News Stay informed about the latest enterprise technology news and product updates.

Hellman: Authentication at every access point

In the 1970s, Martin Hellman and Whitfield Diffie wrote the recipe for one of today's most widely used security algorithms in a paper called "New Directions in Cryptography." The paper mapped out the Diffie-Hellman key exchange, a major advancement in Public Key Infrastructure (PKI) technology that allows for secure online transactions and is used in such popular protocols as the Secure Sockets Layer (SSL) and Secure Shell (SSH). In 2000, they received the prestigious Marconi Foundation award for their contributions.

With the world increasingly dependent on the Internet for commerce, and a financially-motivated underground of malcode writers working overtime to exploit its weaknesses, there's been plenty of debate over how cryptography must evolve to meet new threats. In this two-part feature, Diffie and Hellman discuss the threats that concern them most and where they think the technology they helped advance is headed.

Part 1: Hellman, now professor emeritus of electrical engineering at Stanford University, explains why phishing is one of the biggest threats we face, why strong authentication is needed at every access point and why security add-ons won't do much to ease the threats of cyberspace.

When you look at today's security threats, what worries you the most?
The phishing type of threat and e-mail scams have gotten really good. You hear a lot about the need for authentication. We should have every Web and e-mail connection authenticated from the start. People have accused me of being too utopian in my thinking. That may be true. I've heard people say it's too expensive to have authentication at every access point. But the cost of not authenticating will be much worse. And it gets hard to add on that extra security after the fact.

Martin Hellman

Which threats do you think get too much attention in the media?
None come to mind. The press tends to pick up on one thing, everyone picks up on it and other important things might be ignored. But in the end, the press attention keeps the focus on security awareness. That's a good thing, always raising awareness.

Any threats you think are not getting enough attention?
The Internet is basically insecure. Credit card numbers are all encrypted and you have SSL. But what the military learned long ago is that little pieces of information together can be very valuable. That so and so was moving to New Mexico in 1942 didn't seem major until you started to see evidence that others were moving there. I read that there was a competition using Google and other search engines; a contest on how much information you could gather on random people. They get Social Security numbers and other things, in many cases from government sites. Many pieces put together can make for an interesting dossier.

For tech vendors to succeed in the coming years, what do they need to offer people?
They need to bring security into the equation from the beginning. I don't want to mention specific companies by name, but I'll say this: In 1980 no one was thinking security except for people like myself and (Whitfield) Diffie. Security became an add-on later. Adding after the fact is very difficult and accounts for many of the flaws we see today. It's important not to try and sell encryption as a standalone product. Selling an encryption add-on to e-mail is much less likely to succeed than an e-mail offering that has it integrated in. Companies that form partnerships -- encryption companies partnering with Microsoft for e-mail protection, for example -- also have the best chance to succeed.

Related links

The other half of the equation: Diffie: Infrastructure a disaster in the making

Expert advice: Diffie-Hellman exchange in depth

News: Is single sign-on ready for primetime?

A running joke is that whatever year we're in is "The Year of PKI," meaning the technology has yet to live up to its hype. Do you believe there will ever be a true year of PKI?
I hope so. Whenever it happens, I hope it's the year security gets the attention it deserves. In the 70s we started seeing increased computer use that would drive encryption demand. We were thinking it would take five years for the technology to advance. It has taken much longer. The government is a big reason. The NSA (National Security Agency) didn't want a public key standard that ensured privacy. So the digital signature standard came out and didn't include privacy. RSA has privacy and authentication. The government held things back. There has also been a lack of user and vendor awareness. A major change seems to be happening now because of security guidelines like HIPAA, credit card issues, and so on. These things are forcing people to pay attention.

How do you see the technology evolving over the next decade?
Certain threats have been dealt with because of the Secure Sockets Layer (SSL), which has largely secured things like credit card transactions over the Web. I'd like to see more automated, transparent, integrated advancements in all areas, all technology where security is affected. People will use it when they don't know it's there. Integration is important because when people have to cobble things together, it's unlikely they'll do it.

A back issue of Information Security magazine calls Ralph Merkle an "unsung hero," arguing that he had as much to do with advancing PKI technology as you and Whitfield Diffie did. Do you think Merkle deserves more credit for his contributions than he has received in the past?
Even though his CACM paper, "Secure Communications Over Insecure Channels," appeared in April 1978, 17 months after "New Directions in Cryptography," Merkle's 1975 submission predates "New Directions." Merkle was unlucky to get an editor and referee who did not recognize the ground-breaking nature of his paper, so it went through a three-year review process while both "New Directions" and the RSA paper received unusually fast publication, each appearing in well under a year from initial submission. In partial defense of Merkle's editor and referee, Merkle was only a masters student at the time and had no experience in writing papers for publication, but that does not change the credit which is due him. His paper not only introduced the notion of public key distribution, but presented a working system based on puzzles. While not practical, particularly with the technology of the time, Merkle's puzzle system was the first and for well over a year was the only public key system known. What is now usually called the "Diffie-Hellman Key Exchange" is not a public key cryptosystem, the initial approach that Diffie and I took to public key cryptography. Rather, it is a public key distribution system, the concept introduced in Merkle's paper. Diffie and I made our debt to Merkle clear in "New Directions," but when names were later attached to the system, Merkle's was unfortunately left off. This was an error and, if any names are associated with that system, it should be the "Diffie-Hellman-Merkle Key Exchange."

Dig Deeper on PKI and digital certificates

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.