We’re on the 11th floor of a tall glass building overlooking San Francisco’s iconic Market Street. Clanging cable cars ply the bustling streets below as the fading rays of a softly setting sun reflect off a row of remarkably preserved cipher machines, including an Enigma. The early cryptography platform – invented by Arthur Scherbius at the close of World War 1 – was used commercially during the 1920s before being adopted by various militaries for enciphering and deciphering secret messages, although it was famously cracked during World War II.
Across from me sits legendary cryptographer Paul Kocher. One of his early research projects was the discovery of timing cryptanalysis – a method of obtaining secret keys from cryptographic devices operating in non-constant time. He found that many RSA and Diffie-Hellman were executing simple operations (such as 00=0) faster than more complex ones (762735256431=195588898785), allowing keys to be found by measuring the variations and applying innovative statistics.
Kocher also co-developed simple power analysis and differential power analysis, contributed to the design of Deep Crack (a DES brute-force key search machine) and co-authored the Secure Sockets Layer (SSL) 3.0 protocol, a cryptographic standard for secure communications over the Internet.
For Kocher, who serves as President and Chief Scientist of the Cryptography Research Division at Rambus, the antiquated machines epitomize the salient challenges faced by modern-day cryptographers.
“Those who cannot remember the past are condemned to repeat it,” Kocher said, quoting the philosopher George Santayana. “The people who designed Enigma deemed the cipher unbreakable, yet it was ultimately cracked by a combination of Polish, French, and British efforts.”
What can we learn from this?
“As cryptographers, we need to constantly question ourselves and avoid being lulled into a false state of complacency. Attackers have the luxury of being successful if the methods they try fail 99% of the time and succeed 1%,” Kocher explained. “In contrast, for system designers, failing even 1% of the time is unacceptable. We need to secure systems 100% of the time, and a 1% failure rate isn’t good enough, so we’re constantly asking ourselves what we might be missing.”
Although securing vulnerable systems and sensitive data has long been a critical priority for the industry, the Internet of Things (IoT) is creating new challenges and opportunities for cryptographers, with a staggering 30 billion devices projected to be connected by 2020.
“The approaches used today for laptops, tablets and smartphones involve frequent patching, updates, and user prompts, but this doesn’t work for IoT devices such as refrigerators, ovens, washing machines and dryers,” he continued.
“The solution? We must find a way to create effective security that works even if there are software bugs. This requires building better, more secure hardware that can provide effective security and last across the extended lifespan of devices such as appliances and cars. These appliances need to ‘just work’ in a secure manner.”
According to Kocher, there has been a paradigm shift in the way the threat landscape is perceived. Indeed, the industry is moving towards solutions that address a diverse set of security requirements across multiple platforms and chips, rather than building narrow solutions specific to a single use case or device.
“From my perspective, truly robust security starts with the design of an SoC, and security needs have to be addressed along the manufacturing supply chain. This ‘cross-industry’ approach can be found in the DNA of our CryptoManager, a technology we recently licensed to Qualcomm.”
Once the exclusive domain of empires and militaries, diverse implementations of cryptography are now essential to the modern world, protecting everything from smartphones to bank transactions.
“It is difficult to imagine any device these days that processes information, yet does need some form of cryptographic security,” Kocher concluded. “Adoption of cryptographic solutions will only continue to accelerate, as everything from cars to refrigerators join the growing ranks of the IoT. We plan on staying well ahead of the security curve, whether in the IoT or elsewhere. ”