Author and leading security expert Bruce Schneier digs into the topics of the current state of cryptography and whether or not companies should care about the U.S. government's release of portions of the CNCI.
Watch part one of this interview: Bruce Schneier on security for cloud computing
Bruce Schneier on cryptography and government information security
Mike Mimoso: Hello. I am Mike Mimoso, and today I am talking to Bruce Schneier. Thank you for joining me today, Bruce.
Bruce Schneier: Thanks for having me.
Mike Mimoso: The first question: at the Cryptographers' Panel yesterday, the panel talked about the potential demise of a couple of algorithms, particularly AES-128 and RSA-1024. They talked about this happening potentially within the next decade. Do you think this is inevitable, or was it something that you never thought you would see?
Bruce Schneier: There is a fundamental rule of cryptanalysis: it always gets better, it never gets worse. Every year there are advances in techniques, and we learn how to make things better. Some things, like RSA, you are going to have advances just due to Moore's Law, like factoring gets faster, in addition to advances in how we factor. We knew that 1,000-bit keys were doomed when we created them. Exactly when, we do not know, but it is pretty much right on schedule. I think anybody who is using 1,000-bit keys today is long overdue for updating. Something like AES was a little harder to forecast, to foresee. There were a lot of us during the AES competition that did not really like Rijndael because it was so simple, because it was playing so close to the edge. We are looking at 128 go down sooner than we expected, but there are people who did not trust Rijndael, which became RSA, because of that. The timing is always a surprise, but we know this was going to happen sooner or later.
Mike Mimoso: When something like this happens, are you sad to see these algorithms go? Do you feel a close connection to them?
Bruce Schneier: I think more exciting are the new techniques we learn that cause the algorithms to fall. Every time an algorithm breaks, we learn more about how to make something secure. Every cryptanalysis paper is also design information. Yes, it is sad to see things go, but it is great to see what we learn when they go.
Mike Mimoso: You answered the question a little bit, but can you talk about the state of cryptography today? Is it any better today than it was, maybe, a decade ago?
Bruce Schneier: Cryptography is the same as it was a decade ago. It turns out that the fundamental problems in cryptography are not really about cryptography. We built all the cryptography needed in the '80s to do the things we need to do today. Many algorithms are different, maybe some of the computations are different, but the basic ideas are all the same. The real hard problems are in using cryptography: embedding it in software, remembering and moving secrets around, installing it, updating it; that is the real hard stuff. The cryptography things we have got pretty licked. You go to the show floor at RSA, the cool companies are not doing cryptography; they might be using cryptography in some cool way, but the stuff they are using is decades
Mike Mimoso: What do you make of the government's decision to declassify portions of the CNCI?
Bruce Schneier: It was interesting to see. It is really a summary; there is not a lot of detail. In all of these matters, the devil is in the details. I like the fact that they declassified what they did, I think it is interesting reading, but I do not think we learned a lot. What is missing is more important than what is there.
Mike Mimoso: CNCI has always been this mysterious document. Do you think it is really worth the time in the general business population to worry
Bruce Schneier: I doubt it; it is a policy document. We do not know what is implemented, we do not know the timeframe for it, a lot of things we do not know, but in some ways it is like alien technology. We know so little about what goes on that any little data we get we study minutely, because it is all we have, and we try to learn from it. My guess is there is less there than we want.
Mike Mimoso: I do not think we have spoken since Howard Schmidt was appointed Cyber Security Coordinator. I do not know if you know Howard very well, but do you think he is the right type of person, that blend of part politician, part technologist?
Bruce Schneier: Cyber Security Coordinator, or Czar, is a really hard job. Without budgetary authority, there is not a lot you can do, and Howard Schmidt is one of the few people who actually might be effective in that role. I do not think it is easy, but he definitely has the political skills and the technical chops, so he has got a shot, and I wish him well. People can do big jobs, but they need resources behind them. The problem with cyber security is that it does not have the resources behind it. All you can do is control, all you can do is cheerlead, all you can do is suggest; you cannot mandate. If you cannot mandate, you cannot get stuff done. You have got to be politically savvy, technically savvy, you have got to keep quiet, so it is a hard job. He is a good choice, and I wish him well, but he has got a tough row
Mike Mimoso: Great. Thank you for joining me today, Bruce.
Bruce Schneier: Thank you.
Mike Mimoso: For more information, please go to SearchSecurity.com.