer technologies and products related to the rapidly expanding IoT were vulnerable if not properly secured. However, the Borman Professor of Computer Science at the Weizmann Institute in Israel also emphasized that the more things changed, the more they actually stayed the same.

To illustrate his point, Shamir reiterated his “three laws of security” which, although formulated by the cryptographer back in the 1980s, remain extremely relevant today.

“Firstly, secure systems do not exist today or in the future. Secondly, cryptography will not be broken, but bypassed. Thirdly, to halve the vulnerability you have to double the cost,” he explained. “Trying to stop the most sophisticated attacks means companies have to spend lots of money. This is why some have chosen to adopt a ‘good enough’ approach to security.”

More specifically, said Shamir, some of the new IoT products offer less than stellar security. Indeed, one recently tested demo system was found to have (temporarily) unsecured WiFi during configuration – a major vulnerability that could allow attackers to steal passwords and gain access to the network.

In addition to exploring IoT security challenges, the cryptographers discussed the recent adoption of the E.M.V. smart credit card standard in the United States. While the new cards are likely to deny cyber criminals one of their most lucrative strategies, no one expects them to throw in the digital towel anytime soon.

Indeed, as Kocher noted in a recent New York Times op-ed, cyber criminals will shift to other lucrative (though somewhat less attractive) ways to profit from stolen data and credentials, such as stealing from brokerage accounts, forging checks, filing bogus tax refunds and engaging in insider trading and medical billing schemes.

“The E.M.V. roll-out is a critical first step, but it will take a long time to shift our critical security tasks away from complex microprocessors and their software to simpler, well-isolated circuits and chips built for security,” he added. “More systems will get attacked and then upgraded, technical advances will create new and greater opportunities for abuse, and the cycle will continue.”

Ransomware was another area of concern for the panel, with KEYW cryptographer and security expert Ed Giorgio emphasizing that once cyber criminals gain access to a system and hold specific files hostage, they are likely to look around for something else to blackmail a victim with.

“Ransomware [is lucrative] and will be around as long as they can make [victims] pay money and maintain their ability to extort,” he concluded.

Interested in learning more about Rambus’ activities at RSA 2015? Be sure to check out booth S1815 on the exhibit floor, where we will be showcasing CryptoFirewall and a wide range of DPA countermeasure solutions. You can also follow us on Twitter for live show updates.