Over the last year, leaks by former National Security Agency (NSA) contractor Edward Snowden have shown that the U.S. intelligence-gathering agency has been collecting huge quantities of data on U.S. citizens and foreigners alike, and purportedly attempted to weaken the cryptographic standards maintained by the National Institute of Standards and Technology (NIST). A pair of recent Reuters reports indicated that the NSA may have been involved in some backhanded dealings with RSA, the security division of EMC Corp., including paying the security vendor $10 million to make a weakened random number generation algorithm the default in its Bsafe encryption product.
Despite the NSA's activities, Snowden himself reiterated his belief in cryptography when answering readers' questions on The Guardian website: "Encryption works. Properly implemented strong cryptosystems are one of the few things that you can rely on." Does that mean enterprises can still rely on encryption as an infosec bedrock?
In this interview, which was recorded at the 2014 RSA Conference in San Francisco, Paul Kocher, president and chief scientist for Cryptography Research Inc., a division of Rambus, explained how the ongoing NSA encryption scandal has led to a "loss of trust" among the security community. Certain crypto algorithms, like the Dual Elliptic Curve random number generator exposed by Reuters, are completely buried, according to Kocher, while the security industry is left to question others that have been maintained by NIST.
For enterprise security teams, Kocher said the scandal shows that nation-state entities, including those in the U.S., now pose a threat to sensitive corporate data, and that even if the NSA undergoes proposed reforms to split its offensive and information assurance capabilities, questions about the agency's intent will linger. Ultimately, while the mathematics behind cryptography can be trusted, Kocher warned that a faulty implementation can easily undo the strongest algorithm.
Read the transcript below.
Hi there. I'm Brandon Blevins with SearchSecurity.com. Thanks for watching this video. Joining me today is Paul Kocher. Paul is President and Chief Scientist with Cryptography Research, Inc. Paul, it's been nearly a year since Edward Snowden began leaking a series of documents exposing widespread surveillance and data monitoring activities at the NSA, including attempts to break and manipulate widely used cryptographic standards. What has been your reaction to that ongoing story line?
Kocher: Well, there are a number of different pieces to that story. At the highest level it's been something of a loss of innocence. We used to think of the government as playing a more benign role, at least in terms of the industry perspective and I think that perception is forever changed now. If you look back in the history, there was suspicion and concern about the government's role in setting standards like the DES standard back in the 1970s, but after a lot of both technical work as well as political discussions, finally meant that NSA gained people's trust. And I think there's now a feeling that they gained that trust but then abused it. So I think it's much harder to regain that and I'm not sure that will ever occur.
I think also there's a level of looking at this from the perspective of changing the way we look at threats. It used to be that there was either a view of the threat as kind of the rogue bad actor or the rogue nation state, but this blurring and recognition that the activities of the US government really fall into the category of adversary or threat really wasn't the way that people were mostly looking at the problem before. China, or even more so a nation like North Korea or Iran would have been viewed in that category, but not a western democracy. And that really is going to make it more difficult for the government to play a role of cooperating with vendors. If you're working with somebody from the government instead of viewing them as a customer, you're now viewing them as a potential entity with an agenda that might conflict with your own.
And that blurring of the lines that [inaudible 00:02:25] mentioned yesterday [inaudible 00:02:26], right?
Kocher: Exactly. And it's really going to be problematic in the places where the government has something to contribute, because folks with a benefit to provide are going to be viewed suspiciously. And there is talk about trying to separate those roles out, so there might be an offensive or signals intelligence portion of the NSA separate from the COMESEC or information assurance portion, and if that kind of separation gets done maybe it's possible for one piece of the government to be viewed as trustworthy and the other to be viewed as not as trustworthy.
But it's hard to play both sides of the game if you're an organization and it's also important to remember that you can look at this from the context of the US, but spying is a global game and in many ways the US is more restrained than other entities or countries. So we're going to see rapid escalation and emulation of what the US has been doing elsewhere, so even if the US changes its behavior, we've still got another 20 to 40 nation states that have varying degrees of capability that will be trying to do the same things to our systems.
So, if you kind of think about it from a battleground perspective instead of just having a few rogue actors running around the systems, you're going to have a huge number and that creates a bunch of very complex and difficult security challenges as well as reliability issues, integrity issues, privacy issues. It's really a set of very difficult challenges that we face.
You mentioned that loss of trust, especially with NIST. Have you personally lost any trust in any cryptographic standards over the last year?
Kocher: Well, so there's the one spectacular example, which is the dual EC retina regenerator and in a way it went from being a suspicious standard to being one that is completely blacklisted, so that one has completely lost its reputation and for good reason.
I think the next area where there's some anxiety but no smoking guns to relate to the NIST's chosen curves for elliptic curve cryptography and there's some folks who think there may be problems there. I think the jury is certainly still out. That said, in some of our products where we're choosing algorithms, we tend to prefer the RSA algorithm, not necessarily because we know that there's a problem with anything in the elliptic curve side but it just avoids a conversation with the customer about whether there might be a government back door there from the US. And as a US company, I view us as now having to make sure that we present ourselves to an especially high standard and work with our customers to make sure they're comfortable with what we're doing.
