Post-Crypto in a Pre-APT World
There was a Cryptographers’ Panel session at the RSA Conference with Adi Shamir of the Weizmann Institute of Science, Ron Rivest of MIT, Dan Boneh of Stanford University, Whitfield Diffie of ICANN and Ari Juels of RSA Labs. You have probably read Adi Shamir’s statement about implementing (IT) security in a “post-crypto” world. He claimed that cryptography would become less important for defending computer systems and that security experts have to rethink how to protect valuable information in the light of sophisticated Advanced Persistent Threats (APTs). “Highly secured” infrastructure has been compromised despite “state of the art” defence mechanisms. So what does rethinking really mean? Do we have to start from scratch? Should we abandon everything we use today and come up with a magic bullet (or a vest more appropriately)?
Our first implication is not to abandon cryptography altogether. Speaking of cryptography is a broad generalisation. Encrypting information will always be a part of securing infrastructure and data. Shamir mentioned that once attackers have compromised a system they have access to decrypted information. This is true for any security measure. It doesn’t imply that we should abandon access controls, tokens and passwords just because we might have a security breach. There will be breaches sooner or later, but cryptography isn’t at fault here. You can break trust without breaking cryptography. Ask the social engineers.
Speaking of trust, there is a big issue with trust and secure data transport. Past attacks have featured valid certificates issued by certificate authorities. Even certificate authorities themselves have been breached, abused or broken (look up the Comodo, DigiNotar or TurkTrust cases). While there are plenty of certificates left, the term authority has lost some – if not all – of its credibility. If you use a public key infrastructure (PKI) you can either run and secure it yourself (which is a lot of effort depending on what you use the PKI for), or you can outsource it to trusted certificate authorities. Most infrastructures require a mix of different certificate authorities. You can experience this mix if you install the Certificate Patrol add-on for Firefox and watch certificates and certificate authorities changing every time you load web pages using content distribution networks. Even experts have a hard time telling which change is legitimate and which might be a threat. PKI is a nice tool, but you will need additional or alternate methods to anchor and verify trust relationships. There is no way around it.
Let’s skip the part about the Bring Your Own Device (BYOD) hype. If you open the flood gates and allow any kind of device into your network, then you are clearly not afraid of APTs.
Adi Shamir talks about secrets, failures and visions. And even if we do not fully agree with his statement, we concur that we need some visions. The motto for DeepSec 2013 is “Secrets, Failures and Visions”. Our Call for Papers is open. Send them to us.