SAN FRANCISCO – Even the best encryption in the world won't going to stop an employee from bypassing procedures...
and making a mistake leading to data leakage, or a rogue insider from giving up sensitive information for money.
That was the main message that emerged from a group of prominent cryptographers at at RSA Conference 2011 on Tuesday. Encryption is sometimes deployed improperly, leaving gaping holes that can be used by attackers to steal sensitive data. Other times, encryption is used on a small subset of an organization's network – a risk-based decision that can have a profound effect on the security of interconnected networks, the panel said.
The RSA cryptography panel, known for sometimes witty and even terse exchanges between prominent PKI (public key infrastructure) experts, was more subdued this year. Instead the group focused on a new panel member, Richard "Dickie" George, a prominent cryptographer and 32 year veteran at the NSA. He currently serves as the technical director for information assurance at NSA.
the simple things and
then knowing it's not enough. Our best tools
are not that great for security.
George said the NSA treats its systems as if they are already being penetrated by adversaries. He said, like the NSA, most organizations should focus on basic security first and then add behavioral technologies on top to detect suspicious activity from files and processes.
"We're doing the simple things and then knowing that it's not enough. Our best tools are not that great for security," George said. "How well we marry up security tools with other IT tools and strategies can in fact help [alleviate some of the risk]."
George said behavioral and reputation-based security systems are layered on to help detect and defend against malicious software penetrating the network.
"People will never be perfect and we recognize that," George said. "Can you make it they don't make mistakes? That will solve a lot of problems."
The panelists pointed out that even the latest high profile security threats wouldn't have been defeated by encryption. Stuxnet, the complex computer worm that targeted a Siemens industrial control system in an Iranian power facility and most recently the "Anonymous" group carrying out attacks against firms blocking WIkiLeaks funding, were successful because of poor basic security procedures, said Martin Hellman, professor emeritus of electrical engineering at Stanford University.
"I'm sure all the possible security mechanisms were in place, but [Stuxnet] shows you can sneak in and modify data even in the most secure facilities," Hellmann said.
George, who was involved in the creation of the 56-bit key data encryption standard algorithm in the 1970s, was peppered with questions by the panelists about why a 56-bit key was deemed strong enough. One panelist asked if George ever thought cryptography would become an important field.
"We didn't see the importance of the Internet which provided a critical mass of people who could contribute to this," George said."There were lots of smart people out there working on a lot of things. No one could have envisioned how it exploded."
The 56-bit block size was cracked over several years and has been replaced by Triple DES which uses a 112-bit security with 168-bit keys. Today the AES encryption standard uses 128-bits and can be increased to 256-bits for even stronger encryption. George said the U.S. National Bureau of Standards, which was involved in creating DES, determined it would last for five years before needing updating. The NSA, according to George, thought it could last for a decade or more. Today, NSA is likely using 256-bit AES keys. Experts say the only successful published attacks against the full AES have been side-channel attacks on specific implementations.
"There were a lot of pieces involved in this. We wanted to provide an algorithm that had adequate security and met the security needs of the world at the time," George said.