Thursday, November 5, 2015

ICMC15: Keynote: Current Issues in Cryptography

This year's conference has over 200 attendees from more than 18 countries and 18 sponsors. Oracle is one of them - we're sponsoring lunch today. :-)

Phil Zimmermann, Creator of PGP, Co-founder, Silent Circle

The last time I saw Phil speak was at DefCon2 - so I'm very happy to see him again!

Phil contested his introduction, which said PGP is the most widely used crypto software - because it's only for email, and nobody encrypts their email.  We don't have to worry about NSA cracking our crypto, because we're simply not using it.

People are more aware now that we are being watched, in part due to the revelations from Edward Snowden. The industry is coming up with new ways to push pervasive use of encryption.

Public key infrastructure has spectacular failures, like an Iranian hacker subverting the system, turning over keys to the Iranian government, who then did man-in-the-middle attacks against Iranian dissidents.

Quantum computing is like nuclear fusion - we've been 5 years away from nuclear fusion for the last 50 years.  If we do actually get quantum computing, perhaps we'll actually get nuclear fusion! :-)

Phil's been thinking about quantum computing. ZRTP, a protocol he designed for secure telephony, uses an ephemeral Diffie-Hellman exchange and destroys the keys at the end of the call. There are elements in the protocol to deflect hackers - like only one chance to use a hash.

While we don't have quantum computing today, there's nothing to stop a government from storing your encrypted data from today to process later when computing power improves.  Intelligence agencies have a long-term way of thinking and a lot of patience.

He had to develop ZRTP with the components he has at his disposal: DH, ECC, and block ciphers.  He wants to be able to set up new calls quickly, and still securely. Lots of things to think about here.

Zimmermann is finding that it's not just regular people wanting to hide their traffic from the intelligence community - corporations are worried, too.

Phil laments that we're losing our natural inclination for conversation privacy, thanks to the widespread use of telephones.  We shouldn't trust the phone companies. We should be able to still, essentially, whisper in each other's ears.

Even experienced cryptographers struggle to understand and explain trust models. Any crypto scheme that relies on the end user understanding a trust model will fail.  It needs to be so easy that anyone, even non-technical people, can use it.

We focus on coming up with hard mathematical equations that we imagine our opponents facing - but that's not how the NSA thinks about this. They think of this as an engineering problem.  Thinking of harder math problems won't get us very far. They are fun, we feel smug - but that's not how the NSA works.

We have to think like the intelligence agencies - it can't just be about hard math.
 
 Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!