U.S. Attorney General Jeff Sessions’ call for a way to “overcome” cryptography met with scorn from a panel of elite cryptographers speaking at this week’s RSA Conference 2017 in San Francisco.
“Any one of my students will be capable of writing good crypto code,” says Adi Shamir, the ‘S’ in RSA and a professor at the Weizmann Institute in Israel.
Sessions’ use of the term “overcome” during his confirmation hearings actually means installing backdoors, says Ronald Rivest, the ‘R’ in RSA and a professor at MIT. He cited a joint Congressional study that concluded that weakening encryption works against the national interest, and that encryption is global anyway -- so the U.S. can’t call all the shots.
Shamir noted that the current, most respected encryption algorithm was devised by Belgians, and that other major crypto advances were made by Japanese, Israelis and others. “It’s not uniquely American,” he says. Forcing backdoors in American crypto products would be shooting U.S. interests in the foot, he says. “Other countries would be happy to step in with un-backdoored cryptography.”
Susan Landau, another panelist and professor at Worcester Polytechnic Institute, says there are other ways to get around cryptography than backdoors, so the call for them is overblown. These include court-authorized, legal hacking of end devices.
Landau notes that in the Apple v. FBI case last year, the problems of decrypting a terrorist’s iPhone were overblown by the FBI, which said it could only get in with Apple’s help. Later, the FBI hired a private firm to do the work, and a researcher demonstrated how to do it with about $150 worth of off-the-shelf gear.
Shamir says that the Israeli company that purportedly helped the FBI was later hacked and its methods publicly disclosed by the attackers. “You need to be careful about helping the FBI,” he says with a smile.
AI and quantum computing’s impact on cryptography
The group was asked about the impact artificial intelligence will have on security and seemed unimpressed.
Shamir says AI will be good for security defense because it can find anomalous behaviors and make associations quickly that humans would take longer to make or not make at all. But as an offensive weapon to devise zero-day attacks, AI is lacking. “That requires ingenuity and originality,” something only humans can contribute, he says.
The group seemed unafraid of the advent of quantum computing and the threat it might pose to cryptography, but said that work is needed to create cryptography that can withstand quantum-backed cracking.
Shamir says if RSA were to be broken, it’s more likely to be broken by advances in math that will make it possible to crack keys much faster than current brute-force techniques.
Landau says there needs to be more math research into quantum-resistant cryptography. The current efforts lag behind what went into creating the Advanced Encryption Standard (AES) and should be stepped up.
And about that election…
The security of the U.S. presidential elections should have been audited to erase doubts of their validity, Rivest says. Election officials had the ability to check the integrity of the hardware and software used, but didn’t. “There’s no proof now,” he says. Auditing would have been good hygiene to determine whether the election technology was hacked. Rivest calls for 100% paper ballots which can be readily recounted and verified.
Landau, who is a professor of cybersecurity policy, says the hack of Democratic National Committee emails was nothing new in terms of what was stolen and how. “The way the information was used was new,” she says. “The drip, drip, drip of information” had a more powerful effect on public opinion than dumping it all at once would have.