Cryptography techniques must keep pace with threats, experts warn
Cryptographers at RSAC 2019 discussed personal data protection laws and challenges, future threats and the pressure for tech companies to work with law enforcement on decryption.
Cryptography techniques work well to protect data in a hyper-connected world, but the battle to maintain the integrity of encrypted data and ensure cryptography is used wherever necessary remains a challenge for experts in the field.
One such challenge came from the Australian government, which passed a law in December requiring technology companies to work with law enforcement agencies to decrypt encrypted data when a crime may have been committed. Technology companies and security experts argue this type of measure undermines data privacy and security efforts.
"Secret backdoors are like pathogens, and governments have done a terrible job of managing them," said Paul Kocher, a cryptographer and independent researcher, during "The Cryptographers' Panel" keynote at RSA Conference (RSAC) this week. He pointed to the NotPetya ransomware debacle in 2017, where security exploits from the National Security Agency were weaponized.
Under Australia's new law, developers can be imprisoned if they refuse to build backdoors in their products, or if they tell anyone they've done it -- a strategy cryptographers like Kocher consider "100% backward."
"If anyone should be going to prison, it is developers who sneak backdoors into their products without telling their managers and their customers that they've done it," he said during the panel discussion.
Cryptographer and security expert Whitfield Diffie shared his view that legislators should not have a role in personal privacy decisions, as technologies that chip away at privacy continue to materialize.
"I am very worried. At this moment, you still have a certain amount of privacy in your own thoughts," Diffie told RSAC attendees. "Electronic brain interfaces may well come to the point where they can read your mind ... If you look at things that are still your own, they are eroding very quickly."
Personal data protection is increasingly important, as more value is extracted from the troves of data being collected from devices. Corporations and government organizations use personal data in AI applications, such as facial recognition, speech recognition and machine vision, and data sets inform processes from setting bail to credit risk scoring, said Shafi Goldwasser, director of the Simons Institute for the Theory of Computing at the University of California, Berkeley, during the keynote panel discussion.
"You don't only send information, but you also process it. And this data should be kept private, because the power is in the data," Goldwasser said. "We have to talk about private computation, making sure computation is done in such a way that data privacy is maintained -- in a way that's robust and done correctly."
Cryptography tools and techniques protect the privacy of data throughout the computing processes, while ensuring the computation is accurate, she added.
While legislation around data privacy is controversial, GDPR and California's 2018 privacy law will play an important role in preventing companies from abusing and misusing personal data. Tal Rabin, manager of the Cryptographic Research Group at IBM Research, described regulations as an opportunity for the security community to foster development of built-in data protection features to support the use of data in a way that also protects privacy.
Accessible cryptography techniques
Cryptography techniques continue to evolve, but there are tried-and-true cryptographic methods that have stood the test of time, which many people don't know about, Kocher said.
Password-authenticated key exchange is old technology that works well and should be much more widely used than it is, according to Kocher. A second is threshold and multiparty computation techniques, which allow users to do computations like signing an SSL certificate, where not just one entity decides whether something will happen and the computation is split among multiple parties.
Paul Kochercryptographer and independent researcher
People should also use cold storage of data more, according to Kocher, who explained it is simple to put a public key somewhere offline and encrypt data as it is generated. Cold storage has found wider use in cryptocurrency, where it is also known as a cold wallet. It allows people to store their crypto-coin private keys offline, away from internet hackers.
"This isn't cutting-edge stuff -- it is stuff you can implement now, and it would make a big difference in solving some of the problems people have on a daily basis," he said.
While those and other cryptography technologies work well, they sit atop operating systems, processors, firmware and application codes; if those don't work perfectly, the crypto may fail, as well, Kocher warned.
But it has proven difficult to develop hardware that supports cryptography, said Ronald Rivest, a leader of the cryptography and information security research group at MIT's Computer Science and Artificial Intelligence Laboratory.
"I talk to my colleagues at MIT who work in hardware and architecture, and they start thinking about Spectre and Meltdown [vulnerabilities], and their eyes just go crazy," Rivest said during the panel discussion. "It's really hard to make hardware that supports cryptography in the way that cryptographers like to think about it in the ideal world, where people have secrets that are maintained and used securely. Having that implemented in the real world is still a challenge."
It doesn't help that bad things happen quickly in the cybersecurity space, and the good things seem to take an enormous amount of effort and time, Kocher said. But those positives are coming to fruition.
The transition to domain name system security extensions has been plodding along and is making important progress. There's the TLS 1.3 effort and safer languages like RUST, and there's a switch from passwords to cryptographic authenticators. These developments are all difficult, but they really matter, according to Kocher.
"A lot of us are used to working on internet company time, where you get an idea and you have a mock-up, and it's in the market six months later. These initiatives are measured in decades, but they are incredibly important, and they are moving forward."