Cryptography and Data Security: Long-Term Challenges
Burt Kaliski, RSA Security
Northeastern University CCIS Mini Symposium on Information Security
November 9, 2004
Approach
• Looking toward future generations of information technology – 30-year timeframe
• Cryptography, network security grow in importance as essential building blocks
• Challenges lie ahead – what can we do?
• Two kinds of solution to consider:
— “Easy”: apply current knowledge to alleviate problems
— “Better”: discover new knowledge that overcomes them
Challenge #1: No Algorithm Is Safe
• Today’s algorithms remain secure for 30+ years against known attacks on classical computers, with sufficiently large keys
• The risk: unknown attacks and quantum computers
— Quantum computers would break today’s number-theoretic public-key cryptography; halve effective key size of secret-key algorithms
— Unknown attacks could have equally dramatic effect
• Key problem: With a few exceptions, no algorithms are proven secure unconditionally
Algorithm Directions: “Easy”
1. Employ multiple algorithms based on different hard problems
— Presumably less likely all to fall at once
2. Deploy secret-key-only architectures where feasible
3. Adopt Merkle hash signatures
— (2.) and (3.) reduce the dependence on number-theoretic public-key cryptography, which is riskiest against quantum computers
— However, no assurance that specific secret-key algorithms and hash functions resist specific quantum (or classical) attacks
4. Introduce quantum cryptography as an extra layer of protection
— But limited to link encryption with photon transmission
Algorithm Directions: “Better”
5. Develop alternative algorithms based on different hard problems
— A broader portfolio against attack
— But involves a long testing process – few hard problems have survived last 30 years
6. Find new algorithms that are provably resistant to attack – or fully prove strength of existing ones
— Requires major breakthroughs in computational complexity theory
  • e.g., lower bounds for integer factoring
7. Invent quantum or other form of cryptography that isn’t limited to photon transmission, e.g., “RF quantum”?
— Assumes new results in physics
Challenge #2: No Data Is Safe
• Data and keys can be reasonably well protected today against compromise with trusted hardware, software
• The risk: Attacks are becoming more sophisticated, and usability competes with security
— Side-channel analysis can expose keys in many implementations
— Availability requirements often encourage multiple copies of data
• Key problem: Security architectures today generally based around explicit data and keys
— Each instance an opportunity for compromise
Data Protection Directions: “Easy”
1. Build implementations of existing algorithms to address side-channel attacks — not just for speed & space
2. Employ architectures based on implicit data and keys:
— Secret splitting: Data stored in n shares, k required to reconstruct
— Distributed cryptography and secure multi-party computation: Keys stored and used in shares – never explicitly reconstructed
3. Adopt techniques that “heal” the effects of compromise:
— Proactive security: Shares are periodically refreshed
— Forward security: Keys are updated regularly such that past keys cannot be computed from current ones
Data Protection Directions: “Better”
4. Design new algorithms that are provably less vulnerable to side-channel attacks and other compromises
— “physically observable cryptography” (Micali, Reyzin)
— potentially a difficult tradeoff versus conventional attacks
5. Develop new, practical data protection techniques based on other hard problems
— e.g., only on hash functions
6. Invent something physics-based, e.g., “quantum secret-splitting”?
And That’s Just the Data …
• Future networks, with numerous mobile components in ad hoc configurations, will also be at risk to a host of new attacks, e.g.:
— Routing table corruption, leading to network partition, traffic analysis
— “Selfish” nodes that expend others’ resources but do not contribute their own
• Countermeasures here involve a new way of viewing networks, where trust is earned, not assumed (Jakobsson et al.):
— “Micropayments” as network diagnostics
— Reputation management
— Game theory
Summary
• Today’s cryptography and data protection are reasonably strong, but 30 years is a long time
• Better long-term assurance requires new techniques and methods of analysis
— An architecture of implicit data built on a foundation of provable algorithms
• Research challenge is the same as for networks: a roadmap from today’s “gigabit security” into terabits and beyond
Contact Information
• Burt Kaliski
VP Research, RSA Security
Chief Scientist, RSA Laboratories
http://www.rsasecurity.com/