CSO - You may have heard that we're living in a post-modern world, where the past makes less sense in our post-history era and computer makers gnash their teeth in post-PC times. Now, brace yourself for the post-crypto world.
"It's very hard to use cryptography effectively if you assume an APT [Advanced Persistent Threat] is watching everything on a system," Adi Shamir, considered to be one of the founding fathers of public-key cryptology, said during the forum.
"We need to think about security in a post-cryptography world," he said.
The declaration of the post-crypto era puzzled some cryptologists. "I think it's pretty bizarre to see that group of cryptographers proposing the idea of a post-crypto world," said Matthew Green, a professor specializing in cryptography in the computer science department of Johns Hopkins University.
Along with Shamir on the panel were Ron Rivest of MIT, Dan Boneh of Stanford University, Whitfield Diffie from ICANN and Ari Juels of RSA Labs.
The panelists make an important point about cryptology today, Green noted.
"We know how to do crypto well," he said. "The problem is that in order to use cryptography, you have to implement it on a computer with software, and we're very, very bad at writing secure software.
"If someone can own your computer and see everything you're doing, it doesn't matter that the data is encrypted," he continued. "If you can't trust the computer you're running crypto on, it doesn't matter how good the crypto is."
Unlike the post-PC era, where personal computers are supposed to become irrelevant, that's not the case in the post-crypto era, according to Les Hazlewood, CTO of Stormpath in San Mateo, Calif., which offers identity management services for developers.
"In a post-cryptography world, you're going to have to do other things in addition to cryptography to protect your data," he said. "It's not that cryptography isn't important any more. It's just not the whole thing any more."
In addition, cryptographic algorithms that may have been adequate to protect data in the past don't cut it anymore, he said. "The amount of computing power available to attackers is huge now," Hazlewood said.
Nevertheless, a phrase like "post-crypto world" can be easily misinterpreted, said Bit9 Senior Researcher Dan Brown.
Crypto has been important to information security for years, he explained, but has often been elevated beyond its intended level.
"Cryptography is an important tool in today's information security regime, but has contexts where it applies and contexts where it doesn't," he said via email.