Now, Snowden himself said that strong crypto systems are one of the few security measures that are still reliable and effective. Do you agree?
Kocher: I do. The huge asterisk that goes after that statement though is that while the mathematics is strong, the mathematics in any given system are only as good as the implementation and the end points there. So, even if you've got a strong algorithm, if the keys you're using with it are exposed it doesn't provide you with any protection at all and this in reality means that when you put your keys on, for example a PC, the strength of that PC becomes the primary factor to determining your security, not the mathematical strength of the algorithm.
That said, having building blocks like digital signatures, encryption, public encryptography, that are mathematically robust is extremely useful as we try to construct these more complex systems because at least we have some ability to start building things on a foundation that is solid, whereas almost everything else that we have to work with really is not robust, at least not in the software domain. There's some things that you can do in hardware that maybe we'll talk about a little later here, that may be somewhat different, but in a complex device, whether it's a mobile phone or PC or tablet, there's just too much complexity there to be confident that the end point is bug-free.
Paul, practically speaking, how should the average enterprise security professional digest the NSA encryption scandal?
Kocher: Most companies from an economic perspective aren't directly threatened by the NSA. The NSA isn't taking the information they capture and using it to help competitors as far as we can mostly tell. Other countries don't have that degree of restraint. So in China, for example, there's pretty good evidence that information collected through their intelligence activities is used to give Chinese companies an advantage competitively.
So, when you see what one adversary or one spying organization can achieve, that gives you a really clean sense that you need to be building security systems that can deal with those kinds of threats. And I think one of the key messages coming from both the conference as well as the press reports recently is that the offensive side is having huge victories. The defensive side of security is really in disarray right now. The strength of systems is simply inadequate to deal with threats.
Paul, how do you prepare for that sort of nation-state adversary? How sophisticated are they compared to the average criminal organization in China or Russia, say?
Kocher: Well, so it depends on what kind of organization you're dealing with and what the motivation of the adversary is. If you've got a major engineering project like if you're one of the top ten websites or a major technology vendor, then you have a really complex and nasty set of problems on your hands, because your worth the effort of an adversary, for example, to plant insiders in your team. And your scale is such that people are willing to intercept shipments going to your data centers and tamper with some along the way, and do kinds of things that require some effort that is pinpointed toward your systems, but if you have a system that's going to have hundreds or thousands or millions of people, organizations, data on them, your systems therefore become a single point of failure for the security of all of these organizations.
This really comes down to the fundamental challenge facing security in the cloud, which is that when you aggregate lots of people's data together the requirements for security go up in some ways proportionally to the amount of data there. And even though a given cloud provider may be better than you can achieve from a security perspective as a single organization, having all this data in one place creates this particularly attractive target for adversaries.
So from an enterprise or from an organization with large amounts of extremely amounts of valuable data, these factors make it so that the challenges become very difficult and perhaps in some cases insoluble using today's technology. At the other end of the spectrum you may have a small company without information of any particular importance to nation states or it doesn't matter if somebody can see the data coming in and out of a local real estate broker, for example. There are some modestly privacy issues there but no government is really interested in stealing ordinary people's savings. It's just not the kind of thing it's your business to do even if you're a rogue nation state. You're just not going to bother with that.
So, there you can deal with a much, much lower level of adversary and your primary focus then becomes in some ways just really ducking down and figuring out ways to build at least high enough barriers that most of the real attacks are just going to fly overhead. So, there it's a more solvable problem and a lot of the technologies that you see on the show floor here at the RSA conference are well-designed to that kind of a need where you've got detection of well-known attacks, risk management of... if you've got multiple threats coming, that have gotten through your perimeter, helping catch some of those. But the technologies we've got right now really don't do a good job of dealing with the targeted adversaries who are going after a particular organization. That's really where the biggest challenges lie.
You moderated the cryptographer's panel here at the 2014 RSA conference and I'd like to ask you one of the questions that you asked that luminous panel. Have there been any developments, papers or the like over the last year in the photo cryptography that you feel like have moved things forward?
Kocher: You know, if I had to pick a single area where I have optimism it's around technologies for building compartments and taking things that you may not trust and being able to segregate those from the things that you do trust. And this isn't necessarily a single paper, but there are a lot of different things going on there from the rollout of smart cards in the payment infrastructure to build little compartmentalized security pieces separate from the terminals and the infrastructure that processes transactions to techniques for building paging and E systems and mobile payment systems where you've got... they have little compartments where you put things and not trust them so much.
There was some work that Google did and has actually backed away from allowing people to set application specific permissions in Android, where you can have an application that you may trust to do network access but not read your context, even though the developer wants to read your context. That kind of choice and control and ability to compartmentalize that you can get the benefit of something, yet not entirely not trust it; I think is going to be essential going forward.
Paul Kocher. Thanks for joining us today.
Kocher: Thanks for having me.
And thank you for joining us as well. For more of our videos, please be sure to visit SearchSecurity.com/video